Cyber-security advice for law firms preparing for GDPR
August 9th, 2017
With less than 10 months to go until the General Data Protection Regulation (GDPR) officially comes into force firms should certainly be starting their preparations to ensure they meet compliance requirements as soon as possible – if they haven’t already begun.
The implementation of GDPR is likely to have far-reaching consequences. It will standardise data protection regulations across Europe and introduce strict financial penalties for those who do not comply. Far greater than any which we have seen before. For law firms who are responsible for a wealth of sensitive client data, such as those who handle high net worth individuals or who share personal data with third parties under lasting powers of attorney, this is likely to be a challenging time as they strive to get ready for the new restrictions enforced by the GDPR.
However, GDPR is not just another tick-box exercise which can be set aside once compliance is achieved. Not only are there actions firms will need to carry out regularly to ensure they remain in line, there are also future risks to consider. The cyber security landscape is ever-changing and the risks are only increasing, as demonstrated by the global WannaCry and “Petya” attacks earlier this year. As GDPR further widens the definition of personal data and places an even greater monetary value upon it, this makes it an even more attractive target for cybercriminals and, by extension, potentially increases the risk of cyberattacks against law firms.
The future for law firms
You can certainly expect to see indemnity insurance premiums ramp up considerably, as potential compliance-related fines go from tens of thousands of pounds into potentially millions. The penalties for data breaches are going to be high. Fines for non-compliance will reach €20 million or 4% of global turnover, whichever is greater.
Traditionally firms may have tried to kept any data breaches under wraps, however now with GDPR they will have to report the breach to the Information Commissioner’s Office (ICO) or the relevant supervisory authority (for example if the breach occurred outside of the UK), as well as notifying those individuals who have been affected. Under GDPR firms must report the data breach within 72 hours of discovery, and failure to do so will lead to significant fines on top of any applicable fines for the breach. As data is often stolen during a breach this could have a significant reputational impact, along with compensation claims from those affected. Hackers could also use that stolen data to hold the firm to ransom.
GDPR will further fuel the rise of ransomware attacks as the impact to the target is now so much greater. Right now, and previously, attacks were mainly an inconvenience for the majority, you typically reverted to the last backup. It would be painful but the damage was often contained. With the GDPR, the impact will be higher as the party held to ransom will want more than just the return of their data. They will want to prevent that data from being leaked due to the potential fines. It’s common for ransomware creators to now build in “datanapping” technologies that steal information before locking a business out. With the introduction of GDPR, “datanapping” will be just as effective as the traditional encryption payload incorporated into ransomware.
Phishing attacks are also likely to increase. I would expect to see the complexity and sophistication of these attacks to increase, alongside the rise in ransomware. The potential earning for the fraudsters has now begun a “global arms race”. Initially, attacks have been widespread and not necessarily focused on the legal market. However, a number of significant breaches alongside their reluctance to invest in appropriate security by large swathes of small and mid-market firms will make these organisations an attractive target.
The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied. In reality, many firms will need to invest in improving their security systems, alongside ensuring they are compliant with GDPR. This is completely essential and cannot be ignored, some firms are simply fortunate that they haven’t been breached. At the end of the day if there is a risk of burglaries it makes sense to put in an alarm.
Robert Rutherford, CEO of QuoStar
Why do companies need to control internet access?
How can employees’ internet usage put your business at risk? 1. Security risks An employee browsing potentially dangerous websites without control can open your business to an array of security risks, such as viruses, trojans, spyware – the list goes on. This is because non-work related websites are a major feed of dangerous exploits into […]
In the press: Stay safe – Cybercrime in conveyancing
Robert Rutherford, CEO of QuoStar, and Nigel Smith, Managing Partner of Ellis Jones, outline how to protect both firms and clients from scam emails during conveyancing. “The rise in targeted email attacks against solicitors and their clients continues to dominate the headlines, with one couple recently losing a £45,000 deposit after succumbing to an email from a […]
FAQ: What is Cyber Essentials?
Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations. What are the certification levels? There […]