The Information Commissioner’s Office is alerting legal professionals to the risk of data breaches in the sector, especially concerning paper files that can be easily lost, stolen or copied – with no form of encryption.
The ICO (Information Commissioner’s Office) is the body responsible for enforcing the Data Protection Act 1998. It has the power to serve a monetary penalty of up to half a million pounds for serious breaches of the Act, so it is not an organisation to ignore – especially if you work in the legal sector, where sensitive information is handled, posted, transferred, copied and destroyed on a daily basis.
In a three-month period in 2014 alone, 15 data security incidents linked to the legal sector were reported to the ICO. This may not sound like many, but because the data handled by the legal profession is so highly confidential, each incident is more likely to result in a fine than one in a less sensitive sector.
In its 2015 annual report, the ICO also highlighted that it was receiving “a significant amount of complaints about the legal profession and (were) working closely with the Bar Standards Board and other regulatory and representative groups within the legal profession to improve information rights compliance”, suggesting that the sector will come under closer scrutiny for how it handles data – especially as more and more legal work is conducted online and transferred by email or web portals.
Across all industry sectors, the health sector still stands out as having the most reported data security incidents. In October – December 2015, the health sector reported 204 incidents to the ICO, compared to just 19 from the legal sector.
In the same three-month period of 2015, the Crown Prosecution Service received a penalty of £200,000 from the ICO (one of only two monetary penalties issued in that quarter, the other being a £250 fine for Bloomsbury Patient Network). Some of the increase in incidents is thought to be related to the prevalence of cyber-attacks, and the ICO is now creating specialist teams to focus on cyber security as it becomes an increasing cause of data loss and misuse.
In 35% of all cases reported to the ICO in 2015, no action was required; in 22% of cases, action by the data controller was needed. In the remaining cases, further information was requested or an investigation was carried out.
Over the entire year, the ICO received 14,268 incident reports across a range of categories, such as inaccurate data, fair processing, retention of data and excessive data. It is important to remember that the ICO also handles nuisance-call complaints, so not all of the 14,268 incidents are data breaches.
Data breaches can also result in prosecutions. Notable cases prosecuted by the ICO in 2015 include a company director who was fined for accessing Everything Everywhere’s customer databases in order to sell his own telecoms services, and a pharmacist who unlawfully accessed the medical records of his family and work colleagues.
In 2014, a Freedom of Information request revealed that 173 legal firms were investigated by the ICO during the year (29% of the investigations relating to security and 26% to the disclosure of data).
According to an ICO infographic, the majority of breaches within the legal sector in 2014/15 were attributed to the loss or theft of paperwork. Some commentators have suggested this is due to the large folders and quantities of files that lawyers regularly carry between court, office and home – increasing the opportunity for information to be lost or stolen.
- The second most common type of breach in the sector was data posted or faxed to an incorrect recipient.
- The fifth most common breach was data emailed to an incorrect recipient. As more firms move their communications to digital formats, I would expect these two breach types to swap places, with more email incidents and less information sent by fax.
- The least common breach was hacking of insecure web pages – however, with a growing number of firms choosing to interact with clients via portals (for uploading files, receiving updates or reporting), this breach type is expected to increase.
The type of data most frequently exposed in legal-sector breaches was basic personal identifiers, followed by clinical data and then criminal records. The sensitivity of the information that legal professionals deal with means that the loss of even a few items of data about a person can significantly affect that individual. An extreme example is that some individuals resorted to suicide following the Ashley Madison ‘affair website’ hacking incident, demonstrating the extent to which data can affect people’s lives when it is used in an unintended way.
A specific example of the legal sector being on the receiving end of ICO penalties is the case of Stoke City Council, which received a penalty of £120,000 after a solicitor working on behalf of the council mistakenly sent 11 emails about a child protection case to the wrong email address, some of which contained highly confidential information. This was the second time the council had been fined by the ICO, the first being after a USB stick containing sensitive information relating to childcare cases was lost.
Evidently, data is important to the legal sector, but data security is critical for safeguarding clients, lawyers and law firms. The legal sector is particularly interesting because many of its data breaches relate to its heavy use of paper files, which cannot be encrypted, unlike other industries that more often fall foul of data protection law through cyber-attacks, hacking incidents or lax IT policies around data management.
For further reading and our references for the statistics above, please see the links below:
ICO: Data Security Trends
Computer Weekly: Stoke City Council Data Fine