Data breaches in UK legal sector increase by more than a third, impacting almost 8 million people

Half of data breaches are caused by insiders – with human error leading to one in three incidents


A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector. In the period between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year). In total, data relating to 7.9 million people was compromised, amounting to 12% of the UK population.

External breaches jumped from 40 percent to 50 percent of the total number of incidents in the past 12 months, with phishing attacks (56% of external attacks) being the most common threat to legal firms. However, insider breaches still accounted for half of all reported data incidents, and more than a third (39 percent) of internal breaches were deemed the result of human error.

“Legal data breaches impact more than one in ten people in the UK, so it is imperative that firms continue to shore up their internal and external defences,” said David Hansen, VP, Compliance at NetDocuments. “At a time when the sector is continuing to digitalise, legal firms need to strike the right balance between keeping data secure, while still allowing their employees to collaborate and work productively.”

NetDocuments’ analysis of ICO data highlights the common internal causes of all data breaches in the legal sector:

  • Overall, 39 percent of all data breaches occurred from human error (e.g., failure to redact or use bcc, alteration of data, hardware misconfiguration).
  • 37 percent of all data breaches occurred from sharing data with the wrong person (e.g., via email, post or verbally).
  • 12 percent of all data breaches occurred from losing data (e.g., loss/theft of device containing personal data, or of paperwork or data left in an insecure location).

Almost half of all internal and external cases (44 percent) impacted customers, while 18 percent impacted employees. Beyond basic personal information (42 percent), the most common types of data breached were economic and financial data (13 percent), health data (10 percent), and official documents (10 percent).

“This new analysis firmly underlines that the legal sector can’t ignore data protection. Firms handle sensitive documents every hour of every day, so maintaining security when introducing new technologies must remain the highest priority,” David Hansen continued. “Given the uptick in AI adoption, guardrails that mitigate against human error are also imperative. AI has the power to drive productivity and efficiency in the legal sector, but it must not compromise data security.”
