General Data Protection Regulation
Anyone thinking they have had a soft landing since GDPR came into force last May needs to remain alert. Heightened awareness of consumer rights has resulted in more complaints to the Information Commissioner’s Office (ICO) and an increase in data subject requests. Requests are also increasingly being used as a tool in employment and partnership disputes, as a way of obtaining pre-action disclosure. Law firms can expect to see this impact on both their client work and their own business affairs.
Meanwhile, businesses have made significantly more breach reports to the ICO. What will the primary cause of law firm data breaches be? Hacking and ransomware attacks by foreign states? Possibly, but far more likely are the mundane causes closer to home – emails sent to the wrong person (the largest cause of legal sector breaches, according to ICO statistics), or files left on trains or in coffee shops.
A problem for firms is the proliferation of documents replete with special category (sensitive) data in large areas of their work, such as medical records in personal injury or clinical negligence cases (often copied multiple times for instructions to experts and counsel), court bundles and so on. With every copy, the risk of a data breach increases. Who knows what becomes of the court bundles at the end of a case?
We should expect action from the ICO in the more egregious cases. But if that happens, it will not be the end of the matter, as the Solicitors Regulation Authority will doubtless feel bound to act as well.
The legal profession has been in the spotlight since the Panama Papers were published and that glare is likely to increase. Investigative journalists are continuing their efforts, and the fact that matters under investigation date back years, when compliance requirements may have been far less demanding than now, may provide little comfort to a firm in their sights.
The profession is under relentless pressure from politicians and law enforcement officers who perceive, rightly or wrongly, that lawyers (aka ‘professional enablers’) are at the heart of the problem.
Inevitably, therefore, regulation of the profession and enforcement will be ramped up. The SRA is under scrutiny from its own regulator, the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). So expect the pain to be shared. Many firms have yet to do risk assessments, despite it being 18 months since the passing of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
Regulation 21 requires a firm, ‘where appropriate with regard to the size and nature of its business’, to establish an independent audit function. Many larger firms have yet to do so; an SRA visit may be only around the corner. Expect policies and procedures to be examined critically. Be cautious about over-engineering processes, because you may be held to a higher standard than firms which have not set themselves such demanding requirements.
Claims and insurance
The pattern of recent years – a fall in claims by number, but more high-value claims – will continue. There is a perception of more large corporate claims. We have also seen a large number of high-value claims from failed investment schemes, particularly student lets and hotel schemes, where we have been advising on a variety of coverage issues. Insurers have suffered heavy losses from such schemes.
Aggregation, by which insurers may in effect treat multiple claims from similar causes as subject to one policy limit, is an increasing issue: some firms have found themselves tens of millions of pounds short on cover due to this.
Expect the insurance market for solicitors to contract. The Lloyd’s market is nursing losses of £2bn, and the economy may be affected adversely by the uncertainty over Brexit (and there have been reports of falling house prices). Historically, a poorly performing economy has usually been followed by increased claims.
While I am a practising solicitor not an insurance broker, there are reasons to suspect that some firms may find it difficult to obtain cover even though their claims record has not been bad. If they have been involved in areas of practice where insurers have seen heavy claims, insurers may prefer to offer terms to the easier risks and put the others into the ‘difficult pile’, from which they may not resurface.
The new SRA Handbook, renamed ‘SRA Standards and Regulations’, will provide challenges. It may be shorter but much guidance will follow.
For solicitors there is a risk that where the rules are unclear, conduct will be judged with hindsight. It is all too easy for a regulator to say that guidance published from time to time merely reflects what the position always was – as indeed the SRA did when it beefed up the guidance on independence in 2009.
Permitting solicitors to practise in unregulated firms will give rise to new risks (and scams), as many have predicted. While it may also give rise to opportunities, I doubt they are as good as the SRA appears to believe. For firms already practising, any perceived savings on professional indemnity insurance will simply not be there, once account is taken of the cost of run-off, or, if they continue to operate a regulated firm, the assessment of premiums based on past fee income.
The year ahead offers many challenges, but historically the profession has generally been quite resilient. The majority will doubtless still be here for the start of 2020, if slightly older and more weary.
Frank Maher is a partner at Legal Risk in Liverpool