Staff at fault for more than half of data breaches in the UK legal sector last year


More than half of data breaches at legal firms in the UK are caused by insiders, according to a report from document management service NetDocuments.

Based on an analysis of data from the Information Commissioner’s Office (ICO), covering the period from the third quarter of 2022 to the second quarter of 2023, six-in-ten identified data breaches in the UK legal sector originated with staff rather than with outside threats such as external malicious actors.

During the period, data from legal firms relating to 4.2 million people was compromised – amounting to 6% of the UK population. Almost half impacted customers, and 13% impacted employees.

The main types of data concerned were basic personal information, at 49%, and economic and financial data, at 13%.

Health data also accounted for 10% of all information leaked while 10% of all exposed data pertained to official company documents, the research found.

David Hansen, VP for compliance at NetDocuments, said the research highlights the scale of risk faced by legal firms who store and process vast quantities of highly sensitive data.

"Law firms and legal institutions handle vast amounts of sensitive and confidential information, which puts them at increased risk of cyber-attacks," he said.

"But it’s not just external threats like ransomware that law firms need to watch out for. Law firms must be vigilant to insider data breaches – whether intentional or accidental. This requires robust cyber security measures to govern access to documents, without hampering staff productivity."

Just over a third of breaches were caused by sharing data with the wrong person, via email, post or verbally, according to NetDocuments.

A quarter originated with phishing and ransomware attacks while the loss or theft of devices containing personal data also contributed to a slew of data breaches.

Similarly, misplaced paperwork was also a key issue highlighted in the study.

Meanwhile, four-in-ten data breaches were caused by human error such as verbal disclosure, a failure to redact or use bcc, the alteration of data, hardware misconfiguration, or documents emailed or posted to the wrong recipient.

Law firm data breaches harm client confidence

"For law firms, guarding against insider threats is not just a matter of protecting data; it's a commitment to safeguarding client and employee confidentiality," said Hansen.

"Data loss prevention must be an essential part of cyber security strategies. Taking this proactive approach can help law firms fortify their defenses and prevent exfiltration and the unauthorized or inappropriate use of data."

Last summer, the National Cyber Security Centre (NCSC) issued a report highlighting the threats faced by the UK legal sector and offered advice on how to improve cyber security.




According to the report, legal firms are prime targets for attackers due to the fact they handle highly confidential, commercially sensitive, and often personal information.

The Solicitors Regulation Authority reported in 2020 that three quarters of solicitors' firms had been the target of a cyber attack, with 18 law firms falling victim to ransomware attacks in 2021 alone. Nearly three-quarters of the UK’s top 100 law firms have been affected by cyber attacks.

In one recent example, international law firm Orrick, Herrington & Sutcliffe - which specializes in advising companies in the wake of cyber attacks - suffered its own data breach.

Data belonging to more than 600,000 people was exposed in the breach, with leaked information including dates of birth, customer names and addresses, as well as government ID numbers, passport details, and social security numbers.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.