Insights - “the value of the data that we hold” and “keeping our data safe – the human factor”

Introduction

What’s in a name, a date of birth, a currency amount? Individually, each of these is a piece of data, a value, which on its own is useless. However, if we start to collect different data together: a name; an email; an address; a postcode; a National Insurance number; a bank account number and a sort-code then this becomes information, and something that is very valuable to both you personally, and increasingly to cyber-criminal gangs.

In this article we will explore two different areas: data and its value, and the related question of how we can keep our data safe, focusing specifically on the human aspects of cyber security.

Both of these are of interest to the legal profession, both in terms of the data that they hold, but also in terms of the likely increase in the number of cyber-related cases that may be, or may have already, arrived on the doorsteps of legal firms. This is an increasingly complex area, especially with the advances that we are seeing in the area of Artificial Intelligence (AI) based systems that provide great opportunities, but also a number of threats that we must be aware of. AI is only introduced briefly in this article, and is not the main focus, but this is certainly something that is attracting a lot of attention in the Legal Technology (Legal Tech) field.

The Technology sectors have a great opportunity to work together; they generate innovative solutions and approaches to the issues, challenges and complexities of these areas – much has been achieved, but there is still more to be done…

The value of data – is it ‘the new Oil’?

Each day we generate vast amounts of data – emails, transactions, sensor readings, social media posts. A datum, a single value, has no meaning on its own; however, if we combine these data together, we can create information – a collection of data values which, taken in combination, is meaningful or provides insight. It is this combining of data, and the interpretation of the resulting information, that explains why data is increasingly being seen as a valuable commodity, both for us personally and for others financially. This value, especially the monetary one, and the leverage it may provide, means that data, and the theft of data, has become an increasingly prevalent issue over the past two decades. This is in part due to the internet, digitisation and the World Wide Web making data easier to access, and this provides issues and challenges for technology companies and legal firms alike.

Social security number – meaningless on its own unless we can get other data/information to relate it to someone else.

Just take a moment to think about the data you may have access to, or may be asked to provide, or willingly make available: your employee record, your social media profile or LinkedIn profile – these contain lots of related data which in combination is valuable (both to you, and to a cyber attacker who may use the data to clone your identity, or to apply for a loan, mortgage etc. in your name). However, we often fail to realise the value of our own, or others', data until it is too late – until it gets into the wrong hands.

Recent years have seen high profile data breaches (British Airways, 2021 – Executive Club details leaked) and, most recently, the MOVEit cyber attack involving a number of large organisations (BA, BBC and Boots, 2023), in which significant details of employees' records, namely data relating to payroll, were stolen, and the Capita data breach (May 2023), in which University Superannuation Scheme (USS) members' data had potentially been accessed. USS is only one of over 90 organisations that depend on Capita for administering pension-related work. If it is proven that data has been accessed and copied, this could lead to hundreds of thousands of individuals' personal information being at risk, something which cyber criminals could benefit from, including making profits from selling data on the Dark Web.

With more and more data being stored online, the increase in ‘smart devices’ such as doorbells, heating systems and many other devices, the advances in Cloud (Internet) and third party storage at low costs it is enticing for companies and individuals to make use of these services, but this then takes an element of control of that data out of our hands.

It is important to note that there are laws and regulations, e.g. the European Data Protection Regulation (EDPR) and Data Protection Act (2018) that are there to ensure holders of data have mechanisms in place to secure the data, but this does not provide a cast-iron guarantee for safety, and with cyber criminals gaining significant profits from the sale, or threat of sharing data, victims are willing to pay the ransom. It is clear that data (and the insight and access it can provide) is becoming an increasingly valuable commodity.

In addition, the UK Information Commissioner's Office (ICO), which has overall oversight of data protection, has mechanisms in place, including requiring any organisation suffering a data breach to report this within 72 hours, and significant fines if negligence is to blame.

This provides a significant incentive for data holders to secure data. However, cyber attackers and the advance of powerful AI-based systems may provide yet another challenge to data/information security which in turn means that we all need to work together in order to keep our information safe.

Why is this important to the legal community?

1) Legal firms have access to and store large amounts of data relating to individuals and cases – this is attractive to cyber attackers, and so ensuring legal data and client files are secure is important.

2) There are likely to be increasing numbers of (increasingly complex) cases relating to data theft, and so being able to deal with these within the existing legal framework may become even more challenging, especially if a software-based AI system has been used, where tracing the perpetrator of the crime may be very challenging – this is an opportunity for Technology companies and the legal profession to work together as part of development in the Legal Technology field.

Now that we understand the importance and value of data, we shall turn to look at how we, as humans, play an important role.

Cyber hygiene – keeping our data safe: the human factor

It is estimated that at least 60% of cyber-attacks are the result of an ‘insider’, most often a disgruntled employee or contractor. These are humans, and despite some evidence to the contrary, the human is often the weakest link – it is ‘easy’ to put technology in place to detect systems breaches, and have complex password policies, biometrics (fingerprint scanners) and multi-factor authentication (think an authenticator app on your phone as well as a password) but this is all rendered useless if:

1) An employee is subject to a so-called social engineering attack (e.g. a phishing email) and divulges their login credentials or system access.

2) An employee gives their password combination away (and no multi-factor authentication method is in place, or the employee authenticates on behalf of a third party).

3) An employee stores their password on their desktop in a file called ‘passwords.txt’ or uses a sticky note to remind them of their login credentials.

4) An employee launches a cyber attack or provides access to the company’s systems from inside the organisation (in which case they are already provided with access).

This is not an exhaustive list, but perhaps indicates that we need to think carefully before acting. Good cyber security practices (also part of a broader concept known as cyber hygiene) can help limit the risk of such security breaches and many of the mechanisms and steps are probably already part of your organisation’s IT policy, Acceptable Use Policy or HR policies.

Some useful tips:

1. Always be vigilant with emails, especially those asking you to log-in or share sensitive details (personal or work-related) or are from someone you do not know; take the time to read the email and if you are unsure, do not do anything and report to your IT team or line manager.

2. Never share your password with anyone else, and if you have then make sure you change your password immediately and report the incident to your IT team.

3. Never write passwords down – companies often have password policies to ensure strong passwords, and more are now moving towards the choice of a combination of random words or phrases that make sense to you (as you understand the relationship between them) and make it very difficult for attackers and password cracking tools to guess.

4. Report any unusual behaviour, and for your IT team, suggest the Principle of Least Privilege, an approach that restricts access to the absolute minimum and has a process for managing access requests that is more safe and secure.

With some simple, and often non-technical behavioural changes you can significantly increase the security of your systems and save damage and loss (monetary and reputational) that could result from poor cyber hygiene.

Summary

Data is becoming an increasingly valuable commodity and therefore it is becoming an increasing target for cyber criminals. We all hold a collective responsibility to understand the importance and value of data, especially when this can be put together to create valuable or sensitive insights into an individual or organisation. There are excellent opportunities for the Technology, Legal and Academic professions to come together to work on innovative solutions that can keep our data safe. It is important to remember that whilst technology plays a role, it is the human who is in charge and who often represents the weakest link in the security chain. We therefore need to remember to integrate the human aspect and the user context into our solutions in order to make them as effective as possible.

Paul Sant
