Report: More than half of data breaches at UK legal firms are caused by insiders  

An analysis of data from the Information Commissioner’s Office (ICO) covering Q3 2022 – Q2 2023 by NetDocuments shows that 60% of identified data breaches in the UK legal sector were caused by insiders.   

Combined, the breaches compromised data held by legal firms relating to 4.2 million people. Almost half of the cases (49%) affected customers, and 13% affected employees. Basic personal information (49%), economic and financial data (13%), health data (10%), and official documents (10%) were the main types of data breached in the legal sector, NetDocuments reports.

“Law firms and legal institutions handle vast amounts of sensitive and confidential information, which puts them at increased risk of cyber-attacks,” commented David Hansen, VP of compliance at NetDocuments. “But it’s not just external threats like ransomware that law firms need to watch out for. Law firms must be vigilant to insider data breaches – whether intentional or accidental. This requires robust cyber security measures to govern access to documents, without hampering staff productivity.” 

The analysis of the ICO data highlights the common causes of data breaches in the legal sector:

37% resulted from sharing data with the wrong person (i.e., via email, post or verbally).

27% resulted from phishing and ransomware attacks.

12% resulted from losing data (i.e., loss/theft of a device containing personal data, or of paperwork or data left in an insecure location).

39% resulted from human error (i.e., verbal disclosure; failure to redact or use bcc; alteration of data; hardware misconfiguration; documents emailed or posted to the wrong recipient).

The findings underline the need for law firms to continue to prioritise threats from within, ensuring that only authorised people have access to particular documents and files.

“For law firms, guarding against insider threats is not just a matter of protecting data; it’s a commitment to safeguarding client and employee confidentiality,” Hansen said. “Data loss prevention must be an essential part of cybersecurity strategies.”