Crisis of confidence: Data protection issues for law firms in the EU
Firms in the EU are at higher risk of incurring penalties for failing to protect client data, warn Andrew Horrocks and Charlotte Worlock of Clyde & Co
Over the past decade, lawyers have increasingly come to rely on new technologies. In their day-to-day practice, many legal professionals use electronic files, smartphones and laptops, and many client communications are conducted via email and videoconference. While these new technologies provide numerous benefits to firms and their clients, the increased use of such technologies also poses increased risks to the confidentiality of personal data held on behalf of clients, employees and others.
Electronic data breaches are on the rise across all industries, including the law, and breaches resulting from third-party hackers or human error regularly grab the headlines. Legislators and regulators are responding to these growing risks with tougher rules and penalties.
Firms should ensure that confidential information, including personal data, is adequately protected from loss or theft – or risk incurring serious professional, regulatory and legal penalties, not to mention civil claims and costs to their business.
Common risks
While third-party hacking attacks by groups such as Anonymous are frequently in the news, confidential information is often exposed through simple human error. The Ponemon Institute’s 2010 annual study UK Cost of a Data Breach found that while malicious or criminal attacks account for 29 per cent of all data breaches, 61 per cent of breaches occur for other reasons, such as negligence or systems failure.
In this regard, firms should be aware of the risks posed to confidential client information by the loss or theft of unencrypted devices such as laptops and USB drives. Encrypting data helps to protect it, since it is often difficult to physically secure every point of access to a network. For example, lost or stolen smartphones (including both BlackBerry and iPhone devices) can be hacked in order to access data.
Although a BlackBerry device is automatically wiped of all information if the wrong password is entered ten times, a Russian software developer has discovered that the BlackBerry offline backup scheme allows access to passwords and encrypted business data for those who gain access to backup files.
iPhones and iPads have also been revealed to be susceptible to hacking. In 2011, the Fraunhofer Institute for Secure Information Technology announced that passwords for internal networks can be revealed within as little as six minutes if an iPhone or iPad is lost or stolen – even if the device itself is password protected.
Further, unsecured wifi networks, such as those provided in cafes and airports, potentially expose data to ‘snoopers’ via programs freely available online. These make it simple to see what other users of an unsecured wifi network are doing and then log on as them at the sites they visited.
Additionally, videoconferencing facilities are often insecure. Most firms today use internet protocol videoconferencing systems, which make communications clearer. However, these systems are often set up outside the office firewall, leaving the system open to attack.
In addition, videoconferencing systems are frequently outfitted with a feature that automatically accepts inbound calls. As such, some firms are unwittingly putting their systems on the internet and allowing anyone to listen in unnoticed.
Data breach implications
Regulatory considerations
The unauthorised disclosure of personal information clearly triggers various professional obligations for legal professionals, not least a solicitor’s fundamental duty to protect the confidentiality of client information.
As well as potentially attracting civil liability to clients for negligence and/or under the common law of confidence or privacy, lawyers found in breach of such professional obligations also risk incurring professional and reputational penalties, which can go far beyond those administered by legal and regulatory authorities.
In May 2011, Andrew Crossley of the now-defunct UK firm ACS:Law was fined £1,000 by the Information Commissioner’s Office (ICO) for failing to keep private data secure. The fine followed a distributed denial of service attack against ACS:Law’s website and the subsequent exposure of private information belonging to 6,000 individuals (including ISP account details, names and addresses, IP addresses, credit card details and references to individuals’ sex lives, health and financial status).
The ICO found that serious flaws in ACS:Law’s IT security system had contributed to the breach. While the ICO stated that the fine could have been as much as £200,000, it chose to administer only a nominal fine since Crossley lacked the means to pay.
By contrast, in January 2012, the Law Society of England and Wales disregarded Crossley’s bankruptcy, ordered him to pay £70,326.55 and suspended him from practising as a lawyer for two years.
The Law Society found Crossley in breach of numerous professional obligations, including acting contrary to the best interests of his clients and the good standing of the legal profession, and acting without integrity.
Reputational harm
In the event that firms are found to have failed to keep personal data secure, they also risk incurring harm to their reputations. The Ponemon Institute’s 2010 study found that lost business ranked as the biggest contributor to overall data breach costs.
Recovering customers, profits and business opportunities after a data breach poses the greatest cost hurdle for firms. Clients, particularly those who themselves face close scrutiny from regulatory authorities in respect of the protection of confidential information, will not look kindly on a law firm’s security procedures coming under criticism.
Financial consequences
A law firm that suffers a loss of confidential client data is at a high risk of major financial impact. For example, such a firm might be sued by the affected client(s) for negligence, breach of confidence and/or privacy for any losses they claim they have suffered as a result.
In addition, the firm itself might incur internal costs, such as a forensic IT investigation into the cause of the breach, identifying and providing notification of the breach to affected client(s), or even retaining a public relations agency to manage the firm’s reputation after such an incident.
