Cyber-security advice for law firms preparing for GDPR
Last updated on April 15th, 2020
With less than 10 months to go until the General Data Protection Regulation (GDPR) officially comes into force, firms should certainly be starting their preparations to ensure they meet compliance requirements as soon as possible, if they haven’t already begun.
The implementation of GDPR is likely to have far-reaching consequences. It will standardise data protection regulations across Europe and introduce strict financial penalties for those who do not comply, far greater than any we have seen before. For law firms, which are responsible for a wealth of sensitive client data, such as those who act for high net worth individuals or who share personal data with third parties under lasting powers of attorney, this is likely to be a challenging time as they strive to get ready for the new restrictions enforced by the GDPR.
However, GDPR is not just another tick-box exercise which can be set aside once compliance is achieved. Not only are there actions firms will need to carry out regularly to ensure they remain in line, there are also future risks to consider. The cyber security landscape is ever-changing and the risks are only increasing, as demonstrated by the global WannaCry and “Petya” attacks earlier this year. As GDPR further widens the definition of personal data and places an even greater monetary value upon it, personal data becomes an even more attractive target for cybercriminals and, by extension, the risk of cyberattacks against law firms potentially increases.
The future for law firms
You can certainly expect to see indemnity insurance premiums ramp up considerably, as potential compliance-related fines go from tens of thousands of pounds into potentially millions. The penalties for data breaches are going to be high. Fines for non-compliance will reach €20 million or 4% of global turnover, whichever is greater.
Traditionally, firms may have tried to keep any data breaches under wraps; however, with GDPR they will have to report the breach to the Information Commissioner’s Office (ICO) or the relevant supervisory authority (for example, if the breach occurred outside of the UK), as well as notifying those individuals who have been affected. Under GDPR firms must report the data breach within 72 hours of discovery, and failure to do so will lead to significant fines on top of any applicable fines for the breach. As data is often stolen during a breach, this could have a significant reputational impact, along with compensation claims from those affected. Hackers could also use that stolen data to hold the firm to ransom.
GDPR will further fuel the rise of ransomware attacks, as the impact on the target is now so much greater. Until now, attacks were mainly an inconvenience for the majority: you typically reverted to the last backup. It would be painful, but the damage was often contained. With the GDPR, the impact will be higher, as the party held to ransom will want more than just the return of their data. They will want to prevent that data from being leaked, because of the potential fines. It’s now common for ransomware creators to build in “datanapping” capabilities that steal information before locking a business out. With the introduction of GDPR, “datanapping” will be just as effective as the traditional encryption payload incorporated into ransomware.
Phishing attacks are also likely to increase. I would expect the complexity and sophistication of these attacks to grow, alongside the rise in ransomware. The potential earnings for fraudsters have now started a “global arms race”. Initially, attacks have been widespread and not necessarily focused on the legal market. However, a number of significant breaches, alongside the reluctance of large swathes of small and mid-market firms to invest in appropriate security, will make these organisations an attractive target.
The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied. In reality, many firms will need to invest in improving their security systems, alongside ensuring they are compliant with GDPR. This is essential and cannot be ignored; some firms are simply fortunate that they haven’t been breached. At the end of the day, if there is a risk of burglaries it makes sense to put in an alarm.
Robert Rutherford, CEO of QuoStar