Law firms could face a £500,000 fine if they lose unencrypted laptops or data sticks containing personal information, under new proposals.

A government consultation sets out new powers for the information commissioner to levy hefty fines on organisations that breach the Data Protection Act 1998.

The £500,000 maximum fine could be imposed for any ‘serious’ breach of data protection that caused ‘substantial damage or distress’, if the firm was reckless or deliberate in allowing the breach to occur.

Peter Church, solicitor in the technology, media and telecoms practice at magic circle firm Linklaters, said law firms could be vulnerable to fines if they failed to use encryption methods to properly protect data. He said: ‘Law firms are data controllers and subject to the Data Protection Act. They are therefore at risk of being issued with [a fine].

‘The biggest risk to law firms will be data security. Most of the enforcement action taken by the information commissioner so far has been for security breaches, particularly involving mobile data devices such as laptops and USB sticks.

‘The doomsday situation for law firms will be where the client provides full information about all of its employees [on a mobile device], and that goes missing. Or a law firm HR department will lose a laptop containing details of all the lawyers who work for that firm.’

Church said that in this kind of situation, past enforcement action by the information commissioner’s office indicates that it would consider that there had been a ‘serious breach’, and that the loss of the data had caused ‘substantial distress’ to the individuals whose data had been lost.

He added: ‘Would losing a laptop or data stick that contains substantial amounts of personal information be considered reckless? There have been so many cases now of unencrypted laptops being stolen, that it would be hard to argue that it was not reckless.’

The current maximum level of fine that the information commissioner can impose is £5,000. The new provisions, which would raise the maximum fine level to £500,000, could come into force next April.