Securing client data: Cybersecurity advice for law firms preparing for GDPR
9 August 2017
With less than 10 months to go until the General Data Protection Regulation (GDPR) officially comes into force firms should certainly be starting their preparations to ensure they meet compliance requirements as soon as possible – if they haven’t already begun.
The implementation of GDPR is likely to have far-reaching consequences, as it standardised data protection regulations across Europe and introduces strict financial penalties for those who do not comply – far greater than any which we have seen before. For law firms who are responsible for a wealth of sensitive client data, such as those who handle high net worth individuals or who share personal data with third parties under lasting powers of attorney, this is likely to be a challenging time as they strive to get ready for the new restrictions enforced by the GDPR.
However, GDPR is not just another tick-box exercise which can be set aside once compliance is achieved. Not only are there actions firms will need to carry out on a regular basis to ensure they remain in line with the regulations, there are also future risks to consider. The cyber security landscape is ever-changing and the risks are only increasing, as demonstrated by the global WannaCry and “Petya” attacks earlier this year. As GDPR further widens the definition of personal data and places an even greater monetary value upon it, this makes it an even more attractive target for cybercriminals and, by extension, potentially increases the risk of cyberattacks against law firms.
The future for law firms
You can certainly expect to see indemnity insurance premiums ramp up considerably, as potential compliance-related fines go from tens of thousands of pounds into potentially millions. The penalties for data breaches are going to be high, with fines for non-compliance reaching €20 million or 4% of global turnover, whichever is the greatest.
Traditionally firms may have tried to kept any data breaches under wraps, however now with GDPR they will have to report the breach to the Information Commissioner’s Office (ICO) or the relevant supervisory authority (for example if the breach occurred outside of the UK), as well as notifying those individuals who have been affected. Under GDPR firms must report the data breach within 72 hours of discovery, and failure to do so will lead to significant fines on top of any applicable fines for the breach. As data is often stolen during a breach this could have a significant reputational impact, along with compensation claims from those affected. Hackers could also use that stolen data to hold the firm to ransom.
GDPR will further fuel the rise of ransomware attacks as the impact to the target is now so much greater. Right now, and in the past, an attack was mainly an inconvenience for the majority of businesses, you typically reverted to the last backup. It would be painful but the damage was often contained. Now with the GDPR, the impact is now going to be higher as the party held to ransom will want more than just having their data returned to them, they will want to prevent that data from being leaked due to the potential fines. It’s common for those who create ransomware these days to build in “datanapping” technologies that steal information before locking a business out of their data. With the introduction of GDPR, you can be sure that “datanapping” will be just as effective as the traditional encryption payload incorporated into ransomware.
Phishing attacks are also likely to increase, and I would expect to see the complexity and sophistication of these attacks to increase, alongside the rise in ransomware. The potential earning for the fraudsters has now begun a “global arms race”. Initially attacks have been widespread and not necessarily focused on the legal market, however, a number of significant breaches alongside the resistance to invest in appropriate security solutions by large swathes of small and mid-market firms will make these organisations an attractive target.
The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied and signed off. In reality, many firms will need to invest in improving their security systems, alongside ensuring they are compliant with GDPR. This is completely essential and cannot be ignored, some firms are simply fortunate that they haven’t been breached. At the end of the day if there is a risk of burglaries in your neighbourhood it makes sense to put in an alarm.
Robert Rutherford, CEO of QuoStar