The Information Commissioner's Office (ICO) last year investigated 173 UK legal firms over Data Protection Act issues, with one-third of these related to data security.
A freedom of information (FOI) request from Egress Software Technologies revealed that 29% of the investigations concerned data security.
The 2014 Law Firm File Sharing Survey revealed that 89% of firms use unencrypted email for primary communication and about half use free cloud-based file-sharing services for privileged information.
“The warning signs about data security within the legal sector have been clear to see for some time now,” said Tony Pepper, CEO at Egress. “What today’s revelation demonstrates is the scale of the issue and the number of firms guilty of not providing adequate data security measures in order to protect the highly sensitive client information they manage and share.”
Pepper said there had been a major disconnect between the priority placed on protecting this data and the consequences of a breach. “Organisations in the other market sectors we work with have managed to successfully implement clearly defined Data Protection Act policies and technology solutions to protect this information, while the majority of law firms have failed to act.”
An FOI request submitted by Egress in November 2014 highlighted a worrying increase in data breaches resulting from human error, with only 7% of breaches caused by technical failings. The remaining 93% were down to human error, poor processes and systems in place, and lack of care when handling data.
It found that fines have been levied for technical failings exposing confidential data, with penalties totalling £5.1m issued for mistakes made when handling sensitive information.