
Jean-Yves Gilg, Editor, Solicitors Journal

Anticipating breaches: How to prepare for the loss of client data

Sarah Mumford outlines the key stages in preparing for the loss of client data


Three things you will learn from this Masterclass:

  1. The areas to cover in ensuring your firm is ready to respond to data loss

  2. Which questions to ask about your firm’s systems, processes and training

  3. How to ensure clients’ data requirements are understood and enforced


Someone somewhere in your firm today is being careless with data that your clients expect you to protect. One day, carelessness will lead to loss. Information security is near or at the top of the risk registers of many law firms, reflecting the paradox that data has never been so easy to lose and clients have never been as concerned about the issue.

Managing partners who delegate the specifics of security to IT, or loss investigation to the risk team, will miss a trick if they do not think about this subject themselves (preferably before a significant data loss occurs), ask informed questions about the firm’s systems, processes and training, and ensure that clients’ data requirements are understood and enforced. As with all plans, it is helpful to test your response to a serious data loss by scenario planning in advance. It will also help to clarify responsibility for collateral issues such as reputation management.

For the purposes of this article, ‘data’ means information (whether in electronic or paper form) which is client confidential or business confidential. Personal data may be found in either category, but data loss is a wider issue than data protected by the UK Data Protection Act.

Creating a plan

When a problem arises, it is essential to build in some reflection time to ensure the response is swift, purposeful and correct. The following methodology builds on that suggested by the UK Information Commissioner’s Office (ICO) for investigating a breach of personal data. It is not a strictly linear process, however: some steps will run concurrently and others consecutively.

Are you a target?

  • Your clients’ data may be of great interest to other organisations or governments. Have you protected this information sufficiently, whether at rest or in transit?

  • Is your firm the weakest link in the chain of your client’s information?

  • How would you know if your firm was the subject of a targeted attack? Many hacking victims find out from law enforcement.

  • Do your organisational defences (cyber and physical) match the threat?

  • Be prepared to answer: What is lost? Where has it gone? Who has got it? Why did it happen?


Questions to ask

Among the first questions that you need to ask are the questions that will be asked by the owner of the lost data (which, for the purposes of this article, is the client).

What, exactly, happened? Is it a ‘one off’ loss caused by incompetence, inadvertence or bad luck – or a toxic combination of all three? Was it an accident waiting to happen because of slack processes and insufficient training or more general systems failure? If the loss was caused through targeted action or a deliberate malicious act, then a parallel investigation is likely to be called for (see box: ‘Are you a target?’).

Is the item lost or misplaced? A solicitor gets back to the office to find that a core bundle is missing. Was it left in counsel’s chambers? In the robing room? On the taxi or train home? A different response is required for each.

What was lost? It is not enough to say ‘a laptop’ or ‘a USB stick’; you need to know exactly what was on it. There are some data types that require particularly careful handling. These include:

  • health and social care data (almost always sensitive personal data), with extra complications if there is a US connection. Note that, since last year, the NHS information governance toolkit’s incident reporting tool must be used for level-two UK data losses – it is likely that these requirements will be stepped down through client standard terms;

  • data held for financial institutions;

  • data processed from other jurisdictions;

  • credit card processing; and

  • any data type which has been identified by the client as requiring special handling (either in relation to a specific case or generally in the client retainer). It is essential that a wider group than the client service team is aware of any specific client requirements, not least in case a data loss occurs.

Containment

First, ensure the situation doesn’t get any worse. Once you lift the stone, what is underneath it?

There may be some immediately obvious steps to take, such as wiping data remotely, changing access codes and so on. At the most serious end of the spectrum, you should consider proactive containment, such as a civil search and seizure order.

Email fat finger

Email is probably the most likely type of data loss that a law firm will encounter, but it is striking how few basic strategies are encouraged to slow down the process of pressing ‘send’ before the sender is in fact ready. These range from using Outlook rules to delay sending, to addressing all drafts to oneself until the message is absolutely ready to go.

For UK law firms, it is worth remembering Indicative Behaviour 4.4(d) in the Solicitors Regulation Authority’s Code of Conduct: one of the few exceptions to the duty of disclosure is when it is obvious that privileged documents have been mistakenly disclosed to you. So, if the data has been sent to another firm, the recipient should be informed as soon as reasonably practicable of the precise status of the lost data and reminded of the indicative behaviour.

Assessing the risks

The ICO’s suggested interim step is a risk assessment. Its focus is on personal data and, from that perspective, the most important issue is an assessment of potential adverse consequences for individuals. However, this step has merit regardless of data type.

Consider impact against likelihood. Is it likely to be serious or substantial? It is helpful for a number of reasons to record the risk assessment in writing and to revisit it regularly as the investigation proceeds. You will also need it when it comes to reporting the data loss to the relevant authorities (see box: ‘Who should be notified and when?’).

