
Cyber Warfare – Now a battle on two fronts?


By Patrick Hill


Published 14 December 2020

Overview

IT security is firmly in the spotlight as COVID-19 has increased pressure on IT systems to support homeworking and other forms of remote interaction. Whilst there are undoubtedly many benefits to homeworking, there is a clear and obvious risk to law firms given that many staff will be working on devices which are less secure than those provided as part of the office network. Cyber criminals are looking to capitalise on that potential weakness by increasing the frequency of phishing and other scams.

The SRA has reported that the first two months of lockdown alone gave rise to a 300% increase in phishing scams. In the first half of 2020, the SRA reported that almost £2.5m held by law firms had been stolen by cyber criminals, representing a three-fold increase in the amounts reported during the corresponding period in 2019. Aside from the obvious financial exposure, there are two further issues which might arise as a result of a phishing attack.

 

SRA Investigation

Any incident which affects client money or information should be reported to the SRA. The SRA has indicated that it will take a proportionate view of the incident, taking into account whether the protective measures the firm had in place were reasonable. It will also take into account how the incident was handled and any remedial action taken. Depending on the severity of the incident and the degree of culpability on the part of the law firm, the SRA may choose to impose a sanction as appropriate.

The SRA publishes details of recently issued scam alerts on its website, with the aim of alerting any members of the public or businesses who may potentially be impacted by the incident; for example, if they have received a fraudulent phishing email purporting to come from any of the firms mentioned. In this regard, the SRA itself was targeted by a firm of cyber criminals who sent out a number of e-mails purporting to come from the SRA containing a compliance questionnaire which they requested be completed. The e-mails were generated to come from an e-mail address designed to mimic a genuine SRA e-mail account. However, the scam alert register on the SRA website is publicly available, and the fact that a firm has been targeted by cyber criminals and potentially been the subject of an e-mail attack or data breach will be publicly accessible.

 

Privacy claims

We know that claimant law firms are actively seeking clients who may have been the victims of a data breach, and monitor the SRA website to see which firms may have been impacted. In certain circumstances, a firm may then face privacy claims from individuals who may have been affected by the breach in question. Whilst privacy claims are typically brought for relatively small amounts (up to £3,000), disposing of them can be time-consuming and expensive when the claimant’s costs, any CFA element and ATE insurance premium (where different rules apply for privacy claims) are taken into account.

 

Conclusion

Firms should ensure that their risk management processes reflect the current working environment and that client and confidential data is protected to the best of their abilities. They should also be aware of the potential exposures to privacy claims in the wake of any incident which is reported on the SRA website.
