Depending on the nature of the scam and what is at risk, there are certain parties you should alert straight away to limit damage caused. These may include the police, your bank and your clients.
For more, see our advice on reporting scams.
Cybersecurity is the protection of networks, services and devices, and the data on them from theft or damage. Technology offers great opportunities for improving efficiency and cost savings, but technologies are vulnerable to attack. Cybersecurity is a critical issue for all businesses.
Phishing is the sending of untargeted, mass emails to many people in an attempt to obtain financial or other confidential information (including user names and passwords). This is usually done by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.
See our glossary of cybersecurity terms.
There are three steps to getting started with cybersecurity:
1. Appoint someone with the seniority, time and resources to lead your work on cybersecurity
2. Ensure that you have an up-to-date policy on cybersecurity
3. Undertake a cybersecurity risk assessment.
Your cybersecurity policy should reflect the needs and vulnerabilities of your system. A good starting point is to understand all of your IT assets, including your networks. You should review and document the kind of data you are storing, whether it is personal, non-personal, confidential, sensitive or public.
Consider the organisational and technical measures that need to be in place to maintain the operation of your systems and to protect the data they hold. Your cybersecurity policy should explain how you will maintain these protections over time by identifying priorities, allocating resources and personnel, testing and reviewing.
More detailed guidance, including template policies, is available in our Cybersecurity Toolkit.
As they often hold personal, critical business and commercially sensitive information, law firms are an attractive target for cyber-attacks. An NCSC study in 2016 suggested that 62 per cent of firms were the victim of a cyber-attack in the previous year.
From working with our members we know that firms have suffered significant losses from criminal attacks, particularly in relation to conveyancing transactions.
If you are 'hacked' it means that someone has gained unauthorised access to your computer systems, networks or data.
Law firms hold sensitive personal data and have obligations of confidentiality to their clients.
If you fail to maintain adequate technical and organisational measures to protect the personal data you hold, you could be in breach of your professional obligations, your regulatory obligations under the Data Protection Act and become liable to professional and regulatory sanctions, including fines. Your firm could also suffer severe reputational damage.
Effective cybersecurity training can help your staff mitigate the risks and effects of cybersecurity attacks and encourage more secure working practices.
A government cybersecurity survey states that small firms in particular could do more to train their staff. Only 22 per cent of employees in small firms had received cybersecurity training in the past 12 months, compared to 62 per cent of employees in large organisations.
Cybersecurity for Legal and Accountancy professionals is a free online course developed by the government as part of its National Cybersecurity Strategy with the support of both the Law Society and the Institute of Chartered Accountants in England and Wales.
In order to establish this you need to undertake a risk assessment.
According to the Data Protection Act 1998, the measures you take must ensure a level of security appropriate to:
- the harm that might result from a cybersecurity breach
- the nature of the data to be protected.
The cost of implementing readily available technological protections like encryption is not high. Such measures are likely to be appropriate where they would mitigate a security breach involving sensitive data which could cause serious harm.
See our cybersecurity services page to see products and services from the Law Society's trusted partners.
The General Data Protection Regulation (GDPR) is an EU regulation that will come into force in member states on 25 May 2018. It replaces the EU Data Protection Directive 95/46 which was transposed into UK law in the Data Protection Act 1998.
The government has said that the UK will implement the GDPR despite Brexit, and adoption of the regulations would appear to be necessary post-Brexit to ensure continuing cross-border flows of personal data.
The GDPR builds on the existing data protection framework established by the Directive but also imposes some stringent new requirements, including compulsory data breach notification.
The ICO has published guidance on the steps organisations should be taking now to prepare for the GDPR (PDF).
The main piece of legislation that you need to comply with is the Data Protection Act (DPA) 1998. This will be replaced by the EU General Data Protection Regulation from 25 May 2018.
The seventh data protection principle requires data controllers to take ‘appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
The Information Commissioner’s Office, the supervisory authority for the DPA, has published guidance on the seventh data protection principle.
It is imperative to inform your bank as soon as possible that funds have been stolen from your account. Put them on notice that you expect them to act quickly to stop the funds from being dissipated. They may act by notifying the recipient bank and asking that bank to stop the funds. Acting quickly could prevent the money being transferred out of the jurisdiction.
Find out more in our practice note on protecting your firm if you fall victim to a scam.
Your PII insurer will obtain information from you about the transaction and the funds stolen. They should then appoint a panel firm of solicitors to investigate the matter. If you have not heard from a panel firm within seven days of reporting the matter, you should contact your insurers.
Emails are not the most secure medium to send or receive bank account details and should be avoided if possible. The safest way is by seeing your client face-to-face. If this is not possible, obtain them by letter or fax. Where emails are necessary, encryption offers a greater level of security.
Encryption encodes data so that only authorised users can read it. Firms should consider whether encryption is an appropriate security measure for them. For more information see the Information Commissioner’s Office’s guide to encryption.
The Law Society offers a range of practical tips to protect your firm.
See our latest updates and advice on cybersecurity and scam prevention.