Written Answer to Unanswered Oral Question

Steps to Ensure Law Firms Strengthen IT Processes and Cyber Security

Summary

This question concerns Ms Rahayu Mahzam’s inquiry regarding measures to strengthen law firms’ cybersecurity and assist victims of impersonation scams targeting legal transactions. Minister for Law K Shanmugam noted that recent incidents involved compromised client email accounts rather than law firm systems, though the Law Society has issued advisories to enhance awareness. He stated that law practices have statutory obligations under the Legal Profession Act and Personal Data Protection Act to maintain adequate data security systems and follow published guidance. The Minister emphasized that clients must also exercise vigilance by cross-checking payment instructions, as law firms are ultimately responsible for their own IT processes. Finally, he advised that victims should report these crimes to the police and utilize cybersecurity resources from the Cyber Security Agency of Singapore.

Transcript

25 Ms Rahayu Mahzam asked the Minister for Law in light of scammers targeting law firms and impersonating lawyers (a) what steps will be taken to ensure law firms strengthen their IT processes and cyber security; (b) whether any assessment of the state of cyber security awareness amongst law firms has been done; (c) if not, whether the Ministry will consider conducting such an assessment; and (d) how can victims of such scams be assisted to recover their lost monies.

Mr K Shanmugam: The recent reports in the media of scammers impersonating conveyancing lawyers involved hackers targeting the clients' email accounts, rather than the systems or email accounts of the law practices or lawyers in question. The scammers then sent emails with payment instructions which differed from what the lawyers had earlier told their clients. Unfortunately, these victims then proceeded to carry out these payments – one of them doing so even though their lawyer clarified that no such instruction had been given by the law firm.

Following these incidents, the Law Society of Singapore has taken steps to highlight the need for careful scrutiny of payment instructions or requests. The Law Society maintains a section on their website with information on email scams targeting lawyers.[1] It has also released two advisories to lawyers and conducted a media conference in relation to the recent scams, highlighting steps which lawyers can take to keep themselves, their law practices and their clients safe.

Law practices, as with any other business, are ultimately responsible for their own IT processes, data protection and cybersecurity. All private sector organisations, including law practices, are also subject to requirements under the Personal Data Protection Act, which imposes on them obligations to protect personal data.

In addition, they are supported by a regulatory framework under the Legal Profession Act, to protect clients and guide law practices in best practices within this framework. Lawyers also have a responsibility to maintain the confidentiality of client information, and the management of each law practice has a statutory obligation to ensure that their law practice has adequate systems to comply with client confidentiality requirements in written law and any applicable practice directions, guidance notes and rulings issued by the Law Society or its Council or the Professional Conduct Council.[2]

To help law practices, the Law Society publishes various Practice Management Guides,[3] Guidance Notes[4] and Advisories[5] on its website, on matters such as security risks to a law practice's IT system, cloud computing, and email security. Separately, the International Bar Association has also published a set of "Cyber Security Guidelines" on its website.[6] The Personal Data Protection Commission and Cyber Security Agency of Singapore have also issued guides to assist organisations to secure personal data and manage data breaches. Lawyers should take guidance from these publications, and apply them as appropriate to their own practices.

At the same time, clients must also exercise personal vigilance and due care to ensure that they do not fall prey to such scams. Members of the public should scrutinise email addresses, links, and attachments carefully in their correspondence, and where appropriate, take additional steps to cross check instructions, especially payment instructions, with their lawyers.

Victims of such scams should file a report with the police.