StaRs: Time to prioritise, but not to panic
Little did we know then that Covid-19 was around the corner and set to test our systems and processes yet further. Whilst the uncertainty around Covid-19 inevitably gives rise to a sense of unease, this can be seen as another opportunity to step back and prioritise, to ensure you are complying with your regulatory obligations during these otherwise uncertain times. Reviewing systems and processes now could ensure future work systems that help you achieve optimum standards in terms of business continuity, security, and supervision during unpredictable times. In turn, this could improve not only your firm’s capability in respect of regulatory compliance, but services for clients and, ultimately, client satisfaction. This ever-changing and uncertain climate could, in fact, bring about positive change for law firms.
So what are some of the key regulatory risks law firms face in respect of Covid-19 and how can these be tackled?
The clear message from the government - to avoid all unnecessary travel and to work from home wherever possible - has made remote working more a necessity than an option.
The increased risk of data breaches and the loss of confidential information through hard copy documents being transported and kept at home, rather than in offices with the necessary systems and controls in place, is inevitable.
Colleagues should work digitally wherever possible and be advised against working from hard copy documents and minimising the need to make handwritten notes of calls or virtual meetings they attend – typed notes should be encouraged. This may mean firms need to expand their teams working for particular clients to include administrative support, input from paralegals or individuals with an advanced technological skill-set, should detailed notes of meetings or conferences be needed.
If working digitally is not possible, for whatever reason, transporting and storing documents in a locked receptacle should be made compulsory. You may want to give further thought to suggesting the types of lockable storage you would prefer individuals to try to use, wherever possible. For example, a large lockable filing cabinet or lockable drawer within a desk is likely to be harder to make off with than a portable lockable rucksack. Where this is not possible, you may want to remind colleagues to keep their working environment as secure as possible, by setting a home security alarm and closing windows when they go out. This is about reminding colleagues of basic steps they can take to minimise the chances of confidential information being lost or stolen. Likewise, the use of removable media to transport data should be discouraged and, where such media is used, the importance of the relevant device being encrypted must be clearly communicated.
It may be that you will need to consider reviewing underpinning policies with a view to amending them or, at the very least, reminding colleagues of their existing obligations.
Colleagues should consider notifying parties with whom they have corresponded by post previously / relied on service of documents by post, that correspondence should be electronic-only going forward (wherever possible). This is in anticipation of any full office closures should isolation measures be ramped up in the UK in the coming days and weeks and to manage the associated risks of missing key documents and communications.
Remote working introduces further risks to data security beyond inadvertent disclosure or loss of hard copy papers/removable media.
Colleagues should be reminded to work, where necessary and indeed where possible, in private environments where conversations of a confidential nature cannot easily be overheard and computer screens cannot be easily seen by third parties. The importance of locking computer screens when unattended (even within one’s home) should be reinforced. Colleagues should be encouraged to avoid predictable passwords and consider using password managers.
Working from home does not always mean literally ‘from home’. Accordingly, colleagues should be reminded that public Wi-Fi hotspots are not secure and vulnerable to hacking, and it is hard to prove that a hotspot belongs to the company or individual it claims. The SRA advises that in most cases, modern websites (using HTTPS) will protect you from risk. Using work mobiles as ‘hot spots’ may be a necessary alternative if another secure network is unavailable, but be aware there can be increased costs associated with this method.
Due to difficulties in contacting individuals on office telephone numbers or limited availability of support staff to contact various individuals on behalf of lawyers, colleagues may need to send more emails than usual. Likewise, sharing a confidential document in person in the office will now most likely be done virtually or via email. Colleagues should be reminded to check and double check email addresses used, to authenticate email addresses by independent means wherever possible, and to password protect attachments to emails (with the password being provided separately) to best protect against any potential breaches.
The ability to ‘share your screen’ through providers such as Skype for Business should also be used with caution and, in some circumstances, limited to internal meetings. Colleagues should be advised to ensure only appropriate material/data is shared with the parties attending a particular meeting or call. Disenabling email pop-ups is one precaution worth considering so that confidential information is not inadvertently displayed to others whilst screen sharing.
Laptops should be encrypted and firms should have a system to track devices and delete data from tablets and phones remotely if they are lost or stolen. The SRA also recommends two-factor authentication for email and log-ins, where possible.
If colleagues think that a data breach has occurred, they should be reminded of whom to report this to within your firm, and how. They should also be reminded of the requirement for this to be done promptly (given the 72 hour deadline under the GDPR to report where there has been a breach of personal data).
