
Frauds and Scams — Increasing Awareness

There are various terms used around information security. Cyber security, for example, may sound like the stuff of science fiction or, to some, the stuff of scaremongering or sales pitches. Whatever terms are used, the objectives are essentially the same — keeping information safe and secure and preventing it getting into the wrong hands or being interfered with or compromised.

There is a clear link between information security and exposure to external frauds and scams.  This is an additional critical reason why protecting information, whether held electronically or as hard copy, is essential for solicitors.

WHAT IS “INFORMATION SECURITY”?  It is about protecting:

  • The confidentiality of information — and preventing its misuse.
  • The accuracy of that information, and preventing unauthorised alteration of data or documentation.

WHY IS IT PARTICULARLY RELEVANT TO SOLICITORS?

It is a critical issue for solicitors because confidentiality of client information and integrity of data are at the heart of the solicitor-client relationship.  The external frauds and scams scenarios we have considered have involved situations where fraudsters have acquired and misused information about:

  • Transactions on solicitors’ client bank accounts.
  • Solicitor-client relationships including transaction details and email correspondence.
  • Colleague names, roles, and responsibilities.

Fraudsters have managed to acquire information that has assisted them to commit confidence tricks and access firms’ systems or online banking. Perhaps some of this information has been elicited by eavesdropping on conversations, shoulder-surfing on public transport, gaining entry to office premises, using malware to access computer systems or by harvesting personal details on social media.

Preventing fraudsters accessing information is at least a partial obstacle in their way.  Observing good information security practices is at least part of the solution. 

IS IT REALLY CRITICAL FOR ALL SOLICITORS?

Information security is relevant not just for solicitors working on high-profile corporate deals or big-name clients.  It’s equally relevant to all solicitors.  Clients instructing solicitors in relation to wills, house purchases, or matrimonial matters are entrusting their solicitors with confidential information which requires to be appropriately safeguarded.  Any breach of information security could result in exposure to a claim against the firm as well as potential regulatory action.

WHAT OTHER INFORMATION IS AT RISK?

In addition to information relating to the particular instruction, client verification information (for example, bank details, address, and passport numbers) stored as part of the firm’s anti-money laundering procedures could be very valuable to criminals.  Our identity is important and valuable, and, as we have already seen, fraudsters are increasingly using the identities of others for the purposes of committing frauds.   

INFORMATION SECURITY IN PRACTICE

Information security is NOT just an IT issue, it is A BUSINESS RISK, although IT is an important factor to be considered in ensuring effective information security.  Consider the following facts from CompTIA’s 2012 Annual Trends in Information Security study:

  • 10% of information security lapses are caused by technology problems.
  • 30% are the result of inadequate procedures.
  • 60% are caused by human error.

WHAT RISK CONTROL MEASURES ARE APPROPRIATE? 

All firms are likely to have policies/procedures to address key risk priorities.  These will typically include:

  • Physical office security measures.
  • Clear desk policies.
  • Password disciplines.
  • Policies on the use of internet, memory sticks, etc.

INFORMATION SECURITY — ACTIONS 

Each colleague is responsible for ensuring that their actions do not leave them or the firm exposed to an information security lapse, by:

  • Complying with the firm’s policies and procedures.
  • Not having identification passes on view when out of the office.
  • Locking computers/other electronic devices with passwords, and using encryption technology if possible.
  • Not leaving items containing confidential information on public view or unattended.
  • Ensuring that conversations on public transport about confidential matters cannot be overheard.
  • Ensuring, while travelling, information being accessed by laptops/tablets cannot be read by others.
  • Maintaining awareness of key risks & risk controls by reading risk management articles & risk alerts.
  • Considering undertaking the e-learning module Cyber Security for Legal and Accountancy Professionals.

INTERCEPTION OF EMAIL CORRESPONDENCE

Solicitors handling the administration of an estate contacted a beneficiary overseas to notify him of his entitlement to a quarter share of his late aunt’s estate.  At intervals thereafter, there were email exchanges between the solicitors and the beneficiary regarding progress with the estate and the beneficiary’s prospective entitlement.

When the solicitors emailed the beneficiary in connection with an interim payment to account, the beneficiary responded with details of his bank account.  However, it transpired that this email wasn’t from the beneficiary; it was from a fraudster who had intercepted the email correspondence.  The bank details were for the fraudster’s bank account.

Fortunately, the solicitor handling the estate was suspicious of the email and contacted the beneficiary (not by email) to establish whether it was genuine.  The solicitor’s vigilance meant the fraudster’s attempted fraud was thwarted.  A fraudster can easily intercept email correspondence between solicitors and their clients, where clients at some point provide their bank details to the solicitor for remittance of funds or any other type of payment arrangement.

In another case, the finance team in a small law firm acted on an internal email instruction to make an immediate bank transfer of a significant sum of the firm’s own funds.  This email instruction appeared to have been sent by the firm’s senior partner.  The emails in both cases were sent by fraudsters masquerading as the selling solicitors and senior partner respectively.  The bank account details in the emails related to the fraudster’s bank account. 

As always, awareness is a crucial element of a solicitor’s risk controls — ensuring all colleagues, including cash room/finance team, are aware of the risks and potential exposure to this type of fraud.  However, other items should be considered too:

  • Validation/verification of client bank account details — Whenever a client provides bank account details/instructions for the first time (or any changes), it’s essential that these are verified. 
  • If the client has provided the (new) details/instructions by email, when contacting the client for confirmation be sure to do this by a different form of communication, eg by telephone or by letter. This minimises the risk that a fraudster who provided a fraudulent payment instruction, eg by email, is also in a position to provide false validation by intercepting your email request for confirmation.
  • Perhaps bank account details should only be provided by email if the email is encrypted.
  • Watch out for any change to your client’s email address. It may be a subtle change, designed to deceive. For example, the original Joe.bloggs@hotmal.com becomes Joe.bloggz@hotmail.com.
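
The last check above can be partly automated. The following is an added example, not part of the original article: it compares a sender's address with the addresses held on the client file and flags near-matches. The addresses, the ON_FILE list, the function names and the two-edit threshold are all assumptions made for illustration.

```python
"""Flag sender addresses that differ only slightly from a known client address."""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise(address: str) -> str:
    """Assumption: addresses are compared case-insensitively."""
    return address.strip().lower()


def classify_sender(sender: str, known: list[str], max_distance: int = 2):
    """Return (verdict, closest_known_address).

    verdict is 'known' for an exact match, 'lookalike' when the sender is
    within max_distance edits of an address on file, otherwise 'unknown'.
    """
    sender_n = normalise(sender)
    best_addr, best_dist = None, None
    for addr in known:
        d = edit_distance(sender_n, normalise(addr))
        if best_dist is None or d < best_dist:
            best_addr, best_dist = addr, d
    if best_dist == 0:
        return "known", best_addr
    if best_dist is not None and best_dist <= max_distance:
        return "lookalike", best_addr
    return "unknown", None


# Constructed sample data: addresses held on the client file.
ON_FILE = ["joe.bloggs@example.com", "a.tan@example.org"]

if __name__ == "__main__":
    for s in ["Joe.Bloggs@example.com", "joe.bloggz@example.com",
              "joe.bloggs@examp1e.com", "new.client@example.net"]:
        print(s, "->", classify_sender(s, ON_FILE))
```

A "known" verdict only means the address matches the file; where the email carries new or changed bank details, confirmation by telephone or letter is still required, because the genuine mailbox may itself be intercepted.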

To cater for Malaysian lawyers, this article was adapted and amended from the original article authored and written by JOHN KUNZLER, Marsh Placement Specialist.