Could a Poor Password Risk Breaching a Solicitor's Duty of Confidentiality?
As cyber threats grow and professional obligations tighten, legal practitioners need to revisit an often overlooked topic: passwords. A recent ICO fine brings this into sharp focus.
The impact of cyber-attacks has been obvious for all to see this year. Marks & Spencer and Co-op have been the most high-profile UK examples. In the United States, the use and reuse of weak passwords came into sharp focus after investigations by 404 Media, the New York Times and others found that senior government officials had used weak passwords that appeared in data leaks.
Our duty of client confidentiality hasn't changed. It is ingrained within the SRA's Code of Conduct for Solicitors and has featured in cases before our highest courts.
Data breaches are largely investigated by the Information Commissioner's Office, which has the power to levy fines. But given that the duty of confidentiality is a positive one, could using a weak password and practising poor password hygiene also breach our professional responsibilities?
UK Law Firm Fined for Poor Password Practices
In April 2025, the Information Commissioner's Office levied a £60,000 fine on a Merseyside-based firm for failing "to put appropriate measures in place to ensure the security of personal information held electronically", following a breach in which 32GB of data, including client data, was taken from the firm.
The breach was discovered when the National Crime Agency alerted the firm that the files had been published on the dark web.
The ICO disclosed that the attacker gained access through an administrator account protected by a password that was compromised by a brute force attack. Administrator accounts are often default accounts in content and client management systems and are therefore rarely used in day-to-day work, which makes weak or forgotten passwords on them easy to overlook.
A brute force attack is where software rapidly tries password after password against an account, or against stolen password hashes, until one works.
According to cyber security company Hive Systems, the most powerful consumer hardware of 2025 would take 15 minutes to crack an eight-character password consisting of numbers only, 3 weeks for lowercase characters only, but 15 years for passwords consisting of upper and lower case characters.
Hive points out an important caveat to their analysis: if your password uses dictionary words, has been reused between websites or has previously been stolen, the estimated time to crack it is "instantly".
Had multi-factor authentication been enabled on the account, a guessed password on its own would not have been enough to gain access.
In a reply to a request for comment, the CEO of the firm in question stated that the firm had fully cooperated with the ICO investigation but disagreed with the conclusions reached by the ICO and has lodged an appeal.
The CEO also highlighted the firm's commitment to robust standards in both legal practice management and cybersecurity through their independent Lexcel and Cyber Essentials certifications, which are intended to assure clients and stakeholders of their adherence to best practices.
A Curious Chronology
The ICO Penalty notice states that a Notice of Intent was sent to the firm on the 11th of December 2024, to which the firm replied on the 29th January 2025.
According to the SRA register, however, on the 1st of April 2025, 14 days prior to the publication of the final decision, the firm closed.
The managing director of the firm is now associated with a new firm which has been recognised by the SRA since late February 2025, which bears a similar name to the original firm.
These changes raise an important question as to whether a firm can mitigate the impact of a fine through changes to its structure.
Prior to 2018, the Information Commissioner had the power to levy a fine only on a data controller. This created enforcement challenges, as the ICO became an unsecured creditor of companies that had wound up or entered insolvency before paying the fine. To combat this, the ICO had to resort to working with other regulators to find ways to take enforcement action.
The Privacy and Electronic Communications (Amendment) Regulations 2018 changed this position in respect of enforcement under the Data Protection Act, but in doing so created another hurdle to enforcement.
The amendment to Section 3B of the Data Protection Act 1998 (which still governs the mechanism of fines through an associated statutory instrument) provides that the ICO can take action against an officer of the company, be that a director, member or secretary, if it can be proven that the contravention that led to the penalty either:
(a) took place with the consent or connivance of the officer, or
(b) was attributable to any neglect on the part of the officer.
The use of these powers in the context of a data breach remains untested.
Professional Standards Beyond Data Protection Law
The positive obligation of firms to maintain client confidentiality is well established in the SRA Code of Conduct for Solicitors and in common law, as demonstrated in Lord Millett's leading judgment in Prince Jefri Bolkiah v KPMG [1998] UKHL.
"Whether founded on contract or equity, the duty to preserve confidentiality is unqualified. It is a duty to keep the information confidential, not merely to take all reasonable steps to do so."
Given this high standard and the ICO's findings, the SRA arguably has the option, if it so desired, of bringing disciplinary action against the firm or one of its officers.
Whether you work within a firm or as a sole practitioner, secure use of IT systems is a personal responsibility, and poor security practices may have a significant professional impact.
Although it will never be possible to have taken every possible step to meet the 'unqualified' standard in Bolkiah, as new attacks and vulnerabilities appear daily, there are practical steps that can be taken to secure the "front door" to your data: your password.
Protecting Your Clients - And Yourself
According to the National Cyber Security Centre, forcing users to change passwords frequently and requiring complex alphanumeric passwords is an outdated approach that is a poor defence against social engineering and password guessing attacks.
The emphasis now is on techniques such as three random words (avoiding names, dates and sports teams), which produce passwords that are easier to remember and encourage better password hygiene.
An example could be SlugSmokeballMemories. Now that this has been published, it's best to use it only as inspiration for your own new password. Experts suggest that passwords of at least twelve characters built with this technique provide the best security, and that your professional passwords should never be reused, especially on personal services.
Changing passwords less frequently also helps. Password overload often leads to poor practice like using post-it notes with a hint to the password stuck on the palm rest of laptops.
Two-factor authentication, preferably using an authenticator app, provides even better security and is easy to configure for most services.
Finally, using a password manager with a strong 'three random words' password to access your secure vault of passwords can provide even more protection.
Many popular services will even alert you if one of your passwords has been compromised. According to Bitwarden, a popular free password manager, the example password above would take centuries to crack. It is worthwhile collaborating with your firm's IT team to ensure any apps you use are authorised.
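To make the brute force figures above concrete, the following is an added worked example (not code from the article, the ICO or Hive Systems) that reproduces the arithmetic behind a crack-time table: a password drawn uniformly from an alphabet of A characters with length L has A**L candidates, and an attacker trying R guesses per second exhausts them in A**L / R seconds. The guess rate GUESS_RATE is an assumption chosen so the eight-character results line up with the figures quoted in the article; real rates depend on the hashing algorithm and hardware. The leaked-password list is a constructed stand-in for the breach corpora attackers actually hold, and the word-level estimate shows what happens to a three-random-words passphrase if the attacker knows the word list it was drawn from.

```python
"""Password-guessing cost estimates (added example, not from the article)."""
import string

# Assumed guess rate in guesses per second. At this rate an eight-character
# digits-only password falls in about 15 minutes and lowercase-only in about
# three weeks, matching the 2025 figures quoted in the article. The real
# figure depends on the hash algorithm and the attacker's hardware.
GUESS_RATE = 1.1e5

# Constructed, deliberately tiny "breach corpus". Real attackers work from
# hundreds of millions of leaked passwords, so membership here means "instant".
LEAKED_PASSWORDS = {"password", "Password1", "admin", "welcome1", "Liverpool2024"}

SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(pw: str) -> int:
    """Size of the character classes an attacker must cover to reach pw."""
    size = 0
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of a given length over an alphabet."""
    return alphabet ** length


def worst_case_seconds(space: int, rate: float = GUESS_RATE) -> float:
    """Time to try every candidate; crack-time tables usually quote this."""
    return space / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", SECONDS_PER_YEAR), ("weeks", 7 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, secs in units:
        if seconds >= secs:
            return f"{seconds / secs:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(pw: str, leaked=LEAKED_PASSWORDS, rate: float = GUESS_RATE) -> dict:
    """Character-level estimate, short-circuited when pw is a known leak."""
    if pw in leaked:
        return {"keyspace": 1, "seconds": 0.0, "note": "instant: found in breach list"}
    space = keyspace(alphabet_size(pw), len(pw))
    return {"keyspace": space, "seconds": worst_case_seconds(space, rate),
            "note": "uniform random characters"}


def passphrase_estimate(n_words: int, dictionary_size: int, rate: float = GUESS_RATE) -> float:
    """Word-level estimate for an attacker who knows the word list in use."""
    return worst_case_seconds(dictionary_size ** n_words, rate)


if __name__ == "__main__":
    # Sample inputs are constructed for the demonstration.
    for pw in ("38215047", "qzmwvxkj", "QzMwVxKj", "Password1", "SlugSmokeballMemories"):
        r = estimate(pw)
        print(f"{pw:22} {human(r['seconds']):>22}  ({r['note']})")
    # Same passphrase, but modelled as three words from a known 10,000-word list.
    print(f"{'3 words / 10k list':22} {human(passphrase_estimate(3, 10_000)):>22}")
```

Run stand-alone, the table reproduces the minutes/weeks/years progression for eight characters, shows any leaked password as instant regardless of its shape, and gives SlugSmokeballMemories an astronomically long character-level time. The last line is the practitioner's caveat: if an attacker can guess that a password is three words with initial capitals from a common word list, the search space shrinks to roughly 10,000 cubed, and the estimate drops to months at the same guess rate. The three random words advice still holds, but the words must be genuinely random and not the published example, a name, a date or a sports team.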
How AI Supports - And Threatens - Legal Cybersecurity
AI is of course one of the hottest topics in the legal community. Where it helps with meeting these obligations is in providing simplified, tailored guides to setting up any of the services above, and in letting less technology-savvy professionals ask questions about any error messages they encounter along the way.
It is never wise to feed a password into an AI system, but using one for guidance may make password management less of a chore.
AI also, however, enables those with little technical knowledge to learn the tools needed to attack a computer system, especially given its ability to write code that can be run with little effort.
Dealing with your passwords may not be glamorous, but it is a fundamental necessity of modern working life. Protecting clients begins with protecting access. Find a few minutes this week to update your passwords – and maybe your firm’s policies too.