Law firms should ensure that compliance officers for legal practice (COLPs) are closely involved in information security policies, a study has advised after finding that a majority of firms contacted had already suffered data breaches.
Reporting on a survey of law firms’ information security practices, commissioned by Oyez Professional Services, the IAAITC network of accountancy firms found that COLPs in a majority of the 30 firms surveyed had not been given “strategic responsibility” for data security.
This finding was “perhaps at odds with the Solicitors Regulation Authority, which firmly holds them, as senior managers and lawyers, responsible when things go wrong”, it said.
Two-thirds of the officials surveyed were COLPs, but a third of them – and more than half of all respondents – felt it was appropriate that responsibility for information security was delegated to others.
Further, around a third of firms were unaware that the SRA’s code of conduct requires compliance with legal obligations when handling personal data, namely the Data Protection Act 1998 (DPA), it said.
In a white paper accompanying the survey, Oyez said: “The DPA has eight principles with which you and your staff must understand and comply. Lapses in the protection of personal data, when they occur, can be more and more costly not just in terms of monetary loss but also in terms of reputational damage for your firm.”
However, the survey pointed out that while COLPs may be held to blame for information security breaches, “Ultimately under both the SRA code of conduct and the [DPA] the responsibility rests with the partners/owners of the firm regardless of where the day-to-day responsibility is delegated.”
In other findings, 40% of firms thought a security breach was “likely or inevitable”, with 18 of the 30 admitting to having suffered a breach already.
While a healthy 84% of firms had information security policies, fewer than a third had “basic policies covering the sending and receiving of personal data via secure e-mails, or saving and retrieving files securely from a laptop, for example”.
Of particular concern were firms’ attitudes to encryption. Half of firms reported having “either no policy or a poorly followed policy on encryption”. But a lack of encryption was “a major factor resulting in many of the monetary penalty notices and undertakings issued by the Information Commissioner’s Office”, the report said. Last week Stoke-on-Trent City Council was fined £120,000 after an in-house solicitor sent unencrypted sensitive e-mails to the wrong address.
Concluding, the authors said: “Whilst firms recognise [the problem] and acknowledge the potential financial, regulatory and reputational impact a breach in information security could have on the firm, there is a lack of the necessary appropriate actions to achieve the legal and regulatory requirements to protect the integrity of personal data.
“Formulation of policies in an ad hoc way rather than through the implementation of any rigorous methodology, and the lack of regular evidence-based training would be suggestive of a profession not yet coming to terms with what it really means to be fully compliant with the legal and professional regulation.”