173 Law Firms Investigated by the ICO
It has come to my attention that law firms are now more than ever under increased pressure to secure their data after a growing number of information security lapses.
Just recently it was revealed that the ICO investigated 173 law firms in 2014 for potential data breaches. For companies operating in the legal sector that is a damning statistic, considering that a law firm should be a ‘secure haven’ in which to hold, store or manage your confidential data and, more importantly, that you would expect this sector to meet the principles of the Data Protection Act.
Whether law firms have businesses or individuals as their clients, there are definite gains to be made for successful hackers.
Highly sensitive information
Law firms are often seen as a point of entry to access clients’ patents, unreleased business plans, sensitive corporate financial information, delicate personal information, company secrets, business strategies and intellectual property.
Not only can hackers use this information for extortion and resale, they can also use it to blackmail or even formulate a socially engineered attack against the client.
As we know, law firms are very attractive targets. They hold information from clients on deal negotiations in which adversaries have a keen interest. They are a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities. Simply sending an email with confidential data attachments without encryption, or without an alternative secure method to protect the information, can be deemed a negligent act which could compromise a client and also be in breach of the Data Protection Act…
Lawyer working habits
At one time, client files were kept under lock and key in filing cabinets, or even in underground vaults. Now, with the evolution of technology, lawyers use a multitude of devices to access information on the go, many of which are not encrypted and are therefore certainly not compliant.
According to the International Legal Technology Association 2014 Survey:
47% of law firms do not encrypt laptop hard drives
62% do not encrypt removable media (e.g. USB drives)
86% do not encrypt desktop hard drives
81% do not employ advanced threat protection
90% have no phishing/social engineering testing of users
Timothy Hill, technology policy adviser at the Law Society, said firms needed to start taking cyber threats seriously. Failure to do so, he said, could not only result in direct financial loss but also reputational damage.
At the risk of sounding like a broken record, there is sufficient Data Protection Compliance advice and support out there for law firms to draw on, so that they can run their businesses in a compliant manner and treat data security with the seriousness it deserves.
I would advise any law firm, lawyer or data controller (for that matter) who is unsure whether their existing data security arrangements are fit for purpose, or meet minimum regulatory requirements, to undertake a Data Protection Health Check on their business to identify any potential risks of non-compliance or vulnerabilities that pose a risk to the reputation of the business.