With law firms the seventh most targeted business group according to the Cisco 2015 Annual Security Report, it is probably little surprise that the Information Commissioner, Christopher Graham, has warned the profession to improve its information security practices after 15 reported data breach incidents involving members of the industry in three months.
Christopher Graham commented: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
The Law Society Gazette announced that the ICO investigated 173 UK law firms in 2014 for a variety of incidents that may have breached the Data Protection Act 1998 (DPA).
Solicitors and barristers hold a veritable treasure chest of data including: confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally sensitive information.
The impact for the legal profession is serious, and the penalties for a law firm can be profound. If found to have breached the DPA, law firms can face fines of up to £500,000 from the ICO, as well as a damaging loss of credibility.
Graham warns about data security Principle 7 of the DPA, which states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
The Commissioner says he is mindful that there is “no one size fits all” solution, so “…[legal firms] should adopt a risk-based approach to deciding what level of security you need”, in order to mitigate the risk.
ISO 27001 and best-practice cyber security provide exactly that safeguard. ISO 27001, as an information security management system (ISMS), wraps people, processes and technology in an enterprise-wide approach to protecting information, in whatever form it is held, based on the specific threats the organisation actually faces. This acts as the counterpoint to the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software.
Responsible companies should certainly take heed of his advice and do more to protect their client data. This may take the form of gaining the certification directly or, alternatively, outsourcing to a reputable, established IT Managed Service Provider which holds this essential accreditation and can properly consult on and set about the necessary measures to formally protect clientele, finances and reputation. What price reputation?