Cybersecurity for solicitors

Cybersecurity is a critical issue facing all businesses. Cybercrime is getting more sophisticated so it’s important to protect your firm’s information and systems.

This guide looks at the security you should have in place to protect your critical assets from cybercrime. These assets will include:

  • data
  • networks
  • computers
  • mobiles and smart devices

Data must be processed securely to comply with the General Data Protection Regulation (GDPR).

Data breaches must be reported to the Information Commissioner’s Office within 72 hours of being discovered. Everyone in your firm should know how to do this.

You may want to consider cloud computing. This is where your data is stored on remote servers and accessed through the internet instead of your computer’s hard drive. These servers are managed by a third-party supplier, who’s also responsible for the security of the data it holds.

Find out what cover your professional indemnity insurance provides.

It’s unlikely it will be enough cover for cybercrime attacks, so you should understand the different types of cyber insurance and how to work out the right level of cover for your firm.

There are steps you can take to protect your firm from a cyberattack.

General safety

  • Use a firewall to secure your internet connection
  • Protect all devices with antivirus software
  • Keep IT systems up to date with regular patching
  • Encrypt mobile devices and install a system that can wipe them if they are lost
  • Back up important information regularly
  • Avoid giving out admin accounts (able to access other accounts and install software) or access to payment systems unless necessary

Review your assets

You should regularly review:

  • your financial and information assets (for example payment systems and IT equipment)
  • who has access to assets and how they are stored
  • your firm’s policy on cybersecurity, and who is appointed to oversee the policy

Introduce safety measures – for example, make sure there are clear processes and reporting lines across your firm for handling money.

Check regularly that your measures are working as expected.

Make a response plan

You may want to have a plan in place for what to do if there is a cyberattack. It can include:

  • who staff should alert if there is an attack
  • actions to take to stop the attack if it’s still happening
  • how to reduce damage afterwards 

Train your staff

Make sure your staff understand how to:

Staff should avoid:

  • changing payment details or making payments without thorough checks
  • opening email attachments without knowing who or where they’re from
  • connecting personal devices, for example memory sticks, to your network
  • downloading unsafe apps or browsing on unsafe sites

Get certified

Certification helps you and your practice demonstrate expertise to your clients.

Consider:

Reporting an attack

You can report an attack to:

Resources

Read more about reporting an attack

Cybersecurity Information Sharing Partnership (CiSP) run by the NCSC – discuss cybersecurity with peers and get alerts

National Cybersecurity Centre – small business guide: cybersecurity – how to improve cybersecurity within your organisation quickly, easily and at low cost

National Cybersecurity Centre – information security – good practice for information security

National Cybersecurity Centre – 10 steps to cybersecurity

Under the UK General Data Protection Regulation (GDPR) you must process personal data securely.

Personal data is information that can be used to identify people. All solicitors hold personal data.

You must protect personal data against:

  • unauthorised or unlawful processing
  • accidental loss
  • destruction
  • damage

You must consider data protection:

  • at the start of any processing activity
  • during the processing

Data processing

Systems that handle personal data must comply with data protection by design and default. We recommend following these principles for all data processing purposes.

Data protection by design

You must consider privacy and data protection issues at the design phase of any system and throughout data processing.

This could be, for example, when you:

  • develop new IT systems
  • use personal data for new purposes
  • create processes that may affect the privacy of data

Read more on data protection by design

Privacy enhancing technologies (PETs) can help you apply ‘data protection by design’ in your firm.

PETs protect privacy by minimising personal data use and maximising data security. They also empower data subjects by giving them the ability to manage and protect their personal data.

Read ENISA’s research reports on PETs

Read the Royal Society’s report on protecting privacy in practice (PDF 2.8 MB)

Data protection by default

To comply with the GDPR, you must only process data which is ‘necessary’ for your specific purpose.

Before the processing starts, data protection by default means you need to:

  • specify the data you’re using
  • tell the data subjects
  • only process the data you need for your purpose

You should also consider:

  • using a ‘privacy-first’ approach for system settings
  • giving data subjects enough choice and control over how their data is used
  • not processing additional personal data unless the data subject agrees
  • making sure personal data is not made publicly available unless the data subject agrees

Read more on data protection by default

Level of security

The level of security (or protection) you need for your data depends on the risks involved in your processing.

