As law firms grapple with the challenge of new ways of working during the COVID-19 pandemic, it is important to ensure regulatory compliance, as well as the safety of employees and maintaining client service. Information security and supervision standards for example remain critical planks of a firm’s regulatory obligations no less in these difficult times.
So what are some of the key regulatory risks law firms face in respect of COVID-19 and how can these be tackled?
Hard copy documents/removable media
Remote working increases the risk of data breaches and loss of confidential information through hard copy documents being transported and kept at home, rather than in offices with the necessary systems and controls in place. Colleagues should work digitally wherever possible and be advised against working from hard copy documents and minimising the need to make handwritten notes of calls or virtual meetings they attend – typed notes should be encouraged.
If working digitally is not possible, for whatever reason, transporting and storing documents in a locked receptacle should be compulsory. Employer firms should also remind lawyers to keep their working environment as secure as possible, by setting a home security alarm and closing windows when they go out for example. Likewise, the use of removable media to transport data should be discouraged and, where such media is used, the importance of the relevant device being encrypted must be clearly communicated.
Data security generally
Of course remote working introduces data security risks beyond inadvertent disclosure or loss of hard copy papers/removable media. Laptops should be encrypted and firms should have a system to track devices and delete data from tablets and phones remotely if they are lost or stolen. The Solicitors Regulation Authority (SRA) also recommends two-factor authentication for email and log-ins, where possible.
Colleagues should be reminded to work in private environments where conversations of a confidential nature cannot easily be overheard and computer screens cannot be easily seen by third parties. The importance of locking computer screens when unattended (even within one’s home) should be reinforced.
Likewise if virtual meetings are held, the ability to ‘share your screen’ through providers such as Skype for Business should be used with caution especially if external parties are involved. Password protected attachments to emails (with the password being provided separately) are advisable.
If colleagues are using public wifi hotspots they should be reminded these can be unsecure and vulnerable to hacking.
Being away from the office should not lead to a relaxed attitude to the importance of one’s regulatory obligations. Individuals should be aware that they are responsible for the professional judgement they exercise when working at home and that the various discussions and decisions taken on a particular case, for example around disclosure or potential conflict points, should be carefully recorded. This should include reasoning for why they have chosen to act in a certain way, so that they can justify their decisions, should they need to, in the future. The SRA’s Enforcement Strategy recognises, however, that mistakes do happen; clear record keeping will help the SRA decipher between honest mistakes and those that are less excusable.
The SRA Code for Individuals at paragraph 3.5 makes clear that when supervising others in the provision of legal services, practitioners remain accountable for any work conducted on their behalf. Even when working remotely, it is important that regular supervision meetings still continue to ensure close monitoring of work and workloads to act as a check on standards and the quality of output. Although not in the office, partner visibility is important to ensure juniors feel able to raise questions and concerns and to encourage open and frequent communication channels.
Many firms will have established tried and tested procedures to enable remote working for their employees as the push for agile working in the legal sector has intensified over recent years. Therefore whilst firms are mostly well equipped for the large-scale change in working practices that the COVID-19 pandemic has precipitated, they would still be well advised to remind partners and their employees of their security and supervision policies and procedures.
The new SRA Codes for firms and individuals apply no less stringently during this difficult period and the SRA will expect the highest standards to be followed and maintained even with a reduced workforce or one that is working remotely.
Jessica Clay and Charlotte Judd are members of Kingsley Napley’s regulatory practice.