Data protection and cyber attacks
15/03/2023 13:40:38
Cyber attacks may trigger applicable data protection laws.
Access to information may be withheld pending the payment of a ransom, or data may be published if such a ransom is not paid. Personal data might also be revealed even if the focus of the attack was a withdrawal from the client account or a transfer of monies into a fraudulent account.
Data Protection – Before the Attack
Solicitors should consider how relevant data protection laws apply to their own practice in operational terms. For example, which categories of personal data are processed in which manner, relating to which data subjects, and whether there are appropriate technical and organisational measures in place to process such personal data in a safe and secure manner.
Measures may include:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Data protection – after an attack
Both an unsuccessful and successful attack may trigger applicable data protection laws. You should familiarise yourself with your reporting requirements where a personal data breach may have occurred.
Depending on the situation, even the unauthorised access to personal data (without further unauthorised publishing to third parties) may in itself constitute a personal data breach.
Next steps
Detailed guidance on reporting requirements, as well as issues such as security firewalls, remote access and incident responses, is available on the Data Protection Commission website. The Law Society has also published guidance on data protection for solicitors.
You should consider seeking legal advice from a colleague if this is not your area of expertise.