The Law Society’s 2015 risk and compliance conference heard that a firm is only as safe as its weakest link. Jonathan Rayner reports.
Be afraid. Be very afraid. ‘The typical cybercriminal is not a spotty teenager,’ Francis Dingwall warns delegates at the Law Society’s 2015 risk and compliance conference. ‘He is every bit as professional as we are.’
The information commissioner is ‘concerned about lawyers’, says Alison Matthews, reminding delegates about a recent £70,000 fine imposed for the wrongful release of personal data online. ‘Beware bogus firms,’ SRA chief executive Paul Philip cautions. ‘There were more than 700 reports to the SRA of bogus firms in 2014.’
This is not paranoia. There is nothing delusional about the threat faced by law firms in the digital age. ‘Amazon spends millions on digital protection,’ Tony Flaherty points out, ‘and so cybercriminals go for Amazon’s smaller suppliers as soft targets. Don’t let your firm be a soft target.’ If you were not nervous about hacking and data loss before this conference, then you will certainly have left it looking over your digital shoulder. ‘All laptop computers should be encrypted,’ another speaker insists, ‘before they are stolen from the back seat of a partner’s car.’
The SRA’s Philip gives the keynote address. ‘Thirty per cent of Solicitors Disciplinary Tribunal cases concern the misuse of clients’ money,’ he notes. He goes on to blame the problem on firms’ failure to train and supervise staff adequately and on poor controls and recording systems regarding who can access client accounts. ‘It’s simple really,’ he says. ‘It’s not your money so don’t touch it.’
Philip moves on to anti-money laundering (AML). ‘The SRA is conducting a programme of AML visits to 500 firms,’ he says, ‘and one in 10 of those firms needs a second visit. That’s very worrying.’ It is so worrying, he adds, that it has prompted the international Financial Action Task Force on money laundering to come to the UK soon and inspect the legal profession. He concludes: ‘The ball is in the profession’s court. And always remember you are an officer of the court.’
Matthews, of Alison Matthews Consulting, begins by reminding delegates that the Data Protection Act (DPA) provides a range of safeguards and protections for personal data. ‘But don’t concentrate exclusively on the DPA,’ she warns. ‘Operating in silos does nobody any favours. Data protection should work closely with information security and information technology. A joined-up approach is best.’
She recalls that in August 2014 the information commissioner issued a formal warning to lawyers ‘given the sensitive nature of the information held by firms’. She stresses that due diligence poses a ‘huge challenge’ to firms. ‘How well do you know your suppliers?’ asks Matthews. ‘Expert witnesses and counsel – how good is their data protection? What contracts have your business development people signed the firm up to?’ She urges firms to undertake a data audit ‘to identify just what data you hold’.
Effective data protection needs an effective ‘compliance culture’, Matthews says, one that has ‘buy-in from senior management’. No member of staff should be ‘too scared or embarrassed’ to come forward and report data breaches. ‘That applies to all staff,’ she emphasises.
‘Every member of staff must be trained. You cannot have a secretary talking in the lift about a bad client or a paralegal discussing a transaction on his mobile phone while on the train. How do you vet cleaners? Contractors must have identifying badges. You must be alert for “tailgating”, when someone slips through the entrance door after a genuine member of staff has gone through it. Be willing to challenge a stranger, even if he or she turns out to be a newly appointed partner.’
Matthews concludes with a litany of the seemingly routine that can go dreadfully wrong. The litany includes sending medical records to the wrong client, addressing a letter incorrectly, files or laptops lost, confidential waste not shredded and the wrong recipients copied into emails. ‘Such mistakes,’ she says, ‘can cost the firm a fine of up to £500,000 and also have a devastating reputational impact. Train everyone, even partners, and make sure you have a robust disaster recovery system in place.’
Delegates are next warned about the dangers of social media and the threat of the wrong messages going viral within minutes of being sent. JE Consulting’s principal Jo Edwards says: ‘More than 50% of the adult population of this country has a social media account, as is evidenced by the increasing number of cases in employment tribunals where social media is cited. There has also been a rapid rise in cases of online libel and cyberbullying.’
Social media can play a positive role in marketing or raising brand awareness, says Edwards, but there are also real dangers: ‘Do all staff know what is appropriate or otherwise to post online? Do any staff have access to the firm’s social media site after hours – when they are in the pub, perhaps? Are employees allowed to use social media during working hours? Law firms need a policy for online reputation management that protects the brand and gives clear guidelines for employees.’
