Law firms accused of being negligent with client data

Information is the lifeblood of modern business, no less so than in the lofty eyries of the legal eagles, where sensitive client information is analysed and monetised.


However, when it comes to taking care of that data – ensuring it isn't lost or handed over to the wrong parties – solicitors appear to have an appalling track record of carelessness.

Figures just released following an FOI request to the UK's Information Commissioner's Office (ICO) reveal that the ICO investigated 187 data-related incidents involving 173 law firms in 2014.

According to the research, released by Egress Software Technologies, the firms were investigated for a variety of incidents related to the Data Protection Act, including breaches of security (29 percent) and the accidental disclosure of sensitive client data to a third party (26 percent).

Industry regulators have been warning law firms about the incidence of data breaches and the lack of data security measures being applied to sensitive information as it is stored, managed and shared both inside and outside the firms.

In August 2014, Information Commissioner Christopher Graham issued a clear warning to law firms following a string of data breaches: “It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”

Tony Pepper, CEO of Egress, told SCMagazineUK.com that the damage to reputation could be the real killer for many firms. “I think unfortunately that in the near future we are going to see a fine imposed by the ICO for losing data or disclosing data,” he said. “As they had been previously warned and it's happened again, the fine would be in excess of £100,000 and then what would happen is that their clients would immediately begin to shift to other firms, causing a huge loss of revenue.”

Currently, as the independent UK body charged with upholding information rights, the ICO has the power to fine data holders up to £500,000 per incident for breaching the Data Protection Act.

However, some people think that doesn't go far enough, especially when it comes to legal data. Emma Carr, director of Big Brother Watch, told SCMagazineUK.com: “The information held by legal firms is of huge personal significance and for details to be wrongly disclosed is unacceptable. The penalties currently available for those found guilty of data breaches are failing to be a deterrent. Much harsher penalties, including the threat of jail time and a criminal record, should be a possible outcome for those guilty of the very worst data breaches.”

And law firms aren't exactly rushing to adopt internal controls. Tony Pepper revealed that Egress has about 100 law firms as clients of its secure communication platform, a disappointingly low figure given that the company enjoys a 28 percent market share in government and healthcare. “It backs up that this sector is waiting for a wakeup call,” he said.

Pepper is looking forward to the enactment of European Union data harmonisation, which has been in the works for a number of years now. It is expected to allow for an increase in fines for non-compliance to as much as five percent of an organisation's global turnover.

Egress found in a similar FOI exercise in November 2014 that 93 percent of data breaches were caused by human error. Given statistics like that and the prospect of eye-wateringly high fines, Pepper believes that organisations – including the previously uninterested law firms – will be queuing up to invest in systems to control that potentially toxic data.