
Navigating data breaches in the legal sector


With the legal sector a key target for cyber-attacks, it is critical to focus on building a cyber-risk strategy, including education, technology and data governance.



In the 2019 KPMG CEO Outlook, 42 percent of Australian CEOs agreed that becoming a victim of cyber-attack is now a case of ‘when’ and not ‘if’.

For law firms, which are routinely trusted to collect and hold significant volumes of sensitive data, including personal information, intellectual property, and commercially sensitive material that relates not only to their own practice, but also to their clients and third parties, the impact of a cyber-attack can be far reaching.

The issue of cyber security in law was explored in detail by KPMG professionals and industry guests at KPMG events in Melbourne and Sydney in May 2019.

This article provides some key takeaways for the legal sector to consider around cyber-attack preparation, mitigation and response.

The threat landscape

Paul Black, Partner, KPMG Forensic, said that cyber risk threat comes predominantly from organised crime.

“Typically, organised crime attacks originate from offshore, and attackers favour email to launch ransomware attacks [locking up a user’s data unless they pay a ransom],” he said. “Unlike some other attackers, organised crime groups don’t specifically target any organisation – instead, they take a scattergun approach.”

In addition to organised crime, Black said cyber-attacks can originate from:

  • The ‘trusted’ insider: Attacks by a person from within the organisation itself are an increasing issue. Often, organised crime works with insiders, paying them to take information out of the organisation. “So it's no longer a question of protecting your organisation from the outside; it’s also a question of protecting your organisation from the inside,” Black said.
  • Hacktivists: These are activist groups which attack computer systems, and try to disrupt, embarrass or prove a point against an organisation whose policies or actions they disagree with.
  • Nation states: Attackers working on behalf of foreign governments. Because of the sophisticated attack vectors used, victim organisations often do not learn they have been compromised until many months later. Black explained that nation states commonly use ‘zero day’ attack vectors, which exploit vulnerabilities in software or hardware that are not yet known to the vendor and for which no patch exists. These are typically stealthy intrusions in which unauthorised access is gained and the attackers remain undetected for an extended period (an advanced persistent threat, or APT). Black said an estimated 7 percent of APT attacks target the legal sector, due to the nature of the transactions law firms work on and the types of data they store.

Sources of entry

  • Email: Statistics about data breaches vary, Black said, but it is estimated that about 90 percent of attacks arrive via email, most commonly delivering ransomware. Email is an easy entry point because a message can be tailored to a specific person or group and made to look convincing, prompting the recipient to act. People are not always aware of when not to open an attachment or click on a link. “That tells us that the human element is such a big factor when it comes to cyber-attacks.” Black said organisations should apply a combination of user education and technology controls to address this risk.
  • The cloud: Increasingly, attackers host malware within legitimate cloud services and then trick users into clicking links to it. Brands such as DocuSign, Dropbox, Google Drive and Office 365 are commonly used as lures: the message and link appear to come from the service, but lead to a malicious web page or a malicious file.
  • Click bait: This is on the rise, Black said, often via social media. Attackers entice a user to click a link to watch a video or read an article, then redirect the traffic to a malicious web page whose code uses the visitor’s computer to mine cryptocurrency (cryptojacking).
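
The two cloud lure patterns above (a trusted brand named in the visible link text while the destination is elsewhere, and a payload hosted on a genuine cloud file-share) can be checked mechanically at the mail gateway or in a triage script. The Python below is an added example written for this article, not code from KPMG or the panel. The brand and file-share domain lists are illustrative assumptions that a firm would replace with its own vetted allow-list, and the sample message is constructed, not a real phishing email.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allow-list (an assumption, not from the article): a brand keyword
# that may appear in a link's visible text -> domains that brand legitimately
# uses. A real deployment would maintain this from the firm's own vendor data.
BRAND_DOMAINS = {
    "docusign": {"docusign.com", "docusign.net"},
    "dropbox": {"dropbox.com"},
    "google drive": {"google.com"},
    "office 365": {"microsoft.com", "office.com", "microsoftonline.com", "sharepoint.com"},
    "onedrive": {"microsoft.com", "live.com", "sharepoint.com", "1drv.ms"},
}

# Cloud file-sharing hosts attackers abuse to host payloads, and extensions that
# should never arrive as a "document" link (again an illustrative list).
FILE_SHARE_DOMAINS = {"dropbox.com", "dropboxusercontent.com",
                      "drive.google.com", "sharepoint.com", "1drv.ms"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse_link(href, text):
    """Return a list of human-readable findings for a single anchor."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    lowered = text.lower()

    # 1. Lookalike lure: visible text names a trusted brand, destination is elsewhere.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not host_matches(host, domains):
            findings.append(f"text names {brand!r} but link goes to {host or href!r}")

    # 2. Displayed URL differs from the real destination.
    shown = re.search(r"https?://([\w.-]+)", text)
    if shown and shown.group(1).lower().rstrip(".") != host:
        findings.append(f"displayed host {shown.group(1)} differs from real host {host}")

    # 3. Non-web scheme (javascript:, file:, ...) in what should be a document link.
    if parsed.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parsed.scheme!r}")

    # 4. Payload on a legitimate cloud service: the domain is genuine, the file is not
    #    the document the message promises.
    if host_matches(host, FILE_SHARE_DOMAINS) and parsed.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append(f"cloud-hosted file with risky extension: {parsed.path}")

    return findings


def scan_html(html):
    """Return [(href, finding), ...] for every suspicious link in an HTML email body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, f) for href, text in extractor.links for f in analyse_link(href, text)]


# Constructed sample message for the example; not a real phishing email.
SAMPLE_EMAIL = """
<p>A document has been shared with you for review.</p>
<a href="https://docusign-review.example-secure.net/view">Review in DocuSign</a>
<a href="https://www.dropbox.com/s/abc123/Invoice_2023.zip?dl=1">Download invoice</a>
<a href="https://www.dropbox.com/s/xyz789/contract.pdf">contract.pdf</a>
<a href="https://login.microsoftonline.example.org/">https://login.microsoftonline.com/</a>
"""

if __name__ == "__main__":
    for href, finding in scan_html(SAMPLE_EMAIL):
        print(f"{finding}\n    {href}")
```

Run against the sample, the script flags the DocuSign lookalike, the ZIP hosted on a genuine Dropbox domain and the link whose displayed URL is not where it goes, while the PDF on Dropbox passes. It deliberately does not follow URL shorteners or redirectors, so a link through one would need to be expanded (or blocked outright) before this check is meaningful.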

Preventative measures

Black said it takes a combination of people and technology for organisations to mitigate cyber-attacks. And no strategy can be ‘set and forget’, but rather must be continually updated as the risk environment changes. He said that incident response planning and preparedness is critical.

“I can tell you from dealing on a daily basis with organisations that have been breached, it’s not a good place to be if you’re trying to determine who is going to help you with your incident response; where responsibilities lie; who is going to write communications; what the messaging is going to be to staff; how are we going to tell our clients; and what are our obligations to report,” Black said.

Once these fundamentals are understood, firms can build a cyber-risk strategy based on people and technology.

On the people side:

  • Have a current incident-response plan in the event of a cyber-attack.
  • Have clearly established roles and responsibilities so that people know what to do when an incident happens.
  • Educate teams through simulated phishing exercises and other simulated cyber-breach scenarios.
  • Drive good hygiene around how staff use IT.
  • Encourage employees to adopt equally secure practices on their personal devices, particularly mobile devices that they also use for work purposes.

On the technology side:

  • Require two-factor authentication on all systems, especially email and remote access.
  • Ensure all systems have endpoint protection, a VPN for remote network connections, and regular software updates.
  • Monitor ‘shadow IT’: employee use of hardware or software on company systems without the knowledge of the IT and cyber security teams.
  • Ensure all sensitive data is regularly backed up, with copies kept offline or otherwise isolated so that ransomware cannot encrypt them, and test that backups can be restored.
  • Have procedures in place to investigate any concerns immediately.

“It really is a question of having constant monitoring in place to identify anomalies within an environment.”

Paul Black, Partner, KPMG Forensic

Know your data

Data control is another key step to mitigating a cyber-attack. Kelly Henney, National Data Privacy Lead, KPMG, said it is vital for law firms to understand exactly what data they have, to collect only the data that they need, and to control access to the data.

Law firms receive very disparate data from very disparate groups. Henney said it is vital they have good governance in place to ensure that data is safely received, understood and protected.

Data safety considerations include:

  • Risk appetite: Henney said to ask: What is our risk appetite when it comes to data and our management of data? What would our customers expect from us from a risk appetite and governance perspective? “Some organisations will push the boundaries of what they do with their data and others will be more conservative,” she said.
  • Current and future state: What is our current data governance, and what do we need to do to reach a defensible position? Henney said key to this is understanding the flow of data; where it goes to third parties, and then on to fourth parties.
  • Data storage: Henney said organisations need to be clear, from the board through to the front line, on how they are going to use data. Ask: where and how is our data stored? How is it used, and by whom? Building in data minimisation and retention schedules is a key step to security, along with quantification, classification and validation of the data.
  • Third party data security: Often, when big organisations ‘lose’ data, it is the result of a third party losing it, Henney said. “Third and fourth parties are key vulnerable points and their data uses and policies need to be better understood.” Law firms need an understanding of who they are sharing their data with, and through which parts of the organisation it is passed on. Organisations should do due diligence, auditing and monitoring of third and fourth parties on how they are dealing with data. She said some key questions to ask are:
    • Are third parties handing the data on to fourth parties?
    • Is their use of the data in line with our risk appetite?
    • What sorts of contractual arrangements do we have with third parties in regards to privacy, and what do they have with their fourth parties?
  • Consent management: With privacy laws increasing, Henney said a key focus for law firms needs to be managing consent around the collection, use and sharing of information. “Consent isn’t set and forget,” she said.

Insurance against cyber attack

Emma Cronin, Senior Underwriter, Cyber Liability, Berkshire Hathaway Specialty Insurance, joined the KPMG panel, and shared insights into what insurance is now available and how it can respond in the event of a cyber-attack.

Cronin said there has been a rapid evolution in insurance firms offering cyber liability insurance – with around 35 insurers offering policies in Australia.

Organisations currently look mainly at first-party cover, which pays the insured’s own costs of responding to an incident, and, less commonly, third-party cover, which responds to liability claims from clients or others affected by a data breach.

Typical cyber-attack claims include email compromise, crypto-locking (ransomware) and denial of service. There are also simpler, less sinister breaches, such as when staff inadvertently send an email to the wrong person.

Before offering cover, Cronin said, insurers will ask what cyber security measures are in place: for example, staff education, technology protection, the recovery time for critical systems in the event of an attack, the likely business impact, and how resiliently and quickly the business can respond to an event. This investigation is often a good trigger to focus on what needs to be improved.

“Insurance isn’t an alternative to risk management. It is to work alongside the risk management framework.”

Emma Cronin, Senior Underwriter, Cyber Liability, Berkshire Hathaway Specialty Insurance

Contact KPMG to discuss how we can help your organisation achieve a defensible position in relation to cyber risk. We can help you focus on data strategy, data governance and third party oversight.

©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.

Liability limited by a scheme approved under Professional Standards Legislation.
