PwC and Iron Mountain say 40% of law firms don’t know if they’ve lost data

Sensitive and confidential information held by legal firms is at risk of exposure because many do not check whether their employees implement information security measures, according to new research by information management company Iron Mountain and PwC. Four in 10 (42%) law firms surveyed across Europe did not know whether or not they had suffered a data breach in the previous three years.

More than half (56%) of respondents admitted that, despite introducing a strategy to manage information risk, they had failed to monitor its effectiveness. A similar number (59%) had allocated responsibility for information risk management to a specific individual or team, but did not check performance; and more than half (54%) did not track whether policies for the secure disposal of information were being implemented properly.

PwC surveyed senior managers at 600 leading European businesses (including 125 law firms) to develop an Information Risk Maturity Index for mid-sized businesses (250 to 2500 employees). The scores, assessed across the legal, financial services, insurance, manufacturing and engineering, and pharmaceutical sectors, suggest that many businesses are woefully unprepared to address and manage information risks such as data breaches, data loss and non-compliance. The average score for European companies was 40.6 against an ideal score of 100, with the legal sector scoring an average of just 33.3. The financial services sector scored highest with an average score of 46.3.

Commenting on the survey results, Christian Toon, head of information security at Iron Mountain Europe, said: “Our information risk study reveals a worrying level of complacency across the legal sector in Europe. There’s absolutely no point in pouring resources into information security if no one takes any notice. All the money and technology in the world will not protect your sensitive data if staff are not properly trained, monitored and supported so that information security is a responsibility that is front of mind. The drive for this must come from the very top of the business.”