Lost in the post

Nowadays it’s so easy for vast quantities of data to leave the workplace – on CDs and DVDs, on laptops, on USB sticks. Inevitably some of it is mislaid, lost or stolen. When two CDs went astray containing personal details of 25 million people, businesses realised that if confidential data is going to leave the office it ought to be encrypted.

Like other businesses, law firms have had to spend money on firewalls to guard against network intrusions and anti-virus measures to prevent infections. Now they’re confronted with the consequences of the growing awareness that confidential data must be secured when it leaves the office.

Laptop disks and USB sticks will need to be encrypted – it’s not feasible to quarantine the personal data on them and the Information Commissioner has stated clearly that personal data must be encrypted. Clients may not yet have raised the issue, but there’s no way that they would accept the suggestion that their confidential information is less worthy of protection than the personal data of individuals.

In 2007, Marks & Spencer (M&S) employed an independent company to work on its pension scheme. The company was given a laptop containing the personal details of 26,000 M&S employees. The laptop was stolen in what was described as an opportunistic theft. The Information Commissioner issued an enforcement notice against M&S. Despite the loss being from the possession of a third party, M&S were liable as the data controller. It was held that they should have ensured that the contractor’s laptop was encrypted. No doubt, in any future contracts with third party data processors, M&S will be inserting a provision requiring the encryption of any such data before it leaves the safety of the workplace.

In all of this, very little has been said about the route by which more confidential data leaves the office than any other – email. Over the last 10 years the growth of the use of email as a means of transporting data has been exponential. The availability of cheap high-speed Internet connections has made it possible for us to use email as the primary means of sending large quantities of information to each other. The Radicati Group predict that next year, the average business user will be sending and receiving in excess of 160 emails a day, more than 30 of them with attachments.

Where does all this leave the lawyer? Pro rata, the average lawyer probably sends out a higher proportion of confidential information in his emails than anyone apart from an MI5 agent. Much of that information will also constitute personal data. Yet more than 90 per cent of it is sent insecurely.

So, how long can this gaping security hole remain ignored? It seemed that the issue wouldn’t be addressed until some major scandal hit the news. Then Shirley Porter’s emails were hacked, leading to the multi-million pound settlement with Westminster Council – still nothing happened. Perhaps if someone authoritative took a clear stance on the issue it would make a difference. Yet the Law Society has published email guidelines for years recommending that lawyers adopt automatic encryption systems – nobody appears to read them.

It looks like any change to the way we send our electronic mail will only end up happening as the result of a general increase in awareness of the importance of securing information before it leaves the office – all because two CDs got lost in the post.

David Ford is CEO of Securecoms and former managing partner of Tarlo Lyons
