Under the EU’s General Data Protection Regulation (GDPR), aggrieved data subjects can sue firms for failing to secure their personal data properly. New statistics from the Information Commissioner’s Office (ICO) showed that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.
Processing personal data is an intrinsic part of legal work. If you can't guarantee the confidentiality, integrity and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.
When the EU's GDPR supersedes the Data Protection Act 1998 (DPA 1998) on 25 May 2018, law firms as data controllers will face "effective, proportionate and dissuasive" administrative fines of between 2% and 4% of their annual global turnover or €20 million – whichever is greater – for breaches.
When you consider the scale of the new fines, the recent surge in data security incidents affecting law firms is sobering. The GDPR mandates that data breaches be reported to the supervisory authority – the ICO – within 72 hours of their discovery. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.
Information security, not just cyber security
Although most firms have embraced new technologies, the information handled by legal professionals is often held in hard copy rather than as encrypted digital files. This also needs to be appropriately secured and its confidentiality, integrity and availability maintained.
The ICO found that loss and theft of paperwork accounted for 26% of data security incidents in 2015/16. Data being posted or faxed to the incorrect recipient accounted for 17% of incidents. Make no mistake: these are data breaches, just as incidents caused by cyber attacks are, and under the GDPR you'd be just as liable. Breaches of the 'integrity and confidentiality' principle, which mandates the use of appropriate security, incur fines at the upper end of the scale.
Cyber security measures, while extremely important, are only part of your compliance obligations: to secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can't prevent you from leaving a folder full of case notes in your car.
Information security: the holistic approach
Information security isn't just a job for the IT department: it's the responsibility of every single employee, from partners to trainees, from clerical staff to cleaners. Everyone who comes into any contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes and technology comes in, such as ISO/IEC 27001:2013 (aka ISO 27001).
ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients' information – and demonstrate your compliance with the GDPR.
Many leading law firms, including Clifford Chance, Allen & Overy and Linklaters, have already achieved certification to the Standard, but it is not just an approach for larger organisations. ISO 27001 sets out an approach based on regular risk assessment, which can – and, indeed, should – be tailored to each organisation's requirements, and is as suitable for smaller practices as it is for large city firms.
The GDPR mandates that data controllers implement "appropriate technical and organisational measures"; Annex A of the Standard lists 114 such measures – known as 'controls' – that you can use to address the risks you have identified. (You can also use other controls as part of your ISMS, but these must be checked against Annex A.)
Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard.
For example, from Annex A of ISO 27001:
- A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfil the GDPR's principles of purpose limitation and storage limitation.)
- A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. (This will help you fulfil the GDPR's principles of accuracy, and integrity and confidentiality.)
- A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation's premises. (This will help you comply with the GDPR's principles of storage limitation, and integrity and confidentiality.)
- A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR's principles of accuracy, and integrity and confidentiality.)
There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.
You can find more information about ISO 27001, and how it can help you demonstrate compliance with the GDPR, on IT Governance's website.