Recent high-profile information security lapses will impact on the running of law firms, says Dr Chris Pounder, especially given a lax approach to compliance and security
The recent, well-publicised security breaches will have one important consequence: in future, all organisations may have to prove they have maintained the appropriate security standards. Law firms, now heavily dependent on their IT systems, will also be buffeted by the winds of change that are now blowing away years of complacency towards security management.
The past decade has seen all regulators and governments gradually develop binding rules covering the governance of IT systems. This development originated with the frenetic activity surrounding the millennium bug, which demonstrated that a functioning modern economy was totally dependent on its computer systems. The 9/11 atrocity some 18 months later shed light on the fact that far too many systems were simply incompatible and not resilient in the face of a terrorist incident or a catastrophic act of God. Then the collapse of some multi-national corporations, such as Enron, demonstrated that some organisations would hide their financial problems by using reporting systems that were not fit for purpose.
The political response to these problems was to enact legislation that gave powers to ministers or regulators to impose standards with respect to interoperability, governance and resilience. The use of legislation in relation to governance of IT systems was established as a fact of life.
Regulatory response
The spate of security lapses that followed the Revenue & Customs fiasco has dealt another shock to the system of IT governance. The public now know that far too many organisations have a relaxed attitude to basic security management, and this conclusion has again jolted the political system into a regulatory response. As the data items of concern are details such as names, addresses and bank account details, the main regulatory vehicle of change will be the Data Protection Act.
Already, the government has conceded that it intends to provide increased powers to the Information Commissioner in relation to inspection and audit, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance. On the horizon is further legislation that gives the commissioner the ability to name and shame transgressors, to order compliance with best security practice, to punish a breach of security obligations, and a requirement that organisations tell individuals that their personal details have been lost.
Control or process
Under the current Data Protection Act, a law firm can act in two capacities: as a 'data controller' or a 'data processor'. The former occurs when the firm is in control of all aspects of the processing of the personal data (such as in relation to details about its staff or customers); the latter occurs when providing services to clients that require the processing of their personal data (such as examining personal data in order to provide advice).
When acting as a data controller, law firms have a number of statutory obligations. First, they must undertake a risk assessment in relation to their processing and put in place counter-measures that reduce the identified threats. Second, they should ensure that their security arrangements are not out-of-date, that their procedures or practices conform with best practice and that all staff are made reliable (such as by training in relevant practices and procedures). In this regard, the security standard ISO 27001/27002 will emerge as the benchmark which will be used by regulators to judge these matters.
A client of a law firm would sometimes see the firm as a data processor. Here, the act requires the client, as data controller, to be satisfied that the law firm's security practices are appropriate to the processing of its personal data, and to achieve this obligation the client might demand, from the firm, contractual guarantees and insist on mechanisms that prove that any guarantee is worth the paper it is written on. This could involve the firm producing evidence that staff have been trained, or that instructions have been followed, or that the firm's security procedures are subject to an independent audit.
Changing environment
So, imagine the future: a lawyer loses a laptop containing personal data in a car that is stolen, or leaves the laptop on a train. Regulators will ask all the obvious questions: Why can't the law firm recover from this loss? Who authorised the lawyer to take the personal data out of the office, and why was the data on the laptop unencrypted? There might even be an obligation to inform the Information Commissioner of the loss of personal data, and the commissioner might then ask for all individuals concerned to be notified. These are circumstances that could produce damaging publicity for the client and law firm, and undermine client relations.
In serious cases, a security incident could also be referred to the Solicitors Regulation Authority. Section 4.01 of its Code of Conduct states that 'you and your firm must keep the affairs of clients and former clients confidential except where disclosure is required or permitted by law or by your client'. A breach that is a result of a laissez-faire attitude to security management could easily spell trouble.
Law firms have relied on their innate culture of client confidentiality. It has served them well for decades. However, law firms should recognise that the political and social environment is changing. They would be well advised to ensure that this culture is supported by a rigorous approach to security and governance of all their IT systems, one which also provides evidence that the firm has met its regulatory obligations.
Dr Chris Pounder is editor of Data Protection Quarterly, published by Pinsent Masons