Executive Summary
Will writing practices face an unprecedented convergence of escalating cyber threats, enhanced regulatory obligations, and prospective legislative reform. Successful cyber attacks on UK law firms increased 77% year-on-year to 954 incidents, with the April 2025 ICO fine of GBP 60,000 against DPP Law Ltd demonstrating tangible enforcement consequences following a breach that exposed 32GB of sensitive legal files on the dark web.[1][2] The Data (Use and Access) Act 2025, in force since June 2025, introduces mandatory complaints-handling processes by June 2026 and enhanced ICO enforcement powers. Private client practices processing testamentary capacity assessments and medical records handle special category data under UK GDPR Article 9, demanding enhanced technical and organisational measures. The Law Commission's electronic wills proposals, if enacted, would introduce additional cybersecurity infrastructure requirements. This article provides a structured risk management framework enabling will writing practices to achieve regulatory compliance, mitigate professional indemnity exposure, and establish forward-compatible security architectures.
1. The Threat Landscape for Private Client Practices
The legal sector's attractiveness to cyber criminals reflects a distinctive risk profile: high-value confidential information, strict professional confidence obligations, and the reputational imperative to avoid publicity around breaches. The National Cyber Security Centre identifies that over 320,000 people work in the UK legal sector, with legal services accounting for GBP 6.8 billion in exports (2021 figures).3 Will writing practices, whilst typically smaller than commercial litigation firms, hold particularly sensitive datasets that criminals can monetise through extortion or identity fraud. The combination of detailed financial information, family relationship records, and health data creates comprehensive identity profiles with substantial black market value.
Escalating Attack Frequency
The 77% year-on-year increase in successful cyber attacks against UK law firms—from 538 to 954 incidents—demonstrates that the threat is not theoretical but operational.1 This escalation reflects both the increasing sophistication of attack methodologies and the sector's continued vulnerability. The trend shows no indication of plateauing; security researchers anticipate continued escalation as AI-enhanced attack tools become more accessible to threat actors.
Ransomware featured in over 60% of successful attacks against legal practices in 2024, with average ransom demands exceeding GBP 89,000.4 The Simplify Group attack in 2021 cost GBP 6.8 million, illustrating the scale of potential financial exposure for even established firms. For smaller will writing practices operating on narrower margins, a successful ransomware attack could threaten business viability entirely. The average cost of a data breach for law firms reached USD 5.08 million in 2024, an increase of more than 10% on the previous year.5
Enforcement Consequences Materialising
The DPP Law Ltd enforcement action demonstrates that regulatory consequences have moved from theoretical to actual. The June 2022 attack exploited a legacy case management system through brute force access to an administrator account, enabling lateral movement and exfiltration of 32GB of data including privileged material.2 The firm's failure to report the breach within 72 hours—notification occurred 43 days after awareness—constituted a separate violation compounding the security failure. Andy Curry, ICO Director of Enforcement, stated unequivocally: "Data protection is not optional. It is a legal obligation."2
The ICO's decision to publicise the enforcement action serves notice to the wider profession. The GBP 60,000 fine, whilst modest relative to maximum penalties available, reflects the ICO's approach of calibrating penalties to firm size and circumstances. Larger practices or more egregious failures would attract proportionally greater penalties. The reputational damage from publicised enforcement—appearing in the Law Society Gazette and legal trade press—compounds the financial penalty.
The Legal Aid Agency breach disclosed in May 2025 exposed client information dating back to 2007, including information about partners of legal aid applicants.6 The scope and duration of compromised data—nearly two decades—underscores the long-term retention obligations of legal practices and the corresponding data protection risks. Will writing practices routinely retain files for extended periods, creating similar accumulation of data exposure risk.
Human Factors as Primary Vulnerability
Technical controls alone cannot address the primary attack vector. An estimated 95% of cyber attacks succeed because of human error, such as opening malicious email attachments or using weak passwords.7 The SRA's thematic review found that eight of forty reviewed firms (20%) had never provided specific cybersecurity training to staff, and more than half did not maintain training records.7 This training deficit creates systematic vulnerability regardless of technical infrastructure investment. A firm may implement enterprise-grade firewalls and endpoint protection, but a single untrained staff member clicking a malicious link can circumvent all technical defences.
Email modification fraud accounts for 68% of cyberattacks reported to the SRA, with criminals exploiting "Friday afternoon fraud" patterns in conveyancing—accessing systems to intercept completion funds.8 Whilst conveyancing-specific, this attack vector applies to any practice handling client funds or sensitive documents. The technique involves compromising email accounts through phishing, then monitoring correspondence to identify high-value transactions and intercept payment instructions. Will writing practices handling estate administration are particularly vulnerable during the distribution phase when significant funds transfer between accounts.
AI-enhanced threats now enable attackers to craft increasingly sophisticated phishing emails that evade traditional detection, whilst Ransomware as a Service (RaaS) platforms democratise attack capabilities to actors with limited technical knowledge.9 The barrier to entry for cybercrime has lowered substantially. Attackers no longer require sophisticated technical skills; they can purchase ready-made attack toolkits and target legal practices methodically.
2. The Regulatory Architecture: Overlapping Obligations
Will writing practices operate under multiple regulatory regimes creating intersecting compliance obligations. Effective governance requires mapping these requirements and implementing controls that satisfy each framework simultaneously. The complexity of overlapping requirements means that addressing one regulatory obligation often satisfies elements of others, enabling efficient compliance architectures.
Data (Use and Access) Act 2025
The DUAA received Royal Assent in June 2025, with provisions phasing in until June 2026.10 This represents the most significant reform to UK data protection law since the UK GDPR retained framework was established. Key changes affecting legal practices include:
Recognised Legitimate Interest: A new lawful basis distinct from the existing legitimate interests provisions under UK GDPR Article 6(1)(f), applicable to specified purposes. Practices must assess whether this basis applies to any processing activities. For most will writing activities, existing lawful bases (contractual necessity, legal obligation, legitimate interests) remain appropriate, but the new provisions may simplify certain processing activities.
Mandatory Complaints Process: By June 2026, all organisations must implement a documented process for handling data protection complaints.10 This requirement extends beyond existing regulatory complaint-handling obligations and demands specific procedures for data subject grievances. Practices should establish documented complaint receipt, investigation, escalation, and resolution procedures with defined timelines and record-keeping requirements.
Subject Access Request Rationalisation: Solicitors may now limit SAR responses to "reasonable and proportionate searches"—for example, searching a former client's case file, billing records, and correspondence folder rather than conducting organisation-wide searches.10 This provides practical relief but requires documented policies defining search parameters. Practices should establish SAR handling procedures specifying search scope, documenting the rationale for limitations applied.
Enhanced ICO Powers: The DUAA grants the ICO new powers to require individuals to answer questions and require organisations to arrange for approved persons to prepare reports.10 These investigative capabilities strengthen enforcement effectiveness. The ability to compel testimony and expert assessment means that attempted concealment or obfuscation following a breach becomes substantially riskier.
UK GDPR Core Requirements
Article 32 requires "appropriate technical and organisational measures" to ensure security appropriate to the risk, including pseudonymisation and encryption, systems resilience, restoration capability, and regular testing.11 The phrase "appropriate to the risk" requires risk assessment—practices must evaluate their specific threat profile and data sensitivity when determining control requirements. Will writing practices handling special category health data should implement more stringent controls than practices handling only standard personal data.
The 72-hour breach notification timeline to the ICO applies where breaches risk individuals' rights and freedoms. Failing to notify when required can result in fines up to GBP 8.7 million or 2% of global turnover.12 Where breaches present high risk to individuals, direct notification to affected data subjects is additionally required. The DPP Law case illustrates that notification failures compound penalties—the 43-day delay formed part of the enforcement basis.
The European Commission's renewal of UK adequacy decisions on 19 December 2025 removes uncertainty for UK-EU data flows.13 Practices serving clients with European assets or beneficiaries can continue transfers without supplementary measures, though monitoring ongoing adequacy status remains prudent. Cross-border estates are increasingly common; practices should maintain awareness of international transfer requirements.
SRA Code of Conduct
Section 2.5 of the SRA Code of Conduct for Firms requires firms to "identify, monitor and manage all material risks to your business, including those which may arise from your connected practices."14 The Code for Solicitors paragraphs 3.3 and 4.3 require maintaining competence and effective oversight systems. Cybersecurity governance falls squarely within these obligations. The SRA has consistently emphasised that cybersecurity is not merely an IT matter but a core governance and risk management responsibility.
Where a cyberattack directly affects a firm or its clients with actual or potential impact—inability to complete transactions, significant service delays, risk of client data or asset loss—the SRA expects prompt reporting under Rule 3.9.15 This creates a parallel notification obligation to ICO reporting, requiring coordination of disclosure processes. Practices should prepare unified incident response procedures addressing both regulatory notification streams.
Cyber Security and Resilience Bill
Introduced to Parliament on 12 November 2025, the Cyber Security and Resilience Bill would expand regulatory scope to cover managed service providers (including outsourced IT and cybersecurity providers) and data centre operators above specified capacity thresholds.[16][17] Whilst legal services are not directly listed as a regulated sector, practices relying on in-scope service providers must anticipate enhanced monitoring requirements. The rationale is that legal practices often outsource IT functions to managed service providers; if those providers face enhanced regulatory requirements, the service relationship requires corresponding governance.
The Bill proposes 24-hour initial notification and 72-hour full incident reporting to both competent authorities and the NCSC.18 Fines of GBP 100,000 per day are proposed for failing to act against relevant threats.19 Although primarily targeting critical infrastructure and their service providers, the Bill signals governmental intent to strengthen cyber resilience across the economy. Legal practices should anticipate that similar expectations may eventually extend to their sector.
3. Special Category Data in Will Writing: Enhanced Protection Requirements
Will writing practices process data categories demanding elevated protection under UK GDPR Article 9. The routine nature of this processing within private client work can obscure the enhanced compliance obligations it triggers. Many practitioners handle capacity assessments and family circumstance records without recognising the special category implications these create.
Article 9 Special Categories
UK GDPR Article 9 places special restrictions on processing sensitive personal data including health data, genetic data, racial or ethnic origin, and information about sex life or sexual orientation.20 Will writing practices routinely encounter several categories:
Health Data: Testamentary capacity assessments require documenting physical and mental health status. The "golden rule" that practitioners should obtain contemporaneous written medical evidence for elderly or seriously ill testators creates systematic collection of health records.21 Health data encompasses past, present, or future physical or mental health; information from testing or examination; genetic and biological samples; and information on diseases, risk, disability, medical history, and clinical treatment.22 A GP letter confirming cognitive capacity to execute a will constitutes health data requiring Article 9 protections.
Family Relationship Information: Will instructions frequently record family circumstances that may encompass sensitive categories—estrangement, disinheritance reasons, family medical history, and relationship details that may reveal information about sexual orientation. A file recording that a testator wishes to exclude a child due to that child's substance abuse issues combines health data with family relationship information.
Financial Data: Whilst not a special category, the detailed asset information gathered for estate planning creates significant identity theft and fraud risk if compromised. Will files typically contain comprehensive financial profiles: property values, investment holdings, pension details, and business interests. This information enables sophisticated identity fraud and targeted theft.
Lawful Basis for Processing
The legal claims exception under Article 9(2)(f) permits processing of special category data where "necessary for the establishment, exercise or defence of legal claims."23 This provides the primary lawful basis for will writing practices processing health information to establish testamentary capacity. However, the exception requires genuine necessity, not mere convenience. Practices should document their reliance on this basis and implement data minimisation principles—collecting only health information genuinely required for capacity assessment, not comprehensive medical records.
Enhanced Technical Requirements
Special category data processing demands enhanced security measures beyond baseline personal data protection. The ICO expects organisations processing special categories to implement proportionally stronger controls. This means that a will writing practice handling capacity assessments should maintain higher security standards than a practice that never encounters health data.
Practices should implement access controls restricting special category data to personnel with legitimate need, enhanced encryption for storage and transmission of health records, audit trails documenting access to capacity assessment files, secure destruction protocols when retention periods expire, and staff training specifically addressing special category handling. The principle is defence in depth—multiple overlapping controls so that failure of any single control does not expose special category data.
Retention Challenges
Will writing creates distinctive retention obligations. Original wills should be retained indefinitely where the practice holds them. Capacity assessment records must be retained to defend against future contentious probate challenges—potentially decades after will execution. Professional indemnity insurance requirements may mandate extended file retention. The Law Society's practice note on file retention addresses wills, lifetime gifts, and estate administration, recommending that client care letters advise retention periods and that insurers' requirements be considered.24
Long retention periods compound data protection risk. A 2007 file compromised in 2025 (as in the LAA breach) represents 18 years of accumulated data exposure. Practices must balance legitimate retention requirements against data minimisation principles, implementing secure archives with appropriate access controls rather than maintaining active access to historical files. Archived files should be encrypted with access limited to specific retrieval requests.
4. Building the Framework: Practical Controls for Will Writing Practices
A cybersecurity framework for will writing practices must be proportionate, implementable within typical private client resource constraints, and mapped to regulatory requirements. The following components address each identified risk area whilst recognising that smaller practices cannot replicate the security infrastructures of large commercial firms.
Component 1: Cyber Essentials Certification
From October 2025, all firms holding Criminal Legal Aid contracts must hold valid Cyber Essentials certification, as specified in Version 5 of the Legal Aid Agency's Data Security Requirements.[25][26] Whilst this mandate applies to criminal practices specifically, it signals regulatory direction for the broader profession. The April 2025 "Willow" update introduced new requirements including addressing vulnerabilities in password-based authentication and reflecting remote working practices.27
Cyber Essentials provides a recognised baseline demonstrating compliance with UK GDPR Article 32's "appropriate technical and organisational measures" requirement. The SRA's thematic review found that five firms with Cyber Essentials Plus certification demonstrated good cybersecurity approaches and appropriate controls, whilst firms not pursuing certification showed poor or inconsistent controls in half of cases.7
Cost-Benefit Assessment: Cyber Essentials certification typically costs between GBP 300 and 500 for self-assessment, with Cyber Essentials Plus (verified) costing GBP 1,500 to 3,000 including external assessment. Against average data breach costs for law firms of USD 5.08 million (2024 figures, representing over 10% year-on-year increase), the certification investment represents negligible risk mitigation expenditure.5 The certification process also identifies security gaps that might otherwise remain unaddressed.
Component 2: Technical Controls
Multi-Factor Authentication: Implementing MFA on all systems accessing client data addresses the password-based vulnerabilities that enabled the DPP Law breach. The Willow update specifically addresses password-based authentication weaknesses, making MFA effectively a certification requirement.27 MFA should apply to email accounts, practice management systems, cloud storage, and any system holding client data.
Email Security: Given that 68% of SRA-reported cyberattacks involve email modification fraud, email security controls are essential.8 Practices should implement Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to prevent email spoofing, alongside staff training on identifying fraudulent communications. Together these DNS records let receiving mail servers identify and, under an enforcing DMARC policy, reject messages that claim to come from the practice's domain but were not sent by its authorised systems.
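SPF, DKIM and DMARC are published as DNS TXT records, so their current state can be checked before and after hardening. The following is an added example, not code from this article or from any vendor, that assesses constructed SPF, DKIM and DMARC records offline and flags the settings that leave spoofing unblocked: a missing or soft-fail "all" term in SPF, a monitor-only p=none DMARC policy, no rua reporting address, and no published DKIM key. The domain names and the DKIM key value are placeholders. Even an enforcing DMARC policy only covers mail claiming to come from the practice's own domain: a lookalike domain or a compromised mailbox passes all three checks, which is why the callback verification of payment instructions described under staff training remains necessary.

```python
"""Offline assessment of SPF, DKIM and DMARC TXT records.

Added example. The record strings below are constructed for a hypothetical
practice domain; in use they would be read from DNS (the TXT record at the
domain apex for SPF, <selector>._domainkey.<domain> for DKIM and
_dmarc.<domain> for DMARC).
"""

# Constructed records: a monitor-only starting point and a hardened target state.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.mailhost.example ~all",
    "dkim": None,                    # no selector record published
    "dmarc": "v=DMARC1; p=none",     # monitor only, no reporting address
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # placeholder key, not real
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@practice.example",
}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_terms(terms):
    """Count mechanisms that cost a DNS lookup; RFC 7208 caps these at ten."""
    count = 0
    for term in terms:
        term = term.lstrip("+-~?").lower()
        name = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            count += 1
    return count


def assess_spf(record):
    """Findings for an SPF record; an empty list means no weakness was detected."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, so receivers cannot tell authorised sending hosts from spoofed ones"]
    terms = record.split()[1:]
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    findings = []
    if all_term in (None, "all", "+all", "?all"):
        findings.append("SPF: unauthorised senders are not failed (no 'all', '+all' or '?all')")
    elif all_term == "~all":
        findings.append("SPF: softfail (~all); move to -all once every sending service is listed")
    if spf_lookup_terms(terms) > 10:
        findings.append("SPF: more than ten lookup terms; receivers return permerror and ignore the record")
    return findings


def assess_dkim(record):
    """Findings for a DKIM selector record."""
    if not record:
        return ["DKIM: no selector record published, so outbound mail carries no verifiable signature"]
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("DKIM: unexpected version tag " + tags["v"])
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag, which publishes a revoked key")
    return findings


def assess_dmarc(record):
    """Findings for a DMARC record; p=reject with reporting is the target state."""
    if not record:
        return ["DMARC: no _dmarc record, so spoofed mail is neither rejected nor reported"]
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must begin with v=DMARC1")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail from the domain is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show legitimate mail aligns")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports of spoofing attempts are not collected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 applies the policy to only a sample of mail")
    return findings


def assess_domain(records):
    """Return findings per record type; an empty list for every type means the domain is enforcing."""
    return {
        "spf": assess_spf(records.get("spf")),
        "dkim": assess_dkim(records.get("dkim")),
        "dmarc": assess_dmarc(records.get("dmarc")),
    }


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label)
        for kind, findings in assess_domain(records).items():
            print(f"  {kind}: {'ok' if not findings else ''}")
            for finding in findings:
                print("    -", finding)
```

Running the file prints the findings for both record sets; in practice the constructed strings are replaced with the values returned by a DNS TXT query, and the move from p=none to p=reject is made only after the aggregate reports collected at the rua address show that every legitimate sending service aligns.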
Encryption: Data at rest (stored files) and in transit (emails, file transfers) should be encrypted. For special category health data from capacity assessments, encryption is particularly critical. Cloud-based practice management systems should be verified for encryption standards. Practices should ensure that capacity assessment files and medical correspondence are stored in encrypted formats.
Backup and Recovery: The NCSC Cyber Governance Code of Practice published in April 2025 emphasises resilience capabilities.28 Regular automated backups, offline backup copies (protecting against ransomware encryption of connected backups), and tested recovery procedures are essential. The ability to restore from backup may be the only alternative to ransom payment following a successful attack. Critically, backups must be tested—an untested backup is not a backup.
Component 3: Staff Training and Awareness
Addressing the 95% human error factor requires systematic training programmes. The SRA thematic review's finding that 20% of firms had never provided cybersecurity training and over half did not maintain training records indicates widespread deficiency.7
Effective training programmes should include initial cybersecurity awareness during onboarding, regular refresher training at minimum annually, phishing simulation exercises with documented results, specific guidance on handling capacity assessment health records, and incident reporting procedures. Training must be practical rather than theoretical—staff should understand how to identify suspicious emails, verify payment instructions through callback procedures, and report potential incidents immediately.
Documentation Imperative: Training that is not documented cannot be evidenced to regulators or insurers. Practices should maintain training records including dates, content covered, attendees, and assessment results. Following a breach, the ICO will request training records; their absence compounds regulatory exposure.
Component 4: Incident Response Planning
The multiple notification timelines—72 hours to ICO, prompt reporting to SRA where clients are affected—require pre-prepared response procedures. An incident response plan should address incident identification and classification criteria, escalation pathways and responsible personnel, initial containment and evidence preservation steps, regulatory notification procedures and templates, client communication protocols, and external support contacts (IT forensics, legal advisors, PR).
The ICO's guidance emphasises "report early, update later"—initial notification within 72 hours need not be complete but should provide available information with commitment to updates.29 Delaying notification whilst investigating (as in the DPP Law 43-day gap) compounds regulatory exposure. Practices should prepare draft notification templates adaptable to specific incident circumstances.
Component 5: Cyber Insurance
Seven in ten (72%) UK law firms have not purchased cyber insurance, whilst nearly 40% of clients would fire or consider firing a firm that experienced a breach.30 This insurance gap creates unhedged exposure for practices and signals potential underestimation of cyber risk.
Cyber insurance policies for legal practices should address breach response costs (forensics, notification, credit monitoring), business interruption during system recovery, ransomware payment (noting ethical considerations), regulatory defence costs and fines where insurable, and third-party liability to affected clients. Policy terms vary significantly. Practices should verify coverage for special category data breaches, which may attract enhanced regulatory scrutiny, and confirm that coverage aligns with SRA requirements and professional indemnity policy terms.
Regulatory Mapping Matrix
| Control Component | UK GDPR Art 32 | DUAA 2025 | SRA Code 2.5 | CE Requirements |
|---|---|---|---|---|
| Cyber Essentials | Appropriate measures | N/A | Risk management | Core requirement |
| MFA/Access Control | Security appropriate to risk | N/A | Oversight systems | Willow update |
| Email Security | Appropriate measures | N/A | Risk management | Boundary firewalls |
| Encryption | Pseudonymisation/encryption | N/A | Confidentiality | Secure configuration |
| Backup/Recovery | Availability/resilience | N/A | Business continuity | N/A |
| Staff Training | Organisational measures | N/A | Competence (3.3) | User access control |
| Incident Response | Breach notification | Complaints process | Rule 3.9 reporting | N/A |
| Cyber Insurance | N/A | N/A | Risk management | N/A |
5. Forward Compatibility: Electronic Wills Infrastructure
The Law Commission's May 2025 Modernising Wills report proposes enabling electronic wills subject to "reliable system" requirements with "remote presence" provisions meeting specified security and authentication standards.31 The Government welcomed the recommendations but no legislative timetable has been confirmed.32 This places electronic wills in the "monitor and prepare" category rather than requiring immediate implementation investment.
Cybersecurity Implications of Electronic Wills
If enacted, electronic wills would create new attack surfaces requiring infrastructure investment:
Remote Witnessing: Video witnessing systems would require secure, authenticated connections preventing impersonation or interception. Identity verification processes would need to meet evidential standards for probate proceedings. The cybersecurity challenge is not merely technical; systems must be robust enough to withstand challenge in contested probate proceedings years after execution.
Electronic Signatures: Digital signature infrastructure must provide non-repudiation—assurance that the testator signed and cannot later deny signing. Cryptographic standards and key management become legally significant. The signature mechanism must produce evidence that would satisfy a court decades after execution.
Document Integrity: Electronic wills must be protected against tampering throughout their potentially decades-long retention. Hash values, blockchain timestamps, or equivalent integrity mechanisms would likely be required. Any system must maintain integrity assurance over retention periods extending beyond the lifespan of current technology platforms.
Secure Storage: Long-term electronic will storage demands security architectures maintaining confidentiality and availability over extended periods. Technology obsolescence planning becomes a legal compliance consideration. Systems that are state-of-the-art today may be obsolete and unsupported within a decade.
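As an added example of the document integrity mechanism described above, and not code from the Law Commission or from any will-storage product, the following Python records several independent digests of a document in a manifest, seals the manifest with a key assumed to be held apart from the document store, detects a change to the document text, and re-attests with a newer hash algorithm once the existing digests still verify. The will text, document identifier, date and key are constructed placeholders. The design point is that a digest stored next to the file proves nothing if whoever can alter the file can also rewrite the digest, so the manifest must be kept or sealed independently, and the algorithm must be named in the manifest so that the record can be migrated when a hash function weakens over a decades-long retention period. The HMAC seal shows authenticity of the manifest to the practice only; the non-repudiation that the electronic signature requirement above calls for needs a digital signature under a key bound to the testator, which this example does not cover.

```python
"""Integrity manifest for a long-lived electronic document.

Added example. Assumes the document is handled as bytes and that the manifest
is stored apart from the document, or sealed with a key held apart from it.
"""
import hashlib
import hmac
import json

# Constructed sample: the body of a hypothetical will, not a real document.
ORIGINAL_WILL = b"I give my residuary estate to my two children in equal shares.\n"
TAMPERED_WILL = b"I give my residuary estate to my eldest child absolutely.\n"

# Constructed key for sealing the manifest; in practice held outside the document store.
MANIFEST_KEY = b"constructed-example-key-do-not-reuse"

# Two unrelated hash families, so that weakness in one does not leave the record unverifiable.
DEFAULT_ALGORITHMS = ("sha256", "sha3_256")


def digest(data, algorithm):
    """Hex digest of data under a hashlib algorithm named in the manifest."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def make_manifest(document, document_id, created, algorithms=DEFAULT_ALGORITHMS):
    """Record length and one digest per named algorithm for a document at a point in time."""
    return {
        "document_id": document_id,
        "created": created,
        "length": len(document),
        "digests": {alg: digest(document, alg) for alg in algorithms},
    }


def seal(manifest, key):
    """Serialise the manifest canonically and attach an HMAC tag under the separately held key."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"manifest": body, "tag": tag}


def open_sealed(sealed, key):
    """Verify the seal before trusting the manifest; reject any altered manifest."""
    body = sealed["manifest"]
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("manifest seal does not verify: manifest altered or wrong key")
    return json.loads(body)


def verify(document, manifest):
    """Return (ok, per-algorithm results); every recorded digest must match."""
    results = {alg: digest(document, alg) == expected
               for alg, expected in manifest["digests"].items()}
    ok = len(document) == manifest["length"] and all(results.values())
    return ok, results


def add_algorithm(document, manifest, algorithm):
    """Re-attest under a newer algorithm only while the document still verifies under the old ones."""
    ok, _ = verify(document, manifest)
    if not ok:
        raise ValueError("document no longer matches manifest; refusing to re-attest")
    updated = dict(manifest)
    updated["digests"] = dict(manifest["digests"], **{algorithm: digest(document, algorithm)})
    return updated


if __name__ == "__main__":
    manifest = make_manifest(ORIGINAL_WILL, "will-0001", "2026-01-28")  # constructed id and date
    sealed = seal(manifest, MANIFEST_KEY)
    recovered = open_sealed(sealed, MANIFEST_KEY)
    print("original verifies:", verify(ORIGINAL_WILL, recovered)[0])
    print("tampered verifies:", verify(TAMPERED_WILL, recovered)[0])
    migrated = add_algorithm(ORIGINAL_WILL, recovered, "blake2b")
    print("algorithms after migration:", sorted(migrated["digests"]))
```

On each retrieval the sealed manifest is opened first and the document is then checked against every digest it lists; a mismatch on any algorithm, or a manifest whose seal fails, is treated as an integrity incident rather than resolved by regenerating the digest.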
Prudent Preparation Posture
The absence of a confirmed legislative timetable counsels against premature investment in electronic wills infrastructure. However, practices can position for future requirements by implementing cybersecurity frameworks that would support electronic will infrastructure, monitoring Law Commission and Ministry of Justice communications, engaging with professional body guidance as it develops, and avoiding technology investments that would be incompatible with likely electronic wills requirements.
The framework outlined in Section 4 establishes capabilities that would underpin electronic wills compliance without requiring technology-specific investment until legislative requirements are confirmed. A practice with robust cybersecurity governance will be well-positioned to adopt electronic wills technology when it becomes available and lawful.
Conclusion
Will writing practices occupy a uniquely exposed position in the cybersecurity threat landscape: handling special category health data for capacity assessments, maintaining indefinite document retention obligations, typically operating with smaller IT infrastructure budgets than commercial practice counterparts, and now facing prospective electronic wills requirements that would expand digital attack surfaces.
The regulatory architecture has tightened materially. The DUAA 2025 introduces enhanced ICO powers and the June 2026 complaints-handling deadline. The DPP Law enforcement action demonstrates that penalties for inadequate security and breach notification failures are being applied. The Cyber Security and Resilience Bill, if enacted, would further intensify reporting obligations and potential penalties.
A structured framework addressing Cyber Essentials certification, technical controls, staff training, incident response planning, and cyber insurance enables practices to demonstrate compliance with overlapping regulatory requirements whilst managing professional indemnity exposure. Documentation of controls and training is as important as the controls themselves—evidencing compliance to regulators, insurers, and clients.
The practice that can demonstrate documented, evidence-based security frameworks will be best positioned for client trust, regulatory compliance, and the eventual infrastructure requirements that electronic wills would introduce. In a sector where client confidence is paramount, cybersecurity and data protection capabilities increasingly differentiate competitive positioning alongside technical legal competence.
CPD Declaration
Estimated Reading Time: 20 minutes
Technical Level: Advanced
Practice Areas: Private Client, Legal Practice Management, Regulatory Compliance, Data Protection
Learning Objectives
Upon completing this article, practitioners will be able to:
- Identify the key provisions of the Data (Use and Access) Act 2025 affecting will writing practices, including the June 2026 complaints-handling deadline and enhanced ICO powers
- Explain the enhanced protection requirements for special category health data processed during testamentary capacity assessments under UK GDPR Article 9
- Apply the five-component cybersecurity framework to assess and address gaps in current practice security measures
- Evaluate the cybersecurity implications of the Law Commission's electronic wills proposals and determine appropriate preparation postures
SRA Competency Mapping
- A4: Draw on knowledge of law and procedure to advise clients effectively
- B3: Ensure compliance with regulatory requirements
- C2: Communicate clearly and effectively with clients and others
Reflective Questions
- How would an assessment of testamentary capacity health records currently held by the practice be classified under the UK GDPR special categories framework, and what enhanced security measures are in place?
- What documented incident response procedures exist for coordinating the 72-hour ICO notification and SRA Rule 3.9 reporting obligations following a data breach?
- How might the practice's current cybersecurity controls need to evolve to support electronic wills infrastructure if the Law Commission's recommendations are enacted?
Professional Disclaimer
The information presented reflects the regulatory and legislative position as of 28 January 2026. Regulations, tax rules, and professional guidance are subject to change. Readers should independently verify all information before acting and seek advice from appropriately qualified solicitors, financial advisors, or other professionals for their specific circumstances.
Neither WUHLD nor the author accepts liability for any actions taken or decisions made based on the content of this article. Professional readers are reminded of their own regulatory obligations and duty of care to their clients.
Related Articles
- Professional Indemnity Insurance: Will Writing Risk Mitigation Strategies for the Emerging Claims Landscape
- Electronic and Remote Witnessing: Navigating the Transition from Current Law to Law Commission Reform
- Handling Will Storage: Liability, Security, and Best Practices for Solicitors
- Anti-Money Laundering Requirements for Estate Planning Practices: A Compliance Framework for the FCA Transition Era
- Building a Defensible Quality Assurance Framework for Will Writing Practices