Cybercrime prevention – differences in the approach for Personal Injury teams

Cathy Kirby offers tips on Cybercrime prevention in a recent feature in PI Focus from the Association of Personal Injury Lawyers (APIL)

Number of parties – Personal Injury matters generally tend to have more parties involved so the impact of exposing data, having access to it denied, having it deleted or tampered with grows with the number of individuals referenced in the data.

It is widely accepted that a successful cyber-attack is not fully preventable.  So, whilst strong defences are essential, equal focus needs to be given to mitigating the outcomes.  To do this, you must know where your data is, what is contained within it, where it travels to and from, who is responsible for managing it and apply measures that protect different aspects of your systems in different ways (covered below in ’What does good cyber defence look like?’).

Highly sensitive information – As is essential with Personal Injury matters, you will be holding highly sensitive personal information about individuals, such as medical records.  This not only increases the regulatory burden on your firm to ensure that the data is protected, but also increases the value of the data to cyber criminals.  Furthermore, should a data breach occur, this also increases the negative impact on the firm in terms of cost of remediation, potential fines and reputational damage.

Transit of data – It is inevitable that this sensitive information will be received from and sent to external parties, so we need to consider governance measures to ensure that we understand who we can transact with, in what circumstances and using which methods. For example, do you provide a secure “read only” portal where external parties can view records in a browser but cannot download their own copies?  If not, do you allow access to third party portals and how do you ensure that they are secure?

Large financial transactions – Cybercriminals are obviously attracted to large financial transactions and will seek to impersonate receiving parties and redirect funds to themselves. Most firms are very aware this type of scenario and have governance procedures in place to ensure that these attacks are unsuccessful.

The use of AI – AI is being applied in many ways in Personal Injury matters, providing documentation reviews and summaries, detecting fraudulent activity within data sets, including voice and video, the use of Chat Bots to gather information, categorise and filter cases, etc. Are you certain that you know where this data is held and what else it might be used for?

Certainly, your staff should not be using any uncontrolled and unregulated online AI products.  There are increasing numbers of examples of staff from across various industries uploading information only to find that it is freely searchable on the internet thereafter.

What does good cyber defence look like?

When applying cyber defences, it is often envisaged as a brick wall around your network – this is not, nor should it be, the case.  Cyber protection should be made up of layers.  The external wall is one element of this, but if a cybercriminal breaches that wall, they should not automatically or easily get access to your whole environment.

The following diagram shows the journey that a user will take – logging in through the network firewall, gaining access to files, to applications and data, with security measures at each stage.

Many PMS/CMS systems store data such as contacts, key dates and activity in the database and physical fields on the file server.  It is necessary to consider how each system stores data and that each repository of information is secured correctly in accordance with the ‘Zero Trust’ methodology.

Cybercriminals will often try to target administrative accounts in the knowledge that this will give them wider permissions than an average user.  Your IT provider or Team should therefore minimise the number of administrative accounts and ensure that these accounts have complex passwords, multi factor authentication and are only used for administrative duties – in particular, not using them for emailing or browsing the internet.  Every administrator should have a “standard user” account which they use for their normal day to day activities such as email, documentation, development etc.

One aspect that might be worth exploring with your IT team and/or your Practice Management System provider, is whether the data in the Practice Management System is encrypted when it is both dormant as well as when it is travelling around or outside of your network (referred to as encryption ‘at rest’ and ‘in transit’).  If you have already encrypted your data, then it is of no value to cybercriminals.

When using any other application such as portals, collaboration spaces, AI products, etc., have your due diligence questions and contractual approach pre-defined, regularly reviewed and ready to go.  This will allow you to react quickly to new and innovative products or working practices that might give you an advantage but will also ensure that you have a strong stance with regard to security and governance.

Knowing your data

Imagine yourself in the scenario that you have had an attack… your staff report that when they logged in, they were presented with a screen saying that the firm’s data has been encrypted and that you need to pay a sum of money to receive a key to decrypt it.  If this is not paid, then your data will be exposed on the internet. 

When you engage with the various governing bodies and cyber specialists, they will want to establish how much data could potentially be exposed.  Being able to articulate what data you have, where it is, the measures you took to protect it and who has permission to it will be critical and, if you can’t do this, it could be a factor in any penalties you might receive.

We recommend a formal ‘Data Governance Framework’, including a record of all data repositories with details such as:-

• Data item description
• Location
• Category (Client/Party confidential, Company confidential, etc)
• Who has access
• Risks
• Mitigation
• Who is responsible for managing and monitoring
• How often is it reviewed
• Date of last review
• What is the retention policy
• Is data deleted in line with the retention policy
• Is the data expected to travel outside the business

A good Data Governance Framework will assist in quicker remediation of a data breach and help to reduce the amount of work needed in the forensic review.

Further, ensuring that your data is cleansed in accordance with your data retention policy will minimise the potentially exposed information. 

After the attack has been resolved, if there is any question as to whether any data has been exposed, you will need to go through the process of contacting the affected individuals to let them know that they are impacted by this breach and to provide information about what data may have been exposed.  Obviously, if you have no internal security barriers and poorly cleansed data, the worst of all outcomes would be that you need to contact all individuals about whom you hold data, possibly dating back many years.  Ideally, you would aim to be contacting a much smaller subset of individuals and giving them a clear idea of what information was exposed and what they might be able to do to protect themselves (changing passwords, credit monitoring, etc).