In October 2017, the leading international firm Appleby admitted that in 2016 it had been the victim of a cyber-security breach, which led to the Paradise Papers scandal. The firm, which advises corporations, high-net-worth individuals and families on wealth protection, stated that clients, which include some FTSE 100 companies, may have had some of their financial details leaked.
The huge batch of leaked documents was passed to German newspaper Süddeutsche Zeitung and then shared with the International Consortium of Investigative Journalists (ICIJ). Panorama led research for the BBC as part of a global investigation involving nearly 100 other media organisations, including the Guardian, in 67 countries.
The Guardian and the BBC announced yesterday that Appleby had taken legal action against them over their reporting of the leaked documents, some of which shared the details of offshore tax-avoidance schemes.
With the General Data Protection Regulation (GDPR) coming into force in five months’ time, it is crucial that law firms understand the risks of cyber-security breaches and take steps to avoid occurrences such as the one that struck Appleby in 2016. Under the GDPR, penalties will potentially be crippling, with a maximum fine of €20 million or 4% of a corporation’s international turnover.
Why do cyber-criminals target law firms?
Law firms are desirable targets for cyber-criminals because, as the notorious US outlaw Willie Sutton famously quipped when asked why he robbed banks, “that’s where the money is.”
Multi-nationals dealing with large M&A work and luxury property are a goldmine for hackers. However, even high-street firms dealing with residential property and small business sales can net a criminal network tens or even hundreds of thousands of pounds in one transaction.
Both large and small firms are being targeted: from Mossack Fonseca, whose breach led to the publication of the Panama Papers, to DLA Piper, which suffered a devastating ransomware attack that left the firm unable to access its own data. Astonishingly, 62% of UK law firms reported that they had suffered a cyber-security incident last year, up from 45% in 2015. The most common form of incident is email ‘phishing’, whereby attackers attempt to intercept a transaction in order to get hold of a client’s money.
Protecting your firm from a cyber-security breach
There are several ways law firms can strengthen their defences against a cyber-attack. These include:
- Understand the compliance requirements under the GDPR, ensure data is centralised and appoint a Data Protection Officer.
- Invest in professional advice. A consultant can review your IT policies and procedures, identify any weaknesses in your security systems and put in place a plan to fortify them. They can also put in place systems to protect entry points such as web applications and servers.
- Make sure your defences, including firewalls and internet gateways, are rigorously maintained to prevent access to malicious websites and internet malware.
- Encrypt data that is stored on hard drives or USB drives.
- Train all members of staff on cyber-security and the risks of an attack occurring. Make sure employees change their passwords frequently, and cut their access as soon as they leave the organisation. A data breach or cyber-attack can be the result of an inside job, as supermarket giant Morrisons recently discovered: a disgruntled former staff member leaked the payroll data of almost 100,000 employees. Personal details, including names, addresses and bank account details, were all revealed online. Andrew Skelton, who was jailed for the incident, apparently held a grudge against his employer after being accused of dealing in “legal highs” at work.
As 2017 draws to a close, law firms must commit more resources to cyber-security and data protection. There is little doubt that many practices are unprepared for the GDPR (all organisations which deal with personal data must be compliant before the regulation comes into force in May 2018). In addition, criminal gangs using malware, and subsets such as ransomware, to attack professional bodies will become smarter and faster at homing in on high-value transactions. Investing in cyber-security is no longer a ‘nice-to-have’; it is an essential element of good practice management and survival.
We have been helping legal professionals with professional disciplinary and regulatory hearings for over 20 years. If you have any questions relating to GDPR compliance, please call us on 0151 909 2380 or complete our Free Online Enquiry and I will soon be in touch.