As privacy lawyers, we spend our time advising and cautioning our clients about data protection and information security compliance, and yet recent news on both sides of the Atlantic indicates that the legal profession is as vulnerable to data breaches and cyber-attacks as any other business – if not more so!
During 2014 the UK Information Commissioner (ICO) issued a warning to lawyers to keep personal information secure following a number of data breaches reported to the ICO involving the legal profession. Whilst many of the breaches related to the loss of paper records, more recently the data incidents have been the result of sophisticated cyber-attacks aimed at obtaining critical information from lawyers about their clients and business secrets of those clients.
In the US, we understand that the Department of Homeland Security and the Secret Service are investigating numerous breach incidents involving law firms, and no doubt there will be an increasing amount of activity in other parts of the world because lawyers are often in possession of information that is highly valuable to cyber criminals.
As I have often said, “why would a nation state sponsored hacker spend time trying to break through the security walls of a military equipment manufacturer to obtain the plans for the next generation swing-wing fighter plane when they could obtain exactly the same information by walking through the relatively insecure doors and firewalls of that same manufacturer’s patent lawyers?”
Law firms and their staff need to be significantly more vigilant in relation to information and use better organisational and technological measures to keep themselves and their clients secure.
The Law Society of England & Wales has issued a cyber-security e-learning test which all English lawyers should take. In the same way that privacy lawyers advise their clients to implement appropriate policies, procedures and training, the same should apply to law firms without delay.