ICO investigates 173 UK law firms for reported breaches of the Data Protection Act in 2014
Figures released by Egress Software Technologies following an FOI request to the Information Commissioner’s Office (ICO) revealed the worrying number of law firms investigated for breaches of the Data Protection Act (DPA) in 2014. The research showed that a total of 187 incidents were recorded, with 173 firms investigated for a variety of DPA-related incidents, of which 29% related to ‘security’ and 26% related to incorrect ‘disclosure of data’.
Despite increasingly high-profile data breaches by law firms and warnings from industry regulators about the lack of data security measures being applied to the highly sensitive information shared and managed by firms, these figures demonstrate a worrying lack of security.
In August 2014, for example, Information Commissioner Christopher Graham issued a clear warning to law firms following a string of data breaches: “It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
In addition to this, the results of the ‘2014 Law Firm File Sharing Survey’ highlighted more startling statistics, including 89% of law firms using unencrypted email as their primary means of communication. The survey also revealed that 77% of firms rely on a confidentiality statement to secure communication, and nearly half admitted to using free cloud-based file sharing services such as Dropbox to transmit ‘privileged information’. At the same time, the Law Society issued a practice note warning that the use of cloud computing services in law firms could breach the Data Protection Act.
This announcement supports the findings of a previous FOI request submitted by Egress in November 2014, which highlighted a worrying increase in data breaches caused by human error. The findings showed that only 7% of breaches in the period analysed occurred as a result of technical failings. The remaining 93% were down to human error, poor processes and systems, and a lack of care when handling data. In fact, to date no fines have been levied for technical failings exposing confidential data, whereas a total of £5.1m has been issued for mistakes made when handling sensitive information.