Sign Up for our Free Newsletter
menu
Solicitors Journal Homepage
Cyber security specialistiomart

The changing role of lawyers in a cyber-attack

Wed Sep 06 2023Opinion
The changing role of lawyers in a cyber-attack

In an increasingly data driven world, cyber-attacks are more prolific and damaging than ever before, says Matt Dowson.

In June, file transfer app MOVEit was breached, causing sensitive data from a number of high-profile organisations, including the BBC and Ofcom, to fall into the hands of hackers. In fact, according to the 2022 Cyber Security Breach Survey, more than a third (39 per cent) of UK firms suffered a cyber-attack last year. 
A data breach occurs when sensitive or confidential information is accessed, disclosed, or stolen by unauthorised individuals. After a data breach happens, it’s a huge challenge for all departments across the business, including the legal team, who now play a key role in helping organisations navigate the legal aspects of potential consequences of a data breach. 
Legal teams have now become a crucial part of an organisation’s cyber strategy across every step of the journey, governing everything from incident response plans and regulatory challenges to stakeholder management.


Pre-incident 
For any organisation, the threat of a cyber-attack is not a case of if, but when, so preparation is key. A crucial part of this preparation is developing and testing incident response (IR) plans.
IR is a subset of cybersecurity which includes strategies around technical tasks, processes and workstreams, such as detecting, preventing, stopping, and remediating cybersecurity incidents. IR planning in today’s interconnected digital world is critical. 
Lawyers can help develop a customised IR plan with a detailed understanding of how cybersecurity and cyber law affect an organisation, to provide a coordinated, organised, and effective response.
As part of the plan, legal teams should structure their approach across several practices when assessing the legal implications of a potential breach, including violations of data protection laws, privacy regulations and contractual obligations. They should also help the organisation understand its legal obligations and potential liabilities, including the implications on any contracts in place with third-party vendors, clients, or partners.
Furthermore, solicitors are there to ensure that the organisation complies with relevant regulations, such as GDPR for those operating within the European Economic Area (EAA) and UK, to guide them through any necessary reporting or notification requirements. 


During an incident
Legal support during a data breach involves several key responsibilities. In complex data breaches, solicitors should ensure they’re working effectively alongside cybersecurity experts, forensics teams and other specialists to determine the scope of the breach, assess the potential damage and identify the vulnerabilities that caused the breach. This could be anything from a personally identifiable information leak, to a threat actor on the network watching a business’s unique manufacturing process via a hacked CCTV infrastructure.
Depending on the severity of the breach and the applicable laws, the organisation may then need to notify affected individuals, regulatory authorities (such as the Information Commissioner’s Office) and other stakeholders. The solicitor should guide the organisation through this notification process, ensuring that it is done in compliance with legal requirements.
Following this, the solicitor should support with a wider communication strategy that provides accurate and timely information to those affected, while managing potential legal risks.

Post-incident
After responding to a cyber-attack, the duties of a lawyer continue. In some cases, a data breach could result in legal actions or claims from affected parties, and therefore the solicitor will need to represent the organisation's interests in negotiations, settlements, or potential litigation. During this time, and throughout the cyber-attack process, solicitors will need to document all actions, communications and decisions carried out during the breach response.
Solicitors should also play a key role in rebuilding cyber resilience after an attack, working closely with the organisation to reassess and rework the incident response plan to mitigate any further impact and prevent future breaches.

Final thoughts
A solicitor's role during a cyber-attack is to provide legal expertise, guidance and strategic advice to help the organisation manage the legal and regulatory challenges that arise from a breach, and to minimise its potential negative consequences. 
It’s a long and complex process, and with the chances of an attack remaining high, it’s clear that lawyers must be a central part to every organisation’s cyber strategy to give themselves the best advantage when they fall victim to an attack.
Matt Dowson is a cyber security specialist at iomart.

AdvertisementAdvertisementAdvertisementAdvertisementAdvertisementAdvertisement
Latest News

Ethics Institute launches taskforce to examine legal services to oligarchs and kleptocrats

Mon Sep 25 2023

Legal Departments See Higher Matter Volumes but Flat or Declining Budgets: Thomson Reuters 2023 Legal Department Operations Index

Mon Sep 25 2023

More Than 200 Employers Named And Shamed For Failing To Pay National Minimum Wage

Mon Sep 25 2023

Browne Jacobson collaborates with LGiU on report highlighting “critical” role of local government to hit net zero

Fri Sep 22 2023

BSB publishes new guidance on barristers’ conduct in non-professional life and on social media

Fri Sep 22 2023

The Chancery Lane Project expands to the USA

Thu Sep 21 2023

Delay in Final Report of the Infected Blood Inquiry

Thu Sep 21 2023

Attorney General presents UK intervention in Ukraine case against Russia at International Court of Justice

Thu Sep 21 2023

Firms losing potential clients by failing to return their calls, research shows

Thu Sep 21 2023
FeaturedChanging tactics in litigation – crystal ball gazing
Changing tactics in litigation – crystal ball gazing
FeatureTue Sep 26 2023
Changing tactics in litigation – crystal ball gazing
Diane Parker discusses the potential consequences of the forthcoming intermediate track for civil claims.
UN and coalition of NGOs write to Unilever to voice deep concern regarding victims of violence at Unilever tea plantation
UN and coalition of NGOs write to Unilever to voice deep concern regarding victims of violence at Unilever tea plantation
NewsTue Sep 26 2023
UN and coalition of NGOs write to Unilever to voice deep concern regarding victims of violence at Unilever tea plantation
The United Nations Working Group on Business and Human Rights, and five United Nations Special Rapporteurs have written to Unilever Plc, expressing their deep concern about the lack of access to justice and an effective remedy provided by Unilever to a group of (former) Unilever workers who were brutally assaulted on a Unilever tea plantation.
Live Facial Recognition: How to Stay Within the Law
Live Facial Recognition: How to Stay Within the Law
NewsTue Sep 26 2023
Live Facial Recognition: How to Stay Within the Law
With the retail sector currently under scrutiny about its use of live facial recognition technology it is crucial that businesses understand how the equipment can be used lawfully.
B Corps: the future for law firms?
B Corps: the future for law firms?
OpinionTue Sep 26 2023
B Corps: the future for law firms?
Dana Denis-Smith explains why she decided to pursue a B Corp certification for her firm.
SJ Interview: Hannah Ambrose
SJ Interview: Hannah Ambrose
SJ InterviewMon Sep 25 2023
SJ Interview: Hannah Ambrose
Hannah Ambrose is an international arbitration partner at Herbert Smith Freehills. She talks to Solicitors Journal about her practice and the Law Commission's recent proposals to update the Arbitration Act 1996.
Whose human rights are more important, yours or mine?
Whose human rights are more important, yours or mine?
ForewordFri Sep 08 2023
Whose human rights are more important, yours or mine?

Under the law, should your right to express your opinion – be it on politics, the environment, abortion, or anything else – trump my right to go about my business unhindered, whether or not I happen to agree with your opinion?