Changes in your terms of business to ensure that you have the correct consent from your clients to hold their data have probably had you and your fellow partners poring over your client care documents and matter acceptance procedures. But has the administrative burden of GDPR hijacked the cyber-security agenda? Is there a misconception that, by having a suite of GDPR-compliant documents evidencing your responsibilities to the client, the job's done?
I doubt that anyone reading this article would agree with this statement, but there is a chance that GDPR compliance has taken centre stage over the past 12 months and that the real and increasing threat of cyber-crime is lurking in the recesses, so let's look at a few statistics.
A staggering 46 percent of UK businesses suffered from cyber-attacks or data breaches in 2017. There is a commonly held perception that, because of what's newsworthy, the businesses targeted by cyber-criminals are the bigger ones: the likes of British Airways, Dixons Carphone and Sony get targeted because they hold so much customer information. The reality is that this is not true. Of small to medium sized enterprises (SMEs) across the UK, 38 percent suffered a cyber-attack or a data breach during 2017, and the reality is probably even worse: these figures count only the businesses that know they have suffered a cyber-attack or a data breach.
Let's Turn to the Legal Sector
As many of you might know, the statistics are a lot worse for lawyers. Nearly two out of every three firms in the UK (61 percent) were victims of cyber-crime, be it a cyber-attack or a data breach, in 2017. Given that this figure represents a 17 percent increase from 2014, the trend is clear. Despite being more exposed than most organisations in the UK, and with the threat level rising, only 35 percent of practices report that they have a plan in place to mitigate the impact of a cyber-attack or data breach. Considering that this is a mandatory requirement of GDPR, it's not all about having compliant client care documents. So, to summarise, one in three firms has a plan in place, but two in three firms are the victims of cyber-attacks or data breaches.
Why is the Legal Sector so Vulnerable?
Why were 4.5 percent of all cyber-attacks reported in 2015 directed specifically at the legal sector? Unfortunately for the profession, law firms are the perfect target for cyber-criminals, as they hold high volumes of particularly sensitive information. Add to that the very large sums of money held in client accounts, and practices find themselves in the cyber equivalent of the perfect storm. Cyber-criminals are motivated by financial gain and are all too aware of the prize represented by a hacked law firm in both data and monetary terms. Whether it's direct theft of funds from your client or office accounts, proceeds from the sale of your data or extortion in the form of preventing access to your systems until you pay a ransom, the potential returns for a cyber-criminal are greater with law firms than with most other organisations.
A hacking group called Wild Neutron, who had been largely dormant for the last couple of years, have recently resumed activities with the specific and stated objective of targeting law firms. That’s an alarming mission statement from a sophisticated hacking collective that now has the legal profession firmly in its crosshairs. And they’re not operating alone.
What Can You Do to Protect Your Firm?
Do you need to spend tens or hundreds of thousands of pounds on network security? The answer for some firms is yes, but for many practices there are three simple steps you can take to minimise risk.
• Implement appropriate system controls as your first line of defence. There are some simple and straightforward steps that you can take to ensure that you have a base level of protection in place, including the use of anti-virus software and updating operating systems regularly with manufacturer patches.
• Make sure that there is an awareness of the potential impact of cyber-crime throughout all levels of your firm and an appreciation of good data security practices. Even an average cyber-criminal won't take long to crack a password that is "PASSWORD" or "ABC123".
• Make sure you have a breach response plan. We know that, statistically, two out of three people reading this article won't have one, yet firms are odds-on to need one.
What Happens if You Suffer a Cyber-Attack or Data Breach?
Unfortunately, it's statistically more likely than not that, at some point, you will be in a situation where there is a wrongful disclosure of data, and you will need to respond to that data breach. It happens to businesses of all sizes and from all sectors. The key when this happens is not to focus on what could have been done to prevent the data breach in the first place; that ship has already sailed. It's about dealing with the breach effectively and decisively, and mitigating the impact on those individuals whose data has been disclosed. Failure to do this is a real reputation killer.
In certain data breach circumstances, you have only 72 hours from the point you first become aware of a breach to notify the Information Commissioner's Office (ICO) and, of course, the individuals affected by the breach. Having a robust data breach response plan is critical in these circumstances, and this is where cyber insurance can provide essential support. But beware: not all cyber insurance policies are equal. Unlike the SRA's minimum terms and conditions, which homogenise professional indemnity cover from all participating insurers, there are no minimum terms for cyber insurance. Consequently, you have to make sure that your cyber insurance policy provides the right cover for you. Again, I'd urge you to watch our webinar for more information about assessing your needs and the adequacy of the coverage purchased.
Returning to the 72-hour response deadline, it’s useful to use a couple of scenarios to help us to understand the real importance of having access to effective breach response services and where a cyber insurance policy can help out.
Scenario one is a firm that has a data breach, a non-existent or ineffective breach response plan and no relationship with breach response service providers. The firm suffers a breach and becomes aware of it late on a Friday afternoon (Fridays are a favourite with law firm hackers). The firm has 72 hours to inform the ICO and all of the data subjects affected by the breach.
It’s unlikely that the firm has the internal resources to cope with this process, so the first step is to identify people that can help. The response team will need to include:
• Data protection counsel with a detailed understanding of GDPR, to help the firm quickly understand both whether they need to notify data subjects and, if so, what should be contained within these notifications.
• Communications specialists who can deal with practical matters such as producing notifications for what could be thousands of data subjects affected by the breach.
• A call and e-mail handling centre to field potentially high volumes of client enquiries.
• A credit monitoring agency to provide credit monitoring for those individuals affected.
• PR expertise to help mitigate the reputational damage to the firm.
Having identified the response team, it's time to get in touch with them. If it's over the weekend, is that going to be possible? Once in touch, the firm needs to verify that the vendors have the capacity and expertise to perform their respective roles, comply with regulatory requirements and, of course, mitigate the reputational damage to the firm. Then it's down to negotiating terms. Bearing in mind that the firm has only a 72-hour window, it's going to be difficult to get the best deal when the vendors hold all the cards. Finally, after the response team is assembled, work can commence on notifying the regulator and the data subjects who have been affected. A tall order in 72 hours.
Scenario two is a firm that has suffered a data breach but has access to breach response services through a cyber insurance policy. The firm does not have to find vendors to provide essential response services, because all good cyber insurance policies will have a panel of experts ready and waiting to go. The firm notifies its insurer and the wheels are set in motion immediately. That seems a much more achievable goal within the 72-hour window.
Have the appropriate system controls in place. Make sure that you have the right culture within your firm to understand the importance of keeping data safe. Have a breach response plan in place, and look at cyber insurance as a means of helping you out should the worst occur.
About the Author
Chris Mallet has worked for Aon for over a decade. As Broking Manager, he specialises in understanding how the risks that small businesses face develop and change over time. Chris focuses on the emerging risks associated with cyber and data, and leads Aon's strategy in supporting SME clients to remain resilient against this ever-changing threat.
This article has been compiled using information available up to 14/09/22.
Whilst care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in this document.