The terms cyberattack and cyber-breach are often used interchangeably – but the two are actually quite different.
- A cyberattack involves someone gaining unauthorised access to a protected computer/IT system. It is caused by people with malicious intent who are cracking into a firm’s systems in ways that cause problems.
- A cyber-breach is a broader category, indicating any spill of confidential data, including those that happen by accident and without malicious intent, such as a mistake, negligence, or some other unintentional cause.
Here are some of the potential consequences of a cybersecurity breach:
Firm funds could be stolen and loss of income could result from inability to operate, failure to complete client work or business deals, reduction in productivity, staff downtime, increased insurance premiums and the cost of attempting to recover lost information, equipment or data.
Clients expect their solicitor to operate in a safe and secure environment, and expect high standards. A security breach will cause reputational damage and could result in loss of existing and potential clients.
The Data Protection Act 1998 requires appropriate technical and organisational security measures to be applied to protect data from which individuals can be identified. If steps have not been taken to prevent a cybersecurity breach, liability for breaching this legislation can result in fines of up to £500,000, enforcement notices, or an investigation by the data protection regulator, the Information Commissioner's Office. From 25 May 2018, a new data protection law will put in place higher standards to protect security of data and higher fines for breaches.
Solicitors working under panel appointments, for example with banks or public bodies, may find themselves in breach of contract and potentially liable to indemnify their clients if a security breach results in a data loss.
Protection of confidential information is a fundamental feature of a solicitor’s relationship with clients under the Law Society’s practice rules and Standards of Conduct. Failure to introduce satisfactory security measures could be seen as a breach of this obligation and lead to a finding of misconduct.