Posted by Samantha Jefferies, VP EMEA at Legal Futures Associate DocsCorp
Nearly half (48%) of the top 150 law firms have reported data breaches since the GDPR came into force in May 2018. And, of those breaches, 41% were a result of emailing the wrong person.
These statistics were reported by Tim Hyman, a certified data protection officer with over 20 years’ experience as an IT director among the UK’s top 20 law firms. He obtained the figures through a freedom of information request to the Information Commissioner’s Office (ICO).
Mr Hyman said the prevalence of human error “presents no surprises.” Reports from the ICO in the two years prior to the GDPR show the number of breaches in the legal industry was rising steadily, mostly as a result of human error.
Though there has not been an example of a law firm receiving a heavy financial penalty under the GDPR, he believes it is only a matter of time.
Firms have long tried to find a balance between helping staff work efficiently and working securely. Many are averse to software that slows users down through pop-ups or delays to the email server.
The ICO, however, recommended training and process improvements to most of the top 150 firms included in the report. Mr Hyman said: “If nothing else, these numbers could help provide focus for protection strategies.”
In about 20% of reported breaches, the ICO recommended new processes, including:
- Ensure appropriate checking and verification procedures when sending out personal data in any format; and
- Ensure you follow up with incorrect email recipient to confirm the deletion.
Protect staff from emailing the wrong person.
Emailing the wrong person is a risk for more than just the top 150 firms. Almost half (43%) of all data breaches reported to the ICO in the first half of last year were the result of incorrect disclosure. And more and more firms are starting to use technology to help ensure staff send the right information to the right person and reduce the likelihood of a data breach.
Email recipient checking technology assesses the domain names of recipients and assigns a risk level based on whether they are internal, external, or public domains. The sender is prompted to confirm what they are sending and to whom they are sending it.
This technology acts as a layer of defence against mistakes that can be embarrassing – like hitting ‘Reply All’ to an email you were blind copied on – and damaging, like sending a spreadsheet full of personal details to the wrong person.
When it is a mistake that goes beyond the confines of the firm’s internal network, its reputation is put on the line. A top US law firm representing PepsiCo sent an email to other lawyers and a Wall Street Journal reporter by mistake. In doing so, it revealed that its client was under investigation by the Securities & Exchange Commission.
The firm asked the reporter to delete the email, which he claimed to have done. However, he had printed the email and kept hard copies. It is nearly impossible to put the genie back in the bottle when mistakes like this happen.
Avoid leaking sensitive information
The UK government experienced an embarrassing leak when it accidentally revealed highly personal details of more than 1,000 New Year Honours recipients last month. The people affected were incredibly high profile and included the likes of Sir Elton John and former Director of Public Prosecutions Alison Saunders.
The breach happened when the spreadsheet was published online without any of the personal information deleted or redacted.
And it’s not just information on the page that can get your firm into trouble. Every file contains metadata, which in turn can include personal information requiring protection. The files law firms are sharing contain an Aladdin’s cave of sensitive and personal information. Track Changes, hidden columns in spreadsheets, or columns left in documents can tell the reader much more than the sender intended.
Every document or email attachment leaving your firm should be cleaned of metadata to prevent accidental information leaks. Removing metadata means that the recipient will only be sent what would be printed.
Three of the breaches reported by the top 150 firms were due to failed redaction. Law firms should never underestimate the importance of a proper redaction tool. It just takes one mistake, or one staff member not adequately trained to have a full-blown redaction fiasco.
Paul Manafort’s lawyers learned the hard way last year when a failed redaction exposed potentially incriminating information about their client, said to be the clearest evidence yet of coordination between the Trump presidential campaign and the Russians.
Redaction seems to have been attempted in Word or PDF by drawing a black box over the text or highlighting it in black. But, when the document was distributed, the text layer was still there. You could read it just by copying/pasting it into a new document.
A valid redaction tool completely burns out the text layer from a document. It can’t be undone or uncovered because it no longer exists in the file. Would your firm’s current redaction method pass the test?
At the end of the day, everyone makes mistakes. And we have all emailed the wrong person at least once. You can, however, use technology as a safety check to stop emails going to the wrong person and keep sensitive information safe.
You can download the full Legal Top 150 Data Breach Report here.