Data breaches - Is Your Law Firm in Danger
1. DATA BREACHES:
Is Your Law Firm in Danger?
Tim Newton
Associate Member of the Association of Security Consultants &
Regional Manager at Tresorit
2. Tim Newton
Regional Manager, UK/Ireland/Benelux,
Tresorit
Associate Member,
Association of Security Consultants
Introduction
Agenda
1. About data breaches
2. Everyday risks of data breaches and what you can do to reduce their likelihood
3. Types of encryption
3. What is a data breach?
data breach: a personal data breach can be defined as “a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise
processed” – Data Protection Act 2018
4. Breach or not a breach?
An employee gets dismissed, and saves all the documents of his clients
to his personal drive to reach out to them later.
A trainee sends an email with phone numbers and other contact details
to the wrong recipient by accident.
Your colleague stores client documents in Dropbox.
YES
YES
NO / NOT YET
5. Data breaches cost time and money for UK businesses
• 60% of law firms reported suffering some form of security incident in 2018
• 46% of law firms reported loss or leakage of confidential information caused by their own staff
• £113 is the per capita cost for each lost or stolen record
• £2.81M is the average amount a data breach costs
• £1.22M is the cost of lost business after a data breach
• 163 days pass until a company identifies a data breach
Sources: 2018 Cost of a Data Breach Study: Global Overview by Ponemon Institute
PWC Law Firms’ Survey 2018
6. How big is the problem?
LegalTechnology.com:
…legal sector data security incidents as reported
to the Information Commissioner’s Office have
risen by a significantly above average 112% in
two years, with the justice sector up 128%.
Human error (as opposed to a cyber incident)
accounted for the vast majority of incidents, led
by data being emailed to the wrong recipient.
*Legaltechnology.com 4th Sept 2018
SRA:
There were 512 concerns reported to us about
breaches of confidentiality in 2017 and a further 408
reports in the first three quarters of 2018. This shows
an increasing trend compared to the same period in
2017. Most of the information security breaches
reported to the Information Commissioner's Office
(ICO) for all sectors are:
• confidential emails, faxes and letters being sent
to the wrong person
• lost or stolen paperwork
*http://www.sra.org.uk/risk/outlook/priority-risks/information-security.page
7. How big is the problem?
WalesOnline.com:
A serious new scam sees fraudsters hacking into
the email accounts of solicitor firms to try and
steal huge sums of money from their clients.
In a scam that’s been seen across the UK, hackers
are intercepting emails sent to clients.
They are then sending a fake email from the
hacked account asking clients to send the money
to a different bank. The emails are timed, usually
to coincide with the date a house deposit is due.
In total, 120 cases of the scam, known as
“conveyance fraud”, were reported to Action
Fraud in the first nine months of 2017 - costing
customers more than £8m.
In one case a person lost £988,091.
*WalesOnline.com 6th March 2018
8. The main causes of data breaches
• Human error: 27%
• System glitch: 25%
• Malicious or criminal attack: 48%
Source: 2018 Cost of a Data Breach Study: Global Overview by Ponemon Institute
Even if accidental or
intentional error!
9. Accidental breaches worry experts just as much as malicious attacks
Most concerning insider threats to cybersecurity professionals:
• Malicious/deliberate insider (someone willfully causing harm to the company): 47%
• Accidental/unintentional insider (carelessness, negligence or compromised credentials): 51%
• Not sure: 2%
Source: 2018 Cybersecurity Insiders/Sunday Times
10. What insiders look like
Percentage of cybersecurity professionals who say the following presents a security risk:
• Regular employees: 56%
• Privileged IT users/admins: 55%
• Contractors/service providers/temporary workers: 42%
• Privileged business users/executives: 29%
• Customers/clients: 22%
• None: 2%
• Not sure/other: 6%
Source: 2018 Cybersecurity Insiders/Sunday Times
12. Sending out an email with confidential attachment to wrong recipients by accident (1)
What you can do
• Replace risky email attachments.
• Provide secure tools that allow for further data control like revoking access to content, setting up password protection, expiry date and/or download limit.
Consequences
• The firm has to report the breach to ICO (Information
Commissioner’s Office).
• They can be fined.
• The firm can lose clients due to the incident.
13. Stolen device results in data leak (2)
Consequences
• The firm has to report the breach to ICO (Information
Commissioner’s Office).
• The firm can be fined.
What you can do
• Set up passcode protection for all work devices.
• Ensure you have further device control measures to
be able to restrict access and/or wipe documents
remotely in case a device is lost or stolen.
14. Malicious ex-employee takes revenge by leaking data (3)
Consequences
• The firm can be fined for not meeting the requirements
of the Data Protection Act 2018.
• The business is at risk as its entire client list is revealed
to its competitors.
What you can do
Store all company documents in a secure cloud storage
that allows you to manage permissions and track
changes:
• Terminate the access of leavers immediately.
• Remove their accounts and remote wipe their devices.
• Manage login details of users to make sure they can’t
login via web access.
15. Leaking data with a USB drive (4)
Consequences
• The firm has to report the breach to ICO (Information
Commissioner’s Office).
• The firm can be fined.
• The firm loses the bid and suffers a reputational loss.
What you can do
• Don’t use hard drives and USB sticks to store
confidential files, as they don’t offer any protection.
• Use an encrypted, cloud-based service with data
control features.
16. Using an unsecure file server and no encryption for files (5)
Consequences
• The firm has to report the breach to ICO (Information
Commissioner’s Office).
• The firm can be fined.
• The company can lose the trust of its clients.
What you can do
• If you use on-premise file servers, you need dedicated
security experts and maintenance to make sure they’re
secure and convenient.
• Use encrypted cloud services, so even in case of an
attack, the information won’t be revealed to hackers.
17. Consequences of digital failures
Executive resignations
Lost business
Lost time – ICO reporting,
informing clients, dealing
with press
Significant costs
Upset customers
Regulatory backlash
20. What you can do to prevent them
Control user and device permissions centrally for better
management and visibility. “Who has my company data and on
what devices?” audit.
Make sure you can give and revoke access to information
easily.
Protect the content of your files with end-to-end encryption.
21. What legal professionals do now
Still, the majority of legal professionals use consumer-
grade cloud services to store and share documents.
Service       100-499 lawyers   500+ lawyers
Dropbox       54%               47%
Google Docs   25%               32%
iCloud        18%               32%
Many others still use on-premise solutions as they have security
and backup concerns regarding the cloud.
Source: PWC Law Firms’ Survey 2017
22. Not all types of encryption
provide you with the same level of security.
23. Bar Council recommendation on encryption
“Look for a service which says it has ‘zero knowledge’
encryption – this means that the encryption provider doesn’t
store your password for the data: any requests for the data
have to come to you.”
Bar Council Guide on Cloud computing – security issues to
consider
24. Types of encryption
Server-side encryption
The encryption key is stored in
the cloud in plaintext format,
therefore the cloud provider
can see your data.
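An added example (not from the presentation, and not Tresorit's or any provider's actual design) contrasting the server-side key custody described above with the "zero knowledge" arrangement in the Bar Council quote. All function names are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), stdlib only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    # Encrypt, then authenticate nonce + ciphertext.
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, rec):
    # Returns None when the key is wrong or the record was altered.
    tag = hmac.new(_subkey(key, b"mac"), rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        return None
    return _xor_stream(_subkey(key, b"enc"), rec["nonce"], rec["ct"])

def _password_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def upload_server_side(plaintext):
    # Server-side: the provider generates the key and keeps it beside the data.
    key = os.urandom(32)
    return {"stored_key": key, **seal(key, plaintext)}

def upload_zero_knowledge(password, plaintext):
    # Client-side: the key is derived on the user's device; only the salt
    # and ciphertext are uploaded, never the password or the key.
    salt = os.urandom(16)
    return {"salt": salt, **seal(_password_key(password, salt), plaintext)}

def provider_can_read(record):
    # What the provider, or anyone holding a copy of its storage, can recover
    # using nothing but the stored fields.
    key = record.get("stored_key")
    return unseal(key, record) if key else None

def client_read(password, record):
    return unseal(_password_key(password, record["salt"]), record)
```

`provider_can_read` returns the document for the server-side record and `None` for the zero-knowledge record, which is why requests for the data "have to come to you" in the second model.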
26. Read more about how Tresorit can help legal
professionals work securely and productively in
the cloud or read a customer testimony from
Apogee Law Group.
Try Tresorit for FREE
Take the opportunity to try our ultra-secure
service for free
Schedule a live demo
Learn more about Tresorit and cloud encryption
from our experts
The materials available in this presentation are for informational purposes only and do not constitute legal advice.
To obtain advice with respect to a particular issue, you should contact your attorney.