We are all probably experts now in remote working, but confidentiality risks need to be reassessed into law firms’ revised working methods. The practical tips outlined below may help law firm leaders alleviate any client concerns whilst ensuring productivity is maintained and leading their firm effectively.
How are your systems adapting to the challenges of remote working? Is everything safe in a nice secure IT infrastructure, so the days of paper files and storage problems are long gone? Hopefully.
The media recently reported that that US firm Grubman Shire Meiselas & Sacks was targeted by hackers, with 756 gigabytes of data taken and a ransom demand allegedly received. This serves as a timely reminder of the risks: data has value and the risks of data security are ongoing.
What technology are you using?
It is worth law firms taking stock of the working practices adopted during the Covid-19 pandemic by individuals in their team. Are they uniform or do they vary? I was talking to lawyers in the same firm who preferred different video conferencing software and different instant messaging apps to communicate within their teams, but this meant that the security features differed, and they had not noted the differences. Firms should be setting the standards expected, training their team to be consistent, and monitoring the risks on an ongoing basis.
The ethos of the SRA Standards & Regulations 2019 (STaRs) introduced last November is to enable solicitors and law firms to exercise their professional judgement to put in place appropriate measures for themselves in the context in which their business operates and to empower the professional to do the right thing against the Standards. As the SRA’s resources introduction to the rules states: 'They [the STaRs] also put more trust in your professional judgment and give you more choices over how and where you work.'
Confidentiality is a core professional obligation on law firms so how do you show you have led the firm to achieve it?
Ask your team to confirm which systems they are using
Sharing best practice is a great way to learn from each other. You can identify what people are doing well and ensure the guidelines of the firm reflect the risks and benefits of using, for example instant messaging, email, screen sharing and video tools. Processes such as preparing court bundles can be automated, but who knows which system to use? A 'hints and tips' guide is a great way to help everyone make the most of their firms’ technology, and highlight the systems you wish to avoid due to their security defects or the chance that things could go wrong. For example, I would not use Instagram to send a message to a client, but I might use messaging services Signal or WhatsApp due to their end to end encryption.
Leadership – set the standards
Encourage your team to remain alert about confidentiality in a different working environment and set out the expectations you have as a firm. Law firm leaders should lead by example on the standards expected.
Consider having an authentication process for devices accessing your firms’ systems, such as a 2FA (two factor authentication). Various forms exist, including a token or dongle, which many banks use, as well as a password or some other unique feature such as location or multiple passwords. The key is - it is beyond a single password.
Remind everyone of the risk of clicking on links and opening attachments which could be a scam.
Where are people working?
Consider conducting a risk assessment of the working location of your staff. For example, can they speak confidentially all the time or only by appointment?
If people need to be talking on the phone or via video platforms in a shared house - this can be easily resolved by the employee using a headset to ensure calls cannot be overheard.
Does your system lock people out if the device is not accessed for more than a few minutes? Your IT team can set up automated lock outs. The appropriate time limit may vary from when you are in the office.
Do you have secure email? This encrypts email to the end user and could help protect data by ensuring a password is required to open the email if it contains sensitive material such as medical notes or financial details. The password should be shared by a different messaging method i.e. WhatsApp or Signal message.
Are the firewalls and anti-virus software up to date? When accessing a laptop's video camera does the security software check with you that this is permitted?
Do your devices have encryption? If so, it should be set up to encrypt everything as devices outside the office are more prone to being lost or stolen. For nearly a decade I have used an example of a QC having had a laptop stolen from home as a case study in my data protection training material. It is not just your own actions but the actions of other people which impact on data and its loss.
Most devices can be remotely locked and encrypted. Firms should consider putting this is in place now, because as we start to move out of lockdown it is likely that those devices will be in public areas and more prone to loss or theft as we travel in the new environment – perhaps whilst distracted by social distancing.
Many law firms will already have had in place arrangements to protect client information for remote workers in normal times. In the Covid-19 era the landscape has changed, so those job functions and personnel coming to the challenges without that existing training and awareness of confidentiality being in-built to remote working will need some guidance and support.
Think through the risks for your particular firm, document the steps taken to guide your team and remind colleagues of the best practices to adopt. Ensure the risks to confidentiality are minimised in the context of your client base.
Paul Bennett is a solicitor and professional regulation partner at Bennett Briegal LLP and a member of the law management section committee of the Law Society. The section are publishing regular updates to support law firm leaders