According to PwC’s latest law firm report, 73% of the top 100 UK law firms reported that they had suffered a security incident in the last 12 months (up from 62% in 2015). These are the firms with the biggest IT budgets and entire risk and compliance teams devoted to keeping them on the right side of the regulatory line; and still they can fail.
While cyber security dominates the headlines, other behaviours pose equally serious threats. Of the security incidents suffered by law firms, 41% related to incidents caused by staff and 35% resulted from loss or leakage of confidential information.
What’s the worst that could happen? With the EU General Data Protection Regulation (GDPR) applying from 2018, firms could face fines of up to 4% of global annual turnover for serious contraventions of the rules. That is on top of the potential damage to client relationships and the firm’s reputation.
In a world of agile working, where people are working at pace to meet client expectations, handling personal and confidential data properly has never mattered more. Are you confident that your firm has the right approach to managing sensitive information?
Firms are investing in ISO 27001 information security certification, but are they getting the basics right? The issue we most frequently come across concerns information barriers.
Almost all law firms use information barriers to keep client or matter information confidential. When a firm is involved in a potentially newsworthy matter or for a high-profile client, information barriers permit access only to named individuals.
All too often, the information barrier process is poorly thought through, with the focus on setting up the fee earners. Little attention is given to how those fee earners will be supported.
How often does your firm consider document production or other administrative services when putting an information barrier in place? Could the people typing documents, scanning or filing be breaching information barriers without even realising?
Perhaps a PA is included as part of the team behind the barrier, but what happens when they are on holiday, or if someone else also has delegate rights to the same fee earner’s inbox? In our experience, multiple delegates on one inbox can inadvertently cause major problems for information barriers: every delegate can read what the fee earner receives, whether or not their name is on the barrier.
Anyone not behind an information barrier won’t even know that such a barrier exists, so they will not know when they have crossed it. We estimate that in most firms, information barriers are breached at least once during their existence. Unless there is a negative consequence, those firms remain none the wiser and so do not learn from their mistakes. Ignorance is no defence.
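One way to find the delegate problem described above before a client does, as an added example that is not part of the original article: a small Python audit that compares the barrier roster with a delegate-permission export from the mail system. The roster, the names and the shape of the export are constructed for illustration; a real run would take the delegate list from the mail platform (for Exchange, a mailbox-permission export is the usual source) and the roster from the risk and compliance team’s record of the barrier.

```python
"""Audit mailbox delegation and cover arrangements against an information-barrier roster.

Added example; the people, matter and export format below are invented for illustration.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind member via")

# Constructed sample: everyone permitted to see the matter (fee earners AND support staff).
BARRIER_MEMBERS = {"j.smith", "a.patel", "r.lee", "pa.jones"}

# Constructed sample: mailbox owner -> people holding delegate (read) access to that mailbox,
# in the shape you would get from a delegate-permission export of the mail platform.
DELEGATIONS = {
    "j.smith": {"pa.jones", "pa.brown"},   # pa.brown is not behind the barrier
    "a.patel": {"pa.jones"},
    "pa.jones": {"pa.brown", "pa.green"},  # the PA's own inbox is shared with two cover PAs
    # r.lee has no record in the export at all
}

# Constructed sample: absence cover as agreed when the barrier was set up.
COVER = {
    "r.lee": {"j.smith"},
    "pa.jones": {"pa.green"},              # cover names someone outside the barrier
}


def audit_barrier(members, delegations, cover):
    """Return findings, ordered by member, for the failure modes the article describes:
    an outsider holding delegate rights, a member with no agreed cover, cover given to
    an outsider, and a member whose mailbox is missing from the export altogether."""
    findings = []
    for member in sorted(members):
        if member not in delegations:
            # No record is not the same as no delegates: the export is incomplete.
            findings.append(Finding("medium", "no_delegation_record", member, None))
        else:
            for delegate in sorted(delegations[member]):
                if delegate not in members:
                    findings.append(Finding("high", "delegate_outside_barrier", member, delegate))
        named = cover.get(member, set())
        if not named:
            findings.append(Finding("low", "no_cover_named", member, None))
        for person in sorted(named):
            if person not in members:
                findings.append(Finding("high", "cover_outside_barrier", member, person))
    return findings


def people_with_access(members, delegations):
    """Everyone who can actually read matter material: the roster plus every delegate on a
    roster member's mailbox. If this is larger than the roster, the barrier is leaking."""
    reach = set(members)
    for member in members:
        reach |= delegations.get(member, set())
    return reach


if __name__ == "__main__":
    for f in audit_barrier(BARRIER_MEMBERS, DELEGATIONS, COVER):
        print(f"{f.severity:6} {f.kind:26} {f.member}" + (f" via {f.via}" if f.via else ""))
    print("roster size:", len(BARRIER_MEMBERS),
          " effective reach:", len(people_with_access(BARRIER_MEMBERS, DELEGATIONS)))
```

Two points the output makes that the prose only implies: the PA’s own inbox is audited only because she is on the roster, which is why support staff must be recorded as barrier members rather than treated as an afterthought; and a member with no entry in the export is reported rather than silently passed, because silence from the mail system is not evidence of a clean barrier.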
In our experience, the best arrangement is for one senior person to have full oversight of all information barriers in operation at the firm. There needs to be a robust, publicised and easy to follow protocol for setting up an information barrier, involving representatives from risk and compliance, IT and administrative services.
We know that for an information barrier to be effective, it should involve the smallest number of people possible. Those people need to be aware of their responsibilities and, when they are away from the office, know how to make alternative arrangements.
This approach, supported by our emphasis on cross-training, ensures that there are a sufficient number of people from each Intelligent Office service able to work on the matter and to cover holidays or shift patterns. Training and refreshers delivered ‘little and often’ ensure that information security remains front of mind for all Intelligent Office staff at all times.
Despite the underlying threat to reputation, relationships and the bottom line, not all firms apply the same degree of rigour to information barriers. If they can’t get these seemingly simple things right, how can their clients have confidence that more complex security arrangements are robust?
As the leading provider of PA and administrative support to the UK legal market we have unrivalled experience of working on hyper-sensitive matters within law firms. Our proactive approach ensures that we deliver a service that helps our clients uphold their obligations.