How can you protect your firm from a data breach? We ask Peter Wright, managing director of DigitalLawUK, about the latest trends in cyber and IT security risk in a post-GDPR world.
What have been the biggest cyber trends in last six months?
Cybersecurity got overlooked a bit in the run-up to the GDPR, I think. Of course, cybersecurity can apply to any sort of data, not just personal. In all the noise, people overlooked the fact that cybersecurity continues as a threat.
The recent Dixons data breach, which could be the biggest breach so far in the UK, typifies that large-scale breaches will continue, and firms need to be taking all reasonable and necessary steps.
A lot of law firms think they are too small to be attacked. This comes from a misconception of the risks: a malware or ransomware attack, for example, is totally indiscriminate and just looks for a weak system regardless of size.
Firms often see corrective actions as too complex, disproportionate or costing too much. But often, you only need to take simple measures, which don't have to be expensive or cumbersome. Basic steps, such as a risk register, allow you to track any risks and deal with them effectively. This could be through regular training, setting standards when dealing with your data, and ensuring you and your staff follow good practice.
An intern or paralegal breaching the rules because they haven't received the training isn't an excuse. No matter who it is, you need to make sure that cyber best practice is included in their induction programme. At the same time as briefing new staff on the basics of money laundering or confidentiality, you should also cover your cybersecurity standards.
If law firms aren't yet compliant with the GDPR, what should they be prioritising?
Law firms need to take steps to be able to produce evidence that they comply with as much of the GDPR as they can. If the worst happens, and there is a data protection breach that must be reported to the ICO, you will want to supply as much evidence of compliance as possible: risk registers, for example, or minutes of board meetings in which risks were considered, detailing actions taken etc. If you decide you need a data protection officer - due to the volume or sensitivity of data you’ve processed, or if your firm has over 250 staff - then you should register their details with the ICO.
If nothing else, I would recommend you set up a data protection breach response plan. This will help ensure you can report a breach to both the regulator and data subject within the 72-hour deadline. Make sure you test your response plan and update it regularly. You don’t want to find when you come to use it, that half the people named in it have left your firm.
GDPR aside, what are the legal developments to look out for in the next six months?
A new Data Protection Act will be coming in this year. Currently caught up in the log-jam of Brexit legislation, this will incorporate the GDPR into UK law, so that the UK has a regulatory equivalent when we leave the EU. Therefore, it must be in place before March 2019.
There is also a draft ePrivacy Regulation to be aware of, which will be coming through from Europe. Originally supposed to come in simultaneously with the GDPR (which deals with personal data), the ePrivacy Regulation deals with communications generally. The directive it will replace originally came out in 2002 and was last updated in 2009. It is being updated in 2018 to reflect new developments in instant messaging, such as WhatsApp, Twitter and Facebook Messenger. I cannot see this happening before 2019, even 2020.
The new regulation will impact the security of firms using instant messaging (such as Telegram and WhatsApp) to speak with clients. Law firms may wish to discourage their clients from using such systems. Although encrypted, WhatsApp still has security issues – data is stored outside Europe – and GCHQ has warned it is open to exploitation.
The new ePrivacy Regulation will piggyback on the GDPR's enforcement mechanism, which means if you breach it you could be liable to fines of up to €20m (or four per cent of global turnover). This will make people sit up and take notice of what’s in the regulation, I believe, in the same way that the GDPR has achieved a new level of public consciousness around personal data protection.
Depending on the agreement that the UK eventually reaches with Europe, we could well still agree to accept e-privacy. Even if we are outside the EU, we will still need to abide by the ePrivacy Regulation’s requirements when exporting data there. This is important to bear in mind for law firms advising clients in Europe or handling clients' affairs in Europe.
What should law firms be doing right now in terms of cybersecurity, and what mistakes are they making?
Law firms need to think carefully about how they take instructions from clients, such as the email asking clients to confirm their account details or a transaction amount.
The problem for many firms is they may make these requests without thinking. You need to ensure all your staff are properly trained and that they know what the risks are, whether that’s spotting a phishing email on a Friday afternoon, or strange phone or email activity.
Asking your staff to take appropriate action must be accompanied by an open-door policy, however. You can no longer have the environment in a law firm where people are afraid to notify partners and management because they are worried about being shouted at. You must encourage people to flag concerns to an appropriate nominated person. Only through working collaboratively, and having the right rules and governance in place, are you dealing with cybersecurity risks as best as you can. An awful lot comes down to the right training and creating the right culture.
Law firms need to take the same measures as other sectors. When going into firms to assess compliance, my firm has seen a running pattern among long-term staff who have not received any data protection or cybersecurity training. There is a pattern in City firms too, where staff may be familiar with risks associated with the financial services industry, but do not know the risks connected with the legal sector, as their firm has not trained them.
Too many law firms offer no cyber training or try to do it too cheaply, providing only a quick online assessment. There is a free cybersecurity course, co-produced with ICAEW and HMRC, which is fantastic. It doesn’t have to be expensive, or overlong, but it must be more than a tick-box exercise. Your training should be specific to the legal profession; include a full online assessment so that you know your staff have understood; and point out the risks regarding people’s day-to-day roles, which for many law firms are conveyed through email and communicating with the client.
How has the nature of IT security risk changed over the last year?
Overall, due to the GDPR and large-scale data breaches being reported, people are more alive to the risks. People are also beginning to wake up to the factors that cause risks, for example the recent issue with TSB, where its data migration from an old, legacy system to a new system was flawed. TSB failed to carry out the proper privacy impact assessments before migrating data. If it had, it would have identified the risks and tackled them. Instead, the bank issued a press release praising the project’s success, only to find that thousands of customers were unable to access their financial data.
For any organisation reviewing its IT capabilities, considering privacy and confidentiality is paramount. This applies to personal, confidential and commercially sensitive data. You need to identify risks that could be exploited, such as legacy equipment or new vulnerabilities exposed during data migration. Regular testing and checking is integral.
Unfortunately, we often only hear about examples of poor practice. We need to get better at sharing those examples of good practice which are out there.