After The Horse Has Bolted

Email Security - Shutting the barn door after the horse has bolted?

I have spent the last 6 months working in the legal sector around secure information. One thing that struck me is this: why do law firms not take email and client communications seriously?



Every few weeks there are stories in the news about how people have lost money thanks to their law firms:



'Fraudsters hacked emails to my solicitor and stole £340,000 from my property sale'



The Information Commissioner's Office has, according to Freedom of Information requests, investigated 175 law firms for 185 potential data breaches in the last 12 months.



The ICO also highlights in its data trends that the fourth most common type of data breach involves email.



The Bar Council has given the following guidance on communications:

  • E-mail is a potentially insecure method of communication. Appropriate steps, such as encryption during transmission, should be taken if it is considered necessary to send particularly sensitive information by e-mail and if required by your client.
  • You should take care when using the 'auto complete' function that is offered by some email systems to ensure that you do not accidentally select the incorrect email address.
  • Caution is advised when using the carbon copy (cc) function and blind carbon copy (bcc) function to ensure that you are not sending data to the incorrect recipient.

Another interesting fact is that 93% of data breaches were caused by human error, with 31% of the worst security breaches in 2014 across all industries in the UK being caused by human error.



According to Christopher Graham, UK Information Commissioner, on 05 August 2014: “The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling.”



The final thoughts from the ICO:



“While encryption sounds like a complicated means of protecting sensitive personal information, the crucial aspect to making it work is to identify the most suitable form of encryption and follow a common sense approach to keeping the key, and therefore the data, secure. Using effective encryption is usually easier to manage than adopting an alternative means of providing a similar level of data security.



And the time and cost of proper encryption is put into sharp perspective by a quick glance over the penalties issued in three recent cases where encryption wasn’t used (£700,000 in total). The price of getting it wrong could therefore extend well beyond upsetting people…”



So, in summary, next time you are using a law firm, will you be asking them how they are going to protect your data?