WHITEPAPER - Risk-Assessment in Legal Firms

Legal professions have always taken appropriate measures to protect the confidentiality, integrity and availability of the information they hold. Many appreciate the time-honoured threats posed by careless or dishonest individuals and are now aware of, and understand, the current data security challenges faced as a result of developments in technology and changing working environments.

In the coming years, legal institutions of all sizes will face an explosive growth in data that will need careful and considered management. Specialist legal software has made data generation more efficient and increased laptop use has made sensitive practice data more vulnerable to loss or exposure. Taking these new variables into account, legal firms need to review traditional risk-based approaches to information security and reflect on the new threat-levels faced.

In addition to technological developments, a change in regulatory requirements has resulted in a lower tolerance of mismanagement of practice data. The Data Protection Act 1998 and other security guidelines have been reviewed after a series of high-profile data exposure cases. The growing complexity of information management and regulation requires more functional and flexible approaches to information security in legal firms.

Purpose and structure

The purpose of this document is to assist responsible partners in identifying the new threats to information integrity and security. Partners should then undertake a current risk-assessment based on the advice herein and use it as a reference point when implementing an overall information security policy.

Risk-assessments should be reviewed annually alongside ongoing data protection compliance reviews. Guidance on developing a working information security policy can be obtained through the Law Society website (www.lawsociety.org.uk).

New Data Challenges

Data Growth

A 2008 study from research firm IDC found that data requirements in organisations are growing at an annual rate of 60 percent. The study found that although 70 percent of the digital universe is created by individuals, it is companies who are responsible for the security, privacy, reliability and compliance of over 85 percent of that data.

In the legal industry, a burgeoning adoption of laptops, use of specialist legal software and long-term email retention requirements have all contributed to explosive data growth. Laptops produce data outside office environments and traditional working hours; legal software gives users rapid ways to compile and use data sets; and five-year retention requirements on electronic communications mean that little of it can be discarded. Together these produce unprecedented levels of data to be managed.

Traditional data management systems like tape backup and storage will, sooner or later, struggle to cope with the increasing amount of data. It is likely that, without significant investment, data security, integrity and availability will be compromised as hardware is placed under repetitive strain and organisation and management become more difficult.

As a result of this rapid growth, legal firms need to find new ways to manage the increasing amount of data that are more cost-efficient and effective and that do not sacrifice the security or integrity of the data in the process.

Mobile Data

The increasing use of laptop and mobile devices among legal firms has started to raise significant issues regarding the security of the data contained upon them. Flexible methods to control the exposure of sensitive data outside office premises need to be explored in order to negate common threats and comply properly with legislation.

Most firms already implement encryption technologies; however, employees and contractors rarely behave reliably, and often write usernames and passwords down, which defeats the encryption on a device lost together with its credentials. Additionally, the responsibility for a core process like backup is often left to the discretion of the end user, which results in irregular and unreliable backups and a decentralised distribution of company data.

Data that is frequently used and changed offsite is more difficult to manage than data kept onsite, because the risk of exposure and data loss is much higher. As a result, responsible firms should now identify flexible ways to control the usage and backup of practice data outside office environments as well as inside.

Regulatory Requirements

As of April 6th 2010 the Information Commissioner's Office (ICO) will be able to issue monetary penalties of up to £500,000 for serious contraventions of the Data Protection Act 1998. Statutory provisions such as the Data Protection Act 1998 should be taken seriously by managing partners when designing an internal information security policy.

Lawyers, along with all other controllers of personal data, are subject to the provisions of the Data Protection Act 1998 - the seventh principle of which ‘requires data controllers to take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.

There are nine related statutes and regulations governing the access, distribution and storage of information. They include: the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000, the Computer Misuse Act 1990, the Human Rights Act 1998, the Freedom of Information Act 2000, the Copyright, Designs and Patents Act 1988, the Police and Criminal Evidence Act 1984, the Health and Safety (Display Screen Equipment) Regulations 1992 and the Protection of Children Act 1999.

Firms must also take reasonable steps to ensure the reliability of any employees or contractors who have access to personal data; the Data Protection Act 1998 states this expressly in its interpretation of the seventh principle, and the other provisions listed above should be read alongside it.

Risk Assessment

In light of these new developments, practice managers should acknowledge and carry out current risk-based assessments of their information security requirements. An up-to-date risk-based assessment will then go on to form part of a detailed policy for information management that satisfies existing and future data security considerations.

A risk-based approach

A risk-based approach in information security involves identifying:

  • A firm’s information assets
  • Threats to those assets, likelihood and impact
  • Methods to reduce, avoid or transfer the associated risks

Identifying information assets

Firms probably already regard certain information as more sensitive or valuable than other information; for example, confidential client data, staff salaries or internal management papers. Each of these might form a category of information requiring a particular level of protection.

Identifying the various categories of information held by the firm is an essential prerequisite to securing it appropriately and effectively.

Threats, likelihood and impact

To map the range of threats to information assets it may help to distinguish the security objectives of confidentiality, integrity and availability. Each objective points to a different range of (sometimes overlapping) threats; for example, third-party theft will compromise an information asset’s confidentiality, whilst staff error could affect its integrity; a power cut or mains water leak may affect the same document’s availability.

Threats are usually summarised by short descriptions. The simplest way to assess likelihood and impact is to categorise each as high, medium or low.

Risk reduction, avoidance and transfer

The effectiveness of countermeasures will depend on the nature and source of a threat, along with its likelihood and potential impact. Opportunities can then be found to reduce risk to an acceptable level, avoid it or transfer it (through insurance, indemnity or by agreement, for example).

With any risk management solution, some amount of risk will always remain. However, one of the advantages of a systematic approach to information security is that the level of residual risk the firm finds acceptable can be established. Once established, appropriate management decisions can be taken.

A comprehensive risk-based assessment of information security can be a complex task. One way of ensuring that it is approached systematically is by using an appropriate template. To aid in the process of risk-assessment, taking into account existing and future threats, firms may wish to use the example template and listed threats illustrated below:

Template columns: Asset; Description of threat; Likelihood; Impact; Countermeasures; Residual risk.

Asset: Practice management software databases on office servers
Description of threat: Hardware failure; computer virus; fire, flood or theft by third party. Risk to integrity and availability of client and personal data.
Likelihood: M
Impact: H
Countermeasures: Employ a reliable off-site backup programme; maintain a professional firewall; encrypt backup data copies; secure premises; locked rooms; alarm systems, etc.

Asset: Electronic files stored on employee laptops
Description of threat: Theft by third party; accidental loss; decentralised distribution of practice data. Risk to confidentiality, integrity and availability of client data.
Likelihood: H
Impact: H
Countermeasures: Employ an effective laptop encryption solution; adopt a centralised backup process.

Asset: Information in electronic comms between Office A and Office B
Description of threat: Access by third party. Risk to confidentiality, integrity and availability of client data.
Likelihood: M
Impact: H
Countermeasures: Implementation of encrypted internal comms (VPN); maintain an active firewall.

Asset: Electronic communications traceable for five years
Description of threat: Hardware failure; computer virus; access by third party. Risk to confidentiality, integrity and availability of client data.
Likelihood: M
Impact: M
Countermeasures: Implement a secure email archiving solution.
Residual risk: L

Asset: Hard copy client files
Description of threat: Theft by third party. Risk to confidentiality, integrity and availability of client data.
Likelihood: L
Impact: H
Countermeasures: Secured premises; locked rooms; alarm system in offices; locked filing cabinets/safe; clear desk policy; visitor access procedures; staff training and awareness.

The table shows the different types of asset along with a few example threats each faces (fire, flooding and theft are common to many), the likelihood, the impact, the countermeasures and an assessment of residual risk. In this simple example, levels are ascribed to high (H), medium (M) or low (L) categories. In the template as shown, only the email archive row carries a residual rating; a completed assessment should record one for every row, since that is the figure the firm decides whether or not to accept. Note that the assets listed are mainly electronic forms of data. Hard copy data is also relevant and should be given the same consideration when developing the risk-assessment.

In practice, firms will want to make a comprehensive list of all the threats to each asset and are likely to group types of assets together in their risk-assessment tables. A straightforward H/M/L categorisation scheme may nevertheless be sufficient. Risk can be managed by reducing its likelihood or its impact. It is rarely possible to eliminate a threat, though one way to do so, perhaps as a means of managing unacceptably high risk that cannot otherwise be reduced, is to cease the activity that gives rise to it.
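As an added example, not part of the original whitepaper, the following Python script turns the template above into a small risk register. It combines the H/M/L likelihood and impact of each asset through a 3x3 matrix to give an inherent rating, applies each countermeasure as a one-notch reduction of either likelihood or impact to give a residual rating, and flags any row whose residual risk exceeds the level the firm has decided to accept. Only the asset rows and their likelihood and impact values come from the table; the matrix, the effect assigned to each countermeasure and the risk appetite are assumptions chosen for illustration.

```python
"""Qualitative risk register built from the whitepaper's template table.

Added example, not from the original whitepaper. The asset rows and their
likelihood/impact values are the table's; the risk matrix, the effect given
to each countermeasure and the risk appetite are assumptions for illustration.
"""
from dataclasses import dataclass, field

LEVELS = ["L", "M", "H"]  # ordered low to high; list index is the severity

# Assumed 3x3 matrix: (likelihood, impact) -> overall rating.
RISK_MATRIX = {
    ("L", "L"): "L", ("L", "M"): "L", ("L", "H"): "M",
    ("M", "L"): "L", ("M", "M"): "M", ("M", "H"): "H",
    ("H", "L"): "M", ("H", "M"): "H", ("H", "H"): "H",
}


def rate(likelihood: str, impact: str) -> str:
    """Combine two H/M/L levels into a single rating via the matrix."""
    return RISK_MATRIX[(likelihood, impact)]


def lower(level: str, steps: int = 1) -> str:
    """Reduce a level by `steps` notches, never below L."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass
class Countermeasure:
    name: str
    reduces: str  # "likelihood" or "impact" (assumed effect of the control)
    steps: int = 1


@dataclass
class Asset:
    name: str
    threats: str
    likelihood: str
    impact: str
    countermeasures: list = field(default_factory=list)

    def inherent(self) -> str:
        """Rating before any countermeasure is applied."""
        return rate(self.likelihood, self.impact)

    def residual(self) -> str:
        """Rating after every countermeasure has lowered its dimension."""
        likelihood, impact = self.likelihood, self.impact
        for cm in self.countermeasures:
            if cm.reduces == "likelihood":
                likelihood = lower(likelihood, cm.steps)
            elif cm.reduces == "impact":
                impact = lower(impact, cm.steps)
            else:
                raise ValueError(f"unknown dimension {cm.reduces!r}")
        return rate(likelihood, impact)


def register(assets: list, appetite: str = "M") -> list:
    """Rows sorted worst-first; `accept` is False where residual exceeds appetite."""
    rows = [
        {
            "asset": a.name,
            "inherent": a.inherent(),
            "residual": a.residual(),
            "accept": LEVELS.index(a.residual()) <= LEVELS.index(appetite),
        }
        for a in assets
    ]
    rows.sort(key=lambda r: (-LEVELS.index(r["residual"]), -LEVELS.index(r["inherent"])))
    return rows


# Rows taken from the whitepaper's template; countermeasure effects are assumed.
EXAMPLE_ASSETS = [
    Asset("Practice management software databases on office servers",
          "hardware failure; virus; fire, flood or theft", "M", "H",
          [Countermeasure("off-site backup", "impact"),
           Countermeasure("professional firewall", "likelihood")]),
    Asset("Electronic files stored on employee laptops",
          "theft; accidental loss; decentralised data", "H", "H",
          [Countermeasure("laptop encryption", "impact"),
           Countermeasure("centralised backup", "impact")]),
    Asset("Information in electronic comms between Office A and Office B",
          "access by third party", "M", "H",
          [Countermeasure("encrypted internal comms (VPN)", "likelihood")]),
    Asset("Electronic communications traceable for five years",
          "hardware failure; virus; access by third party", "M", "M",
          [Countermeasure("secure email archiving", "likelihood")]),
    Asset("Hard copy client files", "theft by third party", "L", "H",
          [Countermeasure("secured premises and locked cabinets", "likelihood")]),
]

if __name__ == "__main__":
    for row in register(EXAMPLE_ASSETS, appetite="M"):
        flag = "" if row["accept"] else "  <-- above appetite"
        print(f'{row["inherent"]} -> {row["residual"]}  {row["asset"]}{flag}')
```

With these assumptions the email archive row comes out at residual L, matching the template, while the laptop row stays at M because encryption and backup lower the impact of a theft but do nothing to its likelihood. The hard copy row shows the other limit of the model: its likelihood is already L, so physical controls cannot lower it further and the high impact keeps the residual at M. Lowering the appetite to L flags all three of those rows, which is the point at which the text's option of ceasing the activity, or transferring the risk, has to be considered.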

The task of analysing the different types of risk to different assets and identifying countermeasures is, potentially, time consuming and specialist. To some degree it is likely to be a team effort and firms may need to seek expert advice either in relation to carrying out the exercise or to identify appropriate countermeasures.

Where resources do not permit a comprehensive risk-based information security assessment, firms may nevertheless benefit from carrying out a basic, high-level exercise in which they consider categories of asset, risk and countermeasures. This will help to identify any areas in which their information security is particularly weak or non-existent. At the very least, a detailed risk-assessment process will serve to raise awareness within the firm of the threats it needs to be aware of.

Conclusion

Technological developments will never cease; their acceptance and adoption is the only sure way to remain competitive in the longer term. The firms that perform best in years to come will embrace the benefits that technology brings and also take a rigorous approach to the data management challenges presented alongside them.

Effective information security relies heavily upon understanding and properly managing a firm’s information assets. Good information management is the lifeblood of all knowledge-based professions and industries, and can only contribute to a firm’s overall efficiency and profitability.

Information security is one of the foundations of trust that will underpin the legal profession in the 21st century. In the longer term, it is to be hoped that a firm which takes information security as seriously as the management of other aspects of its practice will see its reputation grow accordingly.
