Now that nearly 18 months have passed since the General Data Protection Regulation became law, solicitors’ practices and barristers’ chambers have three strong motivators (other than their own desire to offer the highest level of professional services) to protect their data.
First, if a data breach does occur and the Information Commissioner’s Office believes that your firm was negligent in allowing that breach and/or that you didn’t follow up the breach correctly, then you may be subject to a significant financial penalty.
Second, reputationally, the effects of a data breach could be significant. Not only will you have to email all parties who may have been impacted by the event, you will then have to justify why these very same clients should continue to trust you with their sensitive personal and commercial information.
Last, operationally, the recovery of lost data and the level of work needed to allow your practice or chambers to return to normal could involve days of disruption and a significant level of expenditure on IT consultants.
Sprout IT are legal IT specialists and we continue to help clients prepare to withstand the increasingly sophisticated cyberattacks which expose valuable data to the possibility of theft.
In this article, we examine the four main approaches your practice or chambers should take to offer the highest levels of protection to clients.
A culture of cybersecurity
Data protection is the responsibility of everyone within an organisation, particularly legal firms handling personal and commercially sensitive data. But does everyone in your firm know that they are expected to be responsible for protecting that data? And even if they are, do they know what a cyberattack looks like and how they should respond if they spot one?
Furthermore, do the leaders and senior managers in your firm realise in which areas you are currently providing strong protection and where you need to improve? According to PwC, fewer than one in six senior management teams within legal firms have taken part in training to successfully manage crises in the last year.
Make someone responsible
Data protection policies, procedures, and processes need to be updated on a continuing basis – the first step is to appoint someone to that role and to give them responsibility for data protection. That person needs to understand what technical and human-related areas need improving and then to buy in the equipment needed and to provide the training to top up colleagues’ knowledge.
A culture of security and privacy
For too many organisations within and outwith the legal sector, a firewall is a technical device to stop cyberattackers from infiltrating their computer networks.
As important as technical firewalls are, you also need a human firewall, because many successful attacks on companies’ systems rely on a member of staff being duped (by email or phone).
On most occasions, the staff member will not be aware, following a successful cyberattack, that anything has actually happened. It may be days, weeks, or even months before they or someone else within your firm realises that there has been a data protection breach.
In addition to ongoing training and briefing for staff on cybersecurity issues, your staff need to feel responsible for defending their part of your castle walls. And you need to give them the tools and the insight to do it well.
Comprehensible for staff
For non-IT staff, data protection can be an unprepossessing and somewhat esoteric subject. Your ongoing training and any occasional memos or updates on data protection should be written assuming absolutely no knowledge on the part of the reader. The surest way to prevent someone from becoming engaged in a company-wide activity is to shut them out with impenetrable language.
With all policies, procedures, and processes, illustrate examples as best as you can with screenshots and how-to guides. If you send staff an update email on the progress of the business every week, send a second email each week keeping staff informed about progress on data protection issues – let them see what successful attacks look like and the effect they have on other commercial enterprises (especially competitors).
Data protection with Sprout IT
Sprout IT provides high quality legal IT support, cloud & consultancy for the legal industry, 24/7 service, 365 days. We have been promoting data security and utilising the best cyber resilience technology and techniques since we began.
We believe in building and testing the most suitable technology products and solutions for each of our clients. We’re able to assist you in training your staff and in the germination and cultivation of data protection as a culture within your practice.
To speak with one of our team about protection for your solicitors’ practice or barristers’ chambers against the growing threat of targeted cyberattacks, please call Sprout IT today on 020 7036 8530 or email us.