Reviewing our existing policies
"As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures, and are working to implement additional safeguards to further secure our information systems." =
"Oh Shit! We were supposed to keep this stuff secret and now someone has got hold of it, and this has been made public. Quick! We need a press release to calm things down."
Maybe consider encrypted file store? Two-factor authentication? Firewalls?
I have no idea what their existing security policies are, but they certainly need reviewing by someone competent. My experience of 'high powered' types is that they are not that interested in IT security when it causes senior managers to have to do menial things like using a strong password to log on (which is not written down on a table attached to the computer), encrypting laptop hard drives, or even keeping said laptop out of public view when going for a drink or meal, or maybe not clicking on every link or attachment in every email they receive.
Or is 'reviewing our existing policies' actually a euphemism for 'looking for a scapegoat'*?
Not that I'm cynical or anything.
*Not one of the senior partners, probably an IT bod like 'head of IT security' or 'Chief Technical Officer' rather than the partner who didn't want to pay for IT security because (s)he got bored with the presentation.