The current Coronavirus pandemic is posing a considerable headache for businesses across the length and breadth of the UK, and indeed the whole world. Law firms are needing to react quickly to ensure the continuity of their operations. Indeed, this week many Solicitors have been urgently setting up their home offices and implementing restrictions for social distancing. Law firms switching to a home working model do need to be careful, however, that in doing so, they are not inadvertently breaching SRA and data protection rules. While we are in unprecedented times (by modern standards), maintaining standards and quality of service remain vital to ensure public confidence in the legal system.
Switching from an office-based operation to a predominantly home-based setup imposes a number of compliance risks which must be understood and managed.
Data protection considerations
In recent years, law firms have been working hard to ensure that sensitive data is kept secure in accordance with data protection rules and GDPR. Homeworking cannot be allowed to risk the potential breach of client data, and hence measures may need to be considered. For example, if an employee is using their own laptop/computer for work purposes, there is a risk that without the same security and anti-virus protection offered by their work device, client data may not be secure. Where possible, law firms should ensure that the same IT environment as used within the office environment is mirrored for home offices. This includes providing laptops with appropriate security software and ensuring everyone uses VPN connectivity to connect to corporate/office networks while working.
Review your home working policy as a matter of priority to ensure that it is up to date with any measures to ensure accordance with GDPR and data protection laws. This should also include your policy on ‘bring your own’ (BYO) devices to ensure that any computers, mobile phones, tablets used for work purposes are secure and safe to use.
Record-keeping procedures should also be reviewed, especially for more traditional paper-based law firms. Holding private client records at home, unless kept in a secure locked cabinet, may pose a risk of a data breach.
Finally, whereas client matters can be discussed in privacy within an office environment, it is imperative that employees understand that online meetings and telephone calls must be conducted in a manner which does not breach client confidentiality.
Accounts rules, anti-fraud and anti-money laundering
You may also need to review and adapt existing policies, procedures, and processes designed to guard against fraud and money laundering, and to comply with anti-money laundering (AML) and any other relevant legislation. These cannot be relaxed due to homeworking. For example, make sure your procedure for undertaking customer due diligence can still be carried out by a member of staff not physically present in the office.
Homeworking also must not harm compliance with the SRA’s account rules and code of conduct rule 5.2, which requires firms to “safeguard money and assets entrusted to you by clients”. This will entail making sure that working from home does not compromise how client accounts are managed, accessed, and transactions recorded.
Health and safety
Regardless of the reason for working from home, law firms still have an obligation to protect the health and safety of their employees. This includes ensuring that home-based staff receive a health and safety risk assessment to ensure that their working environment conforms with the law. The Health and Safety Executive (HSE) provides specific guidance on homeworking, including how to carry out a display screen equipment (DSE) assessment. This may require you to provide a suitable desk and chair, monitor, keyboard, and mouse, and to ensure they are set up correctly for your workers.
Coronavirus cyberattacks are on the rise
Unfortunately, there are always private individuals and state-sponsored actors who will do all they can to take advantage of serious disruptions such as Coronavirus for their own gain. There are now many reports of criminals exploiting public fears associated with the Coronavirus pandemic to launch cyberattacks. This includes Coronavirus-themed phishing attacks and other scams to steal money and sensitive data. Law firm staff working from home should be aware of the prevalence of such cyberattacks, how to spot them, and what to do if they suspect they have been targeted.
Other SRA compliance considerations
There are many other SRA compliance requirements which law firms need to ensure are not compromised by working from home. From the SRA Code of Conduct for Firms, these include (but are not limited to):
- Rule 1.3 – you perform all undertakings given within an agreed timescale or if no timescale has been agreed then within a reasonable amount of time.
- Rule 2.1 – you have effective governance structures, arrangements, systems and controls in place that ensure compliance with all the SRA’s regulatory arrangements
- Rule 3.1 – you keep up to date with and follow the law and regulation governing the way you work
- Rule 4.3 – you ensure that your managers and employees are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.
It is all too easy to let standards slip in times of crisis, but law firms and professionals need to do all they can to ensure ongoing compliance with SRA and data protection regulations, in the interests of clients, businesses, and confidence in the profession. To achieve this, review the SRA’s standards and regulations to double-check that your firm remains compliant after switching to a home-based working model. Doing so will prompt any gaps or risks to be identified and dealt with. Reviewing the basics will help your firm retain its fundamental standards of service during what is a highly unusual time.
We have been helping solicitors and other legal professionals with professional disciplinary and regulatory advice for over 20 years.