Remote working challenges for law firms

Some of the key challenges being faced:

• Meeting regulatory obligations
• Hardcopy client records inaccessible
• Cybersecurity risks
• Client confidentiality and data protection
• Maintaining competency.

Meeting regulatory obligations

The Solicitors Regulation Authority (SRA) has made its position clear in relation to its approach during these hard times but you must not take advantage of this more relaxed approach; client protection is key:

“We will take a proportionate approach: this includes our approach to enforcement. If we do receive complaints, we would take into account mitigating circumstances, as set out in our enforcement strategy. This includes focusing on serious misconduct, and clearly distinguishing between people who are trying to do the right thing and those who are not. We would recommend that if you do face compliance difficulties linked to the virus, you should clearly document the approach you have taken.”

Accessing hardcopy and case management client records

With the Government introducing a near-complete lockdown it is now going to be difficult for you to access hardcopy client files, which is likely to lead to delays in dealing with client matters, and as a consequence, this could lead to complaints; although the SRA has said it will be taking a more relaxed approach to such complaints it has expected you to have appropriate contingency plans in place to cope with such events.

With the number of people now working remotely the pressure on the internet is massive and therefore the UK may decide to follow the same steps taken by other European countries, namely restricting the use of the internet to ensure key organisations/workers are able to use it without degradation. You should now start to assess how your firm will be able to operate should internet usage be restricted.

Cybersecurity risks

Criminals are actively taking advantage of the current crisis and are stepping up their cybercrime activities with scams to try and hack systems and steal client money. Due to the lack of time some firms have had to prepare for wholesale working from home, many will have had to ask their staff to use their own IT equipment, much of which could be exposed to cyber-criminals due to their systems not being sufficiently protected.

PII insurers will still be expecting your firm to protect client money and they will expect all reasonable steps to be taken to ensure this happens; due to the impact Covid-19 is having on all businesses, insurers are likely to be very exposed to significant future claims, so many claims could be challenged where it can be shown that reasonable steps were not taken.

Client confidentiality and data protection

The SRA has made it clear that client protection is core to all it does, so you need to ensure that you do all you can to ensure the confidentiality of client data, this includes client information in hard (files) and soft (computer) formats.

Working from home can present a number of risks to client data, for example, family members and visitors being able to see it, or client information being overheard during telephone calls; not all people working from home have the ability to work from a dedicated office and will, therefore, be working at kitchen tables, in lounges, etc., but appropriate precautions will still have to be taken to mitigate identified risks.

Since many people have been forced to stay at home there has been an increase in the number of data subject access requests (DSARs) being made to law firms, and these have thrown up a number of issues, including:

• Inability to properly identify those making DSARs (client being unable to visit offices or get someone to certify identity documents)
  
  
• Inability to access all personal data being held due to it being in closed archive facilities or in back-up systems that require access by IT support companies not currently/fully operating
  
  
• Inability to meet the 31-day deadline for responding to a request.

There has not yet been any guidance from the Information Commissioner’s Office (ICO) in relation to complying with the Data Protection Act during the Covid-19 crisis, so you need to take all reasonable steps to ensure you comply; the key is to communicate appropriately with data subjects and set their expectations over the response to their request. As with the SRA, you should keep notes about what you have done and why, so if a complaint is made to the ICO you can justify what you have done.

Maintaining competency

You must ensure that the service you provide to clients is competent and delivered in a timely manner and that those providing legal services maintain their competence to carry out their roles and keep their professional knowledge and skills up to date; supervisors and managers remain accountable for the work carried out by these individuals and effectively supervise work being done for clients.

Since the current competency arrangements were implemented many firms have adopted competency programmes that have relied on internal meetings/discussions, etc., rather than attending formal training courses, but when working from home such arrangements may no longer be viable, therefore new arrangements need to be put in place, for example, e-learning.

With access to online training, research, online conferencing, etc., it will be hard to justify to the SRA that someone is unable to maintain their competency; if they can’t, they should not be working on client matters.

Key steps to consider

The following steps should be considered to reduce the risks of working from home:

• Allocate appropriately protected business-owned IT equipment to anyone working from home on client matters and remind staff how and where they can report any potential cyber-risks.
  
  
• Communicate regularly with all staff on working from home policies, including working from home safely, cyber and information security protection of personal data in accordance with data protection laws such as GDPR) when using shared WIFI and use of company VPNs.
  
  
• Review internal policies, procedures and controls to ensure that there are no increased risks that would otherwise be mitigated or controlled in normal circumstances. Staff should still be able to get easy access to the firm’s policies and procedures, including use of email, internet, social media and points of key contact should any reports need to be made.
  
  
• Provide regular updates between teams and management via conference calls to help ensure staff are both clear on their operational objectives and supported properly.
  
  
• Members of the management team should ensure that appropriate levels of supervision are maintained, and staff should be able to easily contact their supervisors and key teams (IT, accounts, etc.) when required.
  
  
• Remind staff not to work on client matters in public places or when using free insecure WIFI connections and ensure hard copy files are stored securely when not in use and are not accessible by others when being worked on (spouse, partner, children, visitors, etc.)
  
  
• Ensure breaches, complaints, claims, undertakings, DSARs, suspicious activity reports, etc., are notified to the appropriate compliance officer (COLP/COFA/MLRO/MLCO) and reported to the SRA/NCA/ICO where appropriate; if an online risk and compliance system is used by your firm ensure it continues to be updated as required.

Working from home is going to become the new “normal” over the next few weeks and months, so making sure your firm is able to operate effectively and compliantly during this period will be critical. 

 

We are here to help you through this tough period by providing a number of products/services that can be used remotely:

• Compliance helpline
  
  
• Free regulatory and compliance webinars
  
  
• Risk and compliance management system
  
  
• E-learning training library
  
  
• Learning management system (LMS)
  
  
• Policies & procedures library
  
  
• Risk & compliance advisory services