UK data privacy watchdogs at the ICO investigated 173 UK law firms for reported breaches of the Data Protection Act (DPA) last year.
A total of 187 incidents were recorded last year, with 173 firms investigated for a variety of DPA-related incidents, of which 29 per cent related to "security" and a similar 26 per cent related to incorrect disclosure of data. The figures come from a Freedom of Information request by encryption services firm Egress Software Technologies.
Hackers target solicitors in order to get their hands on the confidential data of their clients for identity fraud or other reasons. Accountants and other professional services firms are also on the front line of attacks, with cyber-spies as well as profit-motivated criminals all having a pop.
Information Commissioner Christopher Graham issued a warning to law firms last August, following a string of data breaches, Computing reports. In addition, professional body the Law Society issued a practice note 12 months ago, warning that the use of cloud computing services in law firms could break the Data Protection Act.
Evidently this advice was not put into practice by scores of law offices up and down the UK, and the issue of insecure practices in law firms is far from restricted to Blighty.
Recently published US research by incident response outfit Mandiant uncovered that at least 80 per cent of the country’s 100 biggest firms had been involved in a breach since 2011.
Separate US research revealed that 89 per cent of US law firms use unencrypted email as a primary means of communication. Almost half of American law firms use free, cloud-based file-sharing services like Dropbox for "privileged information", according to LexisNexis Legal & Professional.
Tony Pepper, chief exec at Egress, commented: "The warning signs regarding data security within the legal sector have been clear for people to see for some time now.
"What [the FOI request] demonstrates is the scale of the issue and the number of firms guilty of not providing adequate data security measures in order to protect the highly sensitive client information they manage and share. For whatever reason, there seems to have been a major disconnect between the priority placed on protecting this data and the consequences of a breach." ®