5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
Richard Forrest, Senior Associate at Hayes Connor, is interviewed by Jason Remillard on the ins and outs of cyber security and data protection for businesses. Find out a little more about what Richard finds so interesting about this field, and hear his expert advice to lawyers and business owners alike.
"As part of Jason's series on “5 Things You Need To Know To Optimise Your Company’s Approach to Data Privacy and Cybersecurity”, he had the pleasure of interviewing Richard Forrest, a Senior Associate at the UK’s leading data breach claims solicitors, Hayes Connor. He has represented clients in some of the most complex and high-value data breach cases. He also manages the Hayes Connor team on a day-to-day basis, focusing on identity theft, phishing, hacking, fraud, copyright infringements, cyber extortion, and online harassment."
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Lancashire, moving to the Ribble Valley in my teens. During this time, I went to Queen Elizabeth Grammar School in Blackburn, and then went on to study Economics at Sheffield University. After graduating I then converted to law, and later qualified as a solicitor.
During my early years, I was supported and inspired by my parents, who both worked in demanding jobs. My Mum always worked in senior financial roles, going back to work after having me and my brother. My Dad always worked in sales, so they really taught me the importance of working hard to achieve your goals and look after your family.
It wasn’t all work, though; we’ve always been a really sporty family, and would always play 4 or 5 different sports as extra-curricular activities. My favourite was football. I see playing sport as a really important part of my upbringing.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I don’t necessarily have a particular story that steered me in this direction, but it’s definitely something I decided on when I went to university. I always find that people change a lot when they head to higher education, and learn a lot about themselves too. When I realized that I love to have a good debate, this definitely steered me towards the courtroom.
Once I decided on this pathway, I realized that there’s so much more to the world of law that really drew me in. I’ve always enjoyed analyzing large amounts of data, and being able to do this to reach conclusions really challenges and excites me.
My attention then steered towards cybersecurity and data breach claims due to the growing importance and value of data in our digital world. With the ever-increasing world of technology, I feel the importance of this data is growing, and I wanted to be there for this. Combining my legal background with my interest in data and numbers seemed like the perfect fit.
Can you share the most interesting story that happened to you since you began this fascinating career?
I would have to say that one of my most interesting cases was a huge data breach case we dealt with against a well-known credit agency. During this case, and many other cases, we had to bring in cybersecurity experts to analyze the case. They basically assessed what measures the agency had in place to avoid a breach, and what they could’ve done better to avoid it. As I’ve mentioned already, I really enjoy this type of data handling so looking at this side of it is something I find very intriguing.
On a more personal level, though, I recently worked on a case involving a really hostile divorce. The woman who came to Hayes Connor had her medical records given to her ex-husband by accident. This was distressing enough as it was, but the spouse then tried to use these records to one-up her in the divorce proceedings.
It was all very messy, and very distressing for my client. This really just reminds me that, as data breach lawyers, we can never lose sight of the human element of these types of claims. You can work the case as effectively and professionally as you want, but you must always understand that you’re dealing with a human. You should always have this at the back of your mind, remembering that this is their life, to help them to move on as best they can.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My Mum has always been a real role model and inspiration to me. When she was younger, she had limited opportunities given to her, unlike myself and my brother, who she offered the world to. She really had to work her socks off to launch herself to the level she attained in her career.
Because of her hard work, my brother and I wanted for nothing. She’s a real example of what you can achieve with hard work and intelligence, even without a leg-up in the world. Without the opportunities she provided for us, and the inspiration she gave me, who knows where I’d be today.
Are you working on any exciting new projects now? How do you think that will help people?
One of the cases we are seeing crop up a lot at the moment is push payment fraud cases. This occurs when someone is contacted by someone pretending to be their bank, and these fraudsters will trick them into transferring money to a criminal bank account. In these cases, we will look to pursue the legitimate bank for breaches of their security, and hope that they can put better measures in place in future.
These sorts of cases are really risky, but are a growing problem. It’s definitely a new and exciting area of law to be in at the moment, and I think it can teach us all a lot. Not only do we have to scrutinise the banks’ processes, and make sure it doesn’t happen again, but we also get the client involved to help them move forward and be vigilant about how they take calls from people.
This teaches us to be wary of any banks contacting you advising about fraudulent activity on your account. These scammers are becoming harder and harder to spot, as their tactics are growing in complexity each day.
As a result of my experience in these cases, I know how tactful they can be. For example, fraudsters will call from a copycat phone number, so the number will match the bank’s phone number when you research it online. This has taught me some great tips which I think will help people. Basically, if I received a call from what looked to be a legitimate number, knowing what I know now, I’d hang up, dig out a statement, ring the number on that, and ask if the call was real. This is the best way to know it’s not false, otherwise it can really trip anyone up.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
My general working process is that I put in a lot of hours Monday to Friday, but try and completely switch off during the weekends. I will rarely look at my phone or think about work on these savoured days, and would advise people not to look at your work emails past half 7 each evening. But I understand everyone is different.
