Study from PwC and Iron Mountain shows four in 10 legal firms don’t know whether they have lost data

London Apr 27, 2012 – Sensitive and confidential information held by legal firms is at risk of exposure because many do not check whether their employees implement information security measures, according to new research by information management company Iron Mountain and PwC. Four in 10 (42 per cent) legal firms surveyed across Europe did not know whether or not they had suffered a data breach in the previous three years. The research marks the launch of Europe’s first ‘Information Risk Maturity Index’, a vital benchmark to help organisations evaluate their ability to address information risk.

More than half (56 per cent) of respondents admitted that, despite introducing a strategy to manage information risk, they had failed to monitor its effectiveness. A similar number (59 per cent) had allocated responsibility for information risk management to a specific individual or team, but did not check performance; and more than half (54 per cent) did not track whether policies for the shredding of confidential waste and the secure destruction of digital information were being implemented properly.

The research findings revealed that the impact of such complacency can be catastrophic. Law firms that acknowledged having experienced a data breach listed reputational damage, professional liability and exposure as the main impacts.

PwC surveyed senior managers at 600 leading European businesses to develop the Information Risk Maturity Index for mid-sized businesses (250 to 2500 employees). The scores, assessed across the legal, financial services, insurance, manufacturing and engineering, and pharmaceutical sectors suggest that many businesses are woefully unprepared to address and manage information risks such as data breaches, data loss and non-compliance. The average score for European companies was 40.6 against an ideal score of 100, with the legal sector scoring an average of just 33.3. The financial services sector scored highest with an average score of 46.3.

The Information Risk Maturity Index provides a guide for organisations to measure their level of sophistication in information management. It is based on a set of measures that, if put in place and frequently monitored, will help protect the digital and paper information held by an organisation. The index represents a balanced approach to preventing information risk, including strategic, personnel, communications and security measures.

Commenting on the survey results, Christian Toon, head of information security at Iron Mountain Europe said: “Our information risk study reveals a worrying level of complacency across the legal sector in Europe. There’s absolutely no point in pouring resources into information security if no one takes any notice. All the money and technology in the world will not protect your sensitive data if staff are not properly trained, monitored and supported so that information security is a responsibility that is front of mind. The drive for this must come from the very top of the business.”

Iron Mountain has called on businesses across Europe to commit to responsible information management: ensuring that information is valued and protected at every stage of its journey through the business, and that all confidential waste documents and digital data are securely disposed of at the end of the life cycle.