Over 170 UK law firms were investigated for breaches of the Data Protection Act (DPA) last year, more than a quarter of which were security-related incidents, according to a new freedom of information (FoI) request.
The request, submitted by encryption firm Egress Software Technologies to data protection watchdog the Information Commissioner’s Office, revealed that the nation’s law firms have learned little from a series of high profile, industry-wide breaches.
Some 29% of the 173 ICO investigations were apparently related to ‘security’, while 26% concerned incorrect disclosure of data.
Information Commissioner Christopher Graham was forced to issue a warning to the legal profession back in August 2014 after 15 incidents over a three-month period were reported to the privacy watchdog.
“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling,” Graham said at the time.
“It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
It is not just UK solicitors and barristers that are to blame for poor data handling.
The LexisNexis 2014 Law Firm File Sharing Survey revealed that 89% of US law firms still send emails containing highly sensitive details via unencrypted channels.
Some 77% said they rely primarily on a confidentiality statement at the end of an email to secure documents.
“Clearly law firms need to take action now in order to better secure the ‘sensitive’ information they handle. The fact that organizations in other sectors have addressed this issue so effectively demonstrates there is no excuse for failure to act,” Egress CEO Tony Pepper told Infosecurity.
“As part of any data protection policy review, firms need to consider how they secure and potentially encrypt electronic shared data and, just as importantly, when security should be applied and when it isn’t necessary.”
He added that end-user training is also an important step towards improving data protection, as clued-up employees will be able to spot a potential breach.
“But effective training and policy needs to be supported by data security solutions that are easy to use, integrated into existing DMS and PMS systems, and allow centralized policy to be applied based on email or document content.