As part of our StaRs blog series, my colleagues Shannett Thompson and Charlie Roe commented on how the twin themes of accountability and exercising judgement pervade the StaRs. The introduction to the Code for Individuals stresses, ‘[y]ou must exercise your judgement in applying these standards to the situations you are in and deciding on a course of action, bearing in mind your role and responsibilities, areas of practice and the nature of your clients.’ It goes on to state, [y]ou are personally accountable for compliance with this Code – and our other regulatory requirements that apply to you – and must always be prepared to justify your decisions and actions.”
The Code for Firms further emphasises the breadth of accountability for a firm and its staff. Whilst noting that any serious failure to meet the standards or serious breach(es) may lead to regulatory action being taken against the firm, its managers or compliance officers, the code also notes: ‘[w]e may also take action against employees working within the firm for any breaches for which they are responsible.’
A reminder to colleagues of their obligations under the respective Codes is recommended. Being away from the office should not lead to a relaxed attitude to the importance of one’s regulatory obligations. Individuals should be aware that they are responsible for the professional judgement they exercise when working at home and that the various discussions and decisions taken on a particular case, for example around disclosure or potential conflict points, should be carefully recorded. This should include reasoning for why they have chosen to act in a certain way, so that they can justify decisions, should they need to, in the future. The SRA’s Enforcement Strategy recognises, however, that mistakes do happen; clear record keeping will help the SRA decipher between honest mistakes and those that are less excusable.
Colleagues will need to keep records/evidence of expenses (for example, duty solicitors having to get taxis to police stations to avoid public transport during the outbreak) perhaps by taking photographs of them and emailing them to their administrative support teams so that they can be processed in accordance with the firm’s expenses policy (and/or billed promptly to the client as a disbursement, as opposed to when normality resumes which may well be months away). For those individuals without a work phone, they will want to keep a record of work calls made using their personal phone package. Likewise, colleagues may wish to buy computer screens or office supplies to enable them to work more comfortably from home. Firms will need to consider whether their existing policies cover such eventualities or whether interim policies will need to be introduced to ensure fair and efficient work patterns at home.
The Code for Individuals at paragraph 3.5 makes clear that when supervising others in the provision of legal services, practitioners remain accountable for any work conducted on their behalf. Delegating work does not, therefore, break the chain of personal accountability. Practitioners must exercise their professional judgement as to whether the individual to whom they have delegated is sufficiently experienced and able to complete the work in question. When working remotely, it is important that regular supervision meetings still continue to ensure close monitoring of work and workloads to act as a check on standards and the quality of output. Although not in the office, partner visibility is important to ensure juniors feel able to raise questions and concerns and to encourage open and frequent communication channels.
The need for electronic signatures for, amongst other things, letters, court documents, and bills (to ensure they are enforceable) is something to add to the checklist; whilst there is not a one size fits all solution, firms should consider their own approaches and policies on the signing of documents, to ensure they are workable and adequate for remote working and amend these if necessary.
With the announced closure of schools for most children, and the inability to rely on older family members to assist with childcare, the demands on working parents is a consideration that should be high on the agenda for firms. Encouraging colleagues to communicate any particular stresses on their time and working environment will be key. Discussing flexible ways of working and the ability to share work and personal commitments during the day will help colleagues feel supported and ensure efficient work patterns.
Any existing policies on working from home/flexible working may need to be revisited.
A comprehensive, and ongoing, review of all existing policies and procedures to ensure their adequacy in dealing with the various issues arising from the current situation as they occur should be considered. Additionally, clear internal communications should be issued, reminding colleagues of the existence and availability of a firm’s policies and procedures and any amendments made to them.
Many firms will have established tried and tested procedures to enable remote working for their employees as the push for agile working in the legal sector has intensified over recent years. Whilst firms are likely well equipped for this large-scale change in working practices for, what seems to be, the foreseeable, the importance of reviewing and improving systems in this context to ensure continued compliance with regulatory obligations will help achieve one of the ultimate aims during this difficult time; to ensure, as far as possible, that it is ‘business as usual’.
A shorter form version of this blog was published by Legal Week on Friday 20 March.
Jessica Clay is a Senior Associate in the Regulatory department and specialises in legal services regulation, with a focus on regulatory compliance, legal ethics, investigations and public law matters.
Charlotte Judd is an Associate in Regulatory department and assists and advises on matters including defending regulated individuals, organisations and corporates; advice for regulators and public bodies and legal services regulation.
Skip to content Home About Us Insights Services Contact Accessibility