[BreachExchange] Information security & the risks for the legal sector

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 12 19:35:02 EDT 2017


https://www.lexology.com/library/detail.aspx?g=2c2fc62a-1659-4eee-aad9-14cca80999d5

Information security is a substantial risk for the legal sector. Law firms
are an attractive target to cyber criminals due to the vast wealth of
personal and private information in their possession.

Cyber-attacks on UK law firms increased by a fifth between 2014 and 2016,
with nearly three quarters of the country’s top 100 targeted in 2015,
according to PwC’s 25th Annual Law Firms’ Survey.

Despite the increasing threat, and the potential financial and reputational
damage following a breach, a survey by online legal magazine, Legal Week,
found that only 35% of law firms had a response plan in place for
cyber-attacks. This is compared to 52% for non-legal professions.

With the European Union’s General Data Protection Regulation (GDPR) due to
come into force in May 2018, legal firms that fail to appropriately secure
personal data will face severe fines in the event of a breach. The
regulation could affect organisations throughout the world because it
applies to any company that handles the personal data of Europeans. The GDPR
defines a personal data breach as a breach of security leading to the
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data.

Fines imposed following a breach could be as much as 4% of a firm’s annual
global turnover or €20 million, whichever is greater.
Furthermore, should a firm be fined under the GDPR, it is also likely to face
personal litigation from the individuals whose data was lost. The total cost
of a breach could therefore be far greater than the fine, and might see
senior partners taken to court and even imprisoned should the breach
show negligence.

Personal Data

To understand your legal data protection obligations, it is necessary to
understand what is considered personal data. This is an area that can cause
confusion. An individual’s name? That’s certainly personal information. But
what about an email address? Or a photograph? Or an ID number that, when
combined with other information you hold, could be used to identify someone?

For years, we have understood personal data in terms of the Data Protection
Act 1998: that personal data is any data, whether by itself or when
combined with any other data you possess or are likely to possess, by which
a living individual is identifiable.

This includes any opinions or decisions pertaining to an individual, such
as notes from performance review meetings, or recruitment notes on a
candidate’s suitability for a role.

Under the GDPR, the definition of personal data has been expanded and is
considered “any information relating to an identified or identifiable
natural person”.

This means that if any data you hold can identify an individual, either
directly or indirectly, then it is considered personal data. If an
individual can be identified by reference to “an identifier such as a name,
an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person” then it is
personal data.

For organisations, this includes work email addresses, company car details,
and work phone numbers. An email address, whether it is
a.smith@company.co.uk or ITmanager@company.co.uk or even a shared email
address, can identify an individual, either on its own or by processing
other data.

There are several ways in which a law firm could find itself vulnerable to
a personal data breach. The following scenarios describe the risk and
outline what protective measures can be taken.

Mergers and Acquisitions

A personal data breach includes unauthorised disclosure of, or access to
personal data. A legal firm could therefore be held responsible for a
personal data breach if its clients’ data is inappropriately accessed due
to lack of internal controls.

Legal firms are often most at risk of this type of breach during a mergers
and acquisitions engagement. Failure to plan and implement appropriate
internal controls during such times leaves legal firms extremely vulnerable.

During a legal firm merger we often see unsophisticated methods of
attempting to address this issue: either everyone joining the firm is
denied access, or they are given unrestricted access to everything. The
former is not conducive to the seamless integration of new team
members, creating inefficiency and harming employee morale. The latter,
while enabling access for those who require it, also enables individuals who
should not have permission to access the same files. This crude solution is
extremely inadvisable as it creates a large security risk.

A worst-case scenario would be a deliberate attempt by a disgruntled
employee to harm their employer by destroying, altering, or disclosing
invaluable information. The financial and reputational damage following
such an incident could be severe.

Appropriate solutions, although more time and resource intensive, provide
the best protection against a personal data breach. One solution is to set
up a system of permissions, whereby internal documents are marked and
classified accordingly.

An alternative is to create and manage an Active Directory. The benefit of
this system is that it enables permissions to be set by grouping people
together based on their role and personal access status within the firm, so
whole teams can be permitted or denied access.

However, when an Active Directory is not administered well, users inherit
access rights they should not have. This can occur following a change in
role within the company where the new access rights for the role are simply
appended to the original profile, so the user retains the permissions
from their previous position. We recommend companies allow heads of
departments access to view the Active Directory, as these heads are in the
best position to confirm which users should be permitted access.
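The permission drift described above, checked by a small audit, as an added example that is not part of the original article: the role-to-group matrix, the User type and the sample account are constructed for the demonstration, and a real audit would read group membership from the directory instead.

```go
package main

import "fmt"

// Hypothetical role-to-group entitlements, the matrix a department head confirms.
var roleGroups = map[string][]string{
	"Paralegal-Litigation": {"Litigation-Files", "Court-Calendar"},
	"Associate-Corporate":  {"Corporate-Files", "MA-DataRoom"},
}

// User is a constructed stand-in for a directory account: current role and
// the security groups the account is actually a member of.
type User struct {
	Name, Department, Role string
	Groups                 []string
}

// ExcessGroups returns the groups u holds that its current role does not entitle
// it to: the rights left over when a role change appended groups instead of replacing them.
func ExcessGroups(u User) []string {
	allowed := map[string]bool{}
	for _, g := range roleGroups[u.Role] {
		allowed[g] = true
	}
	var excess []string
	for _, g := range u.Groups {
		if !allowed[g] {
			excess = append(excess, g)
		}
	}
	return excess
}

// ReviewReport maps department -> user -> excess groups, one list per department head to confirm or revoke.
func ReviewReport(users []User) map[string]map[string][]string {
	report := map[string]map[string][]string{}
	for _, u := range users {
		if ex := ExcessGroups(u); len(ex) > 0 {
			if report[u.Department] == nil {
				report[u.Department] = map[string][]string{}
			}
			report[u.Department][u.Name] = ex
		}
	}
	return report
}

func main() {
	alice := User{"alice", "Corporate", "Associate-Corporate", []string{"Litigation-Files", "Court-Calendar", "Corporate-Files"}} // constructed: moved from litigation
	fmt.Println(ReviewReport([]User{alice}))
}
```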

Man-in-the-middle attacks

Cyber criminals target the legal sector by monitoring emails being sent
between staff and individuals. Communication is then intercepted at a
crucial moment, such as when the individual is asked to send a deposit.
Having intercepted the email, the cyber-criminal alters the bank details,
resulting in the payment being sent to a different bank account. In this
scenario, the solicitor will only become aware of the breach when the money
fails to arrive days, or even weeks, later.

Utilising digital signatures or secure email platforms provides a guarantee
that documents come from a known sender and have not been altered in
transit.
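The integrity guarantee referred to above, shown as an added example (not code from the article): payment instructions are signed with an Ed25519 key, and any change to the account details after signing makes verification fail. PaymentInstruction, its field layout and the sample values are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// PaymentInstruction is a constructed stand-in for the e-mail asking a client
// to transfer a deposit.
type PaymentInstruction struct {
	Matter, Payee, SortCode, Account string
	Pence                            int64
}

// canonical renders the fields in a fixed order so signer and verifier
// operate on exactly the same bytes.
func (p PaymentInstruction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%d", p.Matter, p.Payee, p.SortCode, p.Account, p.Pence))
}

// Sign produces a detached signature with the sender's private key.
func Sign(priv ed25519.PrivateKey, p PaymentInstruction) []byte {
	return ed25519.Sign(priv, p.canonical())
}

// Verify checks that the instruction came from the holder of pub and was not
// altered since signing; any change to a field makes it return false.
func Verify(pub ed25519.PublicKey, p PaymentInstruction, sig []byte) bool {
	return ed25519.Verify(pub, p.canonical(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // sender's key pair, generated for the demo
	original := PaymentInstruction{"M-1042", "Smith & Co Client Account", "12-34-56", "00011122", 2500000}
	sig := Sign(priv, original)
	fmt.Println("genuine verifies:", Verify(pub, original, sig)) // true
	tampered := original
	tampered.Account = "99988877" // account number changed after signing
	fmt.Println("tampered verifies:", Verify(pub, tampered, sig)) // false
}
```

In practice the public key is pinned out of band (exchanged at client onboarding), since a key delivered in the same email channel could be replaced along with the bank details.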

You can also utilise software to encrypt emails and attachments. Encryption
offers additional protections should a breach take place, rendering the
information unreadable and therefore useless to the hacker. The GDPR will
require affected parties and authorities to be notified in the event of a
breach within 72 hours, but provides a safe harbour if the data that is
stolen has been adequately encrypted. The extent of an investigation will
be greatly reduced, and the level of fine and any subsequent personal
litigation will be minimal if not zero.

Sharing of passwords

Another risk arises when passwords are shared or written down. When in
court during a case, it may be necessary to phone a colleague to ask for
information or documents to be sent via email. You may need to provide your
password for your colleague to access them. This is where two-factor
authentication can provide an additional layer of security. In addition to
your password, you could be sent a code to your phone, for example, which
you are also required to enter to access restricted documents. You could
provide your colleague with the code, knowing that it would only be valid
for use once, and that your colleague would be unable to log in again with
your password without also receiving a newly generated code.
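The one-time code described above, as an added example that is not from the article: HOTP codes (RFC 4226) as a phone app would generate them, and a server-side check that consumes each code so a code read out to a colleague cannot be used a second time. The Authenticator type and its look-ahead window of 3 are assumptions; the secret is the RFC's own test value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes a 6-digit one-time code for a counter value (RFC 4226),
// the same code the user's phone app would show.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Authenticator is the server-side state for one user: the shared secret and
// the next counter value that has not yet been consumed.
type Authenticator struct {
	secret  []byte
	counter uint64
}

// Accept returns true if code matches the current counter or one of the next
// few, then moves the counter past it so the same code is never accepted twice.
func (a *Authenticator) Accept(code string) bool {
	const window = 3
	for i := uint64(0); i <= window; i++ {
		if hmac.Equal([]byte(HOTP(a.secret, a.counter+i)), []byte(code)) {
			a.counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	a := &Authenticator{secret: []byte("12345678901234567890")} // RFC 4226 test secret
	code := HOTP(a.secret, 0)                                    // 755224
	fmt.Println(a.Accept(code), a.Accept(code))                  // true false
}
```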

These are all simple ways to improve your firm’s security. It is essential
that information security is a priority for the legal sector. Law firms
that fail to plan and implement organisational protective measures expose
themselves to great risk.