In this piece, I expand on the issue of cybercrime as a serious threat facing law firms. This topic was first introduced in the piece titled Some Challenges Facing the South African Legal Fraternity.
The impact of cybercrime has escalated within law firms. According to Joanne Cracknell, legal PI specialist and Divisional Director at FINEX, 2019/20 in particular, will see an increase in law firms being targeted (www.lawyer-monthly.com, accessed on 07-08-2019). The legal profession routinely deals with confidential and sensitive client information and has access to vast sums of client monies. These are extremely valuable commodities to cyber criminals. A cyberattack or breach can have serious consequences for law firms, including: theft of client monies and assets, breaches of confidential and sensitive information, structural and financial instability, reputational damage, damage to IT infrastructure and loss of clients.
Cracknell (www.lawyer-monthly.com, accessed on 07-08-2019) discusses examples observed in the United Kingdom and internationally –
- International law firm DLA Piper publicly fell victim to the large scale ransomware NotPetya attack in 2017, creating catastrophic interruption in business and operations.
- The offshore law firm, Mossack Fonseca closed in March 2017 as a result of irreversible economical and reputational damage as a consequence of the Panama Papers leak, exposing more than 11.5 million documents containing sensitive information about the firm’s wealthy clients and public office clients.
- In October 2017, law firm Appleby experienced a data breach known as the Paradise Papers exposing names and financial information of high profile and high net worth clients.
According to Cracknell (www.lawyer-monthly.com, accessed on 07-08-2019), email modification fraud and business email comprise are the most frequently used methods of cyberattack against law firms. Other lesser utilised scams include phishing, smishing and vishing that involves criminals sending emails in order to obtain confidential or other sensitive information. Another method is the use of ransomware where data can be “taken hostage” as a result of IT systems being infiltrated by malicious software.
The International Bar Association (IBA) has also identified the threat of large-scale cyberattacks against law firms as a serious risk. It has been reported that attackers have targeted law firms because they hold valuable commercial information and are regarded as ‘weak links’ because they do not usually take cybersecurity as seriously as their clients, or do not have the financial capabilities to invest in efficient technologies that protect the firm from cyberattacks.
In this regard, the IBA has released a valuable report with the following objectives: producing a set of recommended best practices to help law firms to protect themselves from breaches of data security; assisting firms in their ability to keep operations running if a breach of data security or ransom attack does occur; helping firms to give their clients the best possible assurances that their data is protected; and helping protect the reputation of the profession.
In the South African context, the Law Society of South Africa released the 2018 Guidelines on Information Security for South African Law Firms. This helpful guideline by Mark Heyink was compiled as a tool to assist South African attorneys in understanding their information security obligations. Although the guideline can be used as a general framework, each practice is different and will have to apply the principles in accordance with the nature of the information and firm.
As Heyink suggests, attorneys are knowledge workers and information is the lifeblood of any attorney’s practice (p, 5). Attorneys have significant amounts of client information entrusted into their custody and as such security of information is simply good business practice. More importantly, the failure to safeguard information properly may have legal consequences. Therefore, the proper governance of information on which practices depend is an undeniable obligation of every attorney (p, 5).
Heyink states that at this time, there is no research available as to how South African law firms safeguard information owned by or under their control (p, 5). While some practices have embraced technology, others are unwilling participants and have been slow to implement appropriate information management and security. Heyink’s personal experience and interaction with law firms in general, indicate that most law firms’ understanding of information security is poor (p, 5). Even amongst those more progressive firms that have invested heavily in technology information, security is not high on most attorney’s agenda (p, 5).
For Heyink, education in the implementation of information security will assist attorneys in taking advantage of the enormous benefits good information governance, management and security will yield their practices (p, 6).
In this regard, it is important to understand what the discipline of information security aims to protect, namely, confidentiality – ensuring information is accessible only to those authorised to have access; integrity – safeguarding the accuracy and completeness of information; and availability – ensuring users have access to information and information systems to process information as and when needed (p, 7).
According to Heyink, the three important components with regards to information security are technology, people and process (p, 7). All three need to be addressed properly in order for a law firm to have a credible information security management system (ISMS). In addition to the three principles of confidentiality, integrity and availability, management systems must also address the issue of “resilience” (p, 7). Resilience refers to the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions to information systems. The myriad of cyberthreats that exist do not render even the best prepared organisations immune from possible disruption. The ability to react quickly and smartly to a breach will significantly reduce to potential for reputational damage (p, 7).
Heyink explains that in terms of information security obligations, there has been expansion of the obligations of entities holding information in electronic form to implement reasonable, organisational, physical and technical measures to safeguard information under its control (p, 11). Even in the absence of legislation or case law obliging holders of information, persons responsible for the governance or management of an organisation have a duty of care to stakeholders of the organisation and third parties on whose behalf they may hold information to ensure that they exercise due diligence in properly safeguarding information (p, 11).
This duty of care is recognised in more general terms in the Companies Act, The King Report IV and The Protection of Personal Information Act, which bring with them significant change to the ICT Governance landscape in South Africa (p, 15).
What becomes of important is the distinction between the governance of information and the governance of information technology (p, 17). Heyink explains that while IT plays a critical role in providing appropriate technologies and support for managing information appropriately, controls of access to information and safeguards for information remains with the owner, or the person responsible for the information and is not an IT responsibility (p, 17).
“It is simply not acceptable in dealing with the practice’s information and that of its clients that decisions in this regard be delegated to persons responsible for IT (in many cases to third parties who provide technical IT assistance) who have no understanding of the attorney’s responsibilities to safeguard information or the importance of the information to the practice” (p, 17).
From a legislative and regulatory perspective, the recognition of the importance of cybersecurity has been the development of the cybersecurity policy framework and the resultant Cybercrimes and Cybersecurity Bill. This Bill has of course been widely criticised as a result of the fact that it is heavily biased in favour of national security and law enforcement at the expense of freedoms of citizens. Heyink argues that although there are valid criticisms of the Bill, there is no doubt that legislation addressing cybercrime and cybersecurity in South Africa is long overdue (p, 16).
Heyink hopes that the report will persuade readers that information security is an immediate requirement, that information security is an ongoing process which much become a core competency within organisations, and that each day without security places the organisation at risk (p, 16). For Heyink, those practices that take information security seriously and can demonstrate inherent ability to protect information (particularly personal information) properly will gain an important advantage in the market place (p, 17).
Heyink’s framework provides important guidelines, and offers a good starting place from where to strategically tackle the issue of information security.
Hardly a week goes by without reading about some or the other cyberattack. Given the nature of the information that law firms deal with, as well as the fact that they deal with large sums of money, firms should, at all times, prioritise good security and information management.
Ultimately, by implementing effective policies and procedures to deal with cybercrime and creating a culture of cybersecurity awareness, law firms will be establishing strong foundations to minimise their exposure to cybercrime and the threats that stem from cybersecurity failures.
Yvonne Jooste
Independent Consultant