According to a recent article in The Lawyer following a cyber attack on a leading city law firm, concerns have mounted that hackers looking to steal sensitive data view law firms as the ‘soft underbelly’. In other words, legal professionals are an easy target.
How can this be? Surely the confidential nature of everything passing between a fiduciary and their principal warrants procedural and technological safeguards for client information that match the weight we give legal professional privilege? So you would think, but from my own experience, and on many client visits, I regularly come across evidence that the opposite is true for a worrying number of solicitors. It is becoming more important than ever that the legal profession sits up and takes notice of what is happening.
Solicitors investigated for data breaches are being fined, sanctioned, named and shamed, fined again and seeing their reputations destroyed after Solicitors Regulation Authority and Information Commissioner’s Office investigations uncover weaknesses in their data protection frameworks, whether the root cause is human error or technology. The SRA takes action not only where a cyber-attack has occurred, but also where a solicitor simply fails to demonstrate that adequate systems are in place to protect client data. Meanwhile, cyber-attacks are on the increase, and the threat to both finances and careers is very real.
To put this threat into context: in April 2010 the ICO was granted the power to fine up to £500,000 for a single breach, and the Ministry of Justice has indicated that it will likely raise the amount the SRA can fine without a tribunal from £2,000 to £100,000. Last year the SRA’s Risk Outlook flagged data security, and ignorance of best practice, as a major concern. The Legal Ombudsman also has increased powers, as of 1st February 2013, to fine anything up to £50,000 for an upheld complaint, including complaints about mishandling or losing client data. A new EU Directive will soon be implemented, imposing greater obligations on all businesses to comply with data protection law and to apply appropriate policies and procedures.
LBS Legal is a specialist regulatory and compliance support company for firms and their staff. We regularly assist law firms under investigation by the SRA for matters including data protection breaches, and to date our success rate is 100%. I know from training clients that the main cause of data protection breaches is basic human error and, more importantly, that it is completely avoidable with simple checks and processes in place.
Alas, these simple errors tend to be symptoms of wider failures. Patterns of data mismanagement that have gone unnoticed for months or even years can all come to light at the moment a single breach is identified: a legacy of errors unfolds and a can of worms is opened, often under the unsympathetic gaze of the regulator. The good news is that it is relatively easy to fix, by educating staff on best practice and putting better procedures in place.
A particular problem in small to medium-sized legal practices is that partners are so busy with fee-earning work that they take their eyes off the ball, and a firm whose partners have done so is ever more likely to fall victim to a cyber-attack. If a hack leads to a breach of the Data Protection Act, they could face serious penalties.
Take the example of Andrew Crossley of ACS Law, who was threatened with a £200,000 fine by the ICO, reduced to £1,000 because the firm had ceased trading. Already under the spotlight for a speculative invoicing campaign, Mr Crossley saw the firm’s website suffer a denial-of-service attack, after which very sensitive personal data on around 6,000 people ended up published on the internet. The £200,000 fine would have been the second largest to date under the ICO’s new powers. Information Commissioner Christopher Graham said at the time: “The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”
Mr Crossley’s fall from grace highlights the vulnerability of firms that make do with minimal IT support. It is widely suspected that the attack on ACS Law was carried out by the controversial hacktivist group ‘Anonymous’, and it demonstrated to dramatic effect how simple it can be to steal and publish confidential information when the basics are not in place.
However, bear in mind that the most common cause of a data breach is simply sending an email to the wrong recipient, and the risk becomes a lot clearer and a lot closer to home. Other common causes are speculative attacker techniques such as blagging (obtaining information under a false pretext) and phishing, along with the old favourite, the Trojan horse. Attacker techniques evolve as we become wise to them, and the best way to protect ourselves is through knowledge and procedure.
Awareness of how to handle and protect data should be current and up to date for all members of staff, and data protection training counts towards CPD. I am amused by the obviously low expectations of some attendees as they arrive for a training course, because I know that by the end of the day they will have made the proverbial U-turn and will leave armed with knowledge, practical tips and the motivation to tighten up their framework.
The best data protection training combines the regulatory and legislative obligations that apply to every practice under the SRA Code of Conduct 2011 and the DPA, relates ICO guidance to the day-to-day work of a firm, and gives practical tips on client confidentiality and privacy from the perspective of data controllers, data subjects and data processors.
The biggest mistake a solicitor can make is to assume that the warnings do not apply to them. Ensure you do not become a statistic, or a stereotype.
Stephen Carris is Head of CPD Training at LBS Legal.