In this guest blog, GDPR expert Judith Andrews from Business Tamer outlines the lessons law firms can learn from recent cyber attacks on some well-known brands.
The recent high-profile cyber-attacks on M&S, Co-op and Harrods have highlighted the vulnerability of data systems, with ripples reaching far beyond the retail world.
However, hitting closer to home for the legal industry was the news of DPP Law Ltd being fined £60,000 by the Information Commissioner’s Office (ICO) after its client data was stolen. Having failed to notice the theft until it was notified by the National Crime Agency, the firm did not inform the ICO until three days later – a clear violation of its data obligations.
Most of these attacks, and many similar ones carried out every year, were enabled by human error, so the lesson for businesses is that data systems are only as secure as the people who control them. Holding hugely confidential and commercially sensitive data makes legal firms a prime target, so understanding your data protection and security responsibilities is vital.
I’ve identified some essential lessons every legal firm can learn from these attacks, and the steps you must take to secure your systems and staff.
The real cost of a data breach
Data breaches carry immediate costs - consultant fees and extra staff time for recovery, lost hours, IT upgrades, insurance excesses, stolen funds or ransom payments. The Government’s Cyber Security Breaches Survey 2024 found that breaches involving asset loss cost businesses an average of £6,940.
This figure excludes lost profits. Disruption caused by a cyber-attack can hit the bottom line hard: M&S predicts its attack will reduce profits by 30% this year - around £300m. It also excludes potential fines, as was the case with DPP Law Ltd.
However, for some businesses, these costs are minor in comparison to reputational damage. When data is compromised, so often is trust, prompting customers, suppliers, partners and stakeholders to lose confidence or even abandon a brand entirely in favour of one they perceive as more secure – one that hasn’t had a breach.
Cyber security starts with people and processes
If multi-million pound household names with advanced technology are vulnerable to attacks, then it might seem that smaller firms – like law practices - are particularly at risk.
But big budgets and expensive IT systems are no guarantee of security.
For every business, from a small law practice to a huge multinational, the key to data protection is preparing robust data processes and procedures, adhering to them consistently, and the due diligence of you and your team. Training, awareness and procedure underpin good cyber security.
Make data housekeeping a priority
Data security should be part of your everyday operations. Any person within your practice who has access to data must understand their responsibilities and follow clear protocols every time they handle data to prevent accidental loss, misuse, or exposure.
Here are the key steps you can start putting in place and following today:
1. Data Inventory and Mapping
Keeping track of your data is essential. This might seem a big job to begin with but will save invaluable time in the long run, especially if you ever need to provide evidence to a client of exactly how you have handled their data.
Start by identifying all personal data held across all systems – whether electronic or paper files. Map where the data comes from, where it goes, and how it is processed, and note the retention period (how long you are going to keep it for). Classify the data by sensitivity and purpose.
2. Data Minimisation
Ensure you only collect and retain data that is strictly necessary for its intended use. Remove redundant, obsolete or trivial data. Review forms and databases for excess data – for example, when someone submits an enquiry via your ‘Contact us’ form on your website, where is the data collected and stored?
3. Data Accuracy Checks
Data should not be simply stored away and left to languish in a database or filing cabinet. Implement processes to regularly verify and update it – this will also help you to make regular and relevant contact with your clients. Allow data subjects (the people whose data you hold) to update their information easily via email request, online portal, telephone or in person depending on what communication channel they expressed as a preference when you first collected their data.
4. Retention and Deletion Policies
You must only keep data for as long as it is reasonably needed in line with your Data Retention Policy. If you don’t have one in place, now is the time to create one and apply it consistently to all data.
Once the retention period passes, data should be automatically deleted or anonymised and you must keep a record of this process for audit purposes.
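Steps 4 above (apply a retention period, then delete or anonymise and keep a record) can be enforced in code rather than by hand. The following is an added example, not part of the original post and not Business Tamer’s tooling: the category periods in RETENTION_POLICY, the records, and the fixed “today” date are all assumptions constructed for the example. It also handles the case the post does not spell out, a record whose category has no retention period, by keeping it and flagging it for review rather than silently deleting it.

```python
"""Enforcing a retention policy with an audit record (added example).

Assumptions, not from the original post: the per-category periods and
actions in RETENTION_POLICY, the in-memory records, and a fixed TODAY so
the run is reproducible. In practice these come from the firm's Data
Retention Policy and its case management system.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Hypothetical policy table: category -> (retention period, action once it expires)
RETENTION_POLICY = {
    "website_enquiry": (timedelta(days=90), "delete"),
    "closed_matter": (timedelta(days=6 * 365), "anonymise"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    name: str
    email: str


@dataclass(frozen=True)
class AuditEntry:
    record_id: str
    category: str
    action: str          # "deleted", "anonymised" or "review"
    performed_on: date
    basis: str           # which rule was applied, for the auditor


def apply_retention(records, today, policy=RETENTION_POLICY):
    """Return (records to keep, audit entries).

    A record whose category has no policy is never silently deleted:
    it is kept and an audit entry asks for it to be reviewed.
    """
    kept, audit = [], []
    for r in records:
        if r.category not in policy:
            kept.append(r)
            audit.append(AuditEntry(r.record_id, r.category, "review", today,
                                    "no retention period defined for this category"))
            continue
        period, action = policy[r.category]
        expires_on = r.collected_on + period
        if today < expires_on:
            kept.append(r)
            continue
        basis = f"{r.category}: {period.days} days from {r.collected_on.isoformat()}"
        if action == "delete":
            audit.append(AuditEntry(r.record_id, r.category, "deleted", today, basis))
        else:
            # Strip the personal fields; the record id and category are kept
            # so matter counts and audit references still work.
            kept.append(replace(r, name="[anonymised]", email=""))
            audit.append(AuditEntry(r.record_id, r.category, "anonymised", today, basis))
    return kept, audit


# Constructed sample data for the example
TODAY = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "website_enquiry", date(2025, 1, 10), "Ann Example", "ann@example.com"),
    Record("R2", "website_enquiry", date(2025, 5, 1), "Bob Example", "bob@example.com"),
    Record("R3", "closed_matter", date(2018, 3, 1), "Cy Example", "cy@example.com"),
    Record("R4", "closed_matter", date(2022, 1, 1), "Di Example", "di@example.com"),
    Record("R5", "legacy_export", date(2010, 1, 1), "Ed Example", "ed@example.com"),
]


def run_example():
    """Apply the sample policy to the sample records as of TODAY."""
    return apply_retention(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    kept_records, audit_log = run_example()
    for entry in audit_log:
        print(entry)
```

The audit entries are the evidence you would show an auditor or a client: what was removed, when, and under which rule. Blanking the personal fields is only anonymisation if nothing left in the record (or elsewhere) can be linked back to the individual, so check the remaining fields against that test before relying on it.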
5. Data Subject Rights Readiness
As part of a Data Subject Access Request (DSAR), an individual can exercise their right not only to view the data held on them, but also to request rectification, erasure (Right to be Forgotten) and if appropriate, data portability, which involves supplying their information in a suitable format for transference to another organisation. This can be extremely time consuming if your practice is unprepared.
Introducing an Incident Management Plan to cover data related complaints, DSARs and data breaches can give you a clear plan of action in such situations. You must always keep a log of any requests and your responses.
6. Third-party data review
It’s important to audit any data that you share with third-party processors or partners, and it is your responsibility to verify they handle it securely, appropriately and in line with your retention policies. Any contract with a processor must include the data protection clauses that UK GDPR (Article 28) requires.
7. Security measures
Personal data should be encrypted, both where it is stored and when it is sent, and protected by strong passwords and multi-factor authentication wherever possible. Restrict access only to members of staff who need it to carry out their role and who fully understand how to handle it responsibly and securely.
You should monitor data regularly for signs of unauthorised access or breaches, such as unusual login activity (odd hours or unfamiliar devices), unexpected amendments or deletions, system performance issues or antivirus software alerts.
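The warning signs listed above (logins at odd hours, logins from unfamiliar devices, unexpected deletions) can be checked automatically against your system’s access logs. The following is an added example, not code from the original post or from Business Tamer: the log line format, the sample log lines, the table of known devices, the office hours and the deletion threshold are all constructed assumptions, and you would adapt the pattern and thresholds to whatever your practice management system actually records.

```python
"""Spotting the warning signs in access logs (added example).

The log format, sample lines, KNOWN_DEVICES, OFFICE_HOURS and the
deletion threshold are assumptions for this example, not taken from
the original post. Adapt LINE_RE to your own system's log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<timestamp>Z <event> user=<u> [device=<d>] [file=<f>] [result=<r>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<event>login|delete) user=(?P<user>\S+)"
    r"(?: device=(?P<device>\S+))?(?: file=(?P<file>\S+))?(?: result=(?P<result>\S+))?$"
)

KNOWN_DEVICES = {"jsmith": {"LAPTOP-JS01"}, "agreen": {"PC-AG02"}}  # assumed device register
OFFICE_HOURS = range(7, 20)            # assumed: successful logins 07:00-19:59 UTC are normal
DELETE_LIMIT = 5                       # assumed: this many deletions by one user ...
DELETE_WINDOW = timedelta(minutes=10)  # ... within this window is a burst worth a look

# Constructed sample log (chronological). The last line is a format the
# parser does not understand, to show unparsed lines are counted, not lost.
SAMPLE_LOG = """\
2025-05-12T08:55:02Z login user=jsmith device=LAPTOP-JS01 result=success
2025-05-12T09:03:11Z delete user=agreen file=matter-1021.pdf
2025-05-12T23:41:19Z login user=jsmith device=LAPTOP-JS01 result=success
2025-05-13T10:12:44Z login user=agreen device=WIN-7F3A result=success
2025-05-13T10:15:00Z delete user=agreen file=matter-1030.pdf
2025-05-13T10:16:30Z delete user=agreen file=matter-1031.pdf
2025-05-13T10:17:05Z delete user=agreen file=matter-1032.pdf
2025-05-13T10:18:40Z delete user=agreen file=matter-1033.pdf
2025-05-13T10:20:12Z delete user=agreen file=matter-1034.pdf
2025-05-13T11:00:00Z antivirus host=PC-AG02 alert=quarantined
"""


def parse(log_text):
    """Turn log lines into event dicts; count lines the pattern cannot read."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events, unparsed


def detect(log_text):
    """Return (findings, unparsed_count). Each finding names the user,
    the time, and which of the three warning signs was triggered."""
    events, unparsed = parse(log_text)
    findings = []
    recent_deletes = defaultdict(deque)   # user -> timestamps inside DELETE_WINDOW
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = e["ts"], e["user"]
        if e["event"] == "login" and e["result"] == "success":
            if ts.hour not in OFFICE_HOURS:
                findings.append({"ts": ts, "user": user, "reason": "out-of-hours login",
                                 "detail": f"login at {ts:%H:%M} UTC"})
            if e["device"] not in KNOWN_DEVICES.get(user, set()):
                findings.append({"ts": ts, "user": user, "reason": "unfamiliar device",
                                 "detail": f"device {e['device']} not on record for {user}"})
        elif e["event"] == "delete":
            q = recent_deletes[user]
            q.append(ts)
            while q and ts - q[0] > DELETE_WINDOW:   # drop deletions older than the window
                q.popleft()
            if len(q) == DELETE_LIMIT:               # alert once, when the burst reaches the limit
                findings.append({"ts": ts, "user": user, "reason": "deletion burst",
                                 "detail": f"{len(q)} deletions since {q[0]:%H:%M:%S}"})
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']:8} {f['reason']}: {f['detail']}")
    print(f"{skipped} line(s) not understood by the parser")
```

Run against the constructed sample, this reports the 23:41 login by jsmith as out of hours, the agreen login from WIN-7F3A as an unfamiliar device, and agreen’s fifth deletion in five minutes as a burst; the antivirus line is counted as unparsed so you know the parser is missing a source rather than quietly ignoring it. Each finding is a prompt for someone to check with the member of staff, not proof of a breach: an out-of-hours login may be a fee earner working late, and the thresholds should be tuned to how your practice actually works.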
8. Documentation and audit trail
Maintain clear and up-to-date records of all processing activities in line with UK GDPR requirements. Conduct an annual audit and data mapping exercise to ensure your data handling processes and policies remain current and compliant.
When introducing new data systems or processes, conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks.
9. Training and Awareness
Your staff are key to your data security. Train new employees on data handling, retention and deletion as part of your new employee induction process and repeat on an annual basis.
Set an example for your whole practice by promoting a culture of data hygiene and privacy awareness and conduct spot checks to ensure compliance with policies. Run regular training, including phishing awareness exercises, to build staff resilience against threats.
10. Ongoing Monitoring and Review
Staff at all levels should be actively involved in data security – it’s a good idea to put data protection compliance on the agenda of senior management or board meetings, monthly or quarterly.
Schedule regular reviews of data quality and compliance and use KPIs or dashboards to track progress and issues. Maintain a data protection risk register to document and manage ongoing risks and mitigation measures.
If there’s work to do to thoroughly secure your data, the good news is that a UK GDPR expert can help prepare all your policies and procedures, and provide training, giving you peace of mind that your practice’s most valuable assets are protected.
Judith Andrews is from Business Tamer, specialising in GDPR, data protection and compliance. Judith can advise on reviewing policies, collecting, storing and using data with confidence as well as provide expert support with handling cyber-attacks and data breaches.
businesstamer.co.uk