Law Firms and Data Protection ‘Breaches’

April 15, 2015

According to figures released on 16 April by Egress Software Technologies, a worrying number of law firms were investigated for breaches of the Data Protection Act 1998 in 2014. The Egress statement follows an FOI request to the ICO. The statistics demonstrate the scale of the data security challenge facing law firms.

The research shows that a total of 187 incidents were recorded, with 173 firms investigated for a variety of DPA-related incidents, of which 29% related to ‘security’ and 26% related to incorrect ‘disclosure of data’.

This reinforces earlier concerns. In August 2014, Information Commissioner Christopher Graham issued a clear warning to law firms following a string of data breaches: ‘It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.’

In addition, the results of the ‘2014 Law Firm File Sharing Survey’ highlighted more startling statistics, including that 89% of law firms use unencrypted email as the primary means of communication. The survey also revealed that 77% of firms rely on a confidentiality statement to secure communication, and nearly half admitted to using free cloud-based file sharing services such as Dropbox to transmit ‘privileged information’. At the same time, the Law Society issued a practice note warning that the use of cloud computing services in law firms could break the Data Protection Act.

Tony Pepper, CEO at Egress, states: “The warning signs regarding data security within the legal sector have been clear for people to see for some time now. What this revelation demonstrates is the scale of the issue and the number of firms guilty of not providing adequate data security measures in order to protect the highly sensitive client information they manage and share. For whatever reason, there seems to have been a major disconnect between the priority placed on protecting this data and the consequences of a breach. Organisations in the other market sectors we work with have managed to successfully implement clearly defined DPA policies and technology solutions to protect this information, whilst the majority of law firms have failed to act.

“It remains to be seen whether research like this and pressure from industry regulators actually forces change within the legal sector. Or will it take a major data breach affecting thousands of clients or consumers to force a reaction?”