
Cyber security breaches: what solicitors need to know

Security breaches happen, and no organisation is immune. The right response, however, can make a real difference.


Rather than seeing breaches as failures, law firms should focus on proactive strategies to mitigate risks and respond effectively when breaches occur. This briefing outlines key concepts and actions to help legal professionals manage cyber security and personal data breaches.

What is a breach?

According to the National Cyber Security Centre of Ireland, a cyber security incident is any adverse event that threatens the confidentiality, integrity, authenticity, or availability of a network or information system. For law firms, this could range from a phishing attempt to a malware attack that compromises sensitive data. Distinguish suspected breaches from confirmed ones, and record both: the number of suspected incidents (phishing emails reported by staff, blocked logins, and so on) is itself a useful measure of the threat level the firm faces.

Distinguishing cyber security and personal data breaches

Not all cyber security breaches involve personal data, and not all personal data breaches result from cyber security issues. For example, losing a hard-copy client file is a personal data breach but not a cyber security incident. Conversely, a ransomware attack that encrypts a server holding no personal data is a cyber security incident but not a personal data breach. Be careful with that distinction, however: under GDPR a personal data breach includes loss of access to personal data, so ransomware that encrypts client files is a personal data breach even if nothing was copied or exfiltrated.

Personal data, as defined by data protection laws, includes any information that can identify an individual. In a law firm, this could include client names, contact details, identification documents, and AML/KYC information. If a breach involves personal data, you may need to notify regulatory bodies and affected individuals promptly.

Responding to cyber security breaches

If a breach occurs, immediate action is essential:

  • Disconnect infected machines from the network (unplug the cable or disable Wi-Fi), but do not power them off or wipe them: the running state and logs are evidence an investigator will need.
  • Contact IT support or a cyber security professional for assistance.
  • Do not connect backup media or restore from backups until the breach is contained; a backup attached to a compromised network can itself be encrypted or infected.

After managing the immediate threat, conduct a thorough review to understand the causes and implement preventative measures. Regular cyber security assessments and training can help reduce the risk of future incidents.

Engaging a cyber security professional

When faced with a breach, it's advisable to consult an expert. They can help identify vulnerabilities, mitigate risks, and ensure compliance with legal obligations. Preparation is key—know your budget and the specific cyber security benefits you need before engaging a professional.

A comprehensive assessment of your systems, including encryption and access controls, can help prevent breaches. Additionally, ongoing staff training is crucial, as many breaches result from human error, such as falling for phishing scams.

Reporting obligations and insurance

In the event of a breach, you may need to notify various parties, including clients, regulatory bodies, and your insurance company. For example, under GDPR a personal data breach must be reported to the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk to those individuals is high, they must be informed as well. Failing to comply can result in significant penalties. It is advisable to seek legal advice from an expert colleague in the profession to be fully briefed on your precise reporting obligations.

Ensure your insurance coverage is up-to-date and discuss your breach-response plan with your broker. You may also need to notify financial institutions if sensitive information is compromised.

Ransomware and legal considerations

If faced with a ransom demand, proceed cautiously. Seek both technical and legal advice, considering factors like professional ethics, legal obligations (for example, concerning client confidentiality), and potential criminal liability. Paying does not guarantee that data will be restored or that copies taken by the attacker will be deleted. Always report such incidents to the relevant authorities.

Building a culture of transparency

Encourage a workplace culture where breaches are reported without fear of retaliation. This transparency can help identify and mitigate issues before they escalate. Even minor breaches should be documented and addressed.

Finally, law firms are encouraged to share knowledge about cyber security threats with their peers. Reporting both successful and unsuccessful attacks to organisations like the Law Society can help protect the broader legal community. To report an issue or attack, whether successful or unsuccessful, please contact the Law Society cyber security team. This is an anonymous service that helps everyone in the profession stay aware of the latest threats.

Learn more

This is an abbreviated version of ‘Head in the sand’, published in the October 2023 Law Society Gazette.