🔍 How lawyers help the M&S cyber attack

If you take just one thing from this email...
A cyber attack doesn’t just cause tech problems — it creates serious legal and business risks.
That’s why law firms play a key role before and after a breach, from helping clients report to regulators on time to protecting sensitive info through legal privilege.

EDITOR’S RAMBLE 🗣
Last week, I ran an experiment on LinkedIn.
I auctioned off the sponsor slot in today’s LittleLaw newsletter.
Bidding started at £0.01, in my LinkedIn comments… and ended up in the hundreds 🤯

I’ll be honest — I was nervous about opening up the newsletter like this.
I’ve been writing this newsletter for over 5 years, for free, to help aspiring lawyers. Over that time, I’ve built trust with the audience, which I value more than any money.
That’s why I turn down a lot of advertisers.
If I don’t think they’re a good fit or I’m not sure they’re legit, I say no. Even during this auction, I had to turn a few away. But luckily, the winning bid came from someone I know and trust.
This is how the newsletter stays free: promotions that genuinely could help you.
So if you ever see a sponsor in here, know that engaging with them helps support LittleLaw — and I’ll only share them if I think they’re the real deal.
- Idin
P.S. Anyone looking to reach 20,000+ super smart, diverse future lawyers, my DMs are always open.

FEATURED REPORT 📰
🔍 How lawyers help the M&S cyber attack

What’s going on here?
At the end of April, Marks & Spencer was hit by a suspected cyber attack.
The attack caused big problems. For weeks, the company’s systems were disrupted. M&S had to stop taking online orders for clothing and homeware.
M&S said that hackers may have stolen data from up to 9.4 million customers. This could include names, dates of birth, and order history (but not passwords or payment details).
Have other businesses been attacked too?
Yes, other well-known UK companies have also been hit.
Luxury store Harrods was targeted. But it managed to stop the cyber-attack before any damage was done.
The Co-operative Group, which runs supermarkets, legal services, and funeral care services, was also hit. Hackers broke into its systems and got hold of a lot of customer data.
Can M&S recover any of its losses?
The attack caused financial damage: M&S lost over £60 million in sales. Its share price also dropped by 16%. That fall wiped out £1.3 billion from the company’s overall value.

But M&S has insurance, right? Yes — it has cyber insurance, which might let the company claim up to £100 million.
The policy it has covers both:
Direct losses, like lost sales and the cost of fixing systems, and
Indirect losses, like legal claims or government fines.
That’s good then, isn’t it? Well, yes and no. While M&S can probably claim for this cyber attack, the price of its insurance going forward will probably go up. Right now, M&S pays about £5 million a year for this insurance. After the attack, that price could double.
Why would the price go up? Well, insurers charge more when they’re dealing with more risk. Once a company is hacked, it becomes more likely to be attacked again.
Also, the attack showed that M&S has gaps in its cyber security. If those gaps aren’t fixed, insurers will see M&S as a much riskier company to cover.
What should companies do after a cyber attack?
If there’s any risk to people — like identity theft, fraud, or damage to their reputation — the company must report the breach to the Information Commissioner’s Office (the UK data protection regulator) within 72 hours.
Some companies, in industries like energy, healthcare or transport, have even stricter rules. They must have strong cyber security in place and report any attack that disrupts their services to the correct regulator, such as Ofcom (TV and radio regulator) or Ofgem (gas and electricity regulator). If they don’t, they could face huge fines.
If a company has cyber insurance (most do), it is also usually required to tell the insurer about the breach straight away.
How can law firms help after a cyber attack?
📋 How law firms help before an attack happens:
Draft an incident response plan: This is a written plan that sets out what to do if there’s a cyber attack. It covers legal time limits (like the 72-hour deadline to report to the ICO), who signs off on decisions, and how to involve lawyers quickly.
Review data-sharing and processor contracts: Lawyers check your contracts with third parties (like cloud providers or payroll companies) to confirm: (1) who’s responsible if there’s a breach, and (2) whether they must notify you (or vice versa).
Run breach simulations: These are practice exercises where your IT, legal, and PR teams act out a breach scenario. Lawyers test how your team handles legal steps like data breach reporting, regulator notifications, and press statements.
Set up pre-approved experts: Lawyers help you line up forensic investigators and crisis PR firms in advance, and make sure they can be brought in quickly by the lawyers when needed.
Why is it better for the lawyers (not the company) to instruct the experts? If a company’s lawyers are the ones who hire the investigators after a cyber attack, the findings might be legally protected because they benefit from “legal professional privilege”.
This means the company might not have to share those details with regulators or in court.
🚨 How law firms help after an attack happens:
Work with forensic investigators: Lawyers help direct the investigation to find out how attackers got in, what systems or data were accessed, and how long the breach lasted. This helps decide if regulators or customers need to be told.
Assess if the breach is notifiable to the ICO: If the breach poses a risk to people’s rights (like identity theft or loss of medical data), it must be reported to the ICO within 72 hours. Lawyers make that call and prepare the report.
Draft ICO notifications and data subject letters: Lawyers write the official message to the ICO (explaining what happened, who’s affected, how it’s being fixed), and help prepare legally compliant letters to affected customers.
Review and approve press statements: It’s important that these public messages balance transparency with legal safety — especially if claims or fines might follow.
How can you use this in your applications?
Good commercial lawyers are “business advisors”, not just “legal advisors”.
But what does that actually mean?
This article shows how commercial and legal advice go hand in hand.
If you're talking about why you’re interested in commercial law, you can now go beyond “legal” answers.
For example, you could explain how a lawyer helps a client through a cyber attack by giving both legal advice (like ICO reporting duties) and business support (like managing PR fallout to help stabilise share price).
This will show you get what being a commercial lawyer actually is.

