Rather than issue financial penalties, the Information Commissioner's Office (ICO) has opted for a subtler approach to law firm data breaches. The information watchdog has the power to issue fines of up to £500k for serious breaches of the Data Protection Act but has chosen to issue a warning and reminder to law firms instead. This warning shot across the bows comes after fifteen breaches over three months from UK law firms.

The ICO has had its fair share of criticism when it comes to issuing financial penalties; many of those critics cite the bias toward public bodies that have been singled out for fines. But this is a clear warning that the ICO has the personal data handlers of all sectors in its sights, and fifteen breaches in three months is surely a trend that needs halting immediately.

Without a doubt, some of the information collected, stored, managed and deleted by law firms has to be among the most sensitive and personal of all data. The need for solicitors and barristers to be paragons of data protection virtue is clear. We are experiencing rising levels of cybercrime, fraud and hacking, but there is also increasing awareness of how to report it, and businesses are now looking to the law to support them and gain legal redress when their own or their supply chain data is breached or hacked.

So the implications are far-reaching, not only from the perspective of the data subjects whose data may be breached by their solicitors' information handling practices, but also from the commercial considerations for solicitors. Not only could they be facing an eye-watering and potentially practice-closing fine, but even a smaller fine or ICO-notified undertaking could result in loss of credibility and therefore business.