Editor's note: Richard Ryan is an executivedirector and barrister with Willis. This entry originally ranon WillisWire.

The UK's InformationCommissioner's Office recently highlighted the risks thatbarristers and solicitors face when handling personalinformation–but they apply equally to anyone in the legalprofession around the world. The ICO sent out the warning afterbeing notified of 15 breaches in the past three months.

Lawyers typically hold very sensitive data, which couldinevitably mean that the financial penalty that would be imposedcould hit the ceiling at £500,000. This level of fine istruly substantial for any legal practice. Beware though, that thiscould be much more when the European Data Privacy Regulations come intoforce.

Both Paper and Digital Data at Risk

Fifteen data breaches may not seem high to some of you, but theICO's concern is the sensitive information that is handled bylawyers, often in paper files rather than secured by any sort ofencryption.

The legal world still utilizes a lot of paper given that not allcourts for example have adopted online filing. The ICO hastherefore sounded the alarm, at what they consider an early stage,before a barrister or solicitor is significantly harmed byfinancial and reputational damage following a serous databreach.

I'm sure you are all too well aware of the fact that lawyerscarry around file bundles, tablets, laptops and smartphones to andfrom court, home and clients' offices; this increases the risk ofbreaching the data protection rules.

Tips to secure your data

The ICO's top tips to help barristers and solicitors:

• Keep paper records secure. Do not leave files in your carovernight and do lock information away when it is not in use.
• Consider data minimization techniques in order to ensure thatyou are only carrying information that is essential to the task inhand.
• Where possible, store personal information on an encryptedmemory stick or portable device. If the information is properlyencrypted it will be virtually impossible to access it, even if thedevice is lost or stolen.
• When sending personal information by email, consider whetherthe information needs to be encrypted or password protected. Avoidthe pitfalls of auto-complete by double checking to make sure theemail address you are sending the information to is correct.
• Only keep information for as long as is necessary. You mustdelete or dispose of information securely if you no longer needit.
• If you are disposing of an old computer, or other device, makesure all of the information held on the device is permanentlydeleted before disposal.

Transmission and Cloud Vulnerabilities

In a slightly different context, but maintaining the theme ofdata, The Council of Bars andLaw Societies of Europe (CCBE) recently published theirreport on the threat of surveillance of privileged information heldby lawyers. This will clearly resonate with many lawyers followingthe disclosure of the extent of surveillance by governments forexample by Edward Snowden. The CCBE noted that:

Information which once would have been contained in thelawyer's office, literally under lock and key, is being transmittedbetween lawyer and client by electronic means over the Internet,and, increasingly, stored in the Cloud. This puts it out into thepublic space, reliant for protection only on legal and technicalprotection, such as encryption. The electronic data might, as it istransmitted by email or stored, be, literally, anywhere in theworld and vulnerable to being intercepted and read… the data ismore exposed than it has ever been.

However, given the means of state sponsored hackers andhacktivists, lawyers do present an interesting and attractivetarget for lucrative information. If law firms do hold client datain the cloud, be sure to assess the level of protection that isprovided by your cloud provider.

Encryption is key

The common theme from both organizations is that at the veryleast data must be encrypted, which can also mean sending encryptedemails. The underlying message is to check, review and update yourdata protection procedures.

Data breaches now and in the future will be very costly andcould potentially undermine the confidence a client will have inyour practice as clients become more interrogative as to wheretheir data is held, controlled and managed. The number of recentdata breaches by lawyers has sounded the alarm.