This article was first published on Lexis®PSL on 21 August 2014.
Corporate Crime analysis: With reports of data breaches increasing across all sectors, the Information Commissioner's Office (ICO) has turned its attention to the legal profession. Amber Lewis, director of media, technology and IP at Pitmans LLP, explains how law firms can improve detection methods and protect themselves from monetary penalties.
What threat do data breaches pose to the legal profession?
Solicitors in England and Wales are required by the Solicitors Regulation Authority (SRA) to behave in a way that maintains the trust the public places in them and in the provision of legal services. Any failures in their ability to keep personal information secure and confidential will ultimately undermine the trust and confidence the public places in the legal profession. Whether a breach is the result of the failure to act diligently and manage the risks associated with storing personal information (either at an individual or firm level) or is the result of cybercrime, it still amounts to a breach of that trust ultimately affecting the clients a firm can attract and retain.
Have you noticed an increase in the number of data breaches involving the legal profession?
Although the ICO has specifically targeted the legal profession, there has been an increase in data breaches across all sectors. This is not only because there has been an increase in the number of breaches. It is also due to the heightened awareness of, and interest in:
- data breaches among the public and the media
- greater efforts and resources being placed by the legal profession in detecting breaches generally
- greater efforts on the part of the ICO in relation to the monitoring and enforcement of breaches
How difficult is it for those in the legal profession to keep documents secure? Are barristers and solicitors under increasing pressure to achieve this?
Pressure in the legal profession to keep data secure and confidential is not new. However, the electronic storage of data (in addition to and/or as a substitution for paper storage) over the last decade has obviously introduced a totally new and ever-challenging dimension to data security. The legal profession is no different from any other sector in that it can no longer rely on physical security and separation of information, and it will find it increasingly difficult to keep electronic documents secure as cyber risk becomes more and more sophisticated.
In 2013 the SRA found that law firms were not undertaking a sufficient level of due diligence when outsourcing data processing and storage to an external provider. The increasing popularity of cloud computing, combined with the heightened requirements of client confidentiality faced by solicitors and barristers, was the basis for 'Silver Linings: cloud computing, law firms and risk', which set out the SRA's views on the risks faced by law firms through use of cloud computing. The document sets out the best practice for law firms to ensure they do not compromise the security of their data, particularly where outsourcing these types of data processing services. Recommendations include, for example:
- ensuring staff working remotely have properly secured communication channels
- ensuring the firm has a secure private cloud (or private area of a hybrid cloud) for client confidential material
- ensuring cloud hosting and data centre providers' security obligations are sufficiently robust and are also regularly monitored
What damage is necessary to meet the statutory threshold for breaches under the Data Protection Act (DPA)? And what penalties can be incurred as a result?
Damage is not necessarily a prerequisite to a breach of the DPA. Under the DPA, s 4(4), a data controller is obliged to 'comply with the data protection principles in relation to all personal data with respect to which he is the data controller'. However, where an individual wishes to exercise a right to object to the processing of their personal data by serving a s 10 notice, the Commissioner must also be satisfied there has been a serious contravention that was likely to cause 'substantial damage or distress'.
Following a breach of the DPA--and for the purposes of determining an individual's entitlement to compensation (s 13) and/or whether the ICO can issue a monetary penalty notice (s 55A)--the ICO must also address the concept of substantial damage or substantial distress. While the DPA does not attempt to define these thresholds, the ICO more helpfully sets out on its website that, in most cases, substantial damage would be considered 'financial loss or physical harm', and substantial distress would be 'a level of upset or emotional or mental pain, that goes beyond annoyance or irritation'.
Monetary penalties are intended to act as a sanction and a deterrent. The statutory maximum for a monetary penalty is currently set at £500,000 (although this is likely to increase significantly in the near future with the introduction of the new Regulation). Other penalties include the ICO serving an enforcement notice requiring the data controller to take or refrain from taking specified actions, and/or exercising other powers of assessment including issuing request for assessment notices and information notices.
What practical advice would you give to firms looking to keep their records in order?
The overriding emphasis should be on detection. It is inevitable that some kind of breach will occur--the important point will be whether the firm is even aware that a breach has occurred, what steps it takes to address the breach and how quickly those steps are taken. Each of these elements requires a range of technical and organisational measures to be in place, including a meaningful policy addressing the storage and handling of data, on which all staff are trained and which is practised from the top down by example from senior management. Such policies need to address:
- the use of and access to portable devices, computer systems, emails and directories (the approach to 'Bring Your Own Device' in many firms is simply totally at odds with how devices are used in practice)
- having appropriate password policies and data encryption methods in place
- data retention and destruction policies
- keeping anti-virus and security software up-to-date
- having appropriate insurance in place
Are new technologies helping matters or do they pose other difficulties?
Technologies enabling remote working and the electronic storage, transfer and sharing of data have transformed the legal profession and its ability to meet the needs of its clients. Clearly these technologies also come with an array of risk and compliance issues. The majority of individuals and organisations are still ignorant of, or reckless as to, the extent of the risks surrounding data security and how to effectively navigate around them. Cybercriminals are continuously creating more, and more effective, ways to bypass security systems and penetrate networks, often without detection. Good data security should be built on a model of continuous improvement to allow for adjustments to be made in line with technological advancements. We work in conjunction with experienced information security professionals to advise our clients on how to stay ahead of this rapidly changing and increasingly valuable area of risk and compliance.