
Cyber security fundamentals

Get insight on preventing an attack, what to do if you are attacked, and links for other helpful resources.

Why cyber security matters

In line with global trends, cybercrime is a rapidly increasing problem for both the profession and clients. Client account funds and confidential information relating to firms and clients are attractive targets for cybercriminals. Unfortunately, Irish firms, their clients and vendors have been victims of increasingly sophisticated attacks.

An attack can affect your firm, your client relationships, your reputation, and your firm's finances. However, armed with appropriate knowledge, support and training, you can significantly reduce the risk of a successful attack. In this section, we detail how several common cyberattacks work, and provide links to useful resources.

Common types of attack

Cybersecurity protects your IT systems from vulnerability and attack, protecting your clients, your staff, and your financial and other assets. 

In a law firm environment, the attacker's ultimate goal is either sensitive information or access to your bank accounts.

Threats involve, but are not limited to:

  • Malware, which includes viruses, worms, Trojan horses, spyware and ransomware. These attacks result in the theft, deletion, alteration or hijacking of your information and/or network.
  • Phishing, which is the malicious use of emails, text messages, phone calls, or websites. In a law firm environment, attackers could use phishing to obtain confidential information on your clients or passwords to your bank accounts, or to trick people into downloading malware.
  • Impersonation and social engineering, used to trick you or your staff into opening a phishing email, installing malware, or transferring money to a fraudulent bank account.

Most cybersecurity attacks require human interaction, meaning that you and your staff are your main defence. Training, behavioural change and policies complement efforts to protect IT software and hardware. A crucial piece is to review how safely you and your team carry out financial transactions. 

It is recommended that you carry out a cybersecurity risk analysis and establish a governance model, which includes reviewing your insurance.

This cybersecurity hub is designed to support solicitors with relevant and useful information.

Build your knowledge

See useful articles, introductory resources and training below.

More resources can be found in the Law Society Library's Cybersecurity Subject Guide.

Preventing a cyber attack

In this section, you will find useful information on how to prevent a cyber attack on your practice.

Guidance on preventing fraud

Law Society Committees have published useful guidance that can help you to reduce the risk of fraud against your account.

Based on a number of factors - including applicable laws, your IT environment and the advice of your cybersecurity/IT expert - you should consider drawing up a cybersecurity policy and business continuity plan.

  • A cybersecurity policy gives structure to your preventative approach, which might include regular IT updates and annual staff training. 
  • A business continuity plan provides a framework for you to consider your firm's response in the event of an attack or other critical incident affecting the business. 

Responding to a cyber attack

This section will provide information on what to consider when an attack is detected.

Ongoing attack

In the event of an attack where criminals may still have access to your systems or may hold you to ransom, the Law Society recommends:

  1. disconnecting any infected machines from your IT network,
  2. contacting your IT support team for immediate help,
  3. refraining from accessing your system backup until all infected computers have been cleaned, and
  4. considering your reporting requirements and your obligations under applicable data protection laws.

Understanding your responsibility

The Regulation of Practice Committee has advised practitioners that any deficit arising in client moneys held by a practice is the personal responsibility of the partners/principal of the practice, whether caused by a solicitor or staff member or as a victim of cybercrime.

Reporting an issue

Reporting an attack, even when unsuccessful, is one of the best ways to reduce exposure to cybercrime. Once you suffer a successful attack, regulatory obligations may apply.

Unsuccessful attacks: let’s protect each other

Sharing knowledge and awareness helps to defend against cybercrime and mitigate its effects. The Law Society urges everyone in the profession to report both successful and unsuccessful attacks, as this can highlight latest trends and help to protect everyone. 

Members can report an issue anonymously to the Society. Where a new threat is revealed by a report, the Society will share this vital information with the profession and, depending on the case, may issue relevant information on prevention measures.

Successful attacks: reporting requirements

If you have suffered a successful attack, you should consider who you should notify under applicable law. Examples might include:

  • your client,
  • your cybersecurity advisor,
  • your financial institution,
  • your insurance company,
  • the Law Society,
  • external regulators such as the Data Protection Commission, or
  • An Garda Síochána.

You may wish to seek your own legal advice on your obligations in the event of a successful attack.

Data protection and cyber attacks

Cyber attacks may trigger applicable data protection laws.

Access to information may be withheld pending the payment of a ransom, or data may be published if such a ransom is not paid. Personal data might also be revealed even if the focus of the attack was a withdrawal from the client account or a transfer of monies into a fraudulent account.

Data Protection – Before the Attack

Solicitors should consider how relevant data protection laws apply to their own practice in operational terms. For example, which categories of personal data are processed in which manner, relating to which data subjects, and whether there are appropriate technical and organisational measures in place to process such personal data in a safe and secure manner.

Measures may include:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Data protection – after an attack

Both an unsuccessful and successful attack may trigger applicable data protection laws. You should familiarise yourself with your reporting requirements where a personal data breach may have occurred.

Depending on the situation, even the unauthorised access to personal data (without further unauthorised publishing to third parties) may in itself constitute a personal data breach. 

Next steps

Detailed guidance on reporting requirements, as well as issues such as security firewalls, remote access and incident responses, is available on the Data Protection Commission website. The Law Society has also published guidance on data protection for solicitors.

You should consider seeking legal advice from a colleague if this is not your area of expertise.

Useful contacts and resources

Law Society guidance

If you want to contact the Law Society regarding a potential cybersecurity issue, email cybersecurity@lawsociety.ie.

Other resources

  • Department of Justice Cybercrime website
  • Garda National Cyber Crime Bureau (GNCCB) is the national Garda unit tasked with forensic examinations.
  • National Cyber Security Centre (NCSC) is responsible for advising and informing on network information security. 
  • Hotline.ie is the Irish national centre for reporting illegal content online securely, anonymously, and confidentially. This includes financial scams, such as phishing.
  • Cyber Ireland is Ireland’s national cybersecurity cluster organisation. It brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland. Events are regularly held, even for non-members.

If you are affected by cybercrime, the Crime Victims Helpline may be of assistance.

The Law Society is not responsible for the content of external sites.