In April this year, the Information Commissioner’s Office fined a law firm that suffered a cyberattack in which highly sensitive data was stolen. The investigation found that the law firm apparently failed to put the necessary measures in place to protect personal information held in the firm’s electronic records.
Perhaps most shockingly, the firm was only made aware of the incident after the National Crime Agency got in touch with them. You would think that incidents like this are rare, but the reality is different. The ICO found that between Q3 in 2023 and Q2 in 2024 the number of data breaches in the UK legal sector rose by almost 40%. The total number of breaches involved almost 8 million people or 12% of the UK population.
So maybe our most important professional obligation to our clients is to keep their information confidential.
They trust us to do that. They are entitled to expect it from us. Not only do clients expect it from us but regulators do too.
From recent data breaches such as Marks and Spencer and Jaguar Land Rover, we know that cybersecurity incidents do not discriminate between sectors or organisation size. As a regulated profession, what sets us apart is our commitment to protecting client data and advocating for their interests.
Virtually all client information is digitised, and legal professionals hold vast amounts of sensitive, confidential and valuable data. You hold your first meeting with the client in your offices, face to face, but you take notes of the meeting, type them up and put them in your digital filing system. Thereafter, almost all the exchanges with the client are digital (email, Word documents, PDFs, invoices, Teams meetings etc.). So it goes without saying that in order to protect their confidentiality, and meet your professional obligation, you need to use digital techniques – all the time.
Happily, you don’t need to become a ‘techie’ to achieve that. But you do need to master some basic concepts of ‘cybersecurity’. Your clients expect it, the Solicitors Regulation Authority expects it and so does the Information Commissioner because data protection law requires you to put suitable technical measures in place to keep personal data (a client’s personal information) confidential.
Interestingly, one of the first questions the ICO is likely to ask you in the event of a personal data breach (where someone has gained unauthorised access to some personal client information in your system) is 'do you have a cybersecurity standard certificate of some kind, Cyber Essentials, or ISO 27001, for example?'
If you can answer 'yes, we do' then you will have ticked an important box and dialled down the tension in a stressful situation. You will also have gone through a brief, but very important, process of understanding your own firm’s digital set-up. That’s to say your company’s email system, calendar, contacts list, working practices, storage system, devices you use (and don’t use), how you create, send and store documents and how you bill and receive payments. Your external assessors should have taken you through this.
They might talk to you about ‘phishing’ and ‘ransomware’, ‘multi-factor authentication’ and some other technical terms, but all you need to know is that not every external email is what it claims to be and that, whilst you might work in a small firm, you are still a target for hackers simply because you are part of the digital ecology. You use computers and the internet, so you are useful to criminals.
Even if criminals leave you alone (or if you’ve got some strong digital locks to keep them out), all communications need to be conducted carefully: every email sent to the right person (and no one else), and the information you keep managed properly (encrypted), with the ever-present risk of ‘unauthorised’ (accidental or otherwise) access kept front of mind.
You can also get trusted free advice from the National Cyber Security Centre, which has published its online Cyber Action Toolkit, aimed at those who don’t know where to start.
Confidentiality is critical, and nowadays it’s mainly digital.
Tim Heywood, partner at Gunnercooke, is a specialist in data protection and information law and a member of the Law Society’s Technology and Law Committee.