The lurking infosec threat

                                                                        First impressions

The flow of info between private client solicitor and client contains some of the most sensitive client data imaginable – detail on the client’s financial position , assets and liabilities.

The means by which that sort of data is collected by the solicitor varies: anecdotally, from our own discussions in the sector, the most common current method is probably e mail, but a surprising amount of information is still obtained in hard copy, even via old fashioned post.

What also emerges from conversations is that few practitioners employ robust modern information security measures in this context. For example encryption techniques –   often regarded as the gold standard and widely used in other sectors – seem largely ignored by this part of the legal world.

This article goes on to provide a quick high level look at some of the risks the private client practitioner may be running in this area; then we’ll explain why meeting this challenge could be a  real opportunity for the legal practice, rather than a pure risk management/compliance headache.


Other sectors have grappled with an ever increasing wave of infosec regulation for years. The banking industry for example has to contend with regulations from numerous sources, most notably the Financial Conduct Authority and the Prudential Regulation Authority.

There’s maybe not the same breadth and volume of infosec regulation applicable exclusively to the legal sector but  various sources of law and regulation, particularly on client confidentiality, apply. For example para 6.3 of the SRA’s Code of Conduct for Solicitors  requires the solicitor to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. Common law, statute and other regulations reinforce this same basic rule.

But  perhaps more fundamentally even than the regulatory perspective, confidentiality is at the core of the solicitor’s trusted adviser status: it is alarming to think of the potential for damage to that status from an unauthorized disclosure of sensitive client information arising from a security breach.

Infosec risks

Assume the solicitor is collecting information from the client primarily by e mail. The infosec risks are many and varied:-

  • Lack of encryption: without end-to-end encryption, sent email messages can be intercepted and read by unauthorized parties. (Without any encryption the e mail message is also prone to interception during transmission.)
  • Data leakage: the risk of human error cannot be eliminated. For example the relevant firm’s employees may inadvertently send sensitive or confidential information via email to the wrong recipients.
  • Phishing attacks: e mail is vulnerable to phishing attacks, where attackers impersonate legitimate entities to trick users into providing sensitive information such as passwords, credit card numbers, or personal information. Phishing emails often contain malicious links or attachments that, when clicked or downloaded, can compromise a user’s system.
  • Spoofing: involves forging the header information of an email to make it appear as though it originates from a trusted source. This technique is often used in phishing attacks or to spread malware.
  • Malware Distribution: Email attachments and links can be used to distribute malware such as viruses, ransomware, or trojans. Unsuspecting users may inadvertently download and execute malicious code by opening attachments or clicking on links in emails.

Getting positive

On the face of it many in the sector seem to be running real risks. (Our ongoing research – see Next steps below – will test/validate this.) It may be that assessment and implementation of available solutions will need to move up the agenda of already harassed management  with responsibility for Operations, IT etc. But can these challenges be turned into an opportunity ? An end-to-end encrypted digital platform for client interactions can mitigate the risks. But it’s potentially so much more than a compliance solution. That digital portal introduces real positives that probably haven’t figured highly in the discussion before: an alternative/additional channel to support all manner of client interactions like document collaboration, document signing, periodic review processes, cross selling and other marketing initiatives etc….in short, ongoing client engagement.

(2018 SRA guidance encouraged the use of technology to simplify and improve existing processes. The first example cited: “ Online document portals… that improve communication ……with clients and others, giving progress updates, automating routine tasks and offering the ability to create, store and sign legal documents electronically.”)

Another factor is coming up the agenda. Whether the private client solicitor recognizes it yet or not, there’s a growing volume of clients and prospective clients out there who have a growing expectation of a digital portal experience, comparable to their experience when dealing with major banks and other financial institutions, for example.

So rather than just another item on the Ops/IT To Do list, those in the firm with responsibility for areas like client service, client experience and marketing should also be joining in the digital portal initiative…..

Next steps…

In the coming weeks, we will be conducting research among UK private client solicitors to delve deeper into these themes and explore the industry’s readiness for change. We invite you to contribute your insights and experiences to this important discussion. The survey will take just 5 minutes of your time, and participants will have the chance to win up to £250. This is not only an opportunity to reflect on your practice’s path forward but also to contribute to shaping the future of your profession in the digital era. (Contact us at:

This article was submitted to be published by Legado as part of their advertising agreement with Today’s Wills and Probate. The views expressed in this article are those of the submitter and not those of Today’s Wills and Probate.

Read more stories

Join nearly 5,000 other practitioners – sign up to our free newsletter

You’ll receive the latest updates, analysis, and best practice straight to your inbox.