An update on the Legal Aid Agency data breach

Back to news

Resolution continues to work with the LAA to gather further details and guidance for members and firms, after the Legal Aid Agency data breach.

Resolution understands members’ anxiety and uncertainty around the impact of the cyber incident affecting the LAA. You should be hearing from the LAA regularly.

The Law Society and the legal aid representative bodies are continuing to press for a more constructive update and we will keep members informed of developments.

We will continue to support the legal aid representative bodies to negotiate a more sensible solution with the LAA.

We will continue to update this page as soon as more information is provided to us.

Members are alerted to the latest update from the LAA published on Tuesday 3 June and set out below.

We are aware that the civil contingency billing arrangements set out by the LAA are not an ideal or comprehensive solution beyond the very short term. Please note that the online guidance has now been updated to include the procedure to be followed for mediation work.

Civil Applications

If providers cannot utilise delegated functions and have an imminent court hearing (within the next 7 days) they can contact the LAA Customer Support Team on 0300 200 2020 to outline the urgency, and what work needs to be done.

The full contingency processes can be found on the incident webpage: Legal Aid Agency cyber-security incident GOV.UK page.

Civil Billing

The information on billing contingency process for civil, offering providers the option of being paid an amount reflecting their average billing, can be found here.

This scheme requires providers to opt-in to the process, so please do review and follow the guidance if you want to receive payments through this mechanism.

You should now have received an email with details of the average payment for your accounts – if you have not please contact your Contract Manager, or CivilClaimBC@justice.gov.uk for counsel.

The contingency scheme will be kept under regular review, and where there are questions about the process these can be submitted to CivilClaimBC@justice.gov.uk or via representative bodies.

The scheme will be formally reviewed in June, in collaboration with representative bodies, to ensure that it is operating effectively to support providers. This review will not affect the stated terms of the recoupment.

The LAA has also updated the FAQ for this scheme in the providers’ guide document for the scheme – please see that document on the GOV.UK page for the latest.

Crime Billing

Graduated fee (LGFS and AGFS) claim assessment has now recommenced, and payments will begin this week. Please continue to submit bills via Claims for Crown Court Defence (CCCD) in the normal way. The LAA has already communicated contingency arrangements for CRM4s, CRM5s and CRM7s.

When submitting on CCCD, please upload a copy of the original representation order to aid with assessment.

Very High Cost Cases (VHCC) and Interim Fixed Fee Offer (IFFO) claim assessment has also recommenced and payments are being made via a contingency process.  Please continue to submit bills to your Case Manager by email.

Crime Lower, Legal Help and Mediation monthly submissions

The LAA has added an update regarding Crime Lower, Legal Help and Mediation monthly submissions for May.

Please download and complete the following form, here, to report your May CWA submission and email it to the email address on the form (by no later than 20 June).             

Client Queries           

Members of the public concerned about the impacts of this incident should contact the LAA on 0300 200 2020.  

FAQ

The LAA has updated the FAQs on the website with the following:

What should providers do if a civil application, amendment or appeal was submitted via the portal previously, but no decision was made before the portal went down?

Regardless of whether a case was previously submitted on the system, providers should follow the same procedures under the contingency process.

How should providers apply for amendments to cost and scope in civil certificates when the portal is down?

Providers are able to submit the amendment for a decision at a later date, the LAA will exercise the backdating provisions were required.

If the provider wants the LAA to make the decision, if they are unsure if the merits criteria is being met they should contact the LAA CST team to explain the urgency to obtain a contingency reference number. They will then be advised to submit the relevant application form and email it to ContactCivil@Justice.gov.uk where they will receive a decision by return email.

Providers in these circumstances should try and provide a copy of their most recent certificate, any reports or evidence to support coverage to Final hearing.

The below update from the LAA was published on Wednesday 28 May.

Civil Billing

The LAA has introduced a billing contingency process for civil, offering providers the option of being paid an amount reflecting their average billing. The detail of this scheme, and process for opting into it, can be found here.

This scheme requires providers to opt-in to the process, so please do review and follow the guidance if you want to receive payments through this mechanism. You will shortly receive an email with details of the average payment for your accounts.

Crime Billing

Graduated fee (LGFS and AGFS) claim assessment has now recommenced, and payments will begin next week. Please continue to submit bills via CCCD in the normal way. The LAA has already communicated contingency arrangements for CRM4s, CRM5s and CRM7s.

Client Queries

Members of the public concerned about the impacts of this incident should please contact us on 0300 200 2020.

