Information security

Why this risk matters

  • Solicitors and firms handle very sensitive information. If that information is lost or stolen, it can harm their clients’ interests.
  • Hard copies of information can be lost or stolen, and cannot easily be encrypted.
  • Protecting electronic information presents challenges, as cybercriminals do not need to be physically present to access it.
  • The General Data Protection Regulation (GDPR), in force from 25 May 2018, will changes the rules relating to protecting personal information. Solicitors and firms need to be prepared.


  • Cybercrimes and scams aimed at stealing information include:
    • Malware – harmful software that includes viruses and ransomware programs. These encrypt files and demand a ransom in return for a decryption key.
    • Phishing and vishing – where a criminal uses email or telephone to obtain confidential information, such as a password, through building a personal relationship with a solicitor or law firm employee.
    • CEO fraud – where a criminal impersonates a senior figure at a law firm through hacking or buying a very similar email address to indicate authority and order money transfers.
    • Identity theft – where bogus firms copy the identity and brand of a law firm.
  • We receive around 40 reports of confidentiality breaches each month. All solicitors and firms must take care to understand the threats and how to avoid them.
  • Where firms do not take reasonable steps to protect information, we will take action. The Solicitors Disciplinary Tribunal fined a solicitor £20,000 for practice management failures that included failures to dispose of client files securely.


  • Many threats to information target people, rather than electronic systems. Firms should train staff to recognise common scams. Our report IT Security: keeping information and money safe, has more information on common scams.
  • Non-electronic information can be protected by steps such as locking files away at night, and being careful not to discuss sensitive information on the telephone where others can overhear.
  • The best defence against ransomware is a backup that is not constantly connected to the firm’s system.
  • The Government endorsed Cyber Essentials scheme can help firms check that they have a secure system, and offers different levels of certification to suit different sizes of business.
  • The National Cyber Security Centre and Action Fraud give a range of guidance on protecting information security from fraud and cyber threats. Their one-page summaries can be useful for staff training sessions and reminders.
  • The Information Commissioner’s Office has launched an advice line and accessible guidance aimed at small businesses preparing for GDPR. They have also updated their twelve steps to take now guidance. They also presented at our 2017 Compliance Officer Conference.

Further information

Print page to PDF