Survey reveals another headache for COLPs that their firms are ignoring: data security


Data security: most firms surveyed have already suffered a breach

Law firms should ensure that compliance officers for legal practice (COLPs) are closely involved in information security policies, a study has advised after finding that a majority of firms contacted had already suffered data breaches.

Reporting on a survey of law firms’ information security practices, commissioned by Oyez Professional Services, the IAAITC network of accountancy firms found COLPs in a majority of the 30 firms surveyed had not been given “strategic responsibility” for data security.

This finding was “perhaps at odds with the Solicitors Regulation Authority, which firmly holds them, as senior managers and lawyers, responsible when things go wrong”, it said.

Two-thirds of the officials surveyed were COLPs, but a third of them – and more than half of all respondents – felt it was appropriate that responsibility for information security was delegated to others.

Further, around a third of firms were unaware that the SRA’s code of conduct requires compliance with legal obligations when handling personal data, namely the Data Protection Act 1998 (DPA), it said.

In a white paper accompanying the survey, Oyez said: “The DPA has eight principles that you and your staff must understand and comply with. Lapses in the protection of personal data, when they occur, can be more and more costly not just in terms of monetary loss but also in terms of reputational damage for your firm.”

However, the survey pointed out that while COLPs may be held to blame for information security breaches, “Ultimately under both the SRA code of conduct and the [DPA] the responsibility rests with the partners/owners of the firm regardless of where the day-to-day responsibility is delegated.”

In other findings, 40% of firms thought a security breach was “likely or inevitable”, with 18 of the 30 admitting to having suffered a breach already.

While a healthy 84% of firms had information security policies, fewer than a third had “basic policies covering the sending and receiving of personal data via secure e-mails, or saving and retrieving files securely from a laptop, for example”.

Of particular concern were firms’ attitudes to encryption. Half of firms reported having “either no policy or a poorly followed policy on encryption”. But a lack of encryption was “a major factor resulting in many of the monetary penalty notices and undertakings issued by the Information Commissioner’s Office”, the report said. Last week Stoke-on-Trent City Council was fined £120,000 after an in-house solicitor sent unencrypted sensitive e-mails to the wrong address.

Concluding, the authors said: “Whilst firms recognise [the problem] and acknowledge the potential financial, regulatory and reputational impact a breach in information security could have on the firm, there is a lack of the necessary appropriate actions to achieve the legal and regulatory requirements to protect the integrity of personal data.

“Formulation of policies in an ad hoc way rather than through the implementation of any rigorous methodology, and the lack of regular evidence-based training would be suggestive of a profession not yet coming to terms with what it really means to be fully compliant with the legal and professional regulation.”
