Law firms 'warned over data protection errors'

Law firms have been reminded of their responsibilities when it comes to storing personal data securely.

The Information Commissioner's Office (ICO) shone a light on the issue after a series of data protection mistakes were revealed in the legal profession. Indeed, 15 separate incidents have been recorded in the last three months.

Under the Data Protection Act, firms can be fined up to £500,000 for a serious breach. While the fines are typically served to companies or public authorities, the ICO pointed out that as lawyers are effectively data controllers, they are legally responsible for any information they process.

Information Commissioner Christopher Graham stated that because of the sensitive nature of the data most lawyers are in possession of, security has to be at the forefront of their minds at all times.

The road to compliance

Part of the problem is that lawyers often carry large amounts of data to and from court. On top of this, information is frequently held overnight at their homes without proper safety measures being in place.

"It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach," Mr Graham stated. He is encouraging every lawyer to get on the "road to compliance" by at least getting the "basics right".

Best practices

In an effort to reduce the potential for further data protection scares, the ICO is working with The Bar Council to update its guidance. It has also released a series of tips for both solicitors and barristers, including:

Use encrypted memory sticks or personal devices
Doing this where possible means the information cannot be accessed even if the device is stolen or lost, providing an added layer of security protection.

Regularly delete old data
There is no point holding on to data that is no longer needed, as this represents an unnecessary security risk. Routinely delete or dispose of information securely.

Data minimisation
Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.

The need for encryption

According to Simon Rice, the group manager for the technology team at the ICO, storing any personal information is "inherently risky" and this is why the right measures have to be put in place. He pointed out that encryption offers the best option: software is installed that uses a complex series of mathematical algorithms to protect and encrypt information, which prevents people gaining inadvertent or unauthorised access to data.

If encryption is going to work for lawyers, Mr Rice believes identifying the most suitable form of encryption is essential. "Using effective encryption is usually easier to manage than adopting an alternative means of providing a similar level of data security," he stated.

And with financial penalties of up to £500,000, lawyers and law firms will find that investing in security software upfront will be worth it in the long run.