Information security

Why this risk matters

  • Solicitors and firms handle very sensitive information. If that information is lost or stolen, it can harm their clients’ interests.
  • Written information can be lost or stolen, and cannot easily be encrypted.
  • Protecting electronic information presents challenges, as cybercriminals do not need to be physically present to access it.
  • The General Data Protection Regulation, in force from 25 May 2018, will change the rules relating to protecting personal information. Solicitors and firms need to be prepared.


  • Cybercrimes and scams aimed at stealing information include:
    • Malware – harmful software that includes viruses and ransomware programs. These encrypt files and demand a ransom in return for a decryption key.
    • Phishing and vishing – where a criminal uses email or telephone to obtain confidential information, such as a password, through building a personal relationship with a solicitor or law firm employee.
    • CEO fraud – where a criminal impersonates a senior figure at a law firm through hacking or purchasing a very similar email address to impose authority and order money transfers.
    • Identity theft – where bogus firms copy the identity and brand of a law firm.
  • We receive around 40 reports of confidentiality breaches each month. All solicitors and firms must take care to understand the threats and how to avoid them.


  • Many threats to information target people, rather than electronic systems. Firms should train staff to recognise common scams. Our paper IT Security: keeping information and money safe, has more information on common scams.
  • Non-electronic information can be protected by steps such as locking files away at night, and being careful not to discuss sensitive information on the telephone where others can overhear.
  • The best defence against ransomware is a backup that is not constantly connected to the firm’s system.
  • The governmentally endorsed Cyber Essentials scheme can help firms check that they have a secure system, and offers different levels of certification to suit different sizes of business.
  • The Information Commissioner’s Office has launched an advice line aimed at small businesses preparing for GDPR. They have also updated their twelve steps to take now guidance.

Further information

Print page to PDF