Jean-Yves Gilg

Editor, Solicitors Journal

Courts and justice sector see 500 per cent rise in data breaches

Courts and justice sector see 500 per cent rise in data breaches


Human error main cause as solicitors and barristers see 127 per cent increase in security breaches

The legal sector has suffered a major rise in data security breaches with human error the primary cause, new research has revealed.

Figures obtained via a freedom of information request to the Information Commissioner's Office (ICO) found a 500 per cent rise of Data Protection Act breaches in the courts and justice sector and a 127 per cent rise among law firms and barristers' chambers over the last three years.

Speaking at the Ark Group's 9th regulatory compliance for law firms event last December, Richard Syers, the ICO's lead policy officer, explained that solicitors and barristers had been the subject of 4.5 per cent of all data breaches reported to his office over the last year.

Research from 2015 found that over half of UK legal professionals believed their companies were not doing enough to prevent security breaches. One in ten lawyers admitted to having no measures at all in place to decrease the risk of data loss.

The analysis of the latest data by Egress Software Technologies show that in Q1 of 2016, human error accounted for almost two-thirds of all incidents reported to the ICO - far outstripping other causes, such as insecure webpages and hacking, which stands at 9 per cent combined.

Information posted, emailed, or faxed to the wrong recipient accounted for 28 per cent of breaches, while loss and theft of paperwork accounted for 17 per cent. Other causes included insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.

Commenting on the figures, Egress CEO Tony Pepper said the revelations should be a 'major concern for all organisations'.

'Human error and data breach incidents continue to go hand-in-hand. Time and again we're faced with this reality and yet as today's statistics show, little effective action seems to have been taken to improve the situation,' he said.

'Clearly at a board level, mistakes continue to be made as priorities aren't balanced, leaving companies exposed.'

The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will impose a mandatory notification within 72 hours for breaches where sensitive personal information is put at risk. This is likely to lead to an increase in reported incidents for private organisations.

The GDPR will also increase the maximum monetary penalties for non-compliance to either €20m or 4 per cent of annual worldwide turnover - whichever is higher - for organisations found in breach.

'Corporate organisations are already increasingly coming under the spotlight following several high-profile breaches of consumer data over the last 12 months and the GDPR will only amplify this,' continued Pepper.

'Additionally, as individuals become more aware of the data these companies hold and the measures they're putting in place when processing and sharing it, they will inevitably also put pressure on organisations to better protect their data - or they will simply take their custom elsewhere.'