In the first edition of this newsletter a year ago, we looked at how risks can emanate from the most unpredictable sources. We highlighted two areas of risk - handling of confidential/privileged client or third party data and potential regulatory action arising from breaches of the Solicitors Accounts Rules. Those risks still remain of concern to the profession.
Last year we reported on the decision in Vidal-Hall & Ors v Google  EWCA Civ 311. The Court in this case held that where a data breach had caused anxiety and stress, but not financial loss, the Claimants were still entitled to compensation. Because law firms hold a significant amount of sensitive data on behalf of their clients and third parties, we were concerned that Vidal-Hall might give rise to a new source of claims. We understand, however, that the appeal was withdrawn following agreement between the parties, but this was quickly followed by the Panama data leak. This case, which involved the law firm Mossack Fonseca, has been a wake-up call for many and highlights the vulnerability of storing confidential data electronically. Professional advisers should reflect on the reputational damage they may cause to themselves and their clients if a leak were to occur.
The risk of cyber attacks, giving rise to significant data breaches, shows no sign of abating. In the UK Government's 'Cyber Security Breaches Survey 2016', which was published in May, 65% of large companies reported that they had detected a cyber security breach or attack in the past year, with 25% of these experiencing a breach at least once per month. The survey found that, despite this, only 69% of businesses consider cyber security a high priority for senior managers. In the case of small businesses, only 22% of their staff have had cyber security training in the past 12 months. This is concerning as it is often administrative staff who fall prey to cyber scams.
Our advice remains the same as it was a year ago. Data and client money should be held securely, encryption should be used where appropriate, mobile devices should have security features and all staff should receive appropriate training. In the event of an attack, prompt notification to Insurers is paramount.
Breach of the Solicitors Accounts Rules
In the case of Fuglers, the SRA successfully demonstrated to the SDT that the firm had breached the Solicitors Accounts Rules by allowing its client account to operate as a bank account. The deposit of funds in a client account by a client must relate to an underlying transaction or must form part of a "service" which a law firm would normally offer. If it does not, the firm will be in breach of Rule 14.5 of the Solicitors Accounts Rules, which can lead to severe sanctions and reputational damage.
We predicted that the SRA would bring proceedings of a similar nature against firms for breaches of the Solicitors Accounts Rules and that its success in Fuglers would be a blueprint for action against other firms. Unfortunately for the profession, this has proved to be correct.
Firms will have to continue to focus on external threats to their security.
The importance of appreciating these risks is compounded by the fact that often a standard professional indemnity insurance policy will not respond to all of the financial consequences of a data breach and in many cases will not respond at all to regulatory proceedings brought by the SRA.
For risk partners, it is all the more important that firms focus on training, supervision and effective risk management and planning, in particular in these areas.