I also enjoy taking half an hour every lunch time to just have a walk around and clear my head. Especially with the sorts of cases we take on, which can be pretty emotionally-fuelled at times, this is a great way to refresh. My main goal is to always be fresh and ready for the week ahead, otherwise my productivity will suffer, so I’d advise other solicitors in the field to do the same.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- I love that the legal landscape for data breach claims is ever-changing. It’s a relatively new area of law and, as mentioned previously, technology is ever-growing and changing too, so there’s always something new on the horizon.
- To add to this, cyber criminals are becoming more sophisticated by the day, so there’s always more interesting and complex data breaches happening all the time.
- I’m a nerd for data, as we’ve seen, and I think this also excites me a lot too. We’re really seeing the value of data in all walks of life these days, be it in the economy, politics, and now social media. It’s increasing all the time, which just makes the work so prominent and interesting.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I think it’s really important that companies don’t just wait for something to happen; they need to look into measures to prevent it before it does. As we’ve seen, cyber criminals are becoming more and more sophisticated. So, if I was in a company owner’s shoes, I would aim to pre-empt what the criminals might look to do next.
There are a number of highly trained and skilled cyber security experts out there who can be employed to do this. They will come into the business and analyse the systems, putting plans in place to protect the company.
I would suggest businesses bring in these experts and pay what is required. Ultimately, it’s a short-term cost for a long-term saving. Companies need to invest this money now, rather than lose it later on.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There’s no one particular story that stands out, as I’d say we work on a lot of interesting cases each day. I think it’s these day-to-day cases that teach us all a lot.
Firstly, in these cases, we will write to a company setting out the case against them, pointing out what happened and what they did wrong. Although companies may not necessarily own up to their failings, they can learn a lot through this.
Even on a basic level, this helps. If we take our divorce case from before as an example, after this happened, the GP practice would have likely changed up their system. Hopefully now the staff will receive training on the issue, and avoid something like this occurring again.
As lawyers in the world of data breaches, we provide those cautionary tales for people to avoid repeating.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
As data breach solicitors, we obviously understand the importance of keeping client data and cases under wraps. But, we feel there’s only so much that technology and software can do to help. In fact, the majority of data breaches occur due to human error, which is why all our staff members are trained on how to ensure this information doesn’t leave our four walls, so to speak.
As lawyers, we have a pretty good eye for detail anyway, but we’re extra vigilant when it comes to sending emails. This is because our emails with clients contain a lot of sensitive information which, in the wrong hands, could completely derail a case.
So, whenever an email is being sent, we make sure to double-check the recipient, and our post is always checked carefully to ensure it is sent properly. We also have an email policy on our email footer which provides a little warning for recipients. So, if someone receives an email from us and they aren’t 100% certain it is us, they can look at the disclaimer on legitimate emails and use it as a guide.
Overall, just taking time to think before doing things, for the very nature of what we do, is instilled in us, so it’s a natural caution.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
It really depends on the finances and size of the company, and the type of data they’re holding. A bank or credit agency clearly needs to hire a team due to the type of data they hold. I would say to use your initiative to gauge whether you should hire somebody. It’s down to you to protect yours and your client’s data as best you can, so do what you think is best.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
- Listen to your IT experts; they’re a major sign that something isn’t right. They will be able to keep an eye on any strange goings on. If they are suspicious, and think they’ve spotted something which leads them to believe someone has entered the system from an external account, be sure to listen to them.
- For this one, I think a working example will help. Say a client of a law firm is looking to buy a house, and you have to transfer the deposit money. We’ve come across cases where the hackers may have been monitoring emails throughout this process, and then step in at the point of transaction. They might say something like their bank account details have changed, and that’s when the transaction occurs. Always keep an eye out for strange activity like this, and call up your advisor if you’re uncertain.
- In a similar way, hackers will often use language that will be markedly different to any previous communication you had prior to this. They may also make grammatical errors, which is a sure sign. Looking for subtleties like this, checking the email address, and where it’s come from, and looking closely at how it’s written, is paramount.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
- Within reason, notify the customers as soon as possible.
- Be sure to learn from how the data was infiltrated in the first place, and understand the nitty gritty of what happened.
- Then, the company can put their own measures in place to prevent fraud occurring.
- Think creatively about what could be the next line of attack; as we’ve seen, cyber criminals are always adapting and changing, so adapt with them.
- Reinforce to the client to keep all log-in details safe, and just be generally vigilant in terms of any approaches.
