Building a cyber resilient service: guidance for directors of legal services

This document aims to support you to develop proactive, protective strategies and capabilities to enhance the cyber resilience of your council services. Some recommendations are technical, some organisational and some are about your people.

Introduction

This page details supplementary guidance specific to council planning services. Full guidance and steps can be found in our guidance document.

Step 5: Be clear on why your service may be targeted

Legal services, and teams within your directorate, are supported by a huge amount of data. This amount and type of data makes your service vulnerable to cyber attacks and means the impacts to staff, residents and council services can be very damaging. Attackers may be looking to steal sensitive data for resale or to perpetrate further criminal acts, and you will be particularly vulnerable to extortion from criminals who recognise the criticality of this data and the need to keep services running.

Figure 1: Commonly held data in legal services

  • Legal Opinions and Advice – Documents containing legal opinions, advice, and analysis provided by legal professionals within the local government.
  • Litigation and Dispute Data – Information related to ongoing or resolved legal disputes involving the local council, including court filings, judgments, and settlement details.
  • Contractual Documents – Copies of contracts, agreements, and legal documents governing relationships with vendors, service providers, and other third parties.
  • Regulatory Compliance Records – Records demonstrating compliance with various legal and regulatory requirements applicable to local government functions.
  • Employment and Personnel Records – Information related to employment matters, including contracts, personnel records, and legal advice on employment issues.
  • Data Protection and Privacy Documents – Records related to data protection policies, privacy notices, and compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
  • Planning and Development Data – Documents related to planning applications, development agreements, and legal aspects of local planning regulations.
  • Housing and Homelessness Records – Information related to housing allocation, homelessness applications, and legal matters concerning housing policies and regulations.
  • Environmental Law Compliance Records – Documentation demonstrating compliance with environmental laws, including waste management, pollution control, and other environmental regulations.
  • Freedom of Information Requests – Records of responses to freedom of information requests, including requests received, responses given, and any related legal advice.
  • Licensing and Permitting Data – Information related to licensing applications, permits, and legal matters concerning the regulation of businesses and activities within the local jurisdiction.
  • Education Law Records – Documents related to education law matters, including legal advice on education policies, school governance, and compliance with relevant legislation.
  • Community Care and Social Services Data – Information related to legal aspects of community care, social services, and legal advice on matters affecting vulnerable populations.
  • Criminal Prosecutions and Enforcement – Records related to criminal prosecutions initiated or enforced by the local council, including legal advice, court proceedings, and outcomes.
  • Health and Safety Documentation – Documents related to legal compliance with health and safety regulations, risk assessments, and legal advice on occupational health and safety matters.
  • Ethical Conduct and Standards – Records related to ethical conduct, adherence to standards of behaviour, and legal advice on matters related to the conduct of local government officials.

Step 6: Be clear on the impact of a cyber attack

Below are a few examples of the way in which a cyber attack could affect your service area and things you should consider when preventing or recovering from a cyber attack:

Figure 2: Example of service level impact for legal

During a cyber attack you may have no access to the internet or your networks within which documents are stored. 

You need to consider how the loss of internet access might affect your critical services, and how you could keep them running – you may need alternative manual processes in place to keep a skeleton service operational.

A cyber attack, such as a ransomware incident, would compromise the integrity and availability of your case management system and would almost certainly lead to your being unable to access critical case information, including court dates, case files, and correspondence, leading to delays in case preparation and legal proceedings.

Always work in partnership with your IT team if you are making any changes to your service. 

Things to consider:

  1. Which critical services operated by your team rely on internet access?
  2. Which of these critical services is prioritised to get back online first?
  3. Have you created offline records and plans for use during an attack, and ensured all teams have access to them?

Figure 3: Example of financial impact for legal services

If a cyber attack was to impact your team’s services, the attacker could gain access to contract-related financial data, altering payment details or diverting funds meant for legitimate vendors. This would result in contractual disputes, legal claims, and financial losses.

Things to consider:

  1. Which contracts are potentially affected – determine the scope and nature of the contractual payment fraud, including the specific vendors, payment amounts, and payment schedules that could be impacted.
  2. How were payment details altered or diverted – understanding the specific techniques used can help in closing security vulnerabilities and preventing similar incidents in the future.
  3. What financial losses have occurred – determine the extent of unauthorised financial transactions, identify any funds that may have been diverted or misappropriated, and assess the overall impact on the local government's budget and financial stability.
  4. How can legal recourse be pursued – evaluate legal avenues for pursuing recourse against the cyber attacker and mitigating the financial losses. 

Figure 4: Example of data impact for legal services

A cyber attack would almost certainly involve the exposure of case files. This would possibly include information on active court cases, evidence, and legal arguments. Unauthorised access may lead to a breach of client confidentiality and jeopardise the legal positions of the local government.

