ICO cautions law firms over breaches

The Information Commissioner’s Office (ICO) has issued a warning to legal firms that personal information, including paper files, must be kept secure.

The cautioning towards barristers and solicitors comes as the ICO has been informed of a number of data breaches related to the law profession.

Over the last three months, the organisation claims that it has received complaints for 15 incidents involving members of the legal industry.

Read more: UK retailer Office suffers data breach

The ICO notes that it is able to serve a penalty of up to £500,000 when there is evidence that the Data Protection Act has been broken.

It says that although such monetary penalties are often reserved for companies or public authorities, barristers and solicitors can be classed as data controllers in their own right, making them legally responsible for personal information they handle.

Because such data is often very sensitive, the ICO says, breaches can often meet the statutory threshold for issuing a fine.

The organisation also claims that because those in the profession often carry large quantities of information in folders and files to and from court, the risk of data breach is increased.

Small number of breaches outweighed by information significance

“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle and the fact it is often held in paper files rather than secured by any sort of encryption, that number is troubling,” claimed Information Commissioner Christopher Graham.

“It is important that we sound the alarm at an early stage to make sure the problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach,” he added.

Following its warning, the ICO has issued some guidelines for legal firms wishing to increase security and minimise data breach risk.

These include keeping paper documents secure by locking information away when not in use and not leaving it in places such as a car overnight.

Porthole ABesides this, it is recommended barristers and solicitors only carry information essential to the tasks in hand and where possible, information must be stored on an encrypted portable device.

{MPU PlaceholderThe ICO also recommends only keeping information for as long as necessary and making sure all data is permanently deleted before disposing of electronic devices.

Read more: Data breach stories: Top 10

The organisation and The Bar Council are currently working together to ensure that Information Security Guidance provided to legal professionals in England and Wales is updated.