Protection of clients’ sensitive information is essential for solicitors working in the modern world, and managing cybersecurity threats is a vital part of this procedure.
As someone who took articles in Bolton in the 1980s, I have to admit that getting to grips with modern cybersecurity is something of a challenge. It’s hard to shake the idea it will involve someone disconcertingly youthful engaging in some form of wizardry with computers while charging me a rate that would make even a magic circle partner wince.
Yet with the steady stream of headlines about cyber-attacks and ‘Friday afternoon fraud’, there’s no doubt why cybersecurity matters.
Don’t get me wrong. I don’t lie awake at night worrying that there are nefarious cyber-terrorists eyeing up the crown jewel of the Bolton legal scene. This is about something much more basic, something that every solicitor will understand.
While every business today needs to protect itself from cybersecurity threats, as solicitors, we have an added duty – we must protect our clients.
Doing our best by them, and protecting the information that they entrust to us, is drilled into us from the start of our legal careers - it is intrinsic to our profession. It is a cornerstone of the trusted relationship we enjoy with our clients, without which our justice system could not operate.
So while every business must manage the risks to their business posed by cyber-attacks, we must include in our thinking the way a cyber-attack would also harm our clients. Our clients can always have the reassurance of the consumer protections that come with employing a solicitor – including comprehensive professional insurance when something goes wrong. However, we of course serve them best when we keep them, their information, and the funds we hold on their behalf safe in the first place.
Larger than each individual client is the confidence the public has in our profession. The public as a whole know that they can come to us and trust us, that we will protect their interests and their confidences. It is important that as a profession we live up to that trust, not just in our advice and our conduct, but also in how we run our businesses. By taking issues like cybersecurity seriously, we ensure we remain worthy of the high trust and confidence the public place in us every day.
That is why I see cybersecurity as part of my duties as a professional. It is why the Law Society puts so much focus on cybersecurity - ensuring that solicitors have the resources, the guidance, and the partnerships they need to keep safe. It is why we must get better at talking about cybersecurity.
No one wants to be the firm to put their hand up and admit that they got caught out. No one wants to admit that they fell victim to a scam - that doesn’t happen to smart people like us. We know that foreign princes do not need our help transferring millions of pounds out of their secret accounts, and would never respond to the misspelt offers of pharmaceutical products. Our passwords are secure - none of this ‘password123’ business from us.
Yet somehow we are still getting caught out. In this, we are no different to every other business - and more akin to those who also handle large amounts of information and funds, such as banks. We must be willing to talk about it, to learn from our mistakes, and to seek out the professional assistance we need.
These conversations are already starting. I know our Relationship Management team reports that cybersecurity is one of the top topics raised with them as they meet with solicitors throughout the country. Peter Wright and our Technology and Law Reference Group churn out a steady stream of advice, guidance and assistance for the profession. And of course Gazette features such as this serve to put information about the latest tools, threats and tactics before the profession.
These are important conversations we are having. It is a topic that might seem imposing, but which we must confront. Just as we owe, and as a profession routinely deliver, our clients our best endeavours in the service we give them, we owe them no less when it comes to keeping ourselves and our firms safe from online threats and fraud.
Are you on top of your data protection compliance?
With fewer than 200 working days to go until the implementation of the European General Data Protection Regulation across the European Union on 25 May 2018, it is now essential for law firms to be on top of their data protection compliance, and that includes ensuring that all reasonable and proportionate steps are taken to protect personal data, including client information and HR records, from a possible cyber-attack.
The high-profile ‘Wannacry’ and ‘Petya’ ransomware attacks, which affected many organisations large and small, including law firms, illustrated how easily systems can be breached. Under the regulatory requirements of GDPR, firms that fell victim could have been liable for a fine of up to 20 million euro if their systems were compromised through something comparatively avoidable, such as using an older operating system, like Windows XP, that is no longer supported by and receiving updates from the manufacturer.
I know that GDPR is providing the impetus in many organisations to move towards legal and regulatory compliance around cybersecurity issues, as the risks now include not just the damage to professional reputation and possible regulatory action from the SRA and ICO, but much greater regulatory fines and possible civil legal action from affected parties. Cybersecurity has been a growing and persistent problem for many years, but GDPR and the ransomware attacks have forced it onto the agenda for many board meetings. Those responsible for regulatory compliance are now working closely with IT, HR and marketing colleagues to accurately map where personal data is stored across an organisation, to identify the risks and weak points, and to work together to implement not just the right technical solutions in terms of secure IT systems and threat detection, but also to update and enforce new internal governance policies around the storage, use and transmission of data, and to make sure that all staff receive the right training on the use of personal data.
Staff are often overlooked in this regard, and training is the first area to receive cutbacks, when in reality staff need to be alive to the risks of transmitting personal data like a client’s bank account details, as well as being aware of the risks from fraud - including phishing emails - and being able to ensure that their firm does not get enmeshed in a sophisticated online scam.
If staff don’t receive the right training and don’t have the right tools to help them, your best line of defence will be unable to guard your organisation as effectively as it could, and the risks from a cyber-attack and the ensuing regulatory investigation and possible enforcement action will be commensurately far higher.
Over the course of the last year I have spoken at Law Society Conferences & Events to solicitors from across the City and the regions, from a diverse range of firms and practice areas and from in-house to local government disciplines. Many have either had personal experience of a cyber-attack or know a colleague who has had to deal with one affecting their work, their firm and their clients. Many have been to cybercrime seminars where a frequent refrain is that ‘the profession is drowning and all we are being told is what the water looks like’.
With GDPR compliance looming, now is the time to make sure your firm or organisation is not floating in the ocean but is in a life raft or preferably back onboard the ship, and I hope that by taking a look at this cybersecurity supplement it will act as a life preserver at the very least!
Peter Wright is chair of the Law Society’s Technology and Law Reference Group, and founder and managing director of DigitalLawUK