Security? ICO investigated 173 UK law firms for data protection breaches in 2014

Figures released today by Egress Software Technologies following an FOI request to the Information Commissioner’s Office (ICO) reveal the worrying number of law firms investigated for breaches of the Data Protection Act (DPA) in 2014. The research shows that a total of 187 incidents were recorded, with 173 firms investigated for a variety of DPA-related incidents, of which 29% related to ‘security’ and 26% related to incorrect ‘disclosure of data’.
Despite increasingly high-profile data breaches by law firms, and warnings from industry regulators about the lack of data security measures applied to the highly sensitive information that firms share and manage, today’s figures demonstrate a worrying lack of care and security. In August 2014, for example, Information Commissioner Christopher Graham issued a clear warning to law firms following a string of data breaches: “It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
In addition, the 2014 Law Firm File Sharing Survey produced more startling statistics, including that 89% of law firms use unencrypted email as their primary means of communication. The survey also revealed that 77% of firms rely on a confidentiality statement to secure communications, and nearly half admitted to using free cloud-based file sharing services such as Dropbox to transmit ‘privileged information’. At the same time, the Law Society issued a practice note warning that the use of cloud computing services in law firms could breach the Data Protection Act.
In March 2015, research in the US revealed that at least 80% of the country’s 100 biggest firms had been involved in a breach since 2011.
Tony Pepper, CEO at Egress, commented: “The warning signs regarding data security within the legal sector have been clear for people to see for some time now. What today’s revelation demonstrates is the scale of the issue and the number of firms guilty of not providing adequate data security measures in order to protect the highly sensitive client information they manage and share. For whatever reason, there seems to have been a major disconnect between the priority placed on protecting this data and the consequences of a breach. Organisations in the other market sectors we work with have managed to successfully implement clearly defined DPA policies and technology solutions to protect this information, whilst the majority of law firms have failed to act.
“It remains to be seen whether research like this and pressure from industry regulators actually forces change within the legal sector. Or will it take a major data breach affecting thousands of clients or consumers to force a reaction?”
Today’s announcement supports the findings of an FOI request submitted by Egress in November 2014, which highlighted a worrying increase in data breaches caused by human error. The findings showed that only 7% of breaches in the period analysed occurred as a result of technical failings. The remaining 93% were down to human error, poor processes and systems, and a lack of care when handling data. In fact, to date no fines have been levied for technical failings that exposed confidential data, whereas a total of £5.1m has been issued for mistakes made when handling sensitive information.