Data breaches are an unavoidable fact of life for all organisations, including law firms. It’s not a matter of ‘whether’ a firm will be breached, but ‘when’ it will be breached. The cyber threat to the UK legal sector is significant and, with the number of reported incidents on the rise, cyber security should be high on the agenda.
Law firms are an attractive target for cyber criminals because of the wealth of confidential information they hold. Although financial motives are common in cyber crime, increasingly there are strategic, economic, political and ideological factors at play.
According to the Solicitors Regulation Authority, more than £11 million of law firms’ clients’ money was stolen in 2016–17 as a result of cyber crime.
The reputational damage is also significant. Client confidentiality is a core value in the sector, so the loss of client data can have a devastating impact. If law firms don’t protect their highly sensitive client information, their entire practice may be put at risk.
Feeling the pain of a data breach
Data breaches and phishing are among the most significant cyber threats to law firms. Ponemon Institute’s 2018 Cost of Data Breach Study reveals that the global average cost of a data breach has increased 6.4% from the previous year to just over £3 million.
PwC’s Law Firms’ Survey 2017 states that 60% of law firms reported that they had suffered an information security incident in the last year.
Breaches under the GDPR
The EU General Data Protection Regulation (GDPR) applies to personal data, which is any information that can directly or indirectly identify a natural person, and can be in any format. It came into effect on 25 May 2018, and has been transposed into UK law through the Data Protection Act 2018.
The GDPR has attracted media interest due to the increased administrative fines for non-compliance. Besides the power to impose fines, the Information Commissioner’s Office (ICO) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.
To avoid the risk of a penalty due to non-compliance, all law firms should take the appropriate steps to become GDPR-compliant.
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Breaches can vary greatly in size, from a single person through to millions of individuals; they can involve hard copy or electronic information. They can be caused by a lost or stolen laptop, an email sent to the wrong people, unauthorised access to computer systems, or misplaced paperwork.
Even though the GDPR deadline has passed, 25 May marked the beginning and not the end. The Regulation requires organisations to demonstrate compliance with its data processing principles. This involves taking a risk-based approach to data protection, ensuring that appropriate policies and procedures are in place, and building a workplace culture of data privacy and security. Compliance is not optional.
Reporting a data breach
The GDPR requires all organisations to report certain types of personal data breach to the ICO within 72 hours of becoming aware of the breach.
Identifying the breach, who has been affected, how extensive it is and how it happened – all within 72 hours – is not easy, especially when firms want to use this time to fix the damage caused by the breach. However, with the right planning, preparation and resources in place, your firm will be well placed to respond.
With an increasing number of security incidents, information security is an important issue for all law firms to tackle. Risk management and business resilience frameworks can help firms to manage risk and respond appropriately when their security is breached.
Firms need to ensure they have adequate defences, with robust and well-tested crisis management and business continuity plans in place. Law firms need to be ready to respond appropriately to a security incident, contain the event and return to full operations as rapidly as possible.
The ability to prove GDPR compliance is critical, and a comprehensive and effective privacy compliance framework will provide evidence to support your compliance claims.
ISO 27001 certification helps you achieve GDPR compliance
Information security isn’t just a job for the IT department: it is the responsibility of all members of the firm, from partners to trainees, from administrative staff to cleaners. Everyone who comes into any contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach covering people, processes and technology, such as ISO 27001, comes in.
Certification to the international information security standard ISO 27001 can help your firm protect its confidential information. ISO 27001 is the accepted global benchmark for the effective management of information assets, enabling organisations to avoid costly penalties due to non-compliance with data protection requirements and financial losses due to data breaches. By following ISO 27001, you will be able to implement effective security measures based on the outcomes of a formal risk assessment and comply with the GDPR.
Keep calm and prepare for a data breach
When an organisation has been breached, there is often an air of panic and urgency. Without a proper plan in place, it’s a potential PR disaster. Firms should be preparing now to ensure that they have the roles, responsibilities and processes in place to respond to and recover from a data breach.
Develop a roadmap to help protect your firm from the financial penalties and losses associated with data breaches.
Paula Fagan is Sector Marketing Manager for Professional Services at IT Governance.