Survey reveals another headache for COLPs that their firms are ignoring: data security


Data security: most firms expect a breach

Law firms should ensure that compliance officers for legal practice (COLPs) are closely involved in information security policies, a study has advised after finding that a majority of firms contacted had already suffered data breaches.

Reporting on a survey of law firms’ information security practices, commissioned by Oyez Professional Services, the IAAITC network of accountancy firms found COLPs in a majority of the 30 firms surveyed had not been given “strategic responsibility” for data security.

This finding was “perhaps at odds with the Solicitors Regulation Authority, which firmly holds them, as senior managers and lawyers, responsible when things go wrong”, it said.

Two-thirds of the officials surveyed were COLPs, but a third of them – and more than half of all respondents – felt it was appropriate that responsibility for information security was delegated to others.

Further, around a third of firms were unaware that the SRA’s code of conduct requires compliance with legal obligations when handling personal data, namely the Data Protection Act 1998 (DPA), it said.

In a white paper accompanying the survey, Oyez said: “The DPA has eight principles with which you and your staff must understand and comply. Lapses in the protection of personal data, when they occur, can be more and more costly not just in terms of monetary loss but also in terms of reputational damage for your firm.”

However, the survey pointed out that while COLPs may be held to blame for information security breaches, “Ultimately under both the SRA code of conduct and the [DPA] the responsibility rests with the partners/owners of the firm regardless of where the day-to-day responsibility is delegated.”

In other findings, 40% of firms thought a security breach was “likely or inevitable”, with 18 of the 30 admitting to having suffered a breach already.

While a healthy 84% of firms had information security policies, fewer than a third had “basic policies covering the sending and receiving of personal data via secure e-mails, or saving and retrieving files securely from a laptop, for example”.

Of particular concern were firms’ attitudes to encryption. Half of firms reported having “either no policy or a poorly followed policy on encryption”. But a lack of encryption was “a major factor resulting in many of the monetary penalty notices and undertakings issued by the Information Commissioner’s Office”, the report said. Last week Stoke-on-Trent City Council was fined £120,000 after an in-house solicitor sent unencrypted sensitive e-mails to the wrong address.

Concluding, the authors said: “Whilst firms recognise [the problem] and acknowledge the potential financial, regulatory and reputational impact a breach in information security could have on the firm, there is a lack of the necessary appropriate actions to achieve the legal and regulatory requirements to protect the integrity of personal data.

“Formulation of policies in an ad hoc way rather than through the implementation of any rigorous methodology, and the lack of regular evidence-based training would be suggestive of a profession not yet coming to terms with what it really means to be fully compliant with the legal and professional regulation.”
