The Panama Papers and cyber risks for UK solicitors
Cyber security threats to law firms and their clients have made for spectacular headlines in recent days. Solicitors need to be aware that they are potentially soft targets and prepare for such attacks.
The Panama Papers
The biggest story in the news this week, which has already resulted in the resignation of one European head of state, is the result of a leak of a 2.6 terabyte set of data from Panamanian law firm Mossack Fonseca. The firm attributes the leak to a hack of its email server, following which the data was apparently provided by an anonymous source to the German newspaper Süddeutsche Zeitung.
Putting aside the public interest concerns in the publication of certain of the Mossack Fonseca data by journalists, it is clear that the data of many clients of the firm was stolen regardless of whether the activities they were engaged in were either legal or legitimate.
Corporate firms targeted for M&A data
New York-based security firm Flashpoint has issued an alert that a cybercriminal in the Ukraine with the pseudonym “Oleras” has been attempting to hire hackers to target corporate law firms to gain access to M&A information for insider trading. Named targets include London-based “Magic Circle” firms as well as prominent US firms.
According to the Wall Street Journal, the FBI and the Manhattan US attorney’s office are investigating a suspected breach of data held by certain major US firms. One of the firms named has since issued a statement confirming that it suffered a “limited breach” last summer but was not aware that any of the information accessed had been used improperly.
Law firms and cyber risk
As the above examples demonstrate, client data may be sought for various motives, including insider trading, international and corporate espionage, fraud and hacktivism. However, law firms are considered by many as a weak spot in companies’ cyber security defences. Sophisticated corporate clients and financial institutions may have better-developed security policies and systems than the law firms to whom they entrust some of their most sensitive data.
In the UK, both the Solicitors Regulation Authority and the Information Commissioner’s Office have warned about the need for law firms to be aware of cyber risk. Firms should have response plans in place for cyberattacks, yet surveys suggest that law firms are less likely than non-law businesses to do so.
Firms of solicitors are under duties pursuant to the Data Protection Act as data controllers and have regulatory requirements to protect client money and assets and to keep client affairs confidential. When a breach does occur, firms will be faced with a range of challenges in responding to the incident. As well as ensuring the attack is immediately stopped and cannot be repeated, the incident response team will need to consider:
- A breach assessment: the data affected, what has happened and the risks arising to data subjects and/or clients.
- Taking legal advice on regulatory and litigation issues which may arise.
- Whether there is a duty to notify the SRA and/or the ICO.
- Whether there is a duty to, or the firm should nonetheless choose to, notify affected clients and data subjects.
- Whether to notify law enforcement, insurers, contractors and affected third parties.
- Taking steps, such as appointing crisis management PR consultants, to mitigate reputational risk.
White & Black are experts in cyber security and data protection issues and have written a suite of cyber security practice notes for Practical Law, including a soon-to-be-published note on incident management. If you would like to discuss how these issues affect your firm or are interested in a bespoke training session for your organisation, please contact Nick Mathys, John Allen or Nick Mitchell.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.