As a consequence of Covid-19, law firms have made a wholesale shift to remote working. This creates risks with regard to data and documents, including confidentiality and security.
The SRA will expect firms and individuals to have adequate measures in place in this new working environment to keep client information confidential. Accordingly, it is important that individuals are reminded of the steps to be taken to mitigate the risks posed, whether this is via training, risk bulletins or updated protocols on remote working.
Security and confidentiality
Individuals working on networks that are not secure and that can be accessed by others pose security and confidentiality risks. In order to mitigate these risks, an individual's home router and wi-fi network should be secured via adequate password protection (default passwords set by manufacturers can often be found online and their use risks routers being compromised). The router's software should also be updated regularly.
It is important that individuals are reminded that they must only work on client matters via a Virtual Private Network (VPN) or a secure digital workspace operated by the firm and should not send client data or documents outside such systems – for example, to personal email addresses – or save documents locally on personal devices. If documents are saved locally, there is a further risk that they may sync automatically with any cloud storage in use on the device.
The use of personal devices in and of itself also poses risks, particularly if they are shared devices. This means that it is important that ground rules are in place with regard to their use. If personal devices are shared, separate passwords for access by different individuals should be implemented. Personal devices will also not necessarily have the controls and detectors installed as standard on firm systems. To limit the risks, such devices should have up-to-date anti-virus software protection and adequate firewalls. Operating systems will typically have in-built firewalls but they may need to be enabled. Software updates also need to be installed regularly. Without such steps, there is a risk of delivering malware into the office network or allowing client data to leak out.
Meetings have been replaced by video-conferences. Concerns have been voiced about the way in which some forms of video-conferencing may lack sufficient security and/or encryption, meaning they can be recorded and hijacked. Such products are also not necessarily available under licences that include GDPR-compliant terms limiting or protecting the use of data, which means that their use will not necessarily be subject to any contractual protections.
The use of such platforms creates risks but the following steps may limit them:
- The application of a password to the video-conference;
- "Locking" the video-conference where applicable;
- Disabling any "recording" functionality;
- Not using any "upload" functionality to share documents or data with other participants;
- If a screen is to be shared, disabling email notification pop-ups to ensure that confidential information is not inadvertently displayed to others;
- Using pre-agreed code names when referring to clients, matters, third parties and any other confidential or sensitive information;
- Verifying the participants: if a new connection enters, the identity of the attendee should be confirmed.
On the issue of listening in, it is also important to bear in mind that devices such as "smart" speakers may record confidential discussions and should be turned off when an individual is working.
The "low-tech" risks that firms face from remote working should also not be overlooked:
- Individuals may share accommodation with people who work for other firms or for commercial entities with potentially conflicting