Evaluation and response

The evaluation and response process is the generally understood quality loop, but it becomes mandatory if you have notified the ICO. The evaluation completes the written record and can be used to demonstrate (internally and externally) that lessons have been learned and improvements made.

Reporting lines

The master plan for data loss incidents should be clear about responsibilities for running any investigation and learning the lessons. All data losses (except those of the most trivial nature) should be recorded on the firm’s incident log and regularly reviewed so that lessons are learned. The reviews should show the specific outputs. For example: ‘guidance on email safety revised and re-communicated’ or ‘policy enforced of encrypting all USB sticks containing client data’.

Data loss toolkit

  • Be prepared – have a tested plan

  • What happened?

  • What was lost?

  • Contain and recover

  • Assess the risks

  • Who should be notified?

  • Evaluate and respond

  • Learn the lessons


Gap analysis

A gap analysis of information security is a useful tool to understand where effort should be applied to prepare for the worst and make an incident less likely. Many firms find that, in answering detailed client questionnaires, they have largely completed such an analysis. It is likely that the analysis will find room for improvement in a number of areas; do not be surprised if the majority are people-based and/or behavioural.

People

  • Are you confident that you have given sufficient training to all relevant people about how to keep data safe?

  • Is it easy to find your guidance on how to keep data safe and what to do in the event of loss?

  • Have you reinforced your expectations about what is checked, and by whom, before it is sent? Do your colleagues know that certain types of data must be sent or stored in a particular way?

  • Do you have an open culture (reinforced with a fair whistleblowing policy) to ensure that you know centrally of all non-trivial incidents?

Cyber safety

  • If deliberate targeting of the firm’s data is likely, should you commission ethical hacking and other penetration tests?

  • Have you considered whether your policies for mobile devices (including bring-your-own-device) enhance or hinder your contractual requirements with existing clients?

  • Do members of your IT department know what to do and whom to contact if they become aware of a security breach?

  • Do your governance arrangements have explicit data security elements? For many firms, the risk function reports to an audit and risk committee. Is cyber safety a fixed agenda item? Does the subject have a board sponsor?

Physical security

  • Have you reviewed your contracts with suppliers handling your data (such as couriers and records management companies)? Are they aware of your security requirements? Do you audit this?

  • When did you last review any access codes or audit your security pass arrangements? Are you confident that you know who has access to the areas in which confidential information is stored?

Who should be notified and when?

  1. Information Commissioner’s Office. Must you report? Should you report? Was the loss in the private or public sector? Were you a data controller or a data processor? There is helpful guidance on the ICO website. In the private sector, you should report if a large number of people are affected or there are very serious consequences relating to, for example, the volume of the material and/or the sensitivity of the data. However, a number of firms take the view that, if their client has an obligation to report to the ICO, the firm should be proactive and report to the ICO as well. This is a balancing exercise and the reasoning should be recorded in writing.

  2. Compliance officers and regulators. In the UK, the Solicitors Regulation Authority will need to be notified of a material breach. Your compliance officer for legal practice (COLP) should therefore be aware of the issue as soon as it comes to management attention. Foreign regulators may also need to be notified.

  3. Your client and/or the data subject. The client should be told as soon as possible, on the principle that it is better to hear bad news from you than from someone else. However, timing is important because it is clearly more effective to be able to be precise about the loss and the plan. If the lost data is third-party data given to you by your client, the client retainer may be very specific about what you say directly to the data subject.

  4. Many argue that the data subject must be told if you know that the data has been leaked or there is something the data subject could do, such as cancel a bank card or change a password. It is worth noting that the ICO recommends that, if you are concerned that a bank account may be compromised, it is best to go direct to the bank rather than the account holder, since the bank will be able to act more quickly.

  5. Your insurers. There are a number of policies which might respond, including professional indemnity, management liability and cyber liability. Be fully aware of the different notification requirements and extent of cover well before the need to notify arises.


Limiting the damage

A Data Protection Bill is expected shortly in the UK and is likely to contain increased reporting obligations. Commercial clients are expected to be ever more precise in their information security requirements.

Information security risk is not a matter that only concerns your IT department or compliance officers: it should concern every member and every person to whom the members delegate their management obligations.

A known and rehearsed response plan can help to limit any actual or reputational damage. The very act of planning should, however, give you the data you need to reduce the chances of a serious data loss occurring. But, if a data loss does occur, be prepared to delve: the loss may turn out to be a symptom of a wider problem.


Sarah Mumford advises law firms on risk management and was previously best practice partner at two commercial law firms (sjm@sarah-mumford.com).