Information security

Why this risk matters

  • Solicitors hold sensitive and confidential information about their clients and must protect it. Any loss of that information can have financial, reputational or personal consequences for the client, and for the solicitor that loses it.
  • Information security is not just about technology and protecting electronic information. It is also about protecting printed data and sensitive discussions in the office or when working outside the office.


  • There were 512 concerns reported to us about breaches of confidentiality in 2017 and a further 122 in the first quarter of 2018.
  • For all sectors in the first quarter of 2018, the Information Commissioner’s Office (ICO) received:
    • 97 reports of cyber security incidents.
    • 119 reports of lost paperwork.
    • 284 reports of data being sent to the wrong person by email, post or fax.
  • This increase may be because of the increased awareness of data protection and the launch of the ICO’s Personal Data Breach helpline.
  • The most common legal sector breaches reported to the ICO are confidential emails and letters being sent to the wrong person and lost or stolen paperwork.


  • Firms can protect information by:
    • double-checking emails and letters are being sent to the right address, for example some email systems will flag external email addresses
    • protecting physical documents, for example by locking filing cabinets at night and taking precautions when transporting documents
    • making sure that sensitive conversations are not overheard
    • keeping electronic data backed up securely
    • using appropriate encryption when storing and transferring personal data
    • understanding and meeting their General Data Protection Regulation (GDPR) and Data Protection Act 2018 obligations.
  • When there is a serious breach of confidentiality, firms will need to report them to us and consider whether a referral should be made to the ICO by following their guidance on reporting a breach. The ICO has an advice line and accessible guidance to help small businesses comply with GDPR. The Law Society also has a guide for solicitors on GDPR compliance.
  • Our report, Information security: keeping information and money safe, provides more detail on common information security threats and on the best practices for how to deal with them.
  • When we learn about criminal activities or frauds targeting firms, we issue scam alerts to warn the public and law firms about known threats. There is also a quarterly round up of these alerts to show the high-risk scams for both members of the public and solicitors
  • When a loss of client data is reported to us, we take action where needed. While we recognise that no defences are perfect, we will act where client information is exposed, and the firm had not taken appropriate steps to protect it or report it to us promptly.
Print page to PDF