Jim Watson, managing director of data destruction service Shred Easy, and Daniel Berke, a fraud solicitor at Lewis Hymanson Small in Manchester and London, look at data protection among law firms and discuss the recent decision to allow the Information Commissioner’s Office to levy fines of up to £500,000 on organisations which seriously breach the Data Protection Act.
The root of the problem lies with the ingenuity and adaptability of the criminal fraternity. Identity theft and fraud have become one of the fastest-growing areas of crime, increasing by a phenomenal 36% last year. To give an indication of the scale of the problem, the losses are equivalent to £631 a year for every household in Britain.
The Act means that anyone handling personal details, credit card information, addresses, bank account details and so on for another party is bound by law to protect this data. In the electronic age, when such information can be circulated around the planet in a microsecond, the risk is constant.
Confidential data crime
Recent cases of employees stealing data from employers’ confidential files, and of confidential data being left in the street, only serve to exacerbate fears. The prime reason for the exponential growth in this crime is the casual way many of us have customarily dealt with potentially damaging data. We leave files lying around on our desks, slip them into unlocked filing cabinets, and take old or unserviceable PCs, laptops and discs to the dump with the hard drive and memory bulging with confidential data.
In short, the nature of business means dealing with confidential data. We absolutely must review and, if necessary, revise the way we deal with this risk.
The clear answer is to change our working practices to make life as difficult as possible for the criminally inclined – or those tempted by the ease of access to other people’s money. All current documents containing sensitive information should be kept under lock and key when not in direct use. Store rooms should be accessible only to the most trusted staff. Think about where or when a client, dishonest employee, temporary worker, cleaner or occasional maintenance tradesman could access written or electronic data. Then act to remove that possibility.
The lawyer dimension
Because of the highly confidential nature of their work, lawyers and law firms need to be particularly careful not to throw away data unless it has been permanently destroyed. Solicitors will also be aware of the contentious issue of the Data Protection Act and of how anyone who handles personal information has to comply with a number of important principles. Law firms also generate large volumes of confidential data, so for reasons of space as well as legal obligation they need to destroy all records and files completely.
On 23 April 2008 the Information Commissioner’s Office (ICO) prosecuted a north London solicitor for offences under the Data Protection Act. Samuel Koranteng of Koranteng Hughes & Co was ordered to pay a total of £704.20 in fines and costs. The prosecution followed Mr Koranteng’s failure to notify as a data controller despite repeated reminders from the ICO of his obligations under the Data Protection Act. Under the Act, organisations that process individuals’ personal information may be required to notify the Information Commissioner at a nominal cost of £35 per year.
Simon Entwisle, chief operating officer at the ICO, said: “The Data Protection Act ensures that people’s personal information is properly protected. We stand ready to use our powers to prosecute the small minority of businesses that flout the Act by failing to notify with the ICO. This case forms part of the ICO’s ongoing campaign to ensure that all solicitors and law firms that process personal information notify with us. Mr Koranteng was fined more than four times the usual cost of notifying, as well as legal costs – this prosecution should serve as a reminder to all other solicitors of their obligations under the Act.”
When considering a penalty, the ICO will take a business’s turnover, sector, size and the nature of the data breach into account before deciding on a fine. The decision will be determined by:
- Carefully considering the circumstances, including the seriousness of the data breach;
- The likelihood of substantial damage and distress to individuals; and
- Whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches.
These new heavy fines are a warning to all organisations to destroy their confidential data securely and form part of the ICO’s overall regulatory toolkit. The Information Commissioner is not afraid to use it.
The answer is to monitor and control the use and flow of data much more carefully, take extra security precautions and, perhaps most importantly, take expert advice about the disposal of your printed matter, IT equipment and data stored on all manner of tapes, discs, microchips and USB sticks.
Destroying the evidence
These materials can now be destroyed highly effectively and efficiently. Perhaps equally important, they can be recycled too, so organisations can fulfil their environmental obligations while protecting themselves from prosecution and their clients and stakeholders from risk. A single visit from a state-of-the-art shredding truck can completely dispose of a mass of collected confidential data.
Every business has a responsibility to shred its confidential documents and electronic data. Confidential data in the wrong hands can end in theft, a fine or the downfall of a business.