P2P

summer23

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1502513

Page 49 of 81

For instance, we know an AMLAW 50 firm that stumbled upon a business intake and conflict resolution system that had been superseded by a newer product more than ten years earlier. At the time of the switchover, the old system was kept running because it was needed to consult earlier decisions for audit purposes. But time passed and it was never taken down. This system was full of personally identifiable and other highly sensitive information, unsupported, and eminently hackable. Had the firm not found it, it would have gone on presenting a substantial, yet hidden, hazard.

A certain prominent UK criminal law firm was not so lucky. In 2022 the firm was heavily fined by the UK regulator (the Information Commissioner's Office) for breaching the UK's version of GDPR. The firm had failed to adequately secure data held on an older archive server. A ransomware attack encrypted 972,191 individual files on this server, of which nearly 25,000 were court bundles that included medical files, witness statements, names and addresses of witnesses and victims, and the alleged crimes of individuals. The attackers proceeded to publish 60 of these bundles on the dark web.

As it goes, this firm had a records retention policy, but hadn't applied it to this particular server. Consequently, the ICO found the firm was storing court bundles after the 7-year retention period had elapsed, causing the regulator to note: "A failure to adhere to or to justify departure from its retention practices creates concerns about compliance with Article 5(1)(e) GDPR, which requires personal data to be 'kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.'" [1]

But that's not even the worst that can happen when information governance fails. In March 2022 a 150-year-old London Stock Exchange-listed law firm, Ince & Co, was the victim of a major cyberattack in which personal data was stolen and held to ransom. [2][3] Thirteen months later, on 12 April 2023, the firm announced it had gone into administration following an irreversible slump triggered by the attack.

Warm blanket

Meanwhile, many firms on the opposite side of the pond have wrapped themselves in a warm blanket of denial, in the belief that GDPR doesn't affect them. But this isn't true, because GDPR's tendrils reach into any database that holds the records of EU citizens, irrespective of location. GDPR notwithstanding, firms in the Americas will have spotted that the contagion of data privacy regulation has reached your shores anyway. State data privacy legislation has already been enacted in California, Colorado, Connecticut, Indiana, Iowa, Virginia and Utah, [4] as well as in Canada (Bill C-27) and Brazil (LGPD). In addition, multinational clients operating in multiple jurisdictions increasingly find it much more
