Solicitors hold sensitive and confidential information about their clients and must protect it. Any loss of that information can have financial, reputational or personal consequences for the client, and for the solicitor that loses it.
Information security is not just about technology and protecting electronic information. It is also about protecting printed data and sensitive discussions in the office or when working outside the office.
There were 512 concerns reported to us about breaches of confidentiality in 2017 and a further 408 reports in the first three quarters of 2018. This shows an increasing trend compared to the same period in 2017.
Most of the information security breaches reported to the Information Commissioner's Office (ICO) for all sectors are:
confidential emails, faxes and letters being sent to the wrong person
lost or stolen paperwork.
What firms can do
Firms can protect information by:
double-checking that emails and letters are being sent to the right address; for example, some email systems will flag external email addresses
protecting physical documents, for example by locking filing cabinets at night and taking precautions when transporting documents
making sure that sensitive conversations are not overheard
keeping electronic data backed up securely
using appropriate encryption when storing and transferring personal data
understanding and meeting their General Data Protection Regulation (GDPR) and Data Protection Act 2018 obligations.
Solicitors have always needed to work on the move, and remote and home working are becoming more common. It is important that solicitors take care to keep information safe while outside the safety of a secure office.
When we learn about criminal activities or frauds targeting firms, we issue scam alerts to warn the public and firms about known threats. There is also a quarterly round-up of these alerts to show the high-risk scams for both members of the public and solicitors.
When a loss of client data is reported to us, we recognise that no defences are perfect and take action where needed. We will act where:
client information is exposed
the firm had not taken appropriate steps to protect it or report it to us promptly.