The Solicitors Regulatory Authority is the body responsible for the regulation of the legal profession here in the UK and the SRA Handbook sets out the standards and requirements that UK law firms are expected to achieve and observe.
The SRA has chosen to adopt an outcomes-focused and risk-based approach to regulation, so that clients receive services in a way that best suits their needs.
Because of this approach there are no specific information security requirements within the regulatory framework. However, the 10 principles upon which the framework is based, and the outcomes and indicative behaviours used to judge compliance with SRA guidelines, do have some implied information security requirements.
Indeed, it could be argued that 6 of the 10 basic principles of the SRA framework could and should be applied to information security. These include:
- Principle 1 – uphold the rule of law and the proper administration of justice;
- Principle 4 – act in the best interests of each client;
- Principle 5 – provide a proper standard of service to your clients;
- Principle 7 – comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner;
- Principle 8 – run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles;
- Principle 10 – protect client money and assets.
In order to simplify the work involved in complying with the information security requirements of the SRA Handbook, the approach to compliance should be broken down into 3 key areas:
1. Business Management – how your organisation approaches security;
2. Technology Management – the critical IT components which need to be considered;
3. Staff Management – how your staff need to be involved, managed and encouraged.
1. Business Management
The way your business is managed and operated has a key role to play in its approach to information security. Where senior management adopt and encourage security as a key business philosophy, then the organisation will operate more securely because security is at the heart of everyone’s thinking.
It is where senior management don’t adopt and encourage a secure approach to business that you will find the bulk of data security breaches, poor levels of compliance and a higher risk for the business, its employees and its clients.
Law firms should look at three key areas of their business:
- Business Culture – how the organisation views security and how this is communicated to employees;
- Business Planning – implementing appropriate security policies, assigning roles and responsibilities for security and effective business continuity planning;
- Business Operations – how the business integrates security into its day-to-day operations including 3rd party services, risk management and data protection.
2. Technology Management
The way your IT is operated and managed forms the fundamental backbone of information security. Where technical security controls are implemented, managed and adhered to, businesses will generally be more secure and compliant.
It is in organisations where IT security controls are poorly implemented, incorrectly managed and/or bypassed for the sake of convenience that you will find the majority of security issues, Data Protection Act violations and inadequate compliance with SRA regulations.
Some of the key areas to look at from a technology perspective are:
- User Access Controls – usernames and passwords, inactivity lockout, role-based access, logging and auditing;
- Network Security – system standards, hardening, firewalls and routers, Wi-Fi, security software, vulnerability management and penetration testing;
- Portable Device Security – security and encryption of laptops, tablets, smart phones and PDAs;
- Online Security – internet access, web-based services and applications, corporate and personal use of web services and social media;
- Disaster Recovery – handling incidents which affect your IT systems, applications and data.
3. Staff Management
People are key when it comes to effective information security and data protection. If they have the right tools, encouragement and training they will be your greatest security control.
It is when your staff don’t understand the issues around information security, or when they find it easier to bypass controls in order to get the job done, that legal firms are put at risk.
The best way to encourage your employees is to look at:
- Joiners, Movers, Leavers – build information security and data protection into your regular HR processes and encourage it at every stage of employment;
- Performance Reviews – ensure your annual appraisal system includes information security requirements against which your staff can be measured and assessed;
- Security Awareness & Training – implement a security awareness programme which includes multiple aspects such as newsletters, posters and even online or classroom-based training;
- Reporting & Whistleblowing – encourage and even reward employees who raise issues or suggest improvements.
Because of the way the SRA Handbook and regulatory framework are written, they don’t contain any specific information security requirements. However, in many areas of the framework they do require that you take reasonable steps to protect your business and your clients.
At the end of the day, security will cost money. But if it enhances your reputation and builds client trust it is money well spent.
The failure to implement security effectively might not only cause your firm problems with the SRA, it might also cause you significant financial and reputational losses and even land you in court for breaching the Data Protection Act.