Gerald Brent with a timely reminder of the dangers for law firms under the GDPR
Last year’s $4.8bn Yahoo/Verizon deal was arguably a watershed in data protection history. The transaction was delayed for an entire financial quarter solely because of the discovery of two huge historical hacks against Yahoo, perhaps the first time that such a deal hinged on the outcome of a data protection problem. As another warning, as I write the fallout from the breaking Facebook / Cambridge Analytica ‘breach’ has wiped billions from the former’s value.
Yet the real world effects of data leaks do not extend merely to financial losses for speculators. 2017 was also the year when the NHS cancelled operations and diverted ambulances solely as a result of a ransomware attack and, highlighting that law firms are no exception, last June staff in DLA Piper’s offices across the world were told to turn off their computers after their systems were targeted in a ransomware attack.
As information intermediaries and keepers of highly sensitive secrets, lawyers deal in data. Information is one of our core products, so we represent low-hanging fruit for the regulators and for lurking cybercriminals. The Information Commissioner’s Office (ICO) last year issued a record fine of £400,000 against a claims management company which had, without consent, cold-called people in respect of road traffic accident claims and PPI compensation, while as far back as 2014 it investigated 173 UK law firms for a variety of incidents relating to potential breaches of the Data Protection Act 1998. All this was under the current data protection regime. The ICO has asked for a 40% increase in staffing to enforce the GDPR, evidence of a possible surge in active enforcement of data protection rights.
The preliminary steps to prepare for the GDPR remain logical and relatively easy to action: updating a law firm’s terms of business, upgrading software, and making sure the notices which we now have to give to private individuals as to the ‘processing’ which may occur are in place. We (and our peers in other professional sectors) may be forced to ignore an instinct to collect and hoard information, which has in the past informed good performance and the selling of legal services, in favour of one where we simply destroy data when it is no longer required for our legitimate purpose.
How far such a behavioural sea-change will impact on business performance may be determined by whether the firm and its individuals embrace the new culture. If individual lawyers embrace the underlying philosophy of the GDPR, including data minimisation, accountability and that there should always be an underlying reason for processing and holding data concerning an individual, then firms may find it easier to prepare for the inevitable news of GDPR data breaches and fines.
Perhaps the most at-risk law firms are those which do not have sophisticated document and information management systems, such as those which are ISO 27001-compliant, which more easily enable analysis of meta-information on time records or the identity of the individuals who accessed the data. Without being able to understand precisely what information is held and how it is manipulated or ‘processed’, it will be almost impossible to know whether the organisation is operating within the GDPR.
International firms face added complications with the need to comply simultaneously with various jurisdictions’ differing data protection frameworks: last year, China introduced a law, mirroring its Russian counterpart, which requires personal data of its citizens to be stored on servers located within the country. It is therefore not simply the Privacy Shield in respect of US and EU exchanges of data which needs to be navigated by international law firms: the global framework is heavily fragmented when it comes to the protection of private data. Some compliance professionals now admit full compliance will be impossible: the real question is what degree of compliance the particular firm decides is required.
There is also the rise of home working among lawyers. The personal/home environment provides myriad opportunities for data breaches. The home may come to be vetted heavily by compliance, prior to a home-working request being approved or renewed. On one interpretation of the rules of the GDPR, a home in which documents and electronic files are kept and then forgotten is an example of a personal data breach, and therefore the GDPR obliges the law firm itself to notify the ICO of such a breach. I am fortunate enough to be training in a firm which has data protection specialists in-house who are, as I write, finalising new policies and processes for the firm to enable it to comply with the new rules. Others may not be so fortunate.
Clearly, a wait-and-see approach to the future is not appropriate behaviour for a modern law firm. Whilst it is not clear to what extent the Solicitors Regulation Authority (SRA) and the ICO will collaborate and share information concerning the overlap between breaches of the GDPR and the SRA Code of Conduct, it would be very surprising indeed if a law firm which had breached principles of client confidentiality then went on to escape accountability under the GDPR, and vice versa.
It is perfectly clear to anyone who works in a UK law firm that cyber criminals target the email accounts and intranets of such firms in increasingly sophisticated ways. I have seen countless examples of fraudulent emails and malware. Increasingly, firms will train staff to recognise and respond to these threats, but the possibility of another landmark organised hack of a commercial law firm remains very real. The consequent disruption and commercial consequences, allied with the enormous fines which the GDPR empowers authorities to levy for the data breaches such hacks entail, should frighten law firms into deep and pervasive reform.
Gerald Brent is a trainee solicitor at Fladgate LLP