40% of European Legal Firms Don’t Know Whether They Have Lost Data

Sensitive and confidential information held by legal firms is at risk of exposure because many do not check whether their employees implement information security measures, according to new research by information management company Iron Mountain and PwC.

Four in 10 (42%) legal firms surveyed across Europe did not know whether or not they had suffered a data breach in the previous three years.

The research marks the launch of Europe’s first information Risk Maturity Index, a benchmark to help organisations evaluate their ability to address information risk.

More than half (56%) of respondents admitted that, despite introducing a strategy to manage information risk, they had failed to monitor its effectiveness. A similar number (59%) had allocated responsibility for information risk management to a specific individual or team, but did not check performance; and more than half (54%) did not track whether policies for the secure disposal of information were being implemented properly.

The research findings revealed that the impact of such complacency can be catastrophic. Law firms that acknowledged having experienced a data breach listed reputational damage, professional liability and exposure as the main impacts.

PwC surveyed senior managers at 600 leading European businesses to develop the Information Risk Maturity Index for mid-sized businesses (250 to 2,500 employees). The scores, assessed across the legal, financial services, insurance, manufacturing and engineering, and pharmaceutical sectors suggest that many businesses are woefully unprepared to address and manage information risks such as data breaches, data loss and non-compliance. The average score for European companies was 40.6 against an ideal score of 100, with the legal sector scoring an average of just 33.3. The financial services sector scored highest with an average score of 46.3.

The Information Risk Maturity Index provides a guide for organisations to measure their level of sophistication in managing information. It is based on a set of measures that, if put in place and frequently monitored, will help protect the digital and paper information held by an organisation. The index represents a balanced approach to preventing information risk, including strategic, personnel, communications and security measures.

Commenting on the survey results, Christian Toon, head of information security at Iron Mountain Europe, said: "Our information risk study reveals a worrying level of complacency across the legal sector in Europe. There’s absolutely no point in pouring resources into information security if no one takes any notice. All the money and technology in the world will not protect your sensitive data if staff are not properly trained, monitored and supported so that information security is a responsibility that is front of mind. The drive for this must come from the very top of the business."