By David Bowles, Ethics Solicitor, Queensland Law Society
Maintaining information security is now a basic professional skill.
Criminals have learned that even small legal practices handle large funds transfers and a lot of valuable client data. They now have easy access to software and attack systems which will find and exploit common weaknesses in many law firms’ funds and information handling systems.
Criminal groups – some offshore, some in Australia - specializing in preying on law firms have made millions and are now a permanent threat surrounding every law firm. Since 2017 there has been a significant escalation in cyber-intrusion on small and mid-sized law firms – as many as four attacks per day in Queensland alone.
Every law practice handling client money and client data in a connected world must – as a matter of basic competence – develop the skills to protect both from criminals.
Cyber-attacks have profound consequences for law firms
The effect of an attack is always significant, sometimes devastating. Consequences include:
- direct financial loss to clients;
- significant costs investigating incidents, repairing networks and replacing data (even small firms may incur costs between $10,000 and $50,000);
- damage to reputation and lost clients (average revenue drop of 7.5%, which translates to around 25 – 50% reduction in profit for at least a year);
- loss of access to critical data and infrastructure; and
- protracted disruption to day-to-day work and communications.
Many of these consequences apply even if the criminals were unsuccessful in stealing money. Information compromise can be almost as damaging.
A Solicitor who pays out trust funds on a forged authority must make good the default immediately, even if they acted in good faith and without negligence.
‘It was like making a major mistake on all my files simultaneously. I have never felt so overwhelmed.’ - A small city firm Partner
Client money lost by the firm is usually covered by professional indemnity insurance, but most of the costs listed above are not covered.
A firm may not survive the disruption, financial losses and damage to client confidence arising from a major data breach, with immediate and lasting damage to relationships built over many years.
Don’t Panic – you can fix this.
Most attacks on law firms come through the same channels, and a few basic measures can block these. Law firms manage risk every day, and are good at following procedures when given a clear leadership plan to follow.
You do not even have to be particularly good at IT to effectively manage the information security risk – but it does require that the firm take the issue seriously and commit to building a security culture.
If you would like assistance and some guidance on where to start, feel free to contact me at the QLS Ethics and Practice centre on 3842 5937.