Although written for barristers, the recommendations below would broadly apply to any lawyer practising without the support of an IT team.
As a practising barrister, your working life is probably busy, hectic and mentally exhausting, and the thought of having to consider the security of your IT equipment is more than likely not one that bears too heavily on you. “My PC, laptop, smart phone, tablet, and networks etc all come with ‘built in’ security so that’s enough” I hear you say. Well, sorry to burst your bubble, but it’s not enough unless you can afford to pay out thousands of pounds in financial penalties to the Information Commissioner or by way of compensation in the event of there being any significant loss or compromise to your client personal information.
The old adage “information is power” is indeed true, particularly in the case of client personal information, and so when it is in the wrong hands, the risks to you and your clients are high in terms of breach of confidentiality, lack of information integrity and availability and, from your practice perspective, severe reputational damage. Client personal information must be regarded as a valuable asset as it enables you to build and maintain your relationship with a client; this relationship is dependent upon trust and comes with a high expectation of confidentiality. Unfortunately, as with all other valuable assets, they may attract the attention of less scrupulous individuals resulting in attacks being made to gain access to the information, regardless of the format the information is in. In the case of information held electronically, such attacks may take the form of technical assaults such as:
- viruses passing your information back to the hacker;
- exploitation of security back doors in IT systems;
- other IT system users with unrestricted access straying into databases, folders, files etc, for which they have no reasonable need to access.
These types of attack constitute criminal offences under the Data Protection 1998 (DPA) or the Computer Misuse Act 1990. However, these alone are not a deterrent, which is why you have to take all reasonable and practicable measures to secure the personal information entrusted to you.
Which IT security measures?
By virtue of your being a practising barrister, processing personal information on behalf of your clients and other individuals associated with the particular action involving your client, you are deemed to be a Data Controller within the meaning of the DPA section 1(1) and as such you must meet the legislative obligations set out within the Act (details and guidance can be found on https://ico.org.uk). In regard to IT security, you must meet the requirements of Schedule 1, Principle 7. Unfortunately, this contains little detail about what security measures are actually required, save for the need to ensure that the level of protection is appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, damage or destruction.
So what do you need to do? Thankfully, the Bar Council has provided comprehensive guidance as to what technical and organisational issues should be considered (http://bit.ly/2cMAyK7). In respect of the specific IT security issues, I provide a brief summary below of the main underlying requirements that you will need to consider before you put in place the specific measures to address the issues covered by them.
Risk based approach
When considering what level of protection is appropriate to the harm that may result from unauthorised or unlawful processing, and accidental loss, damage or destruction, it is necessary to adopt a risk based approach: it is necessary to evaluate the IT solutions available and their cost against the level of harm that may be incurred to the data subjects in circumstances particular to your practice. It is important that any technical measures should fit the needs of your practice and it is worth noting that these don’t necessarily have to be expensive or onerous, indeed, they may even be free!
Factors that need to be evaluated before deciding on technical measures include the following:
- Is the information sensitive or personal within the meaning of the DPA – ie does it contain details of racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual life, commission or alleged commission of any offence or proceedings in respect of any offence or alleged offence?
- Would you lose the individual’s trust, confidence or business as a consequence of any security breach?
- Is the information of interest to anyone not directly involved in the proceedings?
- Would you suffer financial loss or loss of reputation as a consequence of any security breach?
If the answer to any of the above is “yes”, then you will need to consider what are the perceived deliberate or accidental threats and vulnerabilities associated with the information and the likelihood of them actually occurring, eg physical environment (fire, flood, extremes in temperature etc), technical environment (software or hardware failure, power fluctuation, maintenance error etc) and people (unauthorised usage, willful damage, theft etc).
Once the above factors have been identified, you will then need to assess the probability and impact of the risk occurring on a simple scale of Low, Medium, High, Very High.
There is no “right” way to do this, as long as you have given this some consideration from a practical and pragmatic perspective, but I should point out that if you are undertaking any work on behalf of, or involving a Government organisation, such as CPS, MOJ, MoD etc, the information will have already been assessed as to the risk impact level – this being generally assessed as Medium to High risk – and the following requirements are basic guidelines to treat this level of risk. For information assessed as a Very High Risk, the appropriate security measures will need to be considered in conjunction with those instructing you. Such measures may need to be tailored to meet the specific circumstances of the information in question.
Common physical requirements
Details of IT equipment should be documented to enable appropriate measures to be applied.
Static equipment should be physically positioned so as to reasonably prevent unauthorised access, damage and interference, eg away from unlocked windows, away from fire hazards etc.
Equipment should be maintained only by an authorised person in accordance with the supplier’s service requirements.
Portable equipment or removable media should not be left unlocked and unattended when not in use or in public places. (Types of portable equipment or removable media include laptops, tablets, smart phones, USB sticks, CDs etc.)
Contracts setting out specific information processing and security measures should be put in place with any system provider.
Common system requirements
An assessment should be made as to current and future information storage capacity to ensure equipment performance; such assessment should take into account the retention period applied to the information, as it must be irretrievably deleted once there is no lawful need for it to be retained any longer.
Software should be installed to protect the integrity of the information, eg network firewalls, anti-virus or anti-malware products etc.
Frequent back-ups should be taken to maintain the availability of the information. Backed-up information should be stored separately and the same security measures applied.
Cryptography should be used to provide privacy and authenticity in terms of electronic communication, particularly in terms of document sharing, audio and video conferencing.
AES 256-bit encryption should be considered if the information is of a particularly sensitive nature, such being applied at a network, full hard disk, an individual file, or removable media level. In the event of encrypted information being shared, the password (key) to unlock the information should be provided to the recipient separately. Encryption should be applied before any information is transferred to cloud services for storage as this will prevent the service provider from gaining access to the information.
Authentication should be considered as it provides assurance that the integrity of the information is intact and its original source.
Activation of remote disable or wipe facility should be undertaken if portable equipment supports this functionality.
Secure email systems such as CJSM (see http://cjsm.justice.gov.uk), should be used to transmit messages containing sensitive information. Such messages should not be transmitted over unsecured wifi. It should be noted that emails transmitted over CJSM cannot be stored on cloud services that have not been approved by the CJSM service provider.
Common system access requirements
Access to IT equipment and networks should be restricted to only those who have a need to do so.
Default supplier passwords should be altered following equipment installation or set up.
Nominated users should have separate log-on accounts and must not share accounts.
User accounts should be accessible only by a unique user identifier and strong password with a minimum of 9 characters comprising letters, symbols and numbers.
User passwords should not be shared or re-used and must be changed frequently.
Lynda Minns is an independent Information Management and Information Assurance Consultant specialising in data protection compliance and risk assessment for information security in the UK Justice System. Email email@example.com.
Image cc by-sa Blue Coat Photos on Flickr.