The Gazette next sits in on a workshop session given by Tracey Calvert, a director at Oakalls Consultancy, on the impact of financial instability on compliance culture. ‘Financial instability is often linked to the dishonest use of client money and is at the root of risk to the public interest,’ says Calvert. She urges compliance officers for finance and administration (COFA) to be alert for signs of financial instability, such as the inability to pay debts, poor standards of service and key individuals leaving the firm.
Another sign is lack of transparency, where just an ‘inner circle’ of top management has access to the accounts. COFAs should never be blocked from auditing the accounts, she says, but should be able to look at the figures on a regular basis, checking for tell-tale risks such as partners’ drawings exceeding profits. ‘A firm is only as safe as its weakest link,’ says Calvert.
‘COFAs should do all they can to foster accountability and a reporting ethos. They should be given the freedom to spot trends and pinch points and identify unprofitable teams. They should also be able to monitor overheads and ask what contracts are not delivering value for money.’
Calvert tells delegates that planning for compliance, including finance management, is time well spent. ‘A culture of compliance is reassuring for clients and helps attract the best new recruits,’ she says. ‘It gives an unambiguous message to staff. And it tells criminals to steer well clear of your firm.’
The conference opens up to the floor with a discussion, chaired by Pearl Moses, the Law Society’s lead consultant on risk and compliance, of hot topics for the year ahead. Moses’ colleague, Joseph Torgbor, reminds delegates that compliance applies to everyone working at a law firm. He calls for improved training for support staff, ‘who carry out a lot of work before a matter even arrives on a lawyer’s desk’.
Calvert, who spoke earlier, points out that partners and postroom staff need different levels of training around client confidentiality and AML: ‘But all need to live and breathe what they have learned, rather than hearing about it on their induction day and promptly forgetting it.’ Lead Law Society finance and accounting consultant Prashant Joshi cautions against ‘throwing the baby out with the bathwater’ and making ‘scapegoats’ of the accountants.
A more fruitful approach, he suggests, is to have a ‘client wash-up’, which is an informal debate with the client and colleagues after the transaction is completed to discuss how well (or otherwise) the case was handled. ‘This is an improvement on paper feedback forms,’ he says.
The conference begins to draw to a close with a presentation, ‘The mind of the cybercriminal’, from Dingwall, a partner at legal regulation firm Legal Risk. He says that most corporations are alive to the risk of cybercrime, with the result that criminals have to spread their nets wide to find a weak spot in their defences. Law firms, often without the resources to install state-of-the-art protection, can be a back door to the corporate information they seek.
Ironically, old-fashioned paper, says Dingwall, can be a ‘pretty secure’ way of storing and transmitting data. ‘You can lock it up in filing cabinets behind locked doors,’ he says. ‘You can also destroy it by shredding the documents. But it is slow to transmit and expensive to store. Electronic storage and transmission, however, is portable, convenient, fast, and data can be manipulated and shared. But the price you pay for convenience is insecurity. Electronic data can be hacked, copied remotely or intercepted.’
Dingwall goes on to identify two contrasting demographic types that pose different – but equally serious – threats to a firm’s digital security. On the one hand, he says, there are ‘digital immigrants’, who are people born before 1985 and who find much of the technology ‘a bit baffling’. In contrast, ‘digital natives’, he says, born post-1985, are comfortable with the technology, but ‘treat data very liberally with no respect for privacy’.
Both groups are potentially dangerous to a firm, he stresses, unless carefully trained. Is there no hope for law firms? ‘Establish defensive layers of protection,’ asserts Dingwall. ‘Identify the risk, evaluate it, manage it. And when there’s a breach, tell it early and tell it all.’
The final word is left to the Law Society’s information security manager, Tony Flaherty. He quotes a 2014 Department for Business, Innovation & Skills survey that found that 81% of large organisations suffered a security breach in 2014. Awareness of the risks is a potent weapon against a cyber-attack, he says, but people are often ‘too busy doing their day job to bother or they think it’s not their job, it’s IT’s job’.
Flaherty concludes: ‘Hackers are constantly finding new ways around our defences. Staff training should be mandatory, accessible and entertaining. There should be an awareness programme for all staff. And senior management must buy into it. No excuses, no delays.’
The Law Society’s Risk and Compliance Service helps COLPs, COFAs and others with risk management responsibilities in a variety of ways.
Jonathan Rayner is Gazette staff writer