Areas to consider:

  1. Which case files have been compromised – determine the nature of the cases involved, the types of legal matters, and the sensitivity of the information contained in the compromised files.
  2. What information within the case files is at risk – this could include sensitive legal strategies, evidence, communications, and any confidential or privileged information related to the legal matters.
  3. Who has had unauthorised access to the case files – understanding who may have gained access helps in assessing the potential impact and identifying the parties that need to be notified or involved in the incident response.
  4. What measures can be taken to mitigate the impact – you may need to invoke immediate actions such as notifying affected parties, enhancing security controls, implementing legal and regulatory compliance measures, and determining whether any legal obligations, such as breach notification, need to be fulfilled.

Step 7: Be clear on ways to mitigate cyber risks

Table 1: Storing data

Theme: Databases
Context: As your service becomes more digital, systems will need to move online. To limit vulnerabilities, staff need support to run their devices on the latest available software and to install regular security updates.
Areas to consider:
  • How regularly is software updated?
  • Who is responsible for update rollout?
  • How would your service operate without access to databases?
  • How do you seek assurance that software is up to date?

Theme: Cyber security measures
Context: Implement cyber security measures on council hardware, such as firewalls, antivirus software, and intrusion detection systems, to protect against cyber attacks.
Areas to consider:
  • Does all hardware support updated systems?
  • How often does staff training take place?

Theme: Devices and networks
Context: Storing and accessing data on personal devices or through a public, unsecured network could create vulnerabilities. Any data stored in an unsecured way can create vulnerabilities, including data downloaded onto a desktop.
Areas to consider:
  • Do staff use personal devices to access sensitive data?
  • Are all staff in your service aware of the potential vulnerabilities exposed by the use of public networks?
  • How often do staff delete data from their desktop?

Theme: Backups
Context: Your service should have suitable, secured backups of essential data that would allow for a quick and prompt recovery of essential services. This may include encrypted backups held in a secure off-site environment, removable media in physically secure storage, segregated backups, or appropriate alternative forms.
Areas to consider:
  • How often do backups take place?
  • Where are backups stored?
  • Are your team aware of how to access backups in case of an attack?
  • Who has access to backup data?
  • Which member of your team is responsible for this?

Table 2: Managing data

Theme: Handling sensitive data
Context: Due to the nature of the work your service delivers, you will be handling sensitive data on a day-to-day basis, both electronically and physically. Your team must take extra precautions to protect the sensitive information outlined above.
Areas to consider:
  • Are you aware of all the sensitive data your service holds?
  • How are physical notes and records stored or destroyed?
  • What systems are used to store electronic records and information?

Theme: Access controls
Context: To ensure any sensitive data is protected, you should implement access controls and restrict access to sensitive information to authorised personnel only. Training staff members on secure data handling is essential; ensure they are aware of their responsibilities in protecting data.
Areas to consider:
  • Is sensitive information stored and protected in your service?
  • Who has access to data storage systems?
  • How often do you review access?
  • How often does training take place?
  • Is multi-factor authentication in use across programmes?

Theme: Regular audits
Context: Your service should be conducting regular audits of data management practices to ensure that they comply with relevant regulations and industry standards, e.g. that records are retained in compliance with GDPR timeframes. Keep track of any changes in data protection laws and update practices accordingly.
Areas to consider:
  • How often do you audit your data management practices?
  • Who is responsible for organising this audit?
  • How do you seek assurance that effective audits have taken place?

Theme: Data protection laws
Context: In the UK, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 still apply. It is your obligation to ensure that your team complies with these data protection regulations to protect your service's personal data and ensure that the personal data of environmental services is collected, processed, and stored lawfully, fairly, and securely.
Areas to consider:
  • Are your team aware of the UK GDPR regulations and how they affect your work?
  • How often does full staff training take place, not just awareness?

Theme: Record keeping
Context: Record keeping in this sector involves the creation, maintenance, and preservation of legal records to support effective legal management, decision-making, and regulatory requirements.
Areas to consider:
  • How often do your team update records?
  • How are records stored and updated?

Theme: Risk management
Context: Risk management processes, such as conducting regular risk assessments, implementing appropriate security measures, and developing contingency plans for data breaches, are essential to identify and mitigate potential risks to the security and privacy of data. These risks should be added to the departmental risk register and raised with your Senior Management Team.
Areas to consider:
  • How often do risk assessments take place in your service?
  • What contingency plans are in place for data breaches?
  • Are staff aware of data breach processes?

Table 3: Sharing data

Theme: Collaboration
Context: Different government agencies and departments at various levels (local, regional, national) may be involved in legal management. Collaborative efforts may involve the establishment of data standards and protocols to ensure consistency among different datasets. Standardised data formats enable smoother collaboration and data integration.
Areas to consider:
  • Who is responsible for data management and sharing in your service?
  • How often does training take place?
  • What procedures are in place to ensure effective and secure data sharing between teams and partners?
  • Do you feel confident that members of your team are safely sharing information?

