Cyber attacks may trigger applicable data protection laws.
Access to sensitive information may be withheld pending the payment of a ransom, or may be published without authorization, if such a ransom is not paid. Moreover, personal data may be revealed even if the focus of the attack was ultimately a withdrawal from the client account, or a transfer of monies into a fraudulent account.
Data Protection – Before the Attack
Solicitors should consider how relevant data protection laws apply to their own practice in operational terms. For example, which categories of personal data are processed in which manner, relating to which data subjects, and whether there are appropriate technical and organisational measures in place to process such personal data in a safe and secure manner.
Such measures may include:
pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effective of technical and organisational measures for ensuring the security of the processing.
Data Protection – After the Attack
Both an unsuccessful and successful attack may trigger applicable data protection laws. You should familiarise yourself with your reporting requirements where a personal data breach (as defined by law) may have occurred. Depending on the situation, even the unauthorised access to personal data (without further unauthorised publishing to third parties) may in itself constitute a personal data breach. You should consider seeking legal advice from a colleague if this is not your area of expertise.
Detailed guidance on reporting requirements, as well as issues such as security firewalls, remote access and incident responses, is available on the Data Protection Commission website. The Law Society has published guidance on data protection for solicitors. You should consider seeking legal advice from a colleague if this is not your area of expertise.