Co-Author by Rosalind Greenwood
Staff and client data belonging to 193 law firms, including a number of large City firms, has been compromised by a breach involving a third party legal technology software provider.
The breach involves data submitted by law firms to the Laserforms Hub, which allows firms to digitally complete and submit legal forms to Companies House, HMRC and the Land Registry. It has been reported that the compromised data relates to around 10,000 commercial property transactions dating from before 2017.
The data was held on an open database which was first discovered by security researchers at TurgenSec, who made contact with the affected firms and Advanced Computer Software Group Limited (Advanced), which owns Laserforms Hub.
According to a statement issued by TurgenSec, law firm staff data appears to have been compromised for all of the 193 firms affected, including user names and hashed passwords. For some of the firms concerned, the database also contained other potentially sensitive authentication information such as town of birth, eye colour, passport numbers, national insurance numbers, mother's maiden names and father's first names. Extensive details of transactions, payment terms and client agreements may also have been contained within the unsecured database.
TurgenSec state that the database appears to have been exposed for an extended period, during which time it would have been accessible to anyone with a browser and Internet connection.
Statements issued by Advanced and some of the firms affected suggest that the client data that was exposed was already in the public domain, the passwords were in secure hash form and only parts of the security verification responses were disclosed. Nevertheless, this event underscores the potential risks involved in professional services firms outsourcing services and how such firms can be exposed not only by their own internal systems but by the vulnerabilities of their third party service providers.
The SRA guidance on technology and legal services makes clear that individual solicitors and firms are responsible for the service that they provide to clients and "they cannot outsource this responsibility to a third party". Firms should take all reasonable measures to ensure that their arrangements with third party providers preserve their ability to maintain client service levels and meet their regulatory obligations, which include maintaining effective governance structures, arrangements, systems and controls so as to ensure client confidentiality.
As well as commercially sensitive and confidential information pertaining to client instructions, law firms and their vendors may also be targets for cyber criminals for the personal and financial information belonging to clients and employees. Should such data be compromised, firms could potentially face third party claims from data subjects and regulatory scrutiny from the Information Commissioner's Office as well as the SRA. In addition, virtually every data breach – no matter what the cause – leads to some degree of reputational concern for the data controllers and/or processors involved.
The following steps may mitigate the risk posed by outsourcing of this nature:
- Set appropriate standards of service that are consistent with regulatory duties in contracts with external vendors.
- Require suppliers to acknowledge that documents and data are strictly confidential and may also be subject to privilege and other restrictions on disclosure.
- Oblige the supplier to comply with relevant data protection legislation, including in particular the duty to implement appropriate technical and organisational measures to ensure the security of data.
- Obtain indemnities against losses caused by a failure on the part of the supplier.
- Set any limitation of liability in agreements with vendors at a level which is appropriate to the circumstances.
- Ensure that providers hold sufficient insurance including professional indemnity and cyber liability cover.
The rapid shift to remote working occasioned by Covid-19 has given rise to specific challenges in maintaining the confidentiality and security of documents and data held by professional firms, as discussed in our recent briefing here. While firms work to mitigate the risks posed by this new working environment, they may also be investing in new technology solutions to reinforce their capacity to operate remotely. This event therefore provides a timely reminder of the risks that outsourcing such services can entail.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.