Cybercrime comes in many different forms and, as new attacks surface, so do new anti-cybercrime measures: an escalating trajectory for both cause and effect. The application of AI / machine learning brings a new range of possibilities, and we anticipate the same rate of escalation in security issues, in governance issues and in their resolutions.
Later in this article we will cover, at a high-level, one of the most damaging types of attack that a firm might encounter – a ransomware attack. Whilst awareness of the outcomes is important, the key focus should be on ensuring that your anti-cybercrime measures are in place and are tailored to the types of attack that are most likely to hit law firms with Personal Injury teams. This article will also consider practical advice in this regard.
Firstly, let’s examine why Personal Injury data requires a slightly different approach:-
Processing of bulk claims – naturally, this scenario requires that you hold data about more individuals – the more data you hold, the greater your exposure in the event of a cyber-attack.
This sort of large-scale processing often requires high levels of process automation, which can lead to an over-reliance or dependence on technology. It is often the case that these systems are not kept up to date with current cyber threats, or were not developed with security in mind in the first place. The development focus is often on creating efficiencies and keeping up with the changing requirements of clients, the business, the Court, insurers, etc., rather than on ensuring that security is “baked in” to the solution.
Staff in these high workload situations are often looking for the quickest route to achieve what they need and may not consider security implications or may see them as a blocker to achieving timelines or targets. Further, the way cases are progressed can result in multiple case handlers working on a single case which results in a lack of data stewardship.
Number of parties – Personal Injury matters generally tend to have more parties involved so the impact of exposing data, having access to it denied, having it deleted or tampered with grows with the number of individuals referenced in the data.
It is widely accepted that no set of defences will prevent every cyber-attack. So, whilst strong defences are essential, equal focus needs to be given to limiting the impact when an attack does succeed. To do this, you must know where your data is, what is contained within it, where it travels to and from, and who is responsible for managing it, and you must apply measures that protect different aspects of your systems in different ways (covered below in ’What does good cyber defence look like?’).
Highly sensitive information – Personal Injury matters inevitably require you to hold highly sensitive personal information about individuals, such as medical records. This not only increases the regulatory burden on your firm to ensure that the data is protected, but also increases the value of the data to cyber criminals. Furthermore, should a data breach occur, it increases the negative impact on the firm in terms of cost of remediation, potential fines and reputational damage.
Transit of data – It is inevitable that this sensitive information will be received from and sent to external parties, so we need to consider governance measures to ensure that we understand who we can transact with, in what circumstances and using which methods. For example, do you provide a secure “read only” portal where external parties can view records in a browser but cannot download their own copies? If not, do you allow access to third party portals and how do you ensure that they are secure?
Large financial transactions – Cybercriminals are obviously attracted to large financial transactions and will seek to impersonate receiving parties and redirect funds to themselves. Most firms are very aware of this type of scenario and have governance procedures in place (such as verifying changed bank details by a separate, known channel before payment) to ensure that these attacks are unsuccessful.
The use of AI – AI is being applied in many ways in Personal Injury matters, providing documentation reviews and summaries, detecting fraudulent activity within data sets, including voice and video, the use of Chat Bots to gather information, categorise and filter cases, etc. Are you certain that you know where this data is held and what else it might be used for?
Certainly, your staff should not be using any uncontrolled and unregulated online AI products. There are increasing numbers of examples of staff from across various industries uploading confidential information to public AI tools, only to find that it has been retained by the provider and can later surface in other users’ results or elsewhere on the internet.
What does good cyber defence look like?
Cyber defence is often imagined as a brick wall around your network. This is not, nor should it be, the case. Cyber protection should be made up of layers. The external wall is one element of this, but if a cybercriminal breaches that wall, they should not automatically or easily get access to your whole environment.
The following diagram shows the journey that a user will take – logging in through the network firewall, gaining access to files, to applications and data, with security measures at each stage.
Even within the files, applications and data layers, there should be finer-grained permissions allowing or denying access to particular subsets. This layered, least-privilege approach is often referred to as ‘Zero Trust’: every request for access is checked, rather than being trusted because it comes from inside the network. The purpose is to make it as difficult as possible for a cybercriminal to work their way through the layers to get to the key data… your ‘crown jewels’.
It is likely that you will have a Practice Management System (PMS) or Case Management System (CMS) with a Personal Injury section or workflow. Where possible, you should limit the number of users with access to that subset of data. This follows the ‘Zero Trust’ methodology and can help to limit the potential impact in the event that an individual user account is compromised.
Many PMS/CMS systems store data such as contacts, key dates and activity in the database, and the physical files (documents, scanned medical records, correspondence) on the file server. It is necessary to consider how each system stores data and to ensure that each repository of information is secured correctly in accordance with the ‘Zero Trust’ methodology; locking down the database while leaving the document share open to everyone protects only half of the case.
Cybercriminals will often target administrative accounts in the knowledge that these will give them wider permissions than an average user. Your IT provider or team should therefore minimise the number of administrative accounts and ensure that these accounts have strong, unique passwords and multi-factor authentication, and are only used for administrative duties – in particular, not for emailing or browsing the internet, which are the routes by which phishing and malicious downloads arrive. Every administrator should have a separate “standard user” account which they use for their normal day-to-day activities such as email, documentation, development, etc.
One aspect that might be worth exploring with your IT team and/or your Practice Management System provider is whether the data in the Practice Management System is encrypted both when it is dormant and when it is travelling around or outside of your network (referred to as encryption ‘at rest’ and ‘in transit’). Encryption at rest protects you if disks, backups or raw database files are stolen, and encryption in transit protects data from being read as it crosses a network. Be aware of its limits, however: an attacker who has compromised a user account sees exactly what that user sees, because the system decrypts the data for any authorised login. Encryption therefore complements the access controls and account hygiene described above rather than replacing them.
When using any other application such as portals, collaboration spaces, AI products, etc., have your due diligence questions and contractual approach pre-defined, regularly reviewed and ready to go. This will allow you to react quickly to new and innovative products or working practices that might give you an advantage but will also ensure that you have a strong stance with regard to security and governance.
Knowing your data
Imagine yourself in the scenario that you have had an attack… your staff report that when they logged in, they were presented with a screen saying that the firm’s data has been encrypted and that you need to pay a sum of money to receive a key to decrypt it. If this is not paid, then your data will be exposed on the internet.
When you engage with the various governing bodies and cyber specialists, they will want to establish how much data could potentially be exposed. Being able to articulate what data you have, where it is, the measures you took to protect it and who has permission to it will be critical and, if you can’t do this, it could be a factor in any penalties you might receive.
We recommend a formal ‘Data Governance Framework’, including a record of all data repositories with details such as:-
- Data item description
- Category (Client/Party confidential, Company confidential, etc)
- Who has access
- Who is responsible for managing and monitoring
- How often is it reviewed
- Date of last review
- What is the retention policy
- Is data deleted in line with the retention policy
- Is the data expected to travel outside the business
A good Data Governance Framework will assist in quicker remediation of a data breach and help to reduce the amount of work needed in the forensic review.
Further, ensuring that your data is cleansed in accordance with your data retention policy will minimise the potentially exposed information.
After the attack has been resolved, if there is any question as to whether any data has been exposed, you will need to go through the process of contacting the affected individuals to let them know that they are impacted by this breach and to provide information about what data may have been exposed. Obviously, if you have no internal security barriers and poorly cleansed data, the worst of all outcomes would be that you need to contact all individuals about whom you hold data, possibly dating back many years. Ideally, you would aim to be contacting a much smaller subset of individuals and giving them a clear idea of what information was exposed and what they might be able to do to protect themselves (changing passwords, credit monitoring, etc).
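The data register described above, together with the access and retention fields it records, is exactly what lets you answer “how much data could have been exposed?” in hours rather than weeks. The following script is an added example and is not part of the original article; the register entries, repository names, record counts and access groups are constructed for illustration, and the field names are assumptions about how a firm might record the items listed above. It checks for overdue reviews and retention gaps, and then works out the ‘blast radius’ of a compromised account from the groups that account belongs to.

```python
"""Data-register checks and breach scoping (added example, not from the article).

The register below is constructed sample data. Each entry carries the
fields listed in the article, plus an estimated record count and the
groups granted access, which the blast-radius calculation needs.
"""
from datetime import date, timedelta

TODAY = date(2023, 9, 1)  # fixed date so the example is deterministic

REGISTER = [
    {"name": "PMS - PI workflow database", "category": "Client/Party confidential",
     "access": {"PI-Team", "IT-Admins"}, "owner": "Head of PI",
     "review_days": 90, "last_review": date(2023, 7, 15),
     "retention_years": 6, "purged_on_schedule": True, "leaves_business": True,
     "records": 12000},
    {"name": "Medical records file share", "category": "Client/Party confidential",
     "access": {"PI-Team", "IT-Admins"}, "owner": "Head of PI",
     "review_days": 90, "last_review": date(2023, 3, 1),   # review overdue
     "retention_years": 6, "purged_on_schedule": False,    # never purged
     "leaves_business": True, "records": 40000},
    {"name": "Finance ledger", "category": "Company confidential",
     "access": {"Finance", "IT-Admins"}, "owner": "Finance Director",
     "review_days": 180, "last_review": date(2023, 8, 1),
     "retention_years": 7, "purged_on_schedule": True, "leaves_business": False,
     "records": 3000},
    {"name": "Marketing mailing list", "category": "Company confidential",
     "access": {"Marketing", "IT-Admins"}, "owner": "Marketing Manager",
     "review_days": 365, "last_review": date(2022, 6, 1),  # review overdue
     "retention_years": 2, "purged_on_schedule": True, "leaves_business": True,
     "records": 5000},
]


def overdue_reviews(register, today=TODAY):
    """Names of repositories whose last review is older than their review interval."""
    return sorted(r["name"] for r in register
                  if today - r["last_review"] > timedelta(days=r["review_days"]))


def retention_gaps(register):
    """Names of repositories that are not being purged in line with their retention policy."""
    return sorted(r["name"] for r in register if not r["purged_on_schedule"])


def blast_radius(register, groups):
    """Scope a breach from the group memberships of a compromised account.

    Returns the repositories that account could reach, the number of
    records at risk and the data categories involved: the first figures a
    regulator or forensic team will ask for.
    """
    groups = set(groups)
    reachable = [r for r in register if r["access"] & groups]
    return {
        "repositories": sorted(r["name"] for r in reachable),
        "records": sum(r["records"] for r in reachable),
        "categories": sorted({r["category"] for r in reachable}),
    }


if __name__ == "__main__":
    print("Overdue reviews:", overdue_reviews(REGISTER))
    print("Retention gaps:", retention_gaps(REGISTER))
    for who, groups in [("PI case handler", ["PI-Team"]),
                        ("IT administrator", ["IT-Admins"]),
                        ("Marketing user", ["Marketing"])]:
        print(f"{who}: {blast_radius(REGISTER, groups)}")
```

On the sample register a compromised PI case handler account exposes 52,000 records across two repositories, an administrator account exposes all 60,000, and a marketing account only 5,000. The same calculation shows the value of the layering described earlier: every group removed from a repository’s access list, and every record purged in line with the retention policy, directly shrinks the set of individuals you would have to notify.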
By putting these elements together (layered security, governance measures and a good understanding of your data), the aim is to enable technology to support your need for good client service, business process efficiency and the flexibility to try new products and services. With new and exciting products entering the market, the ability to move quickly to differentiate yourself will be ever more important. However, it will remain important that you ensure your existing solutions are secure, as well as the new ones that you invest in – the cyber criminals will always find the weakest link to infiltrate your systems.
Underpinning this aim is the need to understand and manage your data, particularly with the size and nature of data necessary for Personal Injury matters, to minimise the impact of a data breach.
This article was written by Cathy Kirby of Baskerville Drummond and was first published in the September 2023 edition of PI Focus.