Information security is a substantial risk for the legal sector. Law firms are an attractive target to cyber criminals due to the vast wealth of personal and private information in their possession.
Cyber-attacks on UK law firms increased by a fifth between 2014 and 2016, with nearly three quarters of the country’s top 100 targeted in 2015, according to PwC’s 25th Annual Law Firms’ Survey.
Despite the increasing threat, and the potential financial and reputational damage following a breach, a survey by the online legal magazine Legal Week found that only 35% of law firms had a response plan in place for cyber-attacks, compared to 52% for non-legal professions.
With the European Union’s General Data Protection Regulation (GDPR) due to come into force in May 2018, legal firms that fail to appropriately secure personal data will face severe fines in the event of a breach. The regulation could affect organisations throughout the world because it applies to any company that handles the personal data of Europeans. The GDPR defines a personal data breach as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Fines imposed following a breach could be as much as 4% of a firm’s annual global turnover or €20 million, whichever is greater. Furthermore, should a firm be fined under the GDPR, it is also likely to face personal litigation from the individuals whose data is lost. The total cost of a breach could therefore be far greater than the fine, and might see senior partners taken to court and even imprisoned should the breach show negligence.
To understand your legal data protection obligations, it is necessary to understand what is considered personal data. This is an area that can cause confusion. An individual’s name? That’s certainly personal information. But what about an email address? Or a photograph? Or an ID number that, when combined with other information you hold, could be used to identify someone?
For years, we have understood personal data in terms of the Data Protection Act 1998: that personal data is any data, whether by itself or when combined with any other data you possess or are likely to possess, by which a living individual is identifiable.
This includes any opinions or decisions pertaining to an individual, such as notes from performance review meetings, or recruitment notes on a candidate’s suitability for a role.
Under the GDPR, the definition of personal data has been expanded and is considered “any information relating to an identified or identifiable natural person”.
This means that if any data you hold can identify an individual, either directly or indirectly, then it is considered personal data. If an individual can be identified by reference to “an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” then it is personal data.
For organisations, this includes work email addresses, company car details, and work phone numbers. An email address, whether it is firstname.lastname@example.org or…