Miller Insurance Services: Worried about data breach? Then take cover
In the past few years, law firms have quickly become lucrative targets for hackers, as repositories of client money and confidential information. As much as £85 million was stolen from them in “Friday afternoon frauds” in 18 months up to March 2016, according to the Financial Times. In the past three years, the number of attacks has jumped: for every successful hack ten more failed, the paper said.
Firms involved in conveyancing have been the focus for hackers, because the large amounts of client money they hold and the tight deadlines involved in property sales make them particularly vulnerable to hackers’ impersonation frauds.
But the threat to the legal profession is already changing. Lawyers’ reliance on being able to access client records stored electronically has made them a growing target for ransomware attacks. In June, DLA Piper’s computer and telephone systems were disabled for days by the Petya global cyber attack.
More than one in four law firms reported being targeted by scammers in the past year, the most common form being fake emails, according to a Law Society survey issued in July. Some have paid ransoms to regain access to their databases, according to the press.
The problem is that many law firms still don’t perceive themselves as being at risk. “There’s a perception that law firms have been slow to respond to the threat,” says Adam Crosher, a cyber insurance specialist at Miller. “That includes not spending enough money on beefing up their IT security, not regularly encrypting their data, or even something simpler, such as not updating anti-virus software regularly.”
Law firms at high risk
A 2016 report by the UK’s Computer Response Team (CERT-UK), part of the National Cyber Security Centre, estimates that 62% of law firms had suffered a cyber attack in the previous year, but that barely more than a third had a crisis plan in case they were attacked.
Many law firms thought they were either too small or too obscure to attract hackers’ attention, the CERT-UK report said. But that’s exactly why they’re easy prey for cyber criminals: their IT-security defences are low because they don’t view themselves as potential targets. High street solicitors have been the most common targets for the Friday afternoon frauds because they are seen as soft targets, the FT said.
Another issue is that the sheer scale of today’s hacking operations often isn’t understood. The popular image of hackers being lone computer experts launching attacks from PCs in their bedrooms is outdated. Today, hacking is a lucrative industry being run by organized crime syndicates, which target specific sectors perceived to be particularly vulnerable, such as healthcare and the legal profession. Their operations are like hacking factories, sending out tens of thousands of malware-containing emails to unsuspecting organizations at a time. It isn’t a case of if but rather when a firm will be attacked, cyber security experts warn.
So law firms need to be ready. “Now, most businesses rely on their computer systems, but law firms are particularly dependent. So you need to ask whether it would still be ‘business as normal’ if you couldn’t access your IT network,” says Charles Hawtin, Head of Client Services at Chancery Pii. “How long could you survive? A day? A week?”
Data breach a growing risk
But the risk to the legal profession is bigger than the threat of hacker attacks. Even the smallest law firm holds a lot of sensitive client information on its computer system and any slip-ups in keeping that data safe could prove very costly.
The profession’s data security standards have already been put under the spotlight by the Information Commissioner’s Office (ICO), the UK data watchdog. In 2014, it warned the legal sector about how it stores confidential information after investigating 173 incidents of potential breaches of the Data Protection Act by law firms. In March 2017, it fined a barrister for keeping sensitive client information unencrypted on her home computer.
The ICO recently fined a small video firm £60,000 for not taking basic steps to prevent its website from being attacked and not keeping client data safe, which resulted in over 26,000 clients’ details being exposed. Although not a headline figure in itself, the fine looks different when you consider that the company’s annual turnover was less than £200,000, according to press reports, so it would be a significant financial blow to the business. “It shows the ICO has the will and the teeth to crack down on firms, regardless of their size, if it thinks they aren’t taking data protection seriously enough,” says Richard Brown, Head of Solicitors’ PI insurance at Miller.
The General Data Protection Regulation, which comes into force across Europe in May 2018 – and which won’t be repealed after Brexit – will force all businesses to adopt much stricter processes in dealing with clients’ personal information. Penalties for failing to comply with the regulation could be a lot higher than under the existing laws, with fines of up to 4% of a company’s annual turnover.
It will also introduce strict liability for firms that lose clients’ data, so even if your data is lost due to a slip-up or attack at your cloud service provider, you will still be responsible. Also, under the new regime, every data breach, from a ransomware attack to leaving a laptop or a USB stick on a train, must be reported to the data watchdog within 72 hours, while affected clients will also have to be informed quickly that their data might have been lost.
Data breach can be complex and costly
Dealing with the fallout from a data breach can be a complex, sensitive and expensive exercise. Working out what information has been lost and which clients are affected can be a painstaking process. If your system has been attacked, then you need to make it secure and restore as much of your data as quickly as you can. You’ll also need to inform the regulator of the breach and provide clients with support and assistance if necessary, such as an advice hotline or even credit monitoring if their personally identifiable information has been lost. All of that is likely to involve the services of IT experts, lawyers, PR consultants and perhaps even crisis negotiators, if hackers demand a ransom to restore access to your computer system.
It’s no surprise that the costs of dealing with a breach can quickly escalate. “The average cost of notifying data subjects of a breach is around £100 for each record that is stolen or lost, so it doesn’t take long before the costs mount up,” says Crosher. “The cost for a small law firm could easily reach five figures.”
For the estimated two thirds of UK law firms that don’t have a crisis plan, cyber insurance offers an affordable backstop in the event of a data breach. A cyber policy also includes:
Business interruption cover, for any loss of profit your firm may experience if you cannot access your system for any period of time;
Paying for any fines and penalties levied by a data protection regulatory authority;
The services of trained negotiators to get back control of your network from cyber gangs, which may include paying a ransom;
Cover for the legal costs incurred in attending or preparing for interviews related to any other regulatory investigations, as well as any subsequent court proceedings.
“Law firms that don’t have a policy would be forced to pay all the costs of identifying, containing and notifying people of a breach, as well as all the various expenses related to cleaning up after a breach out of their money. That isn’t cheap,” says Crosher. “But I think what most firms find most valuable about a cyber policy is having the peace of mind of knowing there’s a telephone number they can call day or night to help sort out a problem as soon as it arises. The insurer will have a crisis response team that will try to fix the problem as quickly as possible so the law firm experiences as little disruption as possible.”
If you would like to know more about how a cyber insurance policy could help your firm, call one of our specialist team now to discuss your options on 020 7031 2741 or get in touch through our website.