Security training: Legal professionals did not receive training

Employee contracts: Legal professionals had formal agreements to security policies in their contracts; saw a security policy on start.

Background checks: Were not aware if their organisation does this

* Research in the legal sector in the US and UK (250 in each)

What are legal and law enforcement agencies doing with new employees to safeguard sensitive information?

New employee on-boarding is the process of helping new staff adjust quickly and smoothly to the social and performance aspects of their new role. Most organisations already have a process in place to implement and track on-boarding so that employees are given the right guidance, but it doesn’t always include guidance on how to protect the organisation’s and its clients’ sensitive information. This process is especially important in the legal sector, where that information can be particularly sensitive.

Training new employees on data protection

The ethical standards designed to protect attorney-client privileged communications and other legally privileged information such as patents, copyright and trade secrets are well known in law. Legal firms need to train and educate their employees from day one on how to work in a way that protects the organisation’s and its clients’ information. Meanwhile, law enforcement bodies have an obligation to keep criminal data private.

This is why having a security policy which is shared with all employees is a basic requirement of all user security regulations. For instance, ISO 27001, the international standard that specifies best practice for information security management systems (ISMS), includes a security policy in its set of information security objectives. However, it was surprising to see that almost a third (28.8%) of professionals in legal practices in the US were not given information security training during on-boarding. The number in the UK was similar (31.2%).

When asked if they had seen a security policy during on-boarding, only 60% (US) and a lower 47% (UK) of employees said they had. Similar proportions, 58% (US) and 46% (UK), were asked to sign an information security document.

In the UK, Lexcel, the legal practice quality mark for excellence in practice management and client care, states that practices must have an information management and security policy in place, including the management of user accounts and the training of personnel on information security.

Background Checks

For most organisations in highly regulated industries like the legal sector, integrity is of the utmost importance – in fact, the organisation’s reputation will rest on it. Without background checks on candidates, you won’t know who you are inviting into your organisation. However, only 60% (US) and 43% (UK) of professionals said that they were aware that their organisation runs background checks on new employees.

Lexcel stipulates in its People Management section that practices should have procedures to deal effectively with recruitment selection, and that these should include references and identity checking.