- Training is key in every aspect of things, so communicate processes with every new employee and client, and make it ingrained as part of your business.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
GDPR gives people significantly more rights with regards to their data than before. This means there’s now a lot more emphasis on businesses making sure there are measures in place to protect this data.
The biggest change this will probably have is that companies will now have to take that extra time, money and care to make sure they’re following the rules. This is a big change, and a shock to many, but so important. It’s also probably making any shortcomings really apparent, demonstrating to a lot of companies the sorts of measures they should have always had in place.
What’s more, it also means that a lot of companies will be facing legal action in the future. Despite the GDPR principles put in place, so many companies are still falling short. Companies should ready themselves for this eventuality.
Ultimately, this all comes at a pinnacle moment in the world of cyber security. With hackers becoming more sophisticated, it’s a good thing that it’s now lawful to be as vigilant as possible.
What are the most common data security and cybersecurity mistakes you have seen companies make?
From a solicitor’s point of view, I get to see the backend of it all, and the biggest mistake I see is a lack of hindsight. Most of us have this “it will never happen to me” attitude, and this can be really dangerous. Because of this, many companies will not identify the obvious weaknesses within their system, even though they know this makes them susceptible to attack.
They’re just not proactive about it, and aren’t investing the time and money into it because they probably put it at the bottom of their priority list. So, they then have to be more reactionary once it’s already happened.
If companies were to consider these risks beforehand, we’d probably have a lot less cases coming through our doors!
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
No, not at the moment. That said, there’s a lot going on that makes me think we’ll see an uptake very soon. For example, the track and trace app coming in now will mean that people are handing their data over to companies left, right, and centre. What’s more, with people’s continued reliance on technological interaction, especially with a further lockdown in the UK, it will be interesting to see how things develop.
To add to this, with people continuing to work from home, they may be a bit laxer than perhaps they would be in the office. Tucked away in their pyjamas whilst working is bound to make people trip up, so people working remotely do need to be extra vigilant.
Ultimately, I do think it’s a little too soon to say, and we’ve not noticed an uptake yet, even as the leading data breach claims solicitors in the UK! But, it really wouldn’t surprise me at all if things started to change, and cases began to emerge.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Stay one step ahead of the game. This can be achieved through hiring cyber security professionals to take a look at how your company is running already, and what can be done to make everything more secure. They should be hired regularly to monitor any systems, and make sure no suspicious activity has been noted.
- Don’t be reactionary to breaches that have already occurred; aim to be proactive in your approach to avoid anything happening before it happens. By investing the time and money into the correct infrastructure to begin with, you will be much less likely to face any inevitable consequences. Remember, not only might you be sued for a lot of cash, you are likely to lose a lot of loyal customers along the way, so be proactive to avoid this fallout.
- Especially right now, investing in company laptops is pretty much essential. One of the biggest risks at the moment is that people are working from home, still using personal laptops for the job. Most personal laptops lack all the important updates, will probably not be connected to a VPN, and most likely won’t have proper security measures installed due to personal costs. A company laptop will be much easier to monitor in all these ways. But, if you really can’t afford to provide these measures right now, just be sure that staff are being responsible, and pay for their monthly subscription to a security app, at the very least. These measures will really help to avoid any potential breaches.
- Training is essential! You may remember my story from before about the GP who gave out his patient’s details to her ex-husband? This could have been avoided through a bit of extra training, and an extra process put in place to avoid it. In fact, most data breaches occur due to human error. By investing that extra time into training staff to handle data effectively and privately, you’ll save yourself a lot of grief.
- Get on a private network ASAP. Many companies still run without a VPN, which basically provides a secure network for all company data. It’s almost like a tunnel, where any hackers will be restricted from viewing your content as it’s not open for all to see; only those within this “tunnel” can access it. Without this, all company and client data is open for business, so get on one of these ASAP, and be sure to train all staff, even those working from home, on how to use it and stay on it.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Something that’s really close to my heart is the mental health crisis we’re experiencing at the moment. I know loads of people who struggle with their own mental health and, especially now, I think it’s becoming more and more prominent within our society.
I see mental health continuing to become a massive issue worldwide over the next few years, attracting lots of coverage. Specifically, I feel there are a lot of people out there who may struggle with their mental health, but don’t feel comfortable talking about it, which often makes things worse. Right now, it’s just the tip of the iceberg, so encouraging people to exchange this information, and feel free to discuss it, is really important to me.
So, if I could inspire any movement, it would be this; the free discussion of all our mental health, without judgement, to help avert this crisis.
How can our readers further follow your work online?
I am on LinkedIn (https://www.linkedin.com/in/richard-forrest-974b4154/), and will hopefully start becoming more active on there over the next few months. You can also keep track of what we’re up to, and any new relevant articles on our site, by heading to our website: https://www.hayesconnor.co.uk/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!