It should not be surprising that organisations in the legal industry face cyber threats on a regular basis, given the importance of the information they maintain. Safeguarding intellectual property, financial information, and your firm’s reputation is a crucial part of business strategy for legal firms.
Cyber threats in the Legal industry
Cyber-attacks are a threat to all businesses today and law firms are particularly attractive sources of information, driven by a perception that the industry’s attempts to address security measures still lag behind other professional sectors.
The so-called “Panama Papers” hit the headlines earlier this year, as the theft of approximately 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca led to the resignation of one international leader and threatened the fates of several more.
A Wall Street Journal (WSJ) article reported that hackers illegally accessed the computer networks at some of the most respected and prestigious law firms in the United States, apparently for the purpose of stealing confidential information that in turn can facilitate insider trading.
The Solicitors Regulation Authority (SRA) is one of the regulatory bodies in the UK that regulate solicitors and law firms in England and Wales. The SRA’s handbook provides a set of principles and a code of conduct for those it regulates, and they have to abide by them in order to provide legal services.
Under Principle 10 in the handbook, regulated firms have a responsibility to ‘protect client money and assets’. Cybercrime presents a significant risk to clients and their assets, including information and money. As a result, cybercrime also presents a risk to Outcome 4.1, which requires that law firms ‘keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents’.
The new EU data protection framework has finally been adopted: the General Data Protection Regulation (GDPR) will replace the current Directive, although it will not apply until 25 May 2018. However, it contains some onerous obligations, such as:
- Data controllers must notify most data breaches to the DPA. This must be done without undue delay and, where feasible, within 72 hours of awareness.
- The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million.
With such significant fines coming through, companies of all shapes and sizes will tend to sit up and listen, and it’s not so surprising to see that many law firms have started to adopt data security standards like ISO27001.