In depth: LAA cyber-attack - a year on

A year has passed since the Legal Aid Agency shut down systems required by law firms to log work and get paid after it became aware of a cyber-attack. This led to months of disruption for an already fragile sector.

‘It’s disgraceful that a year on from the data breach that left legal aid firms out of pocket, they still haven’t been compensated by the LAA,’ Law Society president Mark Evans fumed this week. ‘These firms play a key role ensuring everyone has the right to justice and for their voices to be heard, irrespective of their circumstances, such as assisting survivors of domestic abuse and representing people facing eviction and housing disrepair. No small business should be required to bear the burden of such major additional cost caused by the failings of a government department.’

That ‘additional cost’ for family law practice Beck Fitzgerald, which supports victims of domestic abuse, is in the region of £70,000-£80,000, co-founder Jenny Beck told the Gazette. A senior member of staff had to dedicate time every week to manage the payments process. Other staff lost time on additional administrative work, such as reapplying for legal aid certificates, making notes of certificates they granted themselves under temporary delegated powers and uploading applications once the LAA’s systems were restored.

Chancery Lane has repeatedly called for a bespoke compensation scheme. The matter was taken up by the House of Commons justice select committee, which told legal aid minister Sarah Sackman that the onus is on individual providers to seek compensation via the LAA’s complaints procedure. The agency would likely need to field hundreds if not thousands of similar claims.

Sackman replied that her department had worked closely with stakeholders to simplify processes, suspended audits to ease administrative pressures and continued to update guidance. ‘Our priority at present is working through the backlog of cases. We have no plans to set up a compensation scheme at this time,’ she said in February.

Where providers have incurred additional costs on individual cases, the LAA told the Gazette, these can be claimed in line with its costs assessment guidance.

However, Beck told a meeting of the All-party Parliamentary Group on Access to Justice last year – which Sackman attended – that the guidance treated claims for downtime or system sluggishness as office overheads, so the costs were not recoverable. ‘For a firm supporting 15 women fleeing domestic abuse in a single week, this equates to 30 additional hours of unrecoverable work. That time cannot be absorbed, meaning fewer vulnerable clients assisted.’

The LAA says it recognises the impact of the cyber-attack on legal aid providers and is ‘grateful for their continued collaboration’.

Bespoke compensation feels increasingly like a pipe dream, but lessons can still be learned. Following the cyber-attack, legal aid providers were granted ‘delegated powers’ to carry out certain functions to ensure continuity of service. Firms could amend legal aid certificates or instruct experts without having to seek permission from the LAA.

Beck said: ‘We were in a position where we were put, in a certain way, on trust. That trust was upheld. Those circumstances present us with an opportunity to operate in a different way with the LAA. One might have thought a high-trust model would result from these troubled times. That has not happened. We’re back to a situation where we have got to justify everything and get prior authority. The administrative burdens are back.’