According to PwC’s latest law firm report, 73% of the top 100 UK law firms reported that they had suffered a security incident in the last 12 months (up from 62% in 2015). These are the firms with the biggest IT budgets and entire risk and compliance teams devoted to ensuring they stay on the right side of the regulatory line; and still they can fail.
While cyber security dominates the headlines, other behaviours pose equally serious threats. Of the security incidents suffered by law firms, 41% were caused by staff and 35% resulted from loss or leakage of confidential information.
What’s the worst that could happen? With the EU General Data Protection Regulation (GDPR) coming into force in 2018, firms could face fines of up to 4% of global annual turnover for serious contraventions of the rules, on top of the potential damage to client relationships and the firm’s reputation.
In a world of agile working, where people work at pace to meet client expectations, the way personal and confidential data is stored and processed has never been more important. Are you confident that your firm has the right approach to managing sensitive information?
Firms are investing in information security accreditation ISO 27001, but are they getting the basics right? The issue we most frequently come across concerns information barriers.
Almost all law firms use information barriers to keep client or matter information confidential. When a firm is involved in a potentially newsworthy matter or for a high-profile client, information barriers permit access only to named individuals.
All too often, the information barrier process is poorly thought through, with the focus on setting up the fee earners behind the barrier. Little attention is given to how those fee earners will be supported.
How often does your firm consider document production or other administrative services when putting an information barrier in place? Could the people typing documents, scanning or filing be breaching information barriers without even realising?
Perhaps a PA is included as part of the team behind the barrier, but what happens when they are on holiday, or if someone else holds delegate rights to the same fee earner’s inbox? In our experience, multiple delegate rights can inadvertently cause major problems for information barriers.
Anyone not behind an information barrier won’t even know that such a barrier exists. We estimate that in most firms, information barriers are breached at least once during their existence. Unless there is a negative consequence, those firms remain none the wiser and so do not learn from their mistakes. Ignorance is no defence.
In our experience, the best-case scenario involves one senior person having full oversight of all