Risk management: answers to frequently asked questions about information security, flagging exposure to external frauds as a current security concern and priority for the profession
There are various buzz terms around information security. Cyber security, for example, may sound like the stuff of science fiction or, to some, of scaremongering or sales pitches. Whatever terms are used, the objectives are essentially the same – keeping information safe and secure, and preventing it from getting into the wrong hands, being interfered with, or compromised.
What is “information security”?
A: Information security is about protecting:
- the confidentiality of information and preventing its misuse;
- the accuracy of that information and preventing unauthorised alteration of data and documentation.
Why is it particularly relevant to solicitors?
A: Information security is a critical issue for solicitors, because confidentiality of client information, and integrity of data, are at the heart of the solicitor-client relationship.
Is it really critical for all solicitors?
A: Information security is relevant not just for solicitors working on high-profile corporate deals or big-name clients. It is equally relevant to all solicitors. Clients instructing solicitors in relation to wills, house purchases or matrimonial matters are entrusting their solicitors with confidential information which requires to be appropriately safeguarded. Any breach of information security could result in exposure to a claim against the firm, as well as potential regulatory action.
What other information is at risk?
A: In addition to information relating to the particular instruction, client verification information is at risk. For example, bank details, address and passport numbers, stored as part of the firm’s anti-money laundering procedures, could be very valuable to criminals. Our identity is important and valuable. Worryingly, fraudsters are increasingly using the identities of others for the purposes of committing frauds.
What is “identity theft”?
A: This can mean pretending to be a client, or even pretending to be a solicitor, in order to access confidential information or commit a fraud.
According to CIFAS, the UK’s fraud prevention service, identity crimes are the fastest growing types of fraud in the UK. They involve criminals making use of details to get past an organisation’s security measures: from dates of birth to financial details, passwords and so on.
Identity theft crime may take the form of:
- identity theft, sometimes referred to as impersonation fraud, when a criminal uses the details of a genuine victim to impersonate them and, for example, open new accounts;
- identity fraud, where a criminal “makes up” an identity – often involving forged documents – in order to get products or services;
- account takeover fraud, where the fraudster has enough details (such as passwords) to bypass security on the victim’s accounts and take over the running of them.
How has identity theft affected solicitors?
A: Previous Journal articles and risk alerts issued by the Law Society of Scotland and Marsh have raised awareness of situations where fraudsters have masqueraded as:
- the true owners of residential properties – engaging solicitors in the sale or mortgaging of “their” properties (see “Managing the Fraud Risk”, Journal, September 2007, 36);
- existing clients of solicitors – and, by intercepting email correspondence between solicitors and (genuine) clients/beneficiaries, giving solicitors instructions to remit funds from balances held for the (genuine) client/beneficiary (see “Danger Spots”, Journal, February 2014, 38);
- a genuine law firm acting on behalf of a party (in reality the fraudsters) to a property/commercial transaction, with the ultimate objective of procuring a transfer of funds into a bank account represented as a solicitors’ client bank account, but in reality a bank account set up by or under the control of the fraudsters (see “A Year in Focus”, Journal, May 2013, 38).
How were the fraudsters in these various situations able to satisfy the vetting procedures and processes of lending institutions, banks and other parties, including solicitors? How were they in possession of detailed information about those they were impersonating, about transactions and about banking processes, and thereby able to establish credibility and convince others of their credentials? At least part of the answer is that information had been compiled from public sources, and that the fraudsters had either overcome information security controls or taken advantage of information security lapses.
How are solicitors affected?
A: In some of these situations, the victim who is defrauded is the genuine client, perhaps a lender or other legitimate party to the transaction. In some of these cases, those who have been defrauded look to solicitors to make good their losses, alleging that the solicitor failed in some way to fulfil a duty of care to protect the position of the defrauded party.
Recent experience demonstrates how, by stealing banking and other confidential information, fraudsters can gain access to bank accounts.
Is this all about effectiveness of IT security?
A: Information security isn’t just an IT issue, although IT is an important factor to be considered in ensuring effective information security.
Consider the following facts from CompTIA’s 2012 Annual Trends in Information Security study:
- 10% of information security lapses are caused by technology problems;
- 30% are the result of inadequate procedures;
- 60% are caused by human error.
As an illustration of the human factor, recent fraudulent schemes have involved some form of confidence trick or “social engineering” (the psychological manipulation of people into divulging confidential information or performing actions), used in attempts to induce cashroom personnel to reveal online banking PINs or passwords.
What risk control measures are appropriate?
A: All firms are likely to have policies and procedures to address key risk priorities. These will typically include physical office security measures, clear desk policies, password disciplines, and policies on the use of internet, memory sticks etc.
All colleagues also have an individual responsibility to ensure that their actions are not leaving them or their firms exposed to an information security lapse, by:
- complying with the firm’s policies and procedures;
- not having identification passes on view when out of the office;
- locking computers and other electronic devices with secure passwords, and using encryption technology where possible;
- not leaving items containing confidential information on public view or unattended;
- ensuring that conversations on public transport about confidential matters cannot be overheard;
- ensuring that, while travelling, information being accessed by laptops/tablets cannot be read by others;
- maintaining awareness of key risks and risk controls by reading risk management articles and risk alerts.
Consider undertaking the Marsh eLearning course on Information Security, which is available on the Marsh website for Scottish solicitors, is free of charge and provides 0.5 hours’ CPD.
If you need a reminder of your username and password for the website, contact firstname.lastname@example.org
Alistair Sim is a former solicitor in private practice, who works in the FinPro (Financial and Professional Risks) National Practice at Marsh, global leader in insurance broking and risk management. To contact Alistair, please email email@example.com
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Conduct Authority.
“Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning.
The key questions to keep under constant review are: Who would want access to our information and how could they acquire it? How could they benefit from its misuse? Can they sell it, amend it or even prevent staff or customers from accessing it? How damaging would the loss of data be? What would be the effect on its operations?”
(Excerpt from the website of the Centre for the Protection of National Infrastructure www.cpni.gov.uk/advice/cyber/).