
Why Solicitors Need Better Data Security

Issue 32

The General Data Protection Regulation (GDPR) will be one of the most significant changes in data protection legislation for over 20 years when it comes into effect in May.

Solicitors and other professional service providers are being urged by Stephen O’Connell, sales director of Advantex, to safeguard their IT systems against the cybercrime threat.

With cybercrime hitting UK businesses to the tune of £30bn in 2017, there’s no question that solicitors will need to provide for greater data security if they are to avoid falling foul of the new GDPR requirements and incurring punitive fines. Indeed, any breach that results in lost or stolen data, such as one caused by a computer hack, can have potentially devastating consequences for the company in question: it could be fined an eye-watering £17m, or 4% of global annual revenue, whichever is the higher amount.

It is essential that professional service providers such as solicitors, who hold large volumes of confidential client data, start planning their approach to GDPR compliance sooner rather than later. This may involve implementing new procedures to deal with greater transparency and improved IT security: a proactive approach will help to minimise disruption, reputational damage and financial costs if you do come under cyber-attack.

There are some simple yet effective steps that you can take now to minimise the risk to your information security and technologies, and that will go a long way towards stopping your profits from disappearing in a 4% cybercrime ‘tax’.

Risk-based assessments

Carry out a risk-based assessment of your firm’s information security requirements. Take active steps to make information security part of your normal business risk-management procedures. Disseminate key security principles among your staff to ensure that they become part of your firm’s culture.

Checks and balances

It is always good practice to make sure that IT systems are properly protected and safeguarded against external and internal threats, but it’s surprising how often this gets overlooked amid other priorities and distractions. Take steps to ensure appropriate security measures are in place and that computer systems, including anti-virus software and algorithms that check for unusual activity, are automatically backed up. If you use third-party managed IT services, check your contracts and service level agreements, and check that whoever handles your systems and data has these security controls in place.

Reviewing systems and procedures

After reviewing your security and implementing any requisite changes, continue to test, monitor and upgrade your security controls and protocols on a regular basis. Dispose of any software or equipment that you no longer need, ensuring that it contains no sensitive information, and review and manage any change in user access, such as the creation of accounts when staff members join the firm and deletion of accounts when they leave.

Essential post-breach action

It’s important that if your firm is disrupted or comes under attack, you ensure that any post-event response includes making the proper notifications to authorities and removing any ongoing threat – such as malware – and that you understand the cause of the incident. If appropriate, close any gaps in your security or loopholes that have been identified following the attack.

There’s little doubt that GDPR is set to have an impact, but how much remains to be seen. It will affect all organisations that handle personal data, and failing to secure your data could cost you dearly (potentially millions of pounds in fines). You must ask yourself whether it’s worth the risk.

It’s vital that you act now to have the wherewithal in place by the time GDPR kicks in. Advantex, which is fully certified in data security and disaster recovery software that can help you protect your data, has the experience, expertise and technologies to help you stay safe.
