Posted by Ben Mitchell, Vice President, Sales – EMEA, at Legal Futures Associate DocsCorp
In December 2017, the Information Commissioner’s Office (ICO) reported that data security incidents between April and June 2017 had increased by 15% compared to the previous year.
This is nothing new – data breaches have been on the rise for years. Yet law firms are often more concerned about protecting sensitive information from external threats than from a far more likely cause: human error.
Human error was behind the forwarding of confidential plans from The Bank of England to The Guardian. The sender included the wrong recipient in the email and inadvertently (and embarrassingly) released details of the top-secret Project Bookend – described as “the bank’s contingency plan in the event of Britain leaving the EU, unknown even to most of its employees”.
Ever since, autocomplete has been disabled and staff at the UK’s main financial regulator must now enter every single address manually.
Many email security systems don’t safeguard against human error before the user clicks ‘Send’, so even firms that think they are protected may not be able to prevent a breach similar to this.
In 2018, with a tightening of data breach regulations under GDPR, it’s more important than ever for law firms to cover their bases. Here’s why emails should be at the top of the list of potential information security risks to address.
More than half of data breaches in 2017 happened because of human error
The ICO found that of the 335 reported incidents of data breaches between April and June 2017, more than half were a result of data being “disclosed in error” from human action. More than a third (37%) of all data breaches reported were due to information being sent to the wrong recipient.
The ICO also reported that cyber security incidents decreased by 8% in the July-September 2017 quarter. It is the second consecutive quarter in which reported cyber incidents have gone down.
Human error over email is punished just as severely as a cyber-attack under GDPR
Sending personal information like bank account details, names, or addresses to the wrong person is viewed as mismanagement of data under GDPR. The organisation responsible could face a fine of up to €10m or 2% of annual global turnover (whichever is greater).
More serious offences could be fined up to €20m or 4% of its global turnover (whichever is greater). These are the same harsh financial penalties levelled at organisations that are victims of cyber security attacks.
Metadata in email attachments can also constitute a breach
Microsoft Office documents contain metadata that isn’t always obvious to the sender. Metadata could be anything from the document’s author to potentially embarrassing ‘Track Changes’ comments.
For law firms that charge by the hour, the total editing time shown in document metadata could also present its own set of issues. Staff need to know exactly what they’re sending, before they click ‘Send’, to properly manage their data.
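To make the point concrete, here is an added example (not DocsCorp's product or code) of the kind of pre-send check that surfaces this metadata: a .docx is a zip of XML parts, so the author and last editor can be read from docProps/core.xml, the cumulative editing time (TotalTime, in minutes) from docProps/app.xml, and unaccepted Track Changes and comments from the word/ parts. The sample document and its values are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the package parts that carry the metadata of interest
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}

def inspect_docx(data: bytes) -> dict:
    """Summarise the metadata a sender should review before attaching a .docx."""
    report = {"author": None, "last_modified_by": None,
              "total_edit_minutes": 0, "tracked_changes": 0, "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        if "docProps/core.xml" in parts:   # author and last editor
            core = ET.fromstring(z.read("docProps/core.xml"))
            report["author"] = core.findtext("dc:creator", namespaces=NS)
            report["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
        if "docProps/app.xml" in parts:    # TotalTime = cumulative editing time in minutes
            app = ET.fromstring(z.read("docProps/app.xml"))
            report["total_edit_minutes"] = int(app.findtext("ep:TotalTime", "0", NS))
        if "word/document.xml" in parts:   # w:ins / w:del = unaccepted Track Changes
            doc = ET.fromstring(z.read("word/document.xml"))
            report["tracked_changes"] = len(doc.findall(".//w:ins", NS)) + len(doc.findall(".//w:del", NS))
        if "word/comments.xml" in parts:   # reviewer comments
            report["comments"] = len(ET.fromstring(z.read("word/comments.xml")).findall("w:comment", NS))
    return report

def needs_review(report: dict) -> bool:
    """True when the file carries something the sender may not intend to disclose."""
    return bool(report["tracked_changes"] or report["comments"] or report["total_edit_minutes"])

def build_sample_docx() -> bytes:
    """Constructed sample (not a real client file): a minimal .docx with all four kinds of metadata."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>A. Associate'
            '</dc:creator><cp:lastModifiedBy>B. Partner</cp:lastModifiedBy></cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><TotalTime>374</TotalTime></Properties>'
    doc = (f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
           '<w:ins w:author="B. Partner"><w:r><w:t>offer 20,000</w:t></w:r></w:ins>'
           '<w:del w:author="B. Partner"><w:r><w:delText>offer 30,000</w:delText></w:r></w:del>'
           '</w:p></w:body></w:document>')
    comments = f'<w:comments xmlns:w="{NS["w"]}"><w:comment w:id="0"><w:p/></w:comment></w:comments>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in [("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/document.xml", doc), ("word/comments.xml", comments)]:
            z.writestr(name, xml)
    return buf.getvalue()
```

Run `inspect_docx(build_sample_docx())` to see the report; a real gateway would run the same parsing on each outbound attachment and hold the message for the sender when `needs_review` is true.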
The most comprehensive form of protection against human error over email is an application that integrates directly with your email to confirm that the email addresses entered are the intended recipients and that the sender knows exactly what information they are sending.
It goes without saying that, in 2018, law firms should be arming their staff with tools to prevent accidental leaks of sensitive information. The costs to the firm, both in monetary and reputational value, are far too great to ignore.