Lawyers are among the most vulnerable to information breaches, according to the Information Commissioner’s Office
Mixed messages are coming out of the UK’s information and data watchdog about just how vulnerable the legal profession is to cyber security breaches – indeed, about just how severe the threat is to businesses overall.
On the one hand lawyers in the enforcement division of the Information Commissioner’s Office (ICO) point out that most recent self-reported breaches of data protection legislation do not relate to cyber issues.
“That’s one of the lesser problems at the moment,” says Catherine Bamford, a senior ICO solicitor, citing statistics for the past quarter that show the office handled only seven cases of private information erroneously uploaded to websites.
More problematic are the relatively straightforward cases of stolen laptops and other portable devices containing unencrypted information. Even old-fashioned paper documents and what, for most, is the prehistoric technology of fax machines feature prominently.
A lesson for lawyers
Bamford says that so far no large UK law firm has self-reported a breach to the office. And in the past quarter the office has issued just one notice to the legal profession, a sole practitioner’s practice that paid the price for economising on technology. Still, the story is a salutary one for that segment of the profession.
The lawyer had installed an off-the-shelf web package for the business that was designed for home computing and not suitable for holding sensitive client information. Simon Rice, the ICO’s group manager for technology, explains that the solicitor was acting in a copyright infringement matter that involved loading personal details of several individuals on what turned out to be an insecure system.
The firm was targeted by hackers with an interest in the case and the system was far too vulnerable to withstand the attack.
“It didn’t take them long to bring the whole thing down and for security to be breached,” says Rice.
That incident had serious ramifications for the firm. The solicitor was initially subject to a £200,000 fine, which was slashed to £1,000 on an application regarding the lawyer’s financial position. Even so, the practitioner was eventually bankrupted.
“The main issue for sole practitioners,” says Bamford, “is that they don’t have access to the same level of IT advice as the bigger law firms. They don’t have access to comprehensive information security advice.”
While only the one firm has been in the ICO frame in recent months, the office still places the wider legal profession fourth on its list of sectors at risk of information breaches, behind health, local government and education. Bamford says barristers in particular seem prone to losing laptops containing unencrypted and detailed client information.
Fax of the matter
The legal profession is also vulnerable to breaching data protection regulations when sending fax correspondence – not because Luddite lawyers are wedded to an increasingly arcane technology, but because the courts are.
“We’ve had cases where both barristers and solicitors have sent to courts faxes containing highly sensitive information,” reveals Bamford. “The document then either sits in a tray without the lawyer confirming it has been collected or the lawyer presses the wrong button and sends information to a completely random fax machine.
“In our last newsletter we issued a warning over sensitive information being sent by fax to the Asylum and Immigration Tribunal. In one case a fax went to the wrong number because one digit was mistakenly entered. Without the right processes in place, such mistakes will happen.”
Taking paperwork out of firms and chambers also causes problems. Lawyers regularly leave sensitive documents on trains or in cafes. Bamford and Rice acknowledge it would be impossible to conduct a legal practice without travelling with hard copy files, but they caution that lawyers must be vigilant.
“It’s not that lawyers shouldn’t take papers out of the office, but that they must ensure they take only what they need, minimising the information carried about,” adds Bamford. “They must be aware of the information they carry out of the office and treat it appropriately. In other words, don’t leave it lying around on a cafe table while you get a cup of coffee. It falls into the don’t-be-stupid category. A lot of this is common sense.”
While cyber security issues and law firms have not yet featured heavily on the ICO’s radar, Rice maintains a wave could still hit.
“It can take as long as six months for an organisation to be aware a cyber breach has occurred,” he says, pointing out that cyber attacks are a relatively recent phenomenon. “In some cases an organisation will never know that someone came in, had a snoop around and left again. You can’t notify something you don’t know about.”
For Bamford, the issues are, ultimately, fairly simple.
“Law firms and chambers hold a lot of confidential information as well as personal data about their clients and others,” she says. “If they’ve got any sense they will self-regulate and employ best practice. Otherwise, their clients are going to get pretty hacked off with them pretty quickly.”
The legal department at the Information Commissioner’s Office is some 15-strong, with around six people dealing with Freedom of Information Act issues and two on the front line of enforcement. Catherine Bamford is one of those enforcement specialists, joining the ICO seven years ago. She came to the office four years before that, having trained at now defunct City law firm Turner Kenneth Brown and then doing stints at Manchester personal injury specialist James Chapman & Co and the in-house department at BT.
What is the ICO?
The Information Commissioner’s Office (ICO) grew out of the Data Protection Registrar, which was launched in 1984.
The present commissioner is the former director-general of the Advertising Standards Authority, Christopher Graham, and the head of legal is Geraldine Dersely.
In England and Wales, the office deals with issues under the ambit of the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and, across the UK, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004.
Its annual budget is £20m and the office has more than 372,000 organisations registered as notifying to it.
Security tips from the ICO
– Keep servers in discreet and bespoke rooms; do not leave back-up devices unattended; and separate web servers from main file servers
– Regularly scan networks with up-to-date anti-virus and anti-malware products
– Maintain a well-configured firewall
– Restrict system access to trusted users with their individual usernames and passwords; enforce strong password creation and frequent changes; and limit the number of failed log-ins
– Train staff to recognise phishing emails and other malware
– Remove unused software and services from devices and always change manufacturers’ default passwords
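The tip on individual usernames, strong passwords and a cap on failed log-ins is the one most often implemented badly in small practices, so here is an added example of how that gate looks in code. It is not ICO code and not taken from the article; the thresholds (five consecutive failures, a 15-minute lockout, a 12-character minimum), the hashing parameters and the `LoginGate` name are illustrative assumptions. Note that the same password-hashing cost is paid for unknown usernames, so an attacker cannot tell a valid account from an invalid one by response time.

```python
"""Added example: a minimal login gate for the ICO tips on individual
accounts, strong passwords and limited failed log-ins. Not ICO code;
the names and thresholds below are illustrative assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout
MIN_LENGTH = 12             # assumed policy: minimum password length
PBKDF2_ROUNDS = 200_000     # assumed work factor for password hashing


def password_is_strong(pw: str) -> bool:
    """Length plus at least three of four character classes (illustrative policy)."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def hash_password(pw: str, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Never store the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGate:
    """One record per named user: no shared logins, per-account lockout."""

    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock     # injectable so the lockout window can be tested

    def register(self, username: str, password: str) -> None:
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)   # burn the same cost for unknown names
            return "denied"
        if now < acct.locked_until:
            return "locked"           # do not even evaluate the password
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    gate.register("alice", "Correct-Horse7battery")   # constructed sample account
    print(gate.login("alice", "Correct-Horse7battery"))
    for _ in range(MAX_FAILURES):
        print(gate.login("alice", "wrong-guess"))
```

The constant-time digest comparison and the fixed-cost path for unknown usernames are the two details most often missed; the lockout itself is simple, but it should reset the counter on success and refuse to evaluate the password at all while the window is open.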