In discussing the data breach at Panamanian law firm Mossack Fonseca, which saw the release of the 11.5 million documents already known as the ‘Panama Papers’, the media has understandably focused almost entirely on the tax affairs of Mossack Fonseca’s clients. There’s another issue at stake, however: data security.
Without wishing to comment on client probity, it must be acknowledged that the nature of the legal profession is such that all law firms – without exception – will hold substantial amounts of information that they and their clients won’t want to be made public.
Legal professional privilege is a fundamental principle of justice, and clients must be sure that what they tell their lawyers in confidence remains confidential. Likewise, lawyers must know that the information they hold is protected from malicious or inadvertent disclosure.
Whatever it relates to, if law firms cannot guarantee the security of the information they hold, then their professional standing will suffer, as might their clients.
According to the BBC, Mossack Fonseca partner Ramon Fonseca has stated that the data was stolen by a hacking attack from abroad and that his firm has filed a complaint with the Panamanian Attorney General’s office.
All law firms should take the Panama breach as a wake-up call, especially as law firms were ranked the seventh highest target for cyber criminals by CISCO’s last Annual Security Report.
Are your systems safe from cyber attack? Are your paper records secure? Are you confident that the information you hold is always safe?
Information security best practice
Principle 7 of the Data Protection Act states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
And as the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’
An ISO 27001-compliant information security management system (ISMS) provides a risk-based approach to data security that can be applied across the firm and throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture and business efficiency while providing a higher level of confidence to customers and stakeholders, as well as allowing you to meet your legal and regulatory data protection obligations.
ISO 27001 adoption among the legal profession
According to the latest ISO Survey, there was a 17.6% growth in the number of ISO 27001 certificates in the UK last year, and many leading law firms, including Allen & Overy, Clifford Chance and Bond Pearce have already achieved certification to the Standard as a means of proving their commitment to securing their clients’ data:
“This certification provides real business benefits when working with our clients and future clients, especially within the financial industry.”
Allen & Overy
“Retaining our ISO 27001 certification demonstrates our high level commitment and understanding of security requirements to ensure our client information and data remains fully secure.”
“It is quite surprising other law firms haven’t adopted this, but they tend to operate on a peer review system. Hopefully if they see others in the same field trying for it, they will do the same.”
Free paper: ISO 27001 for Law Firms
Having worked with top law firms including Eversheds, Freshfields, and Slaughter and May, IT Governance knows the importance of implementing robust information security best practices within the legal profession.
For more information about ISO 27001, and to learn how we can help your firm achieve a robust information security posture, download our free paper, ISO 27001 for Law Firms >>