The ICO, the Law Society of England and Wales, and the English Solicitors Regulation Authority (the SRA) all recognize the increased threat of cyber-attacks to law firms and have each published guidance setting out practical steps that can be taken to improve security. The Law Society has set up a page dedicated to providing advice to lawyers and law firms on how to avoid cyber-attacks, and the SRA has published a document dedicated to highlighting cybercrime risks to law firms and also its latest Risk Outlook report, both of which provide practical advice for legal practitioners.
The ICO has also published some “top tips” to help lawyers keep the data they handle secure:
- keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use;
- consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand;
- where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen;
- when sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct;
- only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it; and
- if you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.
For UK firms, a cyber-attack could reveal a breach of a law firm’s obligations to the SRA as well as under the Data Protection Act 1998, and is likely to result in damage to a firm’s reputation and its client relationships (both past, current and potential), loss of business, and a huge investment in time and resource to remedy the breach. In light of this and recent events, it is time for firms which have not already done so to assess their data breach risks and put in place appropriate security measures as a business priority.