As we see an ever-increasing stream of high-profile data breaches and regulatory fines, Sean O’Brien, Director, DVV Solutions, takes a look at one of the most common weak links in law firms’ data security and GDPR compliance programs – the risks posed by third parties and suppliers.
- You can outsource the work, but you can’t outsource the risk!
- Identify ALL your third parties, suppliers, partners (including internal subsidiaries) and subcontracted data processors, and their data/system access
- Clearly define all of the areas and activities in which GDPR is in scope, and have third parties provide signed contractual assurances that they do/will achieve all GDPR requirements
- Perform thorough cybersecurity and data privacy compliance assessments and collect relevant artefacts, for example via questionnaire
- Verify and validate, typically via onsite or virtual assessments for critical suppliers
- Act on GDPR risks, ensuring a clear audit trail of requests, actions and outcomes, and
- Continuously monitor third parties and act proportionally to changing risk profiles
The EU General Data Protection Regulation (GDPR) and the UK’s complementary Data Protection Act (DPA) 2018 are now two years old. As a new regulatory framework, the GDPR was an acknowledgement that the digital economy — fuelled by (personal) information — should operate with the informed consent of users and clear rules for companies who seek to do business in the European Union.
Law firms, like everyone else, are required to demonstrate effective processes in their handling and protection of personally identifiable information (PII) data, or risk facing tough financial penalties and (even harder to measure) potential long-term brand damage.
Firms can no longer bury their heads in the sand and put off addressing their responsibility to fully understand their exposure to third-party risk. In fact, reports suggest that 73 of the UK’s top 100 law firms are regularly targeted by cyber criminals.
To add fuel to the fire, we have also seen a rapid change in the risk landscape for firms as a result of the move to remote working in response to COVID-19 and social distancing measures. This has created even more complex IT infrastructures and access to new supporting services, software and connectivity that many firms were not fully prepared to implement securely at scale. Probably the most public example of this is the overnight rush for conferencing facilities such as Zoom, which has seen mass adoption despite known and emerging security issues.
But what drives hackers to target law firms in particular? Put simply, law firms store and have access to a great deal of valuable information, acting as a critical link in an extended enterprise – be it sensitive commercial information about mergers and acquisitions that could affect share prices, brand and reputation of a client, or large amounts of personal or financial information about your clients and their customers.
Law firms are relatively easy targets, with typically fewer skilled resources and smaller information security budgets in comparison to the larger financial organisations they serve. Likewise, many of the vendors, data processors and service providers law firms rely on may not necessarily have allocated sufficient resources or controls to ensure adequate levels of data privacy and protection. For that reason, amongst others, the GDPR and DPA recognise nested liability within the supply chain, meaning firms cannot simply delegate their responsibility and accountability. In common parlance “You can outsource the work, but you can’t outsource the risk”.
Case Study: DLA Piper NotPetya
In 2017 DLA Piper suffered a global ransomware attack that is to date the single biggest cyberattack to ever hit any law firm and it affected almost the entire IT infrastructure.
The attack used a variant of NotPetya malware via the software update of a Ukrainian tax program that had been compromised. The attack encrypted data and all telephones and emails of 3,600 lawyers in 40 countries were knocked out.
DLA Piper was running around 800 applications at the time and went through the slow and costly process of building them back up.
The Law Society also gives the example of the “plugin” social applications increasingly used on websites: “Law firms which embed third-party applications within their websites should be aware that the operator of a website embedding a third-party plugin such as the Facebook Like button, which causes the collection and transmission of the users’ personal data, is jointly responsible for that stage of the data processing.”
You’re Only As Strong As Your Weakest Link
As law firms outsource an ever-increasing number of functions and services – albeit for justifiable commercial efficiencies – their level of exposure to cybersecurity risk significantly increases while their control of it diminishes.
It is a growing concern, identified by the National Cyber Security Centre (NCSC): “By far the greatest issue is a third-party supplier failing to adequately secure the systems that hold your sensitive data. The increasing use of digital technologies to deliver legal services will likely offer further avenues for exploitation.”
In addition, BeyondTrust’s 2019 Privileged Access Threat Report finds that 58% of businesses believe they’ve had a breach due to compromised vendor access in the last 12 months. This is hardly surprising given the businesses surveyed reported an average of 182 vendors and sub-contractors logging in to their systems every week!
However, law firms show a tendency to prioritise the risk of penetration into the organisation through more direct means of attack, focusing expenditure on securing devices and internal networks.
While third-party risk is often recognised, the time and resources applied to it are disproportionately low.
The problem is typically immaturity of process. Law firms just aren’t approaching risk in the right way. Ask yourself: What percentage of our data processing do we perform ourselves, and how much is outsourced? Then, critically: Is our spend on understanding and mitigating risks to our data and systems from third parties proportional?
Within the legal sector there may also be a structural issue. Often, larger firms have decentralised procurement processes. We even see no procurement process whatsoever – with partners purchasing IT services with little or no due diligence. It is all too common to find firms don’t even know who all their suppliers are, the services they provide and the access they have. This all makes it impossible to get a firm grasp of risk and the regulatory compliance of the data supply chain, but regulations such as GDPR have raised the stakes.
Trust, But Verify – Maturing Your Third-Party Cyber Risk & GDPR Compliance
Many organisations find measuring compliance challenging because they have yet to understand the complete picture of their data supply chain and the scope of activities surrounding the controlling and processing of the European Union citizens’ PII data they are responsible for.
If you haven’t got a GDPR third-party compliance program in place, where to begin?
When outsourcing a process involving PII you need to evidence responsibility for how that data will now be managed in a contractual form. There are also key understandings to be reached in said contract, such as jurisdiction of data storage, access rights, and any further subcontracting. You may find you have fourth or even fifth parties to consider, with liability reaching right down the chain.
Together they have developed global standards in third-party risk assurance in a “Trust, but Verify” model with supporting tools that offer a cost-effective way for organisations to launch, grow and optimise risk assurance programs with ready-made structures and workflows.
Their best practice recommendations include the use of Standardised Information Gathering (SIG) questionnaires to acquire an attestation of third parties’ current policies and controls, followed by onsite verification for critical and high-risk third parties and services using Standardised Control Assessment (SCA) procedures. In addition, they have developed a ‘Third-Party Privacy Toolkit’ with templates and project management tools for third-party privacy assessments to meet the demands of GDPR and various other data privacy regulations and frameworks.
GDPR is clear that you must be accountable for the way third parties process personal data. In the event of a breach, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier. Don’t assume your third parties take security and compliance seriously, let alone are GDPR compliant.
GDPR has definitely been a “game changer” in the world of third-party risk. Firms should be responding to the threat of large fines to drive a more mature third-party risk management program that assures the security and privacy of their customers’ PII data, and ultimately benefits their own business. In theory, those who have been slow to prepare for GDPR have already had to switch up a gear and are at a distinct commercial disadvantage.
For further reading, we recommend the Law Society’s GDPR and DPA 2018: Guidance for Solicitors in Law Firms.
About DVV Solutions
There’s never been a more vital time to start thinking seriously about the security posture of your organisation and extended enterprise. DVV Solutions is one of the UK’s leading managed service providers for Third-Party Risk Management. We are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party cyber, data privacy and location risk domains. For more advice and information on any Third-Party risk challenge you have: