Recognising that law firms hold large volumes of valuable personal and commercially sensitive information, the International Bar Association (IBA) have published new guidelines dealing with cyber security.
Covering technology, organisational processes and staff training, and providing in addition a number of resources and recommendations, the guidelines are intended to assist firms in keeping secure the information they hold, which can include information about the firms themselves, their employees, their cases and their clients. Indeed, the IBA stress that it is the sheer amount of information held by firms of all sizes that makes them a highly attractive target for cybercriminals. The IBA state that breaches of data security can have devastating legal, financial and reputational consequences for a law firm’s clients and business, as well as for the law firm itself. As such, it is critical that firms have effective cyber security technologies and processes that focus on protecting the confidentiality, integrity and availability of sensitive data.
The IBA have tried to emphasise that the threat of large-scale cyberattacks against law firms is a real risk. It has been reported that attackers have targeted law firms because they hold valuable commercial information and are regarded as ‘weak links’ because they do not usually take cyber security as seriously as their clients or do not have the financial capabilities to invest in efficient technologies that protect the firm from cyberattacks. Global law firms have been the subject of targeted attacks by hackers attempting to acquire insider knowledge ahead of major business negotiations and mergers and acquisitions (M&A).
Even smaller law firms, many of which commonly believe that they are less likely to be a victim of cybercrime, are a target for hackers because they usually have lower cyber security defences due to a lack of financial and human resources. The IBA state that “in 2015, it was estimated that up to 50 per cent of small businesses had been a victim of a cyberattack and 60 per cent of those who suffer a significant cyber breach go out of business within six months. Such attacks will continue with increasing sophistication and frequency. Consequently, it is essential that law firms of all sizes are aware of cyber security threats and have policies and procedures to counter such threats.”
The report from the IBA forms part of its ongoing work on cyber security. The IBA Presidential Task Force on Cyber Security (the ‘Task Force’) has the objectives of:
- producing a set of recommended best practices to help law firms to protect themselves from breaches of data security;
- assisting their ability to keep operations running if a breach of data security or ransom attack does occur;
- giving their clients the best possible assurances that their data is protected; and
- helping protect the reputation of the profession.
The guidelines, which the IBA state are particularly relevant for single practitioners and small to medium sized firms, can be found on their website at www.ibanet.org/LPRU/cybersecurity-guidelines.aspx