There is no doubt that data protection has always been a key part of the day-to-day business environment; with the fines and penalties that can now be imposed by the Information Commissioner's Office (ICO) under the new General Data Protection Regulation (GDPR), it has focussed our minds.
Passwords are commonly used to protect personal and sensitive data. Following the implementation of the GDPR and heightened regulation, there are now a number of additional considerations businesses must take into account when designing a password system, including the use of two-factor authentication and protecting the means by which users enter passwords.
The ICO has provided a great amount of detail on the above; the aim of this article is to summarise key information from the ICO and other sources so that it can be applied directly to your practice, and to show how you can minimise the potential risks.
Nearly all law firms store large amounts of client data, and keeping that data confidential and secure is fundamental to the firm's reputation and longevity. With the increase in data theft, it is undoubtedly becoming more difficult to control and secure that data.
The National Cyber Security Centre has identified a number of emerging trends in the legal sector, including remote working and the increased risk to smaller firms.
Mobile working and remote access disrupt the corporate infrastructure because the storage of information has been extended beyond it. Organisations that do not establish sound remote working practices may therefore be vulnerable to loss or theft of devices, credential loss, device tampering or sensitive data simply being overlooked.
There is a growing risk to all law firms, regardless of size. Career criminals target the legal profession because of the potential prize at stake. They look for firms with vulnerabilities and fewer cyber security controls and checks in place, which may nonetheless hold significant funds in their client accounts because they are acting on sizeable conveyancing transactions, dealing with probate estate matters or about to conclude a sizeable commercial transaction. All of this reinforces the fact that the legal profession is a very attractive target.
This makes it imperative that firms, large or small, invest in staff awareness to make them more alert to the threats and ultimately become more resilient.
The ICO suggests three main requirements when setting passwords:
- Password length: there should be a minimum character requirement of no fewer than 10 characters, and there should not be a maximum length.
- Special characters: these are not mandatory, but would be advantageous.
- Blacklisting: employees should not use common passwords or phrases, and all default passwords should be changed once distributed.
Particular emphasis is placed on password expiration and resets. Password expiry should only be enforced if you deem it necessary; the disadvantage of regular resets is that they encourage strong passwords to be changed to weaker ones. The ICO suggests, as a general rule, that users create strong initial passwords and change them only if there is a particular reason to do so.
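As an added illustration (not code from the ICO or from this article), the following Python validator applies the three requirements above together with the "no expiry without a reason" rule. The blacklist and default-password entries are constructed samples, and the check for the user's login name or firm name inside the password is our own extension of the blacklisting rule.

```python
import re

# Constructed sample lists; a real deployment would use a large breach-derived
# corpus and the actual default passwords shipped with the firm's systems.
COMMON_PASSWORDS = {"password", "password123", "qwertyuiop", "letmein2018", "welcome123"}
DEFAULT_PASSWORDS = {"changeme", "changeme123", "administrator"}

MIN_LENGTH = 10  # ICO guidance: no fewer than 10 characters
# There is deliberately no MAX_LENGTH: the ICO advises against a maximum.

def check_password(candidate, username="", firm_name=""):
    """Apply the ICO requirements (length, blacklist, defaults) plus the optional
    special-character advice. Returns a dict with 'ok', 'failures' (hard
    rejections) and 'advice' (non-mandatory suggestions)."""
    failures, advice = [], []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("on the common-password blacklist")
    if lowered in DEFAULT_PASSWORDS:
        failures.append("is a default password and must be changed")
    # Assumption extending the blacklisting rule: reject obvious context words
    # such as the user's login name or the firm's name.
    for label, word in (("username", username), ("firm name", firm_name)):
        if len(word) >= 4 and word.lower() in lowered:
            failures.append(f"contains the {label}")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        advice.append("adding a special character would strengthen it")
    return {"ok": not failures, "failures": failures, "advice": advice}

def reset_reason(account):
    """Decide whether to force a password change. Age alone never triggers a
    reset (regular expiry pushes users toward weaker passwords); only a
    specific reason does. 'account' is a constructed record with the keys
    'still_default' and 'known_compromised'."""
    if account.get("still_default"):
        return "default password has not been changed"
    if account.get("known_compromised"):
        return "password appeared in a known breach"
    return None

if __name__ == "__main__":
    print(check_password("correct horse battery staple", "jsmith", "Exampleson"))
    print(check_password("Exampleson2019", "jsmith", "Exampleson"))
    print(reset_reason({"still_default": False, "known_compromised": True}))
```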
Two high-profile examples involve the social media giants LinkedIn and Twitter:
“In 2012, the social networking site LinkedIn was hacked. It was thought at the time that passwords for around 6.5 million user accounts were stolen by cybercriminals. However, in May 2016, following the advertisement for sale on the dark web of 165 million user accounts and passwords, LinkedIn confirmed that the 2012 attack had actually resulted in the theft of email addresses and hashed passwords of approximately 165 million users.” 
“In 2018, Twitter and GitHub discovered that errors in their logging systems had led to plaintext passwords for users being stored in log files. Although the log files were not exposed to anyone outside of the organisations, both Twitter and GitHub recommended or required that users changed their passwords.” 
It is also important to consider how your system will respond to an attacker. The ICO states that:
“Techniques for recognising common user behaviour are becoming more advanced, and you could use these to develop a risk-based approach to verifying an authentication attempt. For example, if a user logs in from a new device or IP address you might consider requesting a second authentication factor and informing the user by another contact method of the login attempt. It is however important to remember that collecting additional data from users in order to defend against authentication attacks could itself constitute processing personal data and should operate in compliance with the GDPR. This does not mean you cannot process this data, but you must ensure that you have considered the data protection implications of doing so.” 
How this could be implemented within your business:
Two-factor authentication is becoming an increasingly common and useful tool to help businesses that hold sensitive data combat these criminals. It should be implemented wherever possible, for example through the use of a password plus a one-time token delivered via SMS, an app or a hardware fob.
The ICO also gives alternative examples such as fingerprints, smart cards or Universal 2nd Factor keys (U2F keys)* and devices. These must be implemented in accordance with the GDPR's requirements for special category data and/or an appropriate processing condition in Schedule 1 of the Data Protection Act 2018.
*Universal 2nd Factor key – enables internet users to securely access any number of online services with one security key.
The GDPR gives no specific guidance or benchmark that we must adhere to, but Article 5(1)(f) does state that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This principle requires firms to take appropriate technical and organisational measures to prevent unauthorised processing of the personal data they hold. This means that when you are considering a password setup to protect access to a system that processes personal data, that setup must be 'appropriate'.
Whilst this does not prescribe a definitive solution, there is certainly an expectation that ALL data processors and controllers have measures in place to safeguard their clients' information.
Lockton can help:
We have created a unique product that covers the business risks a law firm faces today; this policy combines Cyber and Crime coverages with Regulatory Investigation coverage and the compulsory PII insurance to satisfy the SRA.
Unlike your PI insurance, it not only protects the interests of your clients but is designed to protect your business. In the event of a data breach or incident, you'll have access to leading forensic experts and specialist advisors, putting your business back on track and minimising the impact on you and your business.
It may, however, be prudent for your practice to have standalone coverage. Our specialist Global Technology and Privacy Practice is at the leading edge of cyber risk solutions, both in the UK and worldwide. Our specialists place Cyber Liability Insurance policies which provide protection against financial losses arising from your practice's information technology. Unlike your SRA policy wordings, one size does not fit all, and we look to tailor the covers to suit your firm's needs. Typical covers include:
- Network security and privacy liability
- Regulatory defence
- Loss of Digital Assets
- Non-physical Business Interruption
For more information on this product, please contact me or your Lockton representative.