
Criminal Legal Aid: The Grey Area Firms Can’t Ignore

Since the LAA’s Criminal Legal Aid requirement for Cyber Essentials came into force, most firms have focused on the obvious question:

Do we have Cyber Essentials in place?

What’s less often discussed, and far more likely to cause problems later, is how BYOD (Bring Your Own Device) fits into that compliance.

BYOD isn’t explicitly banned — but that’s not the reassurance it sounds like

If you read the guidance from the LAA, the SRA, or IASME, you’ll notice something important.

None of them explicitly state that firms cannot allow personal devices to access business systems.

But equally, none of them say that you can.

What they do state, consistently, is that any device accessing firm data must meet a baseline level of security.

That distinction matters.

Because once a personal device connects to your systems or accesses client data, the question stops being who owns the device — and becomes who is responsible for the data.

The answer is always the firm.

The question firms should be asking

Rather than asking whether BYOD is “allowed”, a more useful question is:

How do we know that a personal device accessing our data meets Cyber Essentials standards?

For many firms, the honest answer is: it doesn't.

Personal devices are typically:

  • not fully managed by the firm

  • not consistently patched or monitored

  • outside the scope of formal security controls

From a Cyber Essentials perspective, that makes them an unmanaged risk.

And unmanaged risks are exactly what audits, insurers, and regulators focus on after an incident.

A real-world example we see regularly

Consider a common scenario.

An employee accesses a firm's systems using a personal laptop.
A client file is downloaded or saved locally to that device.

Later, the same laptop connects to unsecured public Wi-Fi — for example in a coffee shop.
The device is compromised.

At that point:

  • the data belongs to the firm

  • the liability sits with the firm

  • Cyber Essentials compliance is likely questioned

  • cyber insurance may be challenged or refused

This isn’t about malicious behaviour or poor intent.
It’s about a gap in control.

There’s also the inverse risk:
If a personal device is already compromised and then reconnects to the firm’s network, it can introduce malware, spread laterally, or allow unauthorised access to other systems.

Why this matters for Criminal Legal Aid firms in particular

For firms holding Criminal Legal Aid contracts, the stakes are higher.

A Cyber Essentials failure doesn’t just mean a technical issue — it can mean:

  • questions over contract compliance

  • increased scrutiny following a breach

  • difficulty demonstrating “reasonable security”

  • insurance disputes at exactly the wrong time

In many cases, these issues only surface after something has gone wrong.

By then, it’s too late to retroactively prove controls were in place.

Where IT providers often fall short

In fairness, this is a grey area rather than a clearly defined rule change.

But it’s also an area that should already be part of the conversation between firms and their IT providers.

At a minimum, your IT provider should be able to clearly explain:

  • whether personal devices are permitted to access firm systems

  • how those devices are secured and controlled

  • how compliance is maintained and evidenced

If that conversation hasn’t happened, it doesn’t necessarily mean you’re non-compliant, but it does mean you’re relying on assumptions.

How LawFinity approaches the issue

At LawFinity, we start with visibility.

We run a security assessment that shows:

  • which devices can access firm data

  • whether access controls are correctly configured

  • where confidential information may be more open than expected

In many cases, firms are technically “working”, but not configured in a way that stands up to Cyber Essentials scrutiny.

Once gaps are identified, they're usually straightforward to fix and, more importantly, to maintain, so compliance doesn't drift over time.

The bottom line

Cyber Essentials doesn’t explicitly ban BYOD.

But it does place responsibility squarely on the firm for any device that accesses its data.

For Criminal Legal Aid firms, that makes BYOD a conversation worth having before a breach, audit, or insurance claim forces the issue.

If you’re unsure how this applies to your firm, or would like to sense-check your current setup, contact us.