Theme: Offline records
Context: When assessing the risks to your service, you should also think about any partner organisations you work with, suppliers and any systems you have external links with. Managing offline records in legal is as crucial as managing digital records. Even in this era of digital technology, many councils maintain physical or offline records for various reasons, including legal requirements, historical documentation, and as a backup strategy.
Areas to consider:
  • Do you have processes in place for sharing offline information with partners?
  • What security measures are in place for sharing sensitive information?

Table 4: Awareness and training

Theme: Positive culture
Context: A positive cyber security culture instils the importance of cyber security and the role every individual has in helping to protect the council. It will ensure that cyber security is viewed as a business enabler rather than a hindrance and is understood by all councillors and staff. A positive culture contributes to the overall effectiveness, efficiency, and ethical conduct of your service.
Areas to consider:
  • Does your team speak openly and regularly about cyber security and risk?
  • Is it discussed at board level?
  • How often does your service review the cyber security strategy?
  • How confident do your team feel with the strategy?

Theme: Awareness
Context: Experience shows that cyber risk to councils does not only come from external sources; employees can often present some of the most significant risks to cyber security. By clicking on links in phishing emails, storing sensitive data on personal devices, using unsecured networks or weak passwords, or not installing security updates, employees can put your information under serious threat.
Areas to consider:
  • Do you understand the awareness levels of cyber security within your team?
  • How can you ensure cyber risk is pitched correctly for the various roles in your service?

Theme: Training
Context: Cyber security training should be refreshed regularly. As a director you will be aware of the high demands on the staff within your service; however, this training must be prioritised to reduce the risk of a cyber attack.
Areas to consider:
  • How often does cyber security training take place in your service?
  • Is training appropriate for all staff at different technical levels?

Theme: Reporting
Context: In order to create a positive cyber security culture in your service, all staff must be aware of the process for reporting a potential breach and feel confident to do so at all levels.
Areas to consider:
  • Do all team members understand the process for reporting a data breach?
  • Is there a service-wide communication strategy in place to report data breaches?
  • What impact would a data breach have on your team?

Theme: Workforce
Context: A large number of agency staff may be used by your service.
Areas to consider:
  • How can you integrate cyber secure practices into this temporary and externally managed workforce?

Table 5: Supply chain management

Theme: Co-ownership
Context: Co-ownership typically refers to the shared rights and responsibilities among multiple stakeholders involved in the legal process. These stakeholders can include local government authorities, developers, community groups, local citizens, and other relevant entities.
Areas to consider:
  • Do members of your team work closely with other teams during the legal process?
  • What barriers are in place during this process?
  • What needs to change in order to streamline this process?

Theme: Contract management
Context: Your service should consider including specific cyber security requirements and clauses in its contracts with external providers to ensure that security measures are in place throughout the duration of the contract.
Areas to consider:
  • Does your service include cyber security requirements within contracts?
  • How is this measured?

Theme: Monitoring and reporting
Context: Regular monitoring and assessment of external providers' security practices should be conducted to ensure that they are maintaining a strong security posture.
Areas to consider:
  • How would you work with partner organisations if your IT systems were unavailable?
  • How would you work with partner organisations if they were experiencing a cyber attack themselves?

Table 6: Legislative implications

Law/Regulation: Local Government Act 1972
Cyber security implications: Cyber security considerations include safeguarding sensitive information related to council decisions, financial transactions, and personal data of employees and constituents.

Law/Regulation: Local Government Act 2000
Cyber security implications: Cyber security measures should focus on protecting information related to local service delivery, financial allocations, and administrative functions.

Law/Regulation: Localism Act 2011
Cyber security implications: Cyber security efforts should secure information on local projects, community engagements, and sensitive data held by local authorities to maintain transparency and prevent unauthorised access.

Law/Regulation: The Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012
Cyber security implications: Cyber security is critical for protecting data shared during executive meetings and ensuring secure access to information. Encryption and secure communication tools should be employed to safeguard discussions and decisions made during these meetings.

Law/Regulation: Housing Act 1996
Cyber security implications: Cyber security measures should focus on securing databases containing information on housing allocations, property management, and tenant details to prevent unauthorised access or data breaches.

Law/Regulation: Homelessness Act 2002
Cyber security implications: Given the sensitive nature of homelessness data, cyber security measures should be implemented to protect the personal information of individuals facing homelessness. Secure data storage and access controls are crucial to prevent unauthorised disclosures.

Law/Regulation: Employment Rights Act 1996
Cyber security implications: Cyber security safeguards are essential for protecting employee information, especially details related to contracts, working conditions, and other employment-related data. Access controls and encryption help prevent data breaches.

Law/Regulation: Freedom of Information Act 2000
Cyber security implications: Cyber security is crucial to ensure the protection of information that is subject to freedom of information requests. Your team must implement measures to safeguard data transparency while protecting sensitive information from unauthorised access.

Law/Regulation: Licensing Act 2003
Cyber security implications: Cyber security measures should be in place to prevent tampering with licensing records and unauthorised access to sensitive data on licensed establishments in your purview.