In a clear demonstration of its intent to take action against data breaches resulting from poor cybersecurity practices, the Information Commissioner’s Office (ICO), which regulates and enforces the UK’s data protection laws, recently issued a reprimand notice to Durham-based law firm Swinburne Snowball & Jackson (SSJ).

The notice was issued as a result of a data breach that led to fraudulent payments of significant sums of money and subsequent delays in payments to beneficiaries of a probate case.

The breach occurred due to a spear-phishing attack (a targeted malicious email usually designed to trick recipients into disclosing passwords or making payments to criminal accounts), which compromised an employee’s email account. This compromised email account was then used to interfere with the payments.

SSJ reported the breach to its insurers, the Solicitors Regulation Authority, and then the ICO. An independent cybersecurity firm was appointed to investigate. However, the ICO’s subsequent investigation criticized the firm for the following lapses in their cybersecurity:

  • There was no suitable contract in place with their IT provider defining security responsibilities or measures.
  • Multifactor authentication was not in place on the affected email account, despite advice from the National Cyber Security Centre, Solicitors Regulation Authority, and the Law Society promoting this practice.
  • The firm was not certified under the government’s Cyber Essentials scheme, despite this being a requirement of the Law Society’s Lexcel quality standard.

The ICO found that the firm had failed to comply with its obligations under UK data protection laws and decided to issue a reprimand based on SSJ’s prompt notification to regulatory authorities and the appointment of independent cybersecurity experts.

What Law Firms Can Learn from This Incident

There are key learning points for law firms to take away from this incident:

Ensure that your firm is certified with Cyber Essentials. This ensures you have key measures in place to reduce the risk of a cyber attack, including multifactor authentication. This should be considered a minimum standard for any firm and is mandatory for the Law Society’s Lexcel standard.

Ensure you have appropriate cyber response plans in place. This involves a cyber response plan (including who to notify and when) and appropriate cyber insurance. In the event of such an incident, your IT provider may not have the depth of capability required; you will need specialist cyber forensic experts provided by your insurers.

If you experience a cyber attack that requires reporting to the ICO and you lack appropriate protection or response measures, the ICO is likely to take enforcement action. Details of the breach and your lax approach to cybersecurity will then become public, negatively impacting your reputation.

Should you be concerned that the Information Commissioner’s Office may view your firm’s cybersecurity practices negatively, contact us today for a free security audit to determine the necessary actions you need to take.