UK law firms investigated 187 times for data protection breaches

FoI request reveals the reason behind last August's ICO warning

Share

UK law firms were investigated 187 times by the Information Commissioner in 2014 for possible breaches of the Data Protection Act (DPA), a Freedom of Information (FoI) data by encryption firm Egress Software Technologies has revealed.

It might be assumed that legal firms would be especially careful with personal data but that didn’t stop 173 firms generating the heavy caseload for the ICO.

According to Egress, the ICO revealed that 29 percent of the cases were caused by unspecified security events with a further 26 percent connected to some form of data disclosure.

As Egress points out the worry isn’t new. Last August the ICO head Christopher Graham took the unusual measure of singling out the British legal sector after a series of data breaches hit the industry.

That warning referred to 15 incidents in the space of three months, which it reminded them could be extremely serious given the sensitive data handled by solicitors and barristers.

Egress connects this to low take-up of email encryption by the legal sector evidenced by a survey of US firms in the 2014 Law Firm File Sharing Survey.  That found barely one in ten were using the technology with the assumption that the same non-secure practices will be found among UK firms.

The same research also found widespread use of cloud storage such as Dropbox to transmit sensitive data. Last year the Law Society warned that such behaviour could also breach the DPA.

“The warning signs regarding data security within the legal sector have been clear for people to see for some time now,” said Egress CEO, Tony Pepper.

“What today’s revelation demonstrates is the scale of issue and the number of firms guilty of not providing adequate data security measures in order to protect the highly sensitive client information they manage and share,” he said.

“For whatever reason, there seems to have been a major disconnect between the priority placed on protecting this data and the consequences of a breach.”

Egress has had some sucecss selling its cloud email encryption technollogy - which requires no email client - to UK organisations with Flintshire Council in Wales a recent example.

In December 2014, a similar FoI request by Egress found a surge in data breaches being reported to the ICO with healthcare a particular trouble spot.