Information security

Why this risk matters

  • Solicitors hold sensitive and confidential information about their clients and must protect it. Any loss of that information can have financial, reputational or personal consequences for the client, and for the solicitor that loses it.
  • Information security is not just about technology and protecting electronic information. It is also about protecting printed data and sensitive discussions in the office or when working outside the office.


  • There were 512 concerns reported to us about breaches of confidentiality in 2017 and a further 408 reports in the first three quarters of 2018. This shows an increasing trend compared to the same period in 2017.
  • Most of the information security breaches reported to the Information Commissioner's Office (ICO) for all sectors are:
    • confidential emails, faxes and letters being sent to the wrong person
    • lost or stolen paperwork.

What firms can do

  • Firms can protect information by:
    • double-checking emails and letters are being sent to the right address, for example some email systems will flag external email addresses
    • protecting physical documents, for example by locking filing cabinets at night and taking precautions when transporting documents
    • making sure that sensitive conversations are not overheard
    • keeping electronic data backed up securely
    • using appropriate encryption when storing and transferring personal data
    • understanding and meeting their General Data Protection Regulation (GDPR) and Data Protection Act 2018 obligations.
  • Solicitors have always needed to work on the move, and remote and home working are becoming more common. It is important that solicitors take care to keep information safe while outside the safety of a secure office.
  • When there is a serious breach of confidentiality, firms need to email our Report Team and consider whether a referral should be made to the ICO by following their guidance on reporting a breach. The ICO’s advice line and accessible guidance helps small businesses comply with the GDPR. The Law Society has a guide for solicitors on GDPR compliance.
  • Our report, Information security: keeping information and money safe, gives more detail on common information security threats and on the best practices for how to deal with them.

What we are doing

  • When we learn about criminal activities or frauds targeting firms, we issue scam alerts to warn the public and firms about known threats. There is also a quarterly round up of these alerts to show the high-risk scams for both members of the public and solicitors.
  • When a loss of client data is reported to us, we recognise that no defences are perfect and take action where needed. We will act where:
    • client information is exposed
    • the firm had not taken appropriate steps to protect it or report it to us promptly.