Who would steal our files?

1 June 01

The potential implications and the risk control points arising from the theft of files or equipment

by Alistair Sim, Charles Sandison

If asked to consider what events might result in the destruction or loss of files, most of us would probably think of fire or flood as the most likely causes.  An office conflagration or inundation can have devastating consequences for any business but the theft of files and equipment could be equally disastrous for a legal practice.

A firm of solicitors recently experienced a break-in at their premises. The firm’s offices were secured as usual at close of business. During the course of the night, intruders gained access to the office. It appears that the raid had as its objective the removal of as much electronic equipment as the thieves could carry away. They removed hard disks, monitors, cabling, software and caused damage to the office. None of the equipment has been recovered.

Potential consequences

  • Confidentiality breach?

A large amount of data residing on various systems has been lost with the theft of the hardware and much of that data was highly confidential. There must be a risk of confidentiality being compromised and of sensitive information getting into the wrong hands. There have been well-publicised instances where laptops apparently containing ‘top secret’ information have been stolen. Even though stolen systems are likely to be reformatted and the sensitive data wiped, the situation can cause significant anxiety to those concerned.

  • Accounts Rules Compliance problems?

Even where procedures have been agreed for the backing up of accounting records, experience shows that, in practice, those procedures are sometimes allowed to lapse with the result that back-ups are taken much less frequently than intended. If the latest back-up tape is continually left in the computer, there is a risk that the precious tape will disappear along with the hardware in the event of a burglary.

In that event, there may be severe practical difficulties in demonstrating compliance with the Accounts Rules because of the loss of equipment and up-to-date back-up. This situation could continue until replacement hardware and software is obtained, the latest accounting information loaded from the latest back-up available and postings brought up to date. Replacement software may not always be available straight away and this may compound the delay.

  • Accounting problems generally?

Apart from potential problems in demonstrating compliance with the Accounts Rules, the loss of a firm’s up-to-date accounting records would inevitably impact on its day-to-day business. What if there were significant numbers of transactions settling in the immediate aftermath of a theft?

  • Software costs?

Is there provision in the firm’s software licensing agreement for the software to be replaced at a token cost? If not, the software application may require to be repurchased at full cost. In any event, the replacement cost ought to be covered by the firm’s office insurances provided the sums insured and wordings are adequate.

  • Re-work and lost productivity

The theft of computer equipment can have an enormous impact on a business in terms of re-work and lost productivity. Cashroom staff may have to spend a considerable amount of time re-posting information. Time will be expended by support staff in reconfiguring replacement software. If word processing files have not been backed up to date, there may be a considerable amount of work involved in recreating documents and that may also involve considerable input from fee earners.

Inevitably, partners and others will end up investing substantial time dealing with all of the above.

Lessons to be learnt

The consequences of the recent theft have led to a reappraisal of the firm’s risk management procedures. It is unlikely that thieves would have wanted, or been able, to remove paper files to such devastating effect and the risk controls which have now been put in place take far more account of the potential consequences of a break-in and theft of computer equipment.

The ‘paperless office’, now being contemplated by some practices, will create even greater dependence on the availability of firms’ IT systems. Security arrangements and contingency plans therefore become increasingly important.

For firms involved in investment management with records held electronically, it could be enormously disruptive and damaging to be unable to access up-to-date information on shareholdings, particularly if the problem occurs around the end of the tax year or a Budget involving, e.g., Capital Gains Tax changes.

Action points

  • Physical security

Review security arrangements at a very basic level – making sure that those persons with office keys are aware of their duties regarding securing the premises and setting any alarm systems. Practices without approved building alarm systems should perhaps review whether such a system might be a worthwhile investment. Installation may also help to gain a reduction in office insurance premiums.

  • Systems back-up procedures

Audit/review/test back-up procedures to ensure that they are effective. Allocate responsibility for such procedures. Provide appropriate guidance and training to the staff concerned.

Secure, off-site storage of back-ups must be an essential element of a practice’s back-up procedures.

  • Insurances

Review insurance arrangements to ensure that the scope of cover and the sums insured are adequate and check, specifically, the events in which business interruption cover will apply and the period for which that cover will operate. For some types of cover, insurers require to have details of the firm’s equipment and it is therefore essential that insurers are advised timeously of any acquisitions of new equipment/software.

  • Contingency planning

Have a plan in place describing, prioritising and allocating responsibility for the action to be taken in the event of a theft, fire, flood etc. and records being lost or destroyed.

The plan should include a list of contact details of those who may be able to provide assistance according to the type of event. This might include –

  • the police
  • the firm’s office insurers
  • the Master Policy insurers (per Marsh), at least on a precautionary basis – it may be that loss of systems and data will result in claims
  • particularly if the firm’s accounting records have been compromised, the Society’s Chief Accountant
  • the firm’s accountants

Arrangements might be made for temporary relocation to other premises in the event of the firm’s offices being destroyed or severely damaged. Ideally, there will be facilities to enable IT systems to be re-instated on a skeleton basis, sufficient to allow the practice to continue its business.

The information in this page is (a) intended to provide guidance on matters of practical risk management and not on issues of law and (b) is necessarily of a generalised nature. It is not specific to any practice or to any individual and should not be relied on as stating the correct legal position.

Alistair Sim is Associate Director in the Professional Liabilities Division at Marsh UK Limited (e-mail: Alistair.J.Sim@marsh.com)

Charles Sandison is a Consultant with the Business Risk Consulting Division at Marsh UK Limited (e-mail: Charles.Sandison@marsh.com)