Editor's note: Richard Ryan is an executive director and barrister with Willis. This entry originally ran on WillisWire.
The UK's Information Commissioner's Office recently highlighted the risks that barristers and solicitors face when handling personal information, but they apply equally to anyone in the legal profession around the world. The ICO sent out the warning after being notified of 15 breaches in the past three months.
Lawyers typically hold very sensitive data, which means that the financial penalty imposed for a breach could hit the ceiling of £500,000. This level of fine is truly substantial for any legal practice. Beware, though, that this could be much more when the European Data Privacy Regulations come into force.
Both Paper and Digital Data at Risk
Fifteen data breaches may not seem high to some of you, but the ICO's concern is the sensitive information that is handled by lawyers, often in paper files rather than secured by any sort of encryption.
The legal world still utilizes a lot of paper, given that not all courts, for example, have adopted online filing. The ICO has therefore sounded the alarm, at what they consider an early stage, before a barrister or solicitor is significantly harmed by financial and reputational damage following a serious data breach.
I'm sure you are all too well aware of the fact that lawyers carry around file bundles, tablets, laptops and smartphones to and from court, home and clients' offices; this increases the risk of breaching the data protection rules.
Tips to secure your data
The ICO's top tips to help barristers and solicitors:
- Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
- Consider data minimization techniques in order to ensure that you are only carrying information that is essential to the task in hand.
- Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
- When sending personal information by email, consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
- Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
- If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.
Transmission and Cloud Vulnerabilities
In a slightly different context, but maintaining the theme of data, the Council of Bars and Law Societies of Europe (CCBE) recently published their report on the threat of surveillance of privileged information held by lawyers. This will clearly resonate with many lawyers following the disclosure, for example by Edward Snowden, of the extent of surveillance by governments. The CCBE noted that:
Information which once would have been contained in the lawyer's office, literally under lock and key, is being transmitted between lawyer and client by electronic means over the Internet, and, increasingly, stored in the Cloud. This puts it out into the public space, reliant for protection only on legal and technical protection, such as encryption. The electronic data might, as it is transmitted by email or stored, be, literally, anywhere in the world and vulnerable to being intercepted and read… the data is more exposed than it has ever been.
However, given the means of state-sponsored hackers and hacktivists, lawyers do present an interesting and attractive target for lucrative information. If your firm holds client data in the cloud, be sure to assess the level of protection that is provided by your cloud provider.
Encryption is key
The common theme from both organizations is that, at the very least, data must be encrypted, which can also mean sending encrypted emails. The underlying message is to check, review and update your data protection procedures.
Data breaches now and in the future will be very costly and could potentially undermine the confidence a client will have in your practice, as clients become more interrogative as to where their data is held, controlled and managed. The number of recent data breaches by lawyers has sounded the alarm.