The Data Protection Act 2018 (DPA), which supplements the General Data Protection Regulation (GDPR) in UK law, introduced new responsibilities for law firms. These have been reinforced and added to by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which carried the GDPR's requirements into UK law after Brexit as the UK GDPR.
Given the vast amounts of highly sensitive personal data handled by law firms, they are under scrutiny. It is not just IT teams that have to ensure that data is held securely with a clear audit trail; data controllers (those who decide why and how personal data is processed) need to be aware of their responsibilities and able to demonstrate that suitable systems are in place and being followed.
The ICO can now issue vastly increased penalties. The upper limit is 20 million euros (£17.5 million under the UK GDPR) or 4% of a firm's total annual worldwide turnover, whichever is higher.
Our experts work with law firms to ensure they are in a position to comply with data protection requirements. Our services include:
- a full data protection compliance assessment to analyse your firm’s current data protection measures, identify areas of deficiency and establish what measures will need to be taken to ensure compliance under the new regulations;
- a review of existing systems, policies and procedures against regulatory requirements, including the following key areas:
  - rights of clients and staff in relation to their data held by the firm;
  - remote/home working;
  - Subject Access Requests (SARs);
  - client care documentation/terms of business;
  - steps to safeguard data, and monitoring procedures that keep track of where data is held and who has access to it;
  - physical security arrangements;
  - practical steps to avoid data security breaches;
  - file opening, file management and file closing procedures, risk assessment procedures and file review procedures;
  - mobile devices;
  - removable media;
  - conflicts and confidentiality;
  - procedures regarding data sharing;
  - necessary steps to take when another company processes data on your behalf (data processors), including the written contract required with each processor;
  - retention and destruction of data;
  - appropriate handling of data security breaches.
- provision of any necessary new systems, policies and procedures tailored to your firm’s circumstances;
- training of your firm’s Data Protection Officer and staff at all levels of the firm to ensure they have sufficient awareness of how data protection relates to their particular roles.
Cyber Security and Fraud Prevention
Online crime is widespread, diverse and increasing at an alarming rate. Law firms are particularly attractive targets as they handle large amounts of money, commercial information and sensitive client data.
With law firms in England and Wales reporting a total loss of £731,250 of client money in the first six months of 2019 alone, cyber attacks remain amongst the most persistent and imminent threats to law firms. Firms are expected to keep their systems and processes under constant review to protect clients’ assets and data. Although high-value conveyancing transactions are obviously exposed, any transactional work should be treated as a potential area that could be attacked. Firms that do not hold client money should not assume that they are of no interest to cyber criminals as any loss of confidential information could significantly harm the interests of their clients.
The introduction of the Confirmation of Payee system means that, for banks that have signed up to the scheme (initially the six largest banking groups), the payer's bank checks the name entered for a new payee against the name held on the receiving account and warns the payer before the payment is sent if the two do not match. This makes email modification fraud (where a criminal alters the bank details in an email so that funds are sent to an account they control) much harder to commit. However, criminals will continue to develop ever more sophisticated methods and technology to extract money and obtain sensitive data, either by tricking firms into giving away information, by infiltrating systems, or by a combination of the two.
A regular review of internal systems and processes is critical, as is ensuring that staff are aware of recent developments and best practice so that the risk of human error is limited.
We carry out a comprehensive on-site cyber crime and fraud risk assessment that looks at all of the systems and processes in place across your firm. Following the risk assessment, you will receive a detailed written report highlighting areas of possible weakness and offering practical solutions.
It is a common misconception that cyber crime is usually directed at poor technology controls. People are often the weakest link: most successful attacks on law firms rely on tricking a member of staff rather than defeating a technical control, and human error is a contributing cause in many of the most serious security breaches.
We provide cyber crime and fraud prevention training, covering:
- how cyber crime affects you and your clients
- current developments
- how to recognize cyber crime and fraud attempts
- measures to protect your firm’s assets and
- what to do in the event of an attempted or successful fraud.
Following our visit, you will also receive a bespoke cyber crime and fraud prevention policy which gives everyone in the firm practical advice to pre-empt breaches.
Finally, we will also provide you with a bespoke cyber attack / fraud incident management plan setting out who does what in the event of a successful attack, so that damage is minimised and the firm can contain, report and recover from the incident with the best possible result.