First appeared in the January 2019 Issue of the Legal Compliance Bulletin.
“Not a week goes by without some organisation disclosing that it has suffered a data breach (or as we call it ‘a data incident’), but what should law firms be doing about this growing twenty-first century hazard?”
While some of the most recent incidents have impacted global brand organisations, there are plenty of examples of law firms having been subject to some form of data incident, whether as a result of an internal failure or an external attack.
The National Cyber Security Centre, in conjunction with the Law Society, published a report in 2018 entitled ‘The cyber threat to UK legal sector’. The report is intended to help law firms understand current cyber security threats and the extent to which the legal sector is being targeted. It also offers practical advice on how law firms can protect themselves. The report in its executive summary states that:
‘… in common with many other industries, the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers’ law firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014’.
The report also goes on to say that:
‘… the primary threat to the UK legal sector stems from cyber criminals with a financial motive. However, national states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage. There has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends.’
As law firms hold so much valuable data, whether client corporate plans, client intellectual property or client relationship information, it is not surprising that they are seen as targets: they may be easier to infiltrate than their clients, who may have invested significantly more effort in the strategies and technology that prevent data breaches.
The Data Protection Act 2018 and guidance from the Information Commissioner’s Office (ICO) define a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.’ This means that a breach is about more than just losing personal data.
The guidance from the ICO goes on to indicate that ‘there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed’.
There are, of course, data incidents that are primarily a result of the inadvertent disclosure of trade secrets and business information, but inevitably even those incidents will trigger a concern around a personal data breach.
In preventing data incidents, typically the focus is on either internal threats or external threats.
Internal threats can be anything from ‘operator error’, where an individual mistakenly allows data to be compromised, to an employee going ‘rogue’ and deliberately compromising personal data. The recent Morrisons case is an example of where a rogue employee committed a criminal act in unlawfully accessing the personal data of thousands of employees and uploading it to the web, but it is the employer Morrisons that is left primarily liable for the act of the employee, as well as the damages that may be awarded to the distressed staff.
Other examples of an internal threat are the creation of an incident as a result of inappropriate use of devices in the workplace, or postings to social media by staff, as well as breaches caused by third-party contractors or vendors.
External threats range from cyber criminals seeking to extort ransom payments through ransomware attacks, to politically motivated hackers carrying out distributed denial of service attacks or similar infiltrations. In addition, some nation-state sponsored attacks are primarily aimed at acquiring intellectual property and trade secrets, but in the course of such an attack also trigger a personal data breach. Finally, the growth in cloud and other network solutions can itself be a source of external threat, since it places data and access paths outside the firm’s direct control.
The guidance from the ICO indicates that personal data breaches can include:
- access by an unauthorised party
- deliberate or accidental action (or inaction) by a controller or a processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data
Recital 87 of the General Data Protection Regulation makes it clear that, when a security incident takes place, the law firm should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
In order to prevent data breaches, law firms should address a number of security issues, the first of which is computer security. Examples of good computer security practices are:
- installing a firewall and virus checking on computers
- making sure that your operating system is set up to receive automatic updates
- protecting your computers by downloading the latest patches or security updates to address known vulnerabilities
- only allowing your staff access to the information they need to do their job and not letting them share passwords
- encrypting any personal data held electronically that would cause damage or distress if it were lost or stolen
- taking regular backups of information on your computer system and keeping them in a separate place so that if you lose your computers you do not lose the information
- securely removing all personal data before disposing of old computers
- installing anti-spyware tools
Another security issue is in respect of the use of email. You should consider the following issues:
- whether the content of an email should be encrypted or password protected
- whether auto-completion is switched on when recipients’ names are typed, since email software may suggest similar addresses previously used – be sure to check that the right address has been selected before clicking ‘send’, in order to avoid sending personal data to the incorrect recipient
- when emailing multiple recipients, in order to prevent revealing addresses to others, make sure you use blind carbon copy (bcc)
- when using a group email address, make sure you are not sending confidential information and/or personal data to those not entitled to see it
Electronic communications aside, you should also consider the security of manual personal data. Remember that manual data is still personal data if it identifies a living individual, and therefore every law firm should put in place protocols to ensure that paper data is securely disposed of, not left in public places and appropriately shredded when no longer required.
Policies and protocols are of little value if you do not make your staff aware of them and train them appropriately. Therefore you should train your staff:
- to know what is expected of them
- to be wary of people who may try to trick them into giving out personal data
- to be aware that they can be held to account if they deliberately compromise personal data
- to use strong passwords and to change them on a regular basis
- to appreciate that emails may not always be from the person they think is sending them and understand the risks of phishing and malware
- never to open spam – not even to unsubscribe or ask for no mailings
- to be wary of invitations to connect on social media where this may be the start of ‘social engineering’, by which cyber criminals seek to ingratiate themselves with members of staff with a long-term view to subsequently targeting that member of staff to induce them to disclose confidential information and/or personal data
Even with the best plans in place a data breach will happen; it is, as many commentators have said, ‘a question of not if, but when’. The guidance from the ICO confirms that there is a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority and that, where feasible, this must be done within 72 hours of becoming aware of the breach.
Not all breaches require notification to the ICO and there will be a need to rapidly assess the severity of a breach or its likelihood to cause harm. If the breach is likely to result in a high risk of adversely affecting individuals’ rights or freedoms then those individuals must be informed without undue delay.
It is therefore essential to put in place an incident response plan to set out the steps to be taken if a data incident is reported.
You must agree a core team (a rapid reaction task force) that will have overall control of the data incident management and also consider a response team which may assist the core team in the investigation following an incident. The core team needs to involve the head of legal, as well as the relevant compliance officer and the information security officer, as a minimum.