Thursday, September 21, 2017

Information Security: GDPR, ISO & Balancing Risk

"Information security & the risks for the legal sector" --
  • "Information security is a substantial risk for the legal sector. Law firms are an attractive target to cyber criminals due to the vast wealth of personal and private information in their possession. Cyber-attacks on UK law firms increased by a fifth between 2014 and 2016, with nearly three quarters of the country’s top 100 targeted in 2015, according to PwC’s 25th Annual Law Firms’ Survey."
  • "Despite the increasing threat, and the potential financial and reputational damage following a breach, a survey by online legal magazine, Legal Week, found that only 35% of law firms had a response plan in place for cyber-attacks. This is compared to 52% for non-legal professions."
  • "With the European Union’s General Data Protection Regulations (GDPR) due to come into force in May 2018, legal firms that fail to appropriately secure personal data will face severe fines in the event of a breach. The regulations could affect organisations throughout the world because they apply to any company that handles the personal data of Europeans. The GDPR defines a personal data breach as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."
  • "Fines imposed following a breach could be as much as 4% of a firm’s annual global turnover, or €20 million, depending on which is greater. Furthermore, should a firm be fined under GDPR they are also likely to face personal litigation from the individuals whose data is lost. The total cost of a breach could therefore be far greater than the fine, and might see senior partners being taken to court and even imprisoned should the breach show negligence."
"Richard Elson, IS Director at law firm Trowers & Hamlins LLP, discusses the challenges of taking a security-first stance" --
  • "Speaking to Computing recently, Richard Elson, director of IS at the firm, explained how they balance the need for security with the oftentimes conflicting need for open communication."
  • "'We could probably spend millions and millions and millions on security,' he said. 'It's obviously central to what we do; we've tried to take a security-first approach to all of our technology projects, but particularly our mobile technology. Taking a security-first stance can sometimes be a little unfashionable - and there can be trade-offs with ease-of-use, productivity, people wanting to use the latest apps. But we think we've got the right balance. We fairly recently standardised around a BYOD strategy, which is centrally-managed applications delivered to personal devices.'"
  • "When asked about the impact of the GDPR on the firm, Elson explained that although the regulation is a fairly onerous set of responsibilities, good data governance has accelerated their preparations. 'We did an awful lot of work around the ISO 27001 and we did a lot of work for the Cyber Essentials Plus [scheme] and got the accreditation for that last year; and also in preparation for looking at the cyber insurance, about two and a half years ago, we put together a systems map of our Personally Identifiable Information.' He explains, 'What we've tried to do is, for each system and for each set of Personally Identifiable Information, [identify] what the risk is, how we're treating it today and how the requirements of GDPR - particularly in respect of consent and control - what next steps we have to take for each set.' The firm's security-led stance means that from an IT perspective, they're well prepared for the GDPR."