While lawyers’ traditional professional indemnity insurance products might provide coverage for a third-party claim arising from a data breach, such a product may not also cover first-party (i.e. the firm’s own) costs associated with a breach.
Accordingly, law firms should consider putting in place a strategy in advance to decide how they will manage a data loss from compliance, IT, PR and client perspectives.
Such a strategy might also include the purchase of a specialised data breach insurance product, which can provide first-party coverage for notification costs, forensic investigations and credit monitoring, along with a list of approved suppliers and privacy counsel. These products are commonplace in the US and are increasingly available in the UK.
Data protection legislation
Current UK legislation
The protection of personal data in the UK is currently governed by the Data Protection Act 1998, and the ICO has the power to administer penalties of up to £500,000 for serious breaches of the Act.
Under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, notification of a data breach is currently only mandatory for telecommunication companies and internet service providers.
Proposed EU legislation
On 25 January 2012, the European Commission announced a proposed uniform European data protection regulation to replace the 1995 EU Data Protection Directive.
The draft regulation is broad in scope and is intended to apply to all enterprises handling personal data belonging to EU residents. Its definition of an enterprise is “any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity”, and therefore includes law firms located both in and outside Europe.
The majority of the requirements and penalties are expected to come into force in about two years. The draft regulation contains many burdensome obligations which will require firms to introduce additional compliance measures. As such, firms should be proactive in ensuring compliance or risk heavy fines and prosecution. Below are highlights of the proposed new EU regime.
Compulsory notification
1. Notification to national supervisory authority. The draft EU regulation introduces a general notification obligation for all enterprises – including law firms – which requires notification to the relevant national supervisory authority in the event of a breach of EU residents’ personal data. Firms will be required to notify “without undue delay” and, where feasible, no later than 24 hours after they become aware of the breach, or else provide a reasoned justification.
The notification must include:
- a description of the breach;
- contact information for the firm’s data protection officer (see below);
- recommended measures to mitigate possible adverse effects of the breach;
- a description of the consequences of the breach; and
- a description of any measures proposed or taken to address the breach.
2. Notification to affected individuals. When a breach is likely to adversely affect the protection of an individual’s personal data or privacy, notification must also be provided to the data subject(s).
However, if the breached data is encrypted, there is no such requirement to notify the data subject(s). This follows the general US approach and enables firms to avoid some of the highest costs arising from a breach.
3. Penalties. Penalties for intentional or negligent failure to notify can reach up to €1m for individuals, or two per cent of an enterprise’s worldwide annual turnover. Such penalties bring data protection legislation in line with EU competition law. Individuals also have the right to seek judicial remedy against any enterprise which violates the regulation.
4. Practical effect. Given the rise in data breaches, the notification requirement will likely prove extremely burdensome to firms. In particular, the 24-hour notice requirement is unlikely to offer sufficient time for most firms to be able to investigate and assess the impact of a breach as well as offer advice on mitigating measures. However, it appears that the “where feasible” qualification could offer a useful exception for such instances.
The potential financial impact is also likely to be heavy, as firms will be responsible for the costs of notification, forensic investigations and credit monitoring, as well as regulatory and civil liability arising as a result of breach of confidentiality obligations, breach of contract and loss of intellectual property.
Data protection officer
Any enterprise employing more than 250 staff is required to appoint a dedicated data protection officer to ensure compliance with the regulation’s obligations.
Accordingly, many medium to large firms may need to employ additional expert staff to ensure that they fulfil this requirement or risk incurring heavy penalties.
Personal data management
The proposed regulation introduces the principles of transparency and privacy by design, pursuant to which enterprises are required to provide transparent, easily accessible and understandable information regarding their handling of personal data. Accordingly, firms may be required to keep a record of their personal data processes and provide this information to supervisory authorities upon request.
Minimising the impact of a data breach
- Implement clear written policies and procedures for the protection, storage and use of clients’ personal data. Review these annually and enforce them.
- Appoint a data protection officer to ensure compliance with the proposed EU regulation as soon as its obligations come into force.
- Encrypt portable data-bearing devices such as laptops and USB memory sticks, especially those used by staff who travel extensively on business.
- Password-protect BlackBerries and other mobile devices and implement a 24-hour hotline to report losses or theft.
- Carry out regular tests on IT security and firewalls and act on the results.
- Have a data breach response strategy in place in case of an incident or suspected incident.
- Purchase specialist insurance coverage for first-party costs associated with a breach, such as notification costs, forensic investigations and credit monitoring, as well as civil and regulatory claims arising from breach incidents.
- Include in terms of business a provision dealing with the extent to which the firm accepts civil liability for its clients’ confidentiality and privacy.
andrew.horrocks@clydeco.com
charlotte.worlock@clydeco.com