
When cyber risk becomes personal: the human cost of data breaches in law firms
Sarah Armstrong-Smith, executive board advisor at Softwerx, explores the psychological toll of a data breach on clients, and why SME law firms and conveyancing are particularly vulnerable to cyber incidents
When the legal industry talks about cybersecurity, it’s usually in terms of regulation and professional standards. These are important, but the real focus should be placed on the devastating impact of cybercrime on people’s welfare and lives. These human stories can get lost in a conversation that focuses on technicalities and compliance.
When people seek legal advice, it’s usually at a defining moment in their life, often when they are feeling at their most vulnerable or anxious. The data they entrust to a solicitor is very personal, and its exposure would be devastating. It’s this sensitivity that makes the information so valuable to cybercriminals and places extra pressure on law firms.
This makes SME firms an attractive target for cybercriminals: they are also one of the most vulnerable. However, for the legal sector, it is about far more than money. The real damage is often reputational and is deeply personal to those most impacted. When highly sensitive data is exposed, the emotional fallout can be profound, affecting partners, staff and clients alike — and in some cases, leaving lasting financial, social and emotional impact long after the incident itself.
SME firms are often identified as the optimum target by cybercriminals. They have a wealth of highly sensitive data and are potentially less well-resourced than a large firm. In many cases, in-house IT teams are lean and focused on keeping systems operational but may lack the expertise and know-how to successfully monitor and respond to threats round the clock.
Protecting data protects people
People trust firms with their information and have no choice about what data is collected and how it’s processed and stored. They trust that their sensitive information and identities will be protected for the duration of their case and beyond.
There are many aspects of a person’s private life that can be exploited, but it’s with conveyancing that we regularly hear the most impactful stories. When cybercriminals gain access to firms, they’re not only looking for sensitive data. The largest everyday payments that will attract an attacker’s attention are property purchases.
If they gain access to conveyancing files, a criminal can discover the details and timeline of a house purchase, intercept the messages and send a convincing email requesting that a sum be paid to their bank account rather than the solicitor’s. From the individual’s perspective, the email is likely to arrive at a point in the transaction when they’re expecting to receive a solicitor’s request to make payment; it looks authentic and references the details of the purchase with the correct amount to be paid.
The result can be devastating. Not only may the individual lose their savings, but they may also lose their dream home. While some firms may have professional indemnity insurance (PII) to cover redress, this takes time to investigate and for people to obtain their money back. Meanwhile, individuals have not only lost their data and money but they’re also having to fight to get it back. Firms must be empathetic to their clients’ needs and expectations.
Turn safety into a strategic priority
These human stories are always behind the prevalent threat of cyber incidents, with 1 in 5 UK law firms having experienced one in the last few months alone. Protecting people, their data and their families means that law firms need to consider cybersecurity as a fundamental part of their strategy, to protect what matters most and to deliver trust and resilience across the sector.
Until we talk about cyber risk through the lens of people, not just policy, we will continue to underestimate both its impact and its importance. Many firms may be wondering where to start and a good option is to consider cloud-based services, which typically have a range of security and privacy controls built into the platform that firms can take advantage of, based on the sensitivity and confidentiality of data.
Good security is about understanding the nature of the data you hold, classifying it properly, limiting access and being prepared when something goes wrong. It is about recognising why your firm might be a target and what the real-world impact of exposure would be.
The Solicitors Regulation Authority (SRA) and the Information Commissioner’s Office (ICO) have made it clear that failing to patch vulnerabilities or implement multi-factor authentication (MFA) is not just a technical oversight; it’s a breach of professional duty that can result in significant fines and reputational harm.
Certification to known standards such as the UK Government’s Cyber Essentials scheme is a good step in providing assurance to clients but it’s often a snapshot in time. Cybersecurity needs to be considered beyond compliance to counteract the evolving threat.
That’s one of the main reasons why firms choose to work with specialist security partners, such as Softwerx, who can protect against existing and upcoming threats while providing education on the evolving landscape.
Cybersecurity is a business enabler that firms need to put at the heart of their strategy. It’s not just about securing systems. It’s about protecting the livelihoods of people that come to them when they are most vulnerable and in need of help. It shows that client trust is both honoured and protected.


