Data breach

A data breach is the release of private information to unauthorised people or into uncontrolled environments, for example the internet. This can happen on purpose or accidentally.

It’s likely that your firm will suffer a data breach at some point. There are steps you can take to defend against this.

Causes of a data breach

Law firms hold personal and financial data that make them attractive targets to cyber criminals. Breaches can also be caused by staff.

The main causes of a data breach in law firms include:

  • loss or theft of paperwork
  • data sent to the wrong person
  • loss or theft of an unencrypted device


Your reporting duties will depend on the kind of data that is released.

The General Data Protection Regulation (GDPR) defines personal data and limits its scope to such data.

If a breach of personal data is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO. Data controllers can be fined more than £10m for failing to report a breach.

Read more about cybersecurity and GDPR

You can report all breaches to:

This will raise awareness of current risks and allow others to learn from the event.

You may need to notify the data subject if the breach is likely to result in a high risk to their rights or freedoms under the EU Charter of Fundamental Rights and other protections.

You may not need to do this if you can prove the data was protected with encryption or a similar security measure.


How to protect your firm from cyber attack

ICO’s guide to personal data breaches and notification form

> Next section: Supply chain attacks

> Back to contents list

Cybersecurity news digest

Stay up to date with all things cyber with our weekly cybersecurity and GDPR newsletter.


Risk and Compliance annual 2020

Join this conference to keep up-to-date on hot topics in legal risk and compliance.

Risk and Compliance annual 2020 > More