Why information security has now become a costly issue for law firms
Information security is a bit of a given in law firms - it's assumed to be happening, but it's not always actually done. But I still don't think it's sinking in that it can cost a law firm tens of thousands of pounds.
It's not like lawyers and the business services people who work in law firms don't realise the information they deal in is, usually, sensitive and commercially useful to others - they know this very well. But because law firms have not traditionally been forced by their regulator to worry about some parts of digital information security (email being a main one), some things still go wrong.
There's another reason things go wrong, though it won't be a popular one for me to say - partners and senior associates. Some partners and senior lawyers, and they're not all older members of the profession, think they are somehow outside the normal rules of behaviour, both in terms of manners and actions.
These are the kinds of lawyers who tell IT to get stuffed when someone dares to say they can't take huge amounts of client information home, or they want untrammelled access to sensitive information regardless of what platform they're using to access it. They OWN the firm, damn it, and no one tells them what to do.
Perhaps the Information Commissioner might be the person to give them a wake-up call, because recently Solicitors Journal reported that A4e, a law firm in the Midlands, was fined £60,000 for allowing a laptop with 24,000 clients' details on it to leave the premises unencrypted. It was later stolen in a burglary.
Quite what any firm is doing putting 24,000 clients' details on any device that's not encrypted is beyond me. It's beyond stupid. The Commissioner's fine was, in my opinion, lenient.
More depressing is that one of the first two fines the ICO has imposed under its new regime of fat penalties went to a law firm. You'd have thought law firms would know better. Obviously some of them don't.
Law firms need to wake up to information security, soon, because if more firms end up in trouble like A4e in future, the ICO will likely think an example needs to be made. And you don't want that to be you.