To understand the risks, you should review how valuable, sensitive or confidential the data is.

You should also consider:

  • risks with your firm’s computer systems
  • how many staff can access personal data
  • risks involved with personal data held or used by a processor acting on your behalf

Read more information on security

Security requirements

You must have an ‘appropriate’ level of security to protect data. To achieve this, you should follow the NCSC and the Information Commissioner’s Office (ICO) security outcomes.

The security outcomes should:

  • manage security risk
  • protect personal data against cyberattacks
  • identify security events
  • minimise the impact of a data breach

Reporting a personal data breach

After a cyber attack, you need to check if personal data has been lost. If it has, you may need to report the breach to the ICO.

You must report a personal data breach within 72 hours of first finding out – even if this is outside working hours.

Read about when to report a personal data breach

You may want to consider using cloud computing for your firm’s IT needs.

Cloud computing is the delivery of services (for example, storage and computing power) over the internet by a supplier.

Benefits of cloud computing

These include:

  • your data storage and handling capacity is increased
  • your IT infrastructure and support costs could be lower
  • your cloud capacity can be increased simply
  • you have access to your files anywhere, on any device
  • your software updates are completed by suppliers
  • your data is backed up

For these reasons, small to medium-sized firms in particular may benefit from using cloud computing services.

Risks of cloud computing

These include:

  • client data is at risk if the cloud is breached
  • if the cloud server is unavailable you will not be able to access your data
  • you may have less visibility and control of your data

Choosing a cloud supplier

To minimise risks, you may like to check your supplier:

  • is reputable and well-established
  • can comply with regulatory obligations, for example under the GDPR
  • is ISO 27001-accredited, the international standard for information security management
  • has security measures to protect data from hacking
  • encrypts data in storage and in use
  • has added security measures – for example, two-factor authentication, which is another method of confirming someone’s identity beyond a username and password

Cyber insurance covers your costs and losses if you experience a data breach or cyber attack. This can supplement your professional indemnity insurance (PII) cover.

Some insurers will ask about security in your firm as it may lower PII premiums. Your firm should already have appropriate security.

What PII covers

A standard compulsory minimum terms and conditions PII policy will cover you for civil liability and most third party cover.

However, it will not cover other risks linked to cyber incidents, such as:

  • reputational damage
  • costs of a forensics investigation
  • business interruption

What cyber insurance covers

Cyber insurance policies have different levels of coverage:

  • first party cover – damage caused to your firm
  • third party cover – damage caused to clients and others

First party cover

First party cover includes:

  • breach costs – for example, costs of getting experts to investigate the cause and scale of the breach
  • restoration costs – for example, costs of repairing damage to software and data caused by a hacker, such as removing malware
  • response management – for example, getting expert advice to help develop communication strategies to limit reputational damage
  • business interruption – for example, paying back fee income that would have been earned
  • costs relating to cyber threats – for example, paying ransom costs

Third party cover

Third party cover includes:

  • privacy protection – defence costs and settlements following legal action or investigation after a data breach, invasion of privacy or breach of confidentiality
  • media content liability – defence costs and settlements following legal action as a result of content on the firm’s website or social media

Risks not covered

Third party cover does not include theft from your firm’s office account by either third parties or employees. You would need to buy a policy with a crime insurance element to cover this.

Buying cyber insurance

Before you buy cyber insurance, you need to understand the potential threats to your firm and the level of risk you'll accept. You should create your own risk management process.

Assessing the risk

When assessing the risks your PII policy does not cover, you should consider:

  • how much sensitive information your firm holds
  • what the reputational damage would be if you experienced a data breach
  • if you would need expert help to identify and respond to a cyberattack
  • how well you could recover from an attack – the costs of restoring software and data, avoiding bad publicity and not losing fee income

Using a broker

You should discuss your firm’s insurance needs with a specialist broker who is an expert in cyber and crime policies.

Discuss removing unnecessary elements in the policy, such as cover for regulatory fines and penalties, that are already covered by your firm’s PII policy. This may lower your cyber insurance premiums.

Your broker should advise on issues relating to your cyber and PII policies, including:

  • if both will be triggered by a cyber attack
  • how coverage disputes can be avoided
  • how excesses will be dealt with
  • if there are any exclusions in the policy

Resources

Getting started with cyber insurance    
