The implementation of GDPR is likely to have far-reaching consequences. It will standardise data protection regulations and introduce strict financial penalties. Far greater than any which we have seen before. For law firms that are responsible for a wealth of sensitive client data. This is likely to be a challenging time as they strive to get ready for the new restrictions enforced by the GDPR.
However, GDPR is not just another tick-box exercise that can be set aside once compliance is achieved. Not only are there actions firms will need to carry out regularly, but there are also future risks to consider. The cyber security landscape is ever-changing and the risks are only increasing. As GDPR further widens the definition of personal data and places an even greater monetary value upon it. This potentially increases the risk of cyberattacks against law firms.
The future for law firms
You can expect to see indemnity insurance premiums ramp up considerably. The penalties for data breaches are going to be high.
Traditionally firms may have tried to keep any data breaches under wraps, however now with GDPR, they will have to report the breach to the ICO. Under GDPR firms must report the data breach within 72 hours of discovery. Failure to do so will lead to significant fines on top of any applicable fines for the breach. As data is often stolen during a breach this could have a significant reputational impact. Hackers could also use that stolen data to hold the firm to ransom.
GDPR will further fuel the rise of ransomware attacks as the impact on the target is now so much greater. Right now, and previously, attacks were mainly an inconvenience for the majority, you typically reverted to the last backup. It would be painful but the damage was often contained. With the GDPR, the impact will be higher as the party held to ransom will want more than just the return of their data. They will want to prevent that data from being leaked due to the potential fines. It’s common for ransomware creators to now build in technologies that steal information before locking a business out. The introduction of GDPR will be just as effective as the traditional encryption payload incorporated into ransomware.
Phishing attacks are also likely to increase. I would expect to see the complexity and sophistication of these attacks increase, alongside the rise in ransomware. The potential earning for the fraudsters has now begun a “global arms race”. Initially, attacks have been widespread and not necessarily focused on the legal market. However, several significant breaches alongside their reluctance to invest in appropriate security by large swathes of small and mid-market firms will make these organisations an attractive target.
The risks to law firms are real and should be addressed through a standard risk register, with applicable controls applied. In reality, many firms will need to invest in improving their security systems, alongside ensuring they are compliant with GDPR. This is completely essential and cannot be ignored, some firms are simply fortunate that they haven’t been breached. At the end of the day if there is a risk of burglaries it makes sense to put in an alarm.