TOGETHER WITH TCLA* 🤝
“Understand how business works” — but no one teaches you
To be a good commercial lawyer, you’re told to understand how companies make money, raise capital, and manage risk.
But here’s the problem: no one explains that finance stuff.
As an applicant, you’re left to wing it — and hope you don’t get caught out in an interview.
So, TCLA created a free finance guide for aspiring lawyers.
It includes:
A 1-minute explainer on why finance matters in law
The key financial players (and how they move markets)
The difference between private equity, public equity and debt
A mock law firm case study that pulls everything together
Plus, it’s made for future lawyers — not finance experts.
* This is sponsored content

IN OTHER NEWS 🗞
🇮🇳 India is starting to let more foreign lawyers in. India planned to ease its rules by July to let UK law firms enter the market (we wrote about that here). Now, some of those changes have already begun. Foreign lawyers can advise on deals involving foreign or international law, and they’re allowed to take part in arbitration cases held in India. They still can’t go to court, but it’s a big step towards opening up one of the world’s largest legal markets.
📰 The UK is allowing foreign states to own up to 15% in UK newspapers. It’s a major U-turn on foreign-state investment — after blocking a UAE-backed bid for the Telegraph last year. The government says the 15% cap strikes a balance: it protects media independence while helping struggling publishers raise money. But critics worry even small stakes could give foreign governments quiet influence over how the news is reported.
⚽ Everton FC’s new 52,000-seat stadium will be called the Hill Dickinson Stadium. The Liverpool-based law firm has signed a long-term naming rights deal worth £6-10 million a year. As part of the partnership, the two will team up on community projects, including tackling homelessness and mental health through Everton’s charity work and the Hill Dickinson Foundation.

AROUND THE WEB 🌐
📜 Jackpot: Harvard’s “copy” of the Magna Carta is actually a 725-year-old original (worth millions!)
🎬 Factcheck: Ever wonder how accurate “based on a true story” films are? This site will tell you (The Wolf of Wall Street got 80%)
🦆 Speedy: A duck keeps setting off speed cameras on a road in Switzerland

STUFF THAT MIGHT HELP YOU 👌
📹️ Free application help: If you're applying to commercial law firms, check out my YouTube channel for actionable tips and an insight into the lifestyle of a commercial lawyer in London.