As well as their own corporate information, law firms hold a wealth of client information – including confidential business data, proprietary information and intellectual property, litigation strategy information, personally identifiable information, and other legally privileged information. The need to protect this information is obviously paramount for every responsible firm.
Cisco’s 2015 Annual Security Report ranked law firms the seventh most frequent target for cyber criminals, and last year, according to the Law Society Gazette, the ICO investigated 173 UK law firms over a variety of incidents that may have breached the Data Protection Act 1998 (DPA). A law firm found to have breached the DPA can face a monetary penalty of up to £500,000 from the ICO, as well as a damaging loss of credibility.
Last year, the Information Commissioner, Christopher Graham, warned the legal profession to improve its information security practices following 15 reported data breach incidents involving members of the legal profession in three months. Mr Graham commented:
“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.”
ISO 27001 and best-practice cyber security
Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
As the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’
An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls.
An ISMS addresses people, processes and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organisation actually faces, thereby limiting the risks posed by untrained staff, inadequate procedures and out-of-date software.
ISO 27001 adoption among the legal profession
Many leading law firms, including Allen & Overy, Clifford Chance and Bond Pearce have achieved ISO 27001 certification to prove their commitment to securing their clients’ data:
“This certification provides real business benefits when working with our clients and future clients, especially within the financial industry.”
Allen & Overy
“It is quite surprising other law firms haven’t adopted this, but they tend to operate on a peer review system. Hopefully if they see others in the same field trying for it, they will do the same.”
“Retaining our ISO 27001 certification demonstrates our high level commitment and understanding of security requirements to ensure our client information and data remains fully secure.”
Free paper: ISO 27001 for Law Firms
Having worked with the top law firms including Eversheds, Freshfields, and Slaughter and May, IT Governance knows the importance of implementing robust information security best practices within the legal profession.
For more information about ISO 27001, and to learn how we can help your firm achieve a robust information security posture, download our free paper, ISO 27001 for Law Firms.