On 24 October 2017 the law firm Appleby confirmed that they had been subject to a ‘data security incident’ in 2016. Appleby also confirmed that it had received enquiries from the International Consortium of Investigative Journalists (ICIJ), which had published the Panama Papers in 2016, regarding the data breach.
The data, leaked on 5 November, contained 13.4 million documents and is the subject of an investigation by 100 media groups. Appleby said the disclosure was caused by an illegal computer hack, perpetrated by an intruder who deployed the tactics of a professional hacker and not someone who works for the firm. They confirmed that the company takes client confidentiality extremely seriously.
There are echoes of the situation when 11 million documents spanning several decades were leaked from the Panama firm Mossack Fonseca.
Mossack Fonseca complained that the data leak was external and filed a complaint with state prosecutors. This throws up two separate legal issues:
- The extent to which any individual responsible for the data hack has committed a criminal offence.
- The extent to which Mossack Fonseca could be held liable for failing to protect their clients’ data.
Neither Mossack Fonseca nor Appleby falls under the jurisdiction of UK regulators. However, should a UK regulated firm find itself in the same position, it would have to consider both cybercrime and data protection issues. For more information, see Practice notes, Cybercrime; overview and Data Protection Act 1998: criminal enforcement. Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality and client money, and to comply overall with our regulatory arrangements.
Data breaches at law firms are a growing concern: confidential information, often sent in unencrypted emails, risks being stolen and ransomed back to firms, used for fraud or sold to third parties to be used in crimes such as insider trading. The Information Commissioner’s Office regards solicitors as facing the same types of threats as other businesses. ICO figures from the first quarter of 2016 show the legal and justice sectors reporting the fourth highest number of data security breaches.
Hacking to provide information to journalists is not the only risk to law firms’ internet security. Cybercriminals are aware that law firms hold client identification documents and financial details and that even the biggest law firms do not have the same cybersecurity resources as banks. A reported £7 million of client money was lost to cybercrime in 2016. Ransomware is becoming a fast-growing threat.
Ransomware threat
Ransomware is malicious software that blocks access to an organisation’s data and is accompanied by a demand, threatening to delete everything unless the organisation pays up. Law firms have valuable datasets, a duty of confidentiality and a public reputation to protect and so are high-value targets. According to Verizon’s 2017 Data Breach Investigations Report, ransomware has moved up from the 22nd most common form of malware in 2014 to the fifth most common because it is quick, low-risk and lucrative.
On June 27, 2017 DLA Piper’s advanced-warning system detected suspicious activity on their network, which was related to the global cyber event known as “Petya”. An investigation and remediation efforts were immediately initiated and relevant authorities including the FBI and UK National Crime Agency were notified.
“Petya ransomware” takes over computers and demands $300, paid in Bitcoin. Once a computer is infected, the malicious software spreads rapidly across an organisation using the EternalBlue vulnerability in Microsoft Windows or through two Windows administrative tools. DLA Piper has not said whether it paid any ransom, but it has confirmed that it found no evidence that any client information was affected.
Law firms are pre-emptively opening Bitcoin wallets to pay ransoms in case their data is hacked, according to John Sweeney, president of IT and cyber security advisors LogicForce. He suggested that opening a Bitcoin wallet is just one contingency plan firms can make to prepare for cyber breaches in which client data is stolen. He said that firms may see this as a useful last resort when the data is not backed up and cannot be restored unless a ransom is paid.
Although Sweeney stressed he did not advocate paying ransoms, he thought it made sense for firms to have a Bitcoin wallet just in case. However, paying a ransom is no guarantee that access will be returned immediately or that a one-off ransom will be sufficient.
What should firms be doing?
Firms must do more to enhance cyber security. The PwC 2017 law firm survey notes that:
- The majority of law firms have reported that they suffered a security incident in the past 12 months and the most common of these remains phishing attacks.
- 12% of firms claim to be recipients of such attacks on a daily basis with a further 30% identifying attacks on either a weekly or monthly basis.
- The increasing level of threat means it is more important than ever to have effective and tested business continuity plans and a resilience framework.
- It is a concern that 16% of all firms claim not to have any such framework and of those that do, only 75% test their business continuity plan annually.
Peter Wright, Chair of the Law Society’s Technology and Law Reference Group, and managing director of DigitalLawUK, highlighted the number of organisations that have been hit by ransomware attacks recently (most notably the NHS). He too recognises that many firms will do almost anything to get that data back, especially if they don’t have effective back-up systems in place. Many law firms do not have effective back-up systems and have not fixed this area of vulnerability. He records speaking to one organisation which was attacked by ransomware three times in one year, and which paid £150k to the perpetrators but did not invest in a back-up system.
He commented on the ransomware attack on DLA Piper, noting that if one of the largest law firms in the world did not have adequate safeguards in place to protect against a ransomware attack, then it begs the question: who does?
It is clear that these crimes are under-reported for fear of losing client confidence.
The chief executive of the SRA has said that where client money or information is lost, firms need to report it to the SRA. He confirmed that the SRA will take a constructive and engaged approach, particularly if the firm is taking steps to make good any losses to the client, and has demonstrated that it has learned from the incident. See Solicitors Regulation Authority publishes IT security: keeping money and information safe.
He emphasised that the SRA would be in a better position to advise firms on how to protect themselves if it was told about failed incidents as well as about successful attacks.
Firms should be aware of No More Ransom, a site dedicated to stopping ransomware. It is a joint initiative between Europol, the Dutch police and IT companies Intel and Kaspersky, providing a way to recover files affected by four different types of ransomware. The NCA is also involved in international efforts; see NCA publishes statement on international cyber crime incident.
Firms may also wish to consider whether they need cover for their own potential losses from cybercrime, beyond those affecting the client. In the wider business context, it has been increasingly common to take up specific cyber insurance.