Thanks to the digital transformation and increasingly strict data security obligations, law firms’ business priorities are changing. Today, data protection, transparency, and privacy are top-of-mind.
It makes sense.
Keep reading to find out…
Interested in learning more about regional compliance standards or those that impact other industries? Check out our Compliance Hub to find articles, tips, guides, and more or download our CEO’s Guide to Data Protection and Compliance to learn more about how cybersecurity enables business and drives revenue.
Lawyers’ hard drives, email accounts, and smartphones can contain anything from sensitive intellectual property and trade secrets to the Personally Identifiable Information (PII) of clients.
Unfortunately, hackers and cybercriminals are all too aware of this. It’s no surprise, then, that the legal sector is amongst the most targeted by social engineering attacks like spear phishing. Ransomware is a big problem, too. In fact, just a few months ago, Grubman Shire Meiselas & Sacks, a prominent media law firm, had its client information compromised.
Those behind the attack later threatened to auction some of these files concerning major celebrities for as much as $1.5 million unless the firm paid a $42 million ransom.
But, it’s not just inbound attacks that law firms have to worry about. Because the legal sector is highly competitive, incidents involving Insider Threats are a concern, too.
When it comes to data protection and privacy, the legal sector is subject to a relatively strict regulatory framework both under the law and rules imposed by professional bodies. Depending on where a firm is based and what its practice areas are, it can be subject to several stringent laws and regulations. This is especially true for firms operating in major markets like the United States, the United Kingdom, and the European Union.
In this article, we’ll focus on some of the more general regulations and standards that all firms operating in these markets are expected to abide by.
When the GDPR was introduced in 2018, it represented the largest change to data protection legislation in almost two decades. It also contains some of the most thorough compliance obligations for law firms and indeed any other entity that collects, stores, and processes data.
The GDPR has been designed to help and guide organizations with a legitimate business interest as to how personal data should be handled and gives regulators the power to impose large fines on firms that aren’t compliant.
You can read more about the largest GDPR fines (so far) in 2020 on our blog.
The GDPR was introduced amid growing concerns surrounding the safety of personal data and the need to protect it from hackers, cybercrime, Insider Threats, unethical use, and the growing attack surface.
Essentially, it gives citizens full and complete control of their data, subject to some restrictions (for example, where data must be held by firms by law).
The legislation regulates the use of ‘personal data’ and applies to all organizations located within the EU, as well as organizations outside the EU that offer their goods or services to EU citizens. It also applies to organizations that hold data pertaining to EU citizens, regardless of their location.
The main part of the GDPR that law firms should be paying attention to is Article 5.
This sets out the principles relating to the collection and processing of personal data. The six key principles are that personal data:
The GDPR also gives your clients the right to ask for their data to be removed (‘right of erasure’) without the need for any outside authorization. Note: Data can only be kept contrary to a client’s wishes to ensure compliance with other regulations.
Before GDPR, law firms could follow their own protocols when dealing with a data breach. But now, the GDPR forces firms to report any data breaches, no matter how big or small they are, to the relevant regulatory authority within 72 hours. In the UK, for example, the regulatory authority is the Information Commissioner’s Office (ICO).
The notification must:
Clients who have had their personal data compromised must also be notified of the breach, the potential outcome, and any remediation “without undue delays”.
It’s important to note that breaches aren’t always the result of malicious activity by an Insider Threat or a hacker outside the organization. Even accidents can result in breaches. In fact, misdirected emails (emails sent to the wrong person) have consistently been one of the most frequently reported incidents to the ICO.
That’s why it’s essential that law firms (and other organizations) have safeguards in place to prevent mistakes like these from happening. Looking for a solution? Tessian Guardian prevents misdirected emails in some of the world’s most prestigious law firms, including Dentons, Hill Dickinson, and Travers Smith.
Financial penalties imposed for GDPR violations can be harsh, and they often are; regulatory authorities are keen to highlight just how important the GDPR is and how seriously it should be taken. Fines for non-compliance can be as high as 4% of annual global turnover or €20 million—whichever is higher.
Rule 1.6 governs the confidentiality of client information. It states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Simply put, lawyers must make efforts to protect the data of their clients.
Two years ago, the American Bar Association issued new guidance in the form of Formal Opinion 483. This covers the importance of data protection and how firms should act when, not if, a security breach happens. This wording demonstrates that the ABA recognizes that breaches are part and parcel of firms operating in the modern world, and the statistics confirm this.
In essence, Formal Opinion 483 states:
The bottom line: law firms must protect data with cybersecurity.
In the UK, solicitors are obliged under the Solicitors Regulation Authority (SRA) Code of Conduct to maintain effective systems and mitigate risks to client confidentiality and client money. Solicitors are also obliged to ensure their systems comply more broadly with the SRA’s other regulatory arrangements.
The SRA says that, although being hacked or falling victim to a data breach is not necessarily a failure to meet these requirements, firms should take proportionate steps to protect themselves and their clients while retaining the advantages of advanced IT.
Where a report of cybercrime (note: crime, not a loss that takes place due to negligence) is received, the SRA takes a constructive approach in dealing with the firm, especially if the firm:
That means that, under the SRA’s Code of Conduct, law firms should take steps to prevent inbound attacks like spear phishing and set up policies and processes that ensure swift reporting.
The good news is, Tessian can help with both inbound attacks and Insider Threats and has a history of successfully protecting law firms around the world from both.
Across all three of the regulations listed here, there’s one commonality: law firms are responsible for ensuring that their IT systems and processes are robust and secure enough to keep data safe and mitigate the chance of a breach taking place.
But, that’s easier said than done, especially in our dynamic and digitally connected world where threats are ever-evolving. So, where should law firms start? Email.
90% of all data breaches start on email and it’s the threat vector IT leaders are most concerned about protecting. That’s why Tessian is focused on protecting this channel.
Across three solutions, Tessian detects and prevents threats using machine learning, which means it’s constantly adapting without requiring maintenance from thinly stretched security teams.
Importantly, Tessian is non-disruptive. That way, partners, lawyers, and administrators can do their jobs without security getting in the way.
Tessian stops threats, not business.