In 2014, the UK Data Protection regulator, the Information Commissioner’s Office (ICO), issued a blog emphasising the importance of solicitors and barristers keeping personal information secure, following a number of data breaches involving the legal profession. A year later, 4% of UK data security incidents reported to the ICO still involved UK lawyers. Some mistakes were silly and avoidable, such as instances of faxing papers to the wrong recipient, and therefore weren’t easy to predict. Other types of human error could have been anticipated more easily.
The modern worker increasingly works on the go or from home, and carries all sorts of private data with them when outside of the office. These workers will be holding data in a variety of ways, such as on mobile phones, laptops and USBs, and the chances are some of these will get lost. While USBs may seem an outdated method of transporting data, 60% of businesses last year said they had over 5 in operation at work, while every year 22,000 USBs are found by dry cleaners. Just last year the loss of a USB by the Queen’s security detail detailing her routes to and from the airport caused a national outcry. This would have been a non-event had the USB been encrypted, and so when found by a member of the public been inaccessible. Hacking dominates the headlines for data losses, but it is still human error and accident that account for the majority of data breaches.
While law firms may not be handling data as important as the Queen’s security measures, they should treat all data they are handling exactly as if it is. The coming changes to the General Data Protection Regulations in May 2018 will mean far more stringent data privacy policies, with the loss of a client’s data potentially leading to fines of up to £17 million, or up to 4% of global turnover. While those levels of fines will be only for the most serious of breaches, brand damage and loss of confidence from clients can have equally damaging results. No one is exempt from the data protection laws – Greater Manchester Police received a fine of £150,000 when an unencrypted storage device was stolen from a police officer’s home in a domestic burglary.
Encrypting all your data and devices may sound expensive, but it’s a small change in comparison to the potential penalties a business can accrue. Clients need to have absolute faith that their lawyers aren’t mishandling their data. The ICO explicitly recommends that firms “store personal information on an encrypted memory stick or portable device” so that even if lost it is “virtually impossible” to access the information. By encrypting all your data on the move, you are taking a step in the right direction to becoming GDPR compliant.
Law firms across the country by now will have given advice and guidance to their clients on what the upcoming updates to the UK’s law on personal data mean. These same firms must not be remiss in taking the pre-emptive measures to protect their own clients. That is why safeguarding all files regardless of how sensitive they may be, must take precedence and thus be safely stored on secure flash drives or SSDs.
Authored by Paul Figini, a UK based data protection consultant, on behalf of Kingston Technology.