On Tuesday 27 May, the LAA sent Resolution this update on LAA Portal Availability: 

Please see below the latest on progress to restore LAA systems and contingency approaches. The latest position can also be found on the incident webpage: Legal Aid Agency cyber-security incident GOV.UK page.

Systems access

LAA online services remain offline and unavailable to both internal and external users. Our technical teams have been working around the clock to allow us to run our normal operations. We will continue to provide you regular updates on progress.

The position on billing contingency remains the same as last week:

Crime billing

If we are able to process crime higher bills this week we will inform you as soon as possible. If this is not possible, all our efforts will be focused on ensuring there is a viable contingency in place to maintain provider cashflow (solicitors and barristers). CCCD remains available so please do continue to submit claims there. We have already communicated contingency arrangements for CRM4s, CRM5s and CRM7s.

Civil billing

CCMS is currently unavailable. We understand the particular importance of access to billing systems and contingency for these, and are in the final stages of developing a contingency scheme. We will you update you on details of this early this week.

I would like to reassure you that addressing the needs of legal aid providers to access our billing processes is of the highest priority for us.

FAQ updates

We have today updated our FAQ with the following information:

  • Can I submit claims for crime VHCCs?
    Yes, please submit your claim as usual to your Case Manager.  VHCC claims are able to be assessed and paid via a contingency route.
  • Are Central Fund claims impacted?
    The central funds claimed assessed and administered by the LAA are not impacted.  Please submit as usual.
  • Is Secure File Exchange via Galaxkey still operational?
    Yes, the Secure File Exchange, via Galaxkey is operating as normal.

The LAA has  stood up additional dedicated call centre capacity for members of the public concerned about the impacts of this incident. The call centre can be contacted on 0300 200 2020.

 


Many of you may have heard from the LAA already, but here’s what we know: 

  • On Wednesday 23 April, the LAA became aware of a cyber-attack on the agency’s online digital services.
  • On Friday 16 May the LAA discovered the attack was more extensive than originally understood and that the group behind it had accessed a large amount of information relating to legal aid applicants.
  • So that the LAA can manage any further risk, and to ensure confidence in the ongoing security of the information provided to them, they are keeping the LAA Online Portal offline at this time.
  • Firms should implement the contingences the LAA has set out for applications and billings. For civil applications, where a provider cannot utilise delegated functions and has an imminent court hearing they should contact the LAA customer services team on 0300 200 2020.
  • The LAA is urging all members of the public who have applied for legal aid since 2010 to safeguard themselves. It is recommended impacted individuals are alert for any suspicious activity such as unknown messages or phone calls and to be extra vigilant to update any potential exposed passwords.
  • If your staff use their LAA Online Portal password for other systems or services we recommend that they immediately change this password in all locations. We anticipate that the LAA will provide a prompt to change CCMS passwords once the system is up and running again.
  • If a provider needs to submit an urgent amendment for a High Cost Family case, please contact the Customer Services Team who will refer the matter over to the High Cost Family team for urgent consideration. For Non-High Cost Family cases, follow the same process where the item will be referred to the Civil Applications team for urgent consideration.
  • Legal Help/Family Help Lower – where providers have not yet submitted their April CWA submissions (due by 20 May), they should email the Reconciliation team reconciliation@justice.gov.uk with their total monthly submission value for their April submission by 20 May. This should be a global amount for each submission which the provider normally makes on CWA. When CWA is available, the submissions should then also be submitted via the system, to allow them to be reconciled.
  • The LAA has confirmed that you are not expected to contact clients in relation to the data breach. They said: ‘We would also like to confirm that there is no contractual obligation on providers to report this incident to the ICO or to inform clients. The data impacted by this incident is either owned by the LAA or is considered Shared Data within the definition of the contract. The contract at clause 16.3 of the standard terms sets out that the responsibilities of the data controller will be exercised by the party in possession of the data – in this case by MoJ as the data controller for LAA. MoJ has notified the ICO of the incident, and has notified data subjects through the public announcement on GOV.UK on 19 May.’ 

You may also be interested in...

Melanie Bataillard-Samuel, Chair of Resolution’s National Committee, addressed delegates at National Conference.

Resolution's new Chair, Melanie Bataillard-Samuel, delivers welcome address at National Conference 2025

Lucy Loizou will be Resolution's next Vice-Chair.

Lucy Loizou elected as National Committee Vice-Chair

Grant Cameron, Chair of Resolution's National Committee, addressed delegates at National Conference
Manchester, 17 May 2024

Chair's Welcome Address, Resolution National Conference 2024