GDPR and the rise of ‘datanapping’ – the new threat to the pockets of law firms

Print This Post

21 April 2017


Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS

Wright: little or no technical knowledge is required to launch a cyber-attack

You’ve heard about ransomware – a hacker infiltrates your IT systems, locking them down until you pay a ransom. Some studies now estimate that over 50% of businesses have experienced this type of attack in the last year, and it’s particularly prevalent within the legal sector.

Previously, firms could protect themselves by having a solid disaster recovery plan in place to ensure they can get back up and running in the event of a disruption. However, the General Data Protection Regulation (GDPR) – the new EU-wide regime which comes in effect on 25 May 2018, irrespective of Brexit – means that this approach alone is no longer adequate and security measures must be strengthened to prevent attacks.

Ransomware is developing and hackers are now taking copies of data at the point at which they lock systems down – a practice the industry has dubbed ‘datanapping’. Being able to get your systems back quickly is irrelevant to the hacker; they already have your data and will threaten to release it publicly if you don’t pay up.

Rather than keeping it quiet when they’ve been a victim of such an attack, GDPR means businesses will have to report data breaches to the supervisory authority, with more severe penalties levied if they fail to do so. And with the added threat of data being released to the public, there’s the reputational damage along with the inevitable compensation claims from those affected.

Nowadays, little or no technical knowledge is required to launch an attack and the risk of getting caught is low as ransom payments are made in bitcoins, meaning they’re untraceable. Thousands of cyber-attacks are unleashed on UK businesses every day and GDPR only makes this a more attractive way for criminals to make money.

With significantly higher fines and stricter regulations, GDPR gives criminals power they didn’t possess previously as businesses are more likely to pay the ransom to avoid large fines if sensitive data is released online.

Cyber criminals are acutely aware of the potential negative impact on a firm’s reputation if data is released and will use this to demand a higher ransom. If your firm decides to pay out, it will rarely be a one-off, so you’ll need to fix your security vulnerabilities fast. It’s easy to see how this becomes a recurring cycle of paying up again and again, with hackers returning every few months for more.

But carrying out security investigations to fix issues as they arise can become much like plugging holes in a sieve and be quite costly in the long run.

Firms now have just over a year to ensure their systems are robust enough to meet their data security obligations. A business cannot outsource their responsibilities under GDPR, meaning the culture and mindset around how data is treated has to be modernised and law firm managers must take responsibility for ensuring data is safe. An external audit of a firm’s infrastructure and network security is the first step to assessing whether the appropriate measures are being taken to protect data.

The good news is that GDPR is likely to be the much needed catalyst for change, forcing firms to focus on prevention rather than cure for security attacks. The outcome is that our data is likely to be much safer as a result.



Leave a comment

* Denotes required field

All comments will be moderated before posting. Please see our Terms and Conditions

Legal Futures Blog

New right to paid leave for bereaved parents: A welcome move

Kimberley Manning DAS

This year, like many in recent years, has seen some key changes within the employment law field, with the government, trade unions and lobbyists remaining endlessly engaged in seeking to impose their interpretation of fair balance between employers and their respective workforces. Although consensus on that equilibrium can never really be achieved, sometimes there are pieces of legislative movement which are difficult to argue with regardless of your perspective: This is one of those. Published on 13 October 2017, the Parental Bereavement (Pay and Leave) Bill would provide for the first time a legal right to parents who are employed and have suffered the death of a child, a minimum of two weeks’ leave in which to grieve.

November 20th, 2017