The survey, which canvassed risk responsibility, confidentiality and compliance, found that two-thirds of respondents indicated that information about clients is openly accessible to all staff within the firm.

“I am surprised by that figure,” said Andrew Fisher (pictured), Clayton Utz’s national manager of technology/infrastructure services when speaking to Lawyers Weekly about the survey. “We have very stringent rules about who can and can’t access client information.”

Fisher said that Clayton Utz didn’t participate in the survey.

All published survey responses were confidential, with one participant citing “strict protocols, separation barriers, locking-down information, physical separation of teams, printing restrictions” as steps taken by his/her firm to ensure client confidentiality is maintained.

Despite such measures being mentioned by survey participants to protect client confidentiality, the survey found that most respondents did not know how much their firm invests in risk management. One respondent said their firm spends less than one percent (0.5%) of turnover on risk management.

Clayton Utz has three dedicated risk management staff. Fisher declined to say how much his firm spends on risk management, but indicated that large law firms such as Clayton Utz would only be increasing risk management spend and staff in the future.

“We are increasingly being asked by our clients to be ISO 27001 certified and that hasn’t been something we have been asked for in the past,” said Fisher.

He said his firm is working towards being compliant with ISO 27001standards, which brings information security under the direct auspices of management control.

Currently, Clayton Utz, like many firms, leaves control of access to client documents under the supervision of the relevant client relationship partner or partner-in-charge of a matter.

“The partner can say, ‘well I only want  junior lawyers to have access to certain information,  but I want some senior associates to have access to half the documents, etc’.

“We have in place extensive granular protection procedures right down to the user level.”

Avoiding conflict
Survey respondents cited commercial conflicts of interest and regulatory requirements as two key areas of concern that require the implementation of information barriers.

Despite the high proportion of respondents indicating that client information is easily available, most firms indicated that improved processes and additional training have been implemented in a bid to better preserve client confidentiality.

“We’ve added additional training and are looking at ways of improving how files are managed by fee earners to make sure files are secured electronically,” said one respondent.

At Clayton Utz, the identification of potential conflicts is run through a dedicated set of computer-checking mechanisms.

“We will also send an email around to find out if any partners are working on restricted matters that we should know about and use a number of provisions to avoid conflicts,” said Fisher.

The IntApp survey also found that respondents expect external audits to increase in parallel with the increased level of client expectations, with half of the respondents indicating that their firm has been subject to an external information security audit.