Peter Wright discusses the cybersecurity headlines for law firms as we reach the end of 2017, including ransomware attacks, the dangers of unsecured public wifi, and the countdown to D-day for the General Data Protection Regulation.
What has been the biggest cybersecurity trend over the last six months?
The prevalence of ransomware, which has highlighted how many large firms are running on very old versions of operating systems. The NHS attack via WannaCry was driven by the fact that many NHS trusts were using Windows XP (which is no longer supported) or old versions of Internet Explorer. The subsequent Petya ransomware attack affected some multinational law firms using different versions of operating systems in different countries.
Law firms are not particular targets – the nature of ransomware is indiscriminate – hackers are simply looking for systems that are not properly ‘patched’ and do not have the requisite security levels in place. Ransomware has always been a problem – it is just more prevalent and has had a higher profile this year.
I know of one large law firm that was taken down by the fact that the Microsoft update they downloaded – presumably arranged by their IT supplier – actually contained the ransomware itself. That took down their entire network. Their system was down for a few days and no one could log on or use their mobile devices.
Once they were up and running again, they found they could not regain full access to their precedent bank. They had all documents in PDF, but not Word, format, which meant that staff had to manually type everything out – clearly, a hugely inefficient use of their time. Firms need to update their risk registers to reflect possible risks like this from a cyber-attack on their systems.
What are the legal developments in this area that lawyers should be aware of?
We are rushing headlong towards the 25 May 2018 implementation date for the General Data Protection Regulation (GDPR). I know of some law firms who believe that they don't have to take any steps to prepare for it, or that it will not apply in some form to them. Wrong, in both cases – you must be able to demonstrate compliance to the Information Commissioner’s Office (ICO) and the Solicitors Regulation Authority (SRA) in the event of a breach, or if you are subject to an assessment by the ICO or an audit by the SRA. They will be looking at whether you are complying on a day-to-day basis.
Next year will also see a new UK Data Protection Act (DPA) which will incorporate GDPR into UK law. It is currently in bill stage and will become law in 2018. It will be UK law, regardless of Brexit, come 2019.
What do you need to do first if you have not yet started preparing for the GDPR?
The first step is to conduct a gap analysis to work out where the gaps and weak points are in your compliance. You can then put together a reasoned and proportionate compliance plan. There is no one-size-fits-all approach to GDPR; it will vary from organisation to organisation.
It’s important to note, however, that the ICO is not expecting firms to spend vast resources on complex technical compliance solutions. It is looking to see that reasonable and proportionate steps have been taken towards compliance. It does not want to find that you have done nothing or wilfully ignored the fact that GDPR is coming. Consequently, it is essential that firms are able to demonstrate meaningful compliance with GDPR in 2018.
What do you think law firms could be doing better in terms of cybersecurity?
Given that two-thirds of breaches are due to staff not understanding best practice, better cybersecurity training for employees is essential. This applies to all staff, including temps and new starters. Make sure cybersecurity forms part of their induction training, and bring them up to speed very quickly. Ignorance, such as ‘they only started six weeks ago and had not received their training yet’, is no excuse.
You don't need to spend a lot of money – your training needs to be reasonable and proportionate to your size. If you have only one office and/or a small staff, the ICO will not expect you to break the bank in terms of training, but it will look for evidence, such as minutes of meetings, or records of desk-side 1-2-1 instruction, assistance and guidance, to demonstrate that you have properly taken account of your cybersecurity risks. Even if you haven't closed off all risks, the fact that you have identified them and are working towards compliance will stand in your favour with the regulator.
Are there any particular risks in remote working?
People working away from the office must be very careful about which wifi network they use. If you are working in a cafe or other public place, do not use any unsecured wifi networks for any work-related activity, in particular if you are using personal devices for business-related tasks. If you are encouraging your staff to work remotely, give them a business device and a secure 4G connection so they can work on that network.
Further, ensure you have a separate guest wifi network for visitors to your firm that does not give them access to the whole network, and inadvertently to other staff business desktops, laptops, devices or servers.
What is on the horizon in 2018?
We will continue to see large businesses, especially in the US, being hacked – this autumn we have already seen large breaches at Uber and Equifax (a consumer credit reporting agency).
We will probably see the US-EU Privacy Shield come under threat – this is a mechanism that allows big organisations like Google and Facebook to store EU citizens' data on their servers. It may even end up collapsing under pressure from the European Court and the US Supreme Court. This could lead to problems in the storage of EU citizens' data in the US by the large US tech firms such as Facebook, Google and Amazon.
What should law firms be doing now?
Law firms need to ensure they are taking steps to comply with GDPR. If this does not happen, it could lead to enforcement action against them in the second half of 2018 if it is found that they have subsequently breached the new DPA.