Prevalence Of Cybersecurity Attacks

Kevin Modiri

It is clear that cybercriminals have viewed Covid-19 and the various lockdowns as a great opportunity to increase their targeted efforts against both individuals and companies. The scale of cyber scams is at an all-time high and it is clear that even large organisations are falling victim to such attacks. Indeed, even the legal sector is not immune to such cyber-attacks.

Cybersecurity attacks in the legal sector

It was reported recently that Gateley Plc, a large law firm listed on the London Stock Exchange, was the victim of a cyber-attack in which it lost 0.2% of its data in respect of clients. As with most well-run law firms, it would be expected that Gateley would have in place extensive staff training, good IT equipment/protections and an effective IT team. The report that the Law Society published on the incident contains confirmation that the IT team at Gateley Plc acted decisively and quickly in tracing and deleting the lost data from the source that it was downloaded to. This affirms the writer’s thoughts that Gateley will be well resourced with a view to protecting itself against a cyber-attack. They are, therefore, a good example to highlight the fact that no organisation in the world can truly insulate itself against these hackers.

The impact the cybersecurity attack has had on the business

The full effect of this data breach for Gateley is yet to be seen, but the immediate impact is that it has wiped 8% off their share price. This is likely to be in anticipation of the fall-out that such a high-profile data breach could have.

Reputational damage

The first point to note is that existing and future clients may be deterred from using the firm in the future as they may perceive (rightly or wrongly) that their data is not secure. In some areas, such as corporate transactions and dispute resolution, client confidentiality and the security of client data are of paramount importance: if the information stored on the solicitor’s file is made available to the opposing party in the dispute or transaction, this could give that party an unfair advantage. It is, therefore, conceivable that in addition to the loss of share value, turnover, certainly in the short term, could be affected as clients decide whether they wish to remain a client of Gateley or to take their business elsewhere.

Fines

In addition to the above-referred issues, there are very heavy fines that the Information Commissioner’s Office (ICO) can levy for data breaches. In the Gateley scenario, it would be very surprising if the ICO issued a fine. The ICO is more likely to issue fines where there has been a flagrant disregard for data protection, rather than incidents where well-run organisations have fallen victim to a targeted attack. The ICO website makes this clear as it states:

“Will the ICO always issue a fine if an organisation gets something wrong?

No. Fines aren’t suitable for every breach.

Our fines and penalties may grab the headlines, but we know that our work with organisations, helping you to make changes and improvements to comply with the law, is the most effective way of reducing mistakes and misuse of people’s data.

We’re here to help you get data protection right, through our events and our support and advice services.

If things go wrong, we want to work with you to decide what improvements we expect from you and provide advice to help you get it right in the future.”

In this regard, the fact that Gateley’s IT team appeared to be very proactive in tackling the breach and targeting/retrieving the lost data will no doubt put the ICO’s mind at rest.

Compensation

The final point to note is that those clients affected by their data being lost may be entitled to compensation.

Article 82 of the GDPR and section 168 of the Data Protection Act 2018 confirm that where there has been a breach of the data protection principles, an individual whose data has been compromised is entitled to compensation. That compensation is expressly noted to include distress and, accordingly, it is conceivable that Gateley could be pursued by clients affected by the data breach, whether or not it has resulted in a tangible loss, as distress is sufficient.

Whilst compensation for distress is technically payable for a data breach, the levels of such damages are likely to be in the hundreds of pounds rather than thousands and, accordingly, whether it would be cost-effective for clients to pursue such claims is questionable.

There are, however, large marketing agencies that have started to appear which gather together these claims in the hope that they reach critical mass in terms of forming a class action, which is what recently happened against organisations such as EasyJet. If, however, clients have suffered additional losses as a result of the data breach, whether this is an impact on their transaction or, for example, them becoming the victim of identity theft, these losses may also be recoverable.

As stated above, no organisation is able to entirely insulate itself against cyber-attacks. If damage to public perception of an organisation, fines and compensation claims are to be minimised, it is essential that organisations invest their time and money in ensuring that their staff are adequately trained and their IT systems are fit to provide them with the best protection available.

How Nelsons can help

Kevin Modiri is a Partner in our expert Dispute Resolution team.

Whilst the team at Nelsons cannot provide assistance with the IT systems, if your organisation has fallen foul of a data breach, whether accidental or as a result of a targeted attack, we can assist in dealing with the aftermath in terms of reducing the impact of any data breach.

Should you be affected by a data breach and wish to seek advice, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester or Nottingham on 0800 024 1976 or via our online enquiry form.
