Targeted phishing emails and other online scams aimed at law firms are becoming ever more sophisticated. With the imminent arrival of the General Data Protection Regulation in May 2018, spotting the warning signs is more imperative than ever – and non-compliance is simply not an option, says Peter Wright
Phishing emails are fraudulent emails appearing to come from legitimate sources. They often direct you to a facsimile of a trusted website (like a bank’s) or entice you to open a legitimately-named attachment, or otherwise get you to divulge private information. This is then used by cybercriminals to commit identity theft.
Targeted phishing emails now look ever more genuine. You could receive an email that you think is from a client. It could be sophisticated enough to have an email signature with a contact phone number. The person at the other end will sound plausible. It's only when you do a little investigating that you realise that this isn't the usual contact number for the client. Only trust the verifiable contact information you have for the client on your own system. Don't simply go back to your last email and scroll down to the signature for contact details, as the email and the information could be fraudulent.
Don't assume that because an email is internal it is safe – I have heard of some firms' email account servers being compromised to the point where internal emails have been hijacked. If you receive a request that you were not expecting, it’s worth a walk to someone else’s desk just to double check the request is genuine. Better this than for a six-figure sum to vanish from your client account, which is precisely what has happened to many other law firms recently.
Criminals are now attempting cyberattacks through many different channels - phone, email, social media. I have heard of an accountancy firm in Europe who received an email from a purported client who said it wanted to buy a company that minute. Within two hours, the firm received a series of emails and phone calls from the 'client' reiterating its instructions. It was only when the actual client returned from holiday that the firm found out that it was a scam and hundreds of thousands of euros had been paid into a fake account and transferred away by the fraudsters.
If you receive instructions in this way, think like a journalist - they won't publish a story without two sources. If you receive major financial instructions by email, get your two stages of verification:
- call the client on your trusted contact number for them
- confirm their wishes to be sure you are speaking to the real person before going ahead.
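The advice above comes down to one rule: never take contact details or payment instructions from the email itself, compare them with the details your firm verified independently. The script below is an added example written for this article, not code from the author or the Law Society. It assumes the firm holds a trusted client directory (here a constructed dictionary) and checks an inbound instruction email against it: the sender domain must be a known client, the Reply-To must not point somewhere else, and any phone number in the signature must match the number on file. The sample email and phone numbers are constructed (the 020 7946 range is reserved for fiction).

```python
"""Pre-payment sanity checks on an inbound instruction email.

Added example, not from the original article. Assumes the firm keeps a trusted
client directory (constructed below) holding contact details verified at
onboarding, and compares the email's headers and signature against that record
rather than trusting the email.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory of verified client details, keyed by email domain.
# In a real firm this comes from the case-management system, never from a
# previous email.
TRUSTED_CLIENTS = {
    "example-client.co.uk": {
        "name": "Example Client Ltd",
        "phone": "+44 20 7946 0000",  # fictitious number range
    },
}

# Constructed sample message: a plausible signature, but the Reply-To address
# and the phone number do not match the verified record.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@example-client.co.uk>
Reply-To: Jane Doe <jane.doe@example-client-secure.com>
Subject: Urgent: completion funds today
Content-Type: text/plain; charset=utf-8

Please transfer the completion monies to the new account below today.

Jane Doe
Finance Director, Example Client Ltd
Tel: +44 20 7946 0999
"""

PHONE_RE = re.compile(r"\+?\d[\d\s\-()]{7,}\d")


def _digits(number: str) -> str:
    """Reduce a phone number to its digits so formatting differences don't matter."""
    return re.sub(r"\D", "", number)


def _domain(addr: str) -> str:
    """Extract the lower-cased domain from a header such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def callback_number(from_domain: str, directory=TRUSTED_CLIENTS):
    """The number to ring back on: always the directory's, never the email's."""
    record = directory.get(from_domain)
    return record["phone"] if record else None


def check_instruction_email(raw: str, directory=TRUSTED_CLIENTS) -> list[str]:
    """Return human-readable warnings; an empty list means nothing odd was found.

    A warning is a reason to fall back to the callback procedure, not a verdict
    that the email is fraudulent.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    from_domain = _domain(msg.get("From", ""))
    reply_header = msg.get("Reply-To")
    reply_domain = _domain(reply_header) if reply_header else from_domain

    record = directory.get(from_domain)
    if record is None:
        warnings.append(f"sender domain '{from_domain}' is not in the trusted client directory")
    if reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signature_phones = {_digits(p) for p in PHONE_RE.findall(text)}
    if record and signature_phones and _digits(record["phone"]) not in signature_phones:
        warnings.append("phone number in the email signature does not match the directory record")

    return warnings


if __name__ == "__main__":
    for line in check_instruction_email(SAMPLE_EMAIL) or ["no discrepancies found"]:
        print("-", line)
    print("call back on:", callback_number("example-client.co.uk"))
```

Run against the constructed sample it reports the Reply-To mismatch and the unfamiliar phone number; the second stage, the callback itself, is deliberately left to a person, the script only tells you which number to use.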
Make sure that whatever medium you are using to either store or transmit personal data - in particular, data relating to your clients - is secure and encrypted. Avoid free cloud-based systems like Dropbox or Google Drive to communicate with clients or receive confidential data. They are not secure or encrypted, and you are effectively in legal and regulatory breach by using them for client-related activity as their servers are based in the cloud and most likely in the United States.
Regulation is coming
There is an added imperative to take your data protection obligations seriously with the EU General Data Protection Regulation (GDPR) becoming law in the UK and across Europe in May 2018, which will continue to apply to all businesses exporting goods or services into the European Single Market, regardless of any future legal and regulatory settlement reached by the UK with
The GDPR has many major requirements. The biggest risk for law firms is the notification of a breach to the Information Commissioner's Office (ICO) within 72 hours. The ICO will want to
- what systems and information have been compromised
- that your firm has isolated the cyber attack so that data is no longer being compromised
- that you have worked out what personal data has been compromised and how
- what steps you are taking to
- how you will ensure it doesn't happen again.
I heard of one small, two-partner insolvency practice who had a breach recently. By the time it had spoken to its insurers, and the insurers had instructed their own solicitors and given their views on the notification and their concerns over conceding any issues around liability, almost three weeks had passed before it notified
72 hours may seem like a long time, but many firms don't know about a breach for weeks or even months after it has happened. My advice is to carry out a cybersecurity breach simulation, working out the necessary resources and lines of communication including who will be responsible for reporting the breach to your insurers, bank, clients, staff, or the police. A stakeholder delaying your report to the ICO could lead to regulatory action being taken against your firm.
If firms have not already begun work on achieving compliance with the GDPR, they will find it impossible to achieve full compliance by May 2018. At this point, it's a matter of working out how non-compliant you wish to be. You will have to cherry-pick what you can and cannot afford to comply with, and put the rest in place as quickly as possible.
UPDATED 10 May 2017: Following great discussion on social media this weekend, it is probably helpful to highlight that the risk from using cloud storage systems is in particular from using the free online versions – which the original post refers to.
Dropbox in particular is an interesting example. While it is true that they are one of the more secure free cloud storage solutions available, with some security features and encryption in place, the following should be considered from a regulatory compliance perspective:
- The free version of Dropbox does not allow for a choice of jurisdiction as to where user data is stored. This choice is available but is for paying business customers only
- The differentiation between the free version of Dropbox and the business version is an important one. The Terms and conditions of Use for the freely available versions of Dropbox state that:
IF YOU USE THE SERVICES FOR ANY COMMERCIAL, BUSINESS OR RESALE PURPOSES, DROPBOX AND ITS AFFILIATES, SUPPLIERS OR DISTRIBUTORS WILL HAVE NO LIABILITY TO YOU FOR ANY LOSS OF PROFIT, LOSS OF BUSINESS, BUSINESS INTERRUPTION OR LOSS OF BUSINESS OPPORTUNITY. DROPBOX AND ITS AFFILIATES ARE NOT RESPONSIBLE FOR THE CONDUCT, WHETHER ONLINE OR OFFLINE, OF ANY USERS OF THE SERVICES.
The UK is not a jurisdiction that makes this type of limitation of liability unlawful. And it makes it quite clear that they will not be held liable for losses from failing to keep your data secure. This will fall squarely on the user if the user is a business, like a law firm.
OTHER THAN FOR THE TYPES OF LIABILITY WE CANNOT LIMIT BY LAW (AS DESCRIBED IN THIS SECTION), WE LIMIT OUR LIABILITY TO YOU TO THE GREATER OF $20 USD OR 100% OF ANY AMOUNT YOU'VE PAID UNDER YOUR CURRENT SERVICE PLAN WITH DROPBOX.
- The leading case of a law firm facing action from the UK Information Commissioner remains ACS Law, where a law firm was penalised by the ICO for having used a cloud storage system designed for private users for business purposes. The ICO made it clear in issuing a monetary penalty notice that a law firm was held to a higher standard compared to other data controllers as it should have understood its responsibilities as a data controller, and as a result the amount of the fine was commensurately higher. Consequently where a law firm depends on a free or very low cost cloud service that is not intended for business use they could face regulatory action for any data protection breach from both the ICO and the SRA along with civil liabilities to any of the data subjects affected.
It should be emphasised that there is no issue with businesses that are paying a premium for the Dropbox business service and again, the original post referred only to the free version. Any business users should consider looking at Dropbox’s subscription services, which allow users to specify that data should remain in the European Economic Area, as well as requiring two-factor authentication on all accounts.
Furthermore, the issue here is not the use of Dropbox or other free cloud software in and of itself. It is more the use of such products in organisations without any internal governance, policies or procedures, such as where business-related files and data are being uploaded to the cloud by members of staff because it is convenient, without any awareness of the risks, such as CryptoLocker, the most common form of ransomware. I know of one law firm where a partner was using a free version of Dropbox to take instructions from a client and inadvertently found their system locked down with ransomware, requiring a full reset from their backup. Once they were back up and running, the same partner went back into Dropbox and compromised the system once again through not being aware of both the risks and indeed his own firm's data protection and cyber security policies, which would have required data to be scanned before uploading on to the system. A free version of Dropbox did not require downloaded documents to pass through the firm’s normal communication channels that had been set up to scan and detect viruses and other malware.
In order to ensure compliance, firms need to ensure that their data is kept securely and inside the EEA, preferably inside the UK for added post-Brexit certainty. One highly recommended option is a private encrypted cloud for the firm on its own servers, so that staff can enjoy all of the benefits of agile remote working without onerous security measures getting in the way of flexibility, while still maintaining a secure off-site backup that fits in with any disaster recovery plan.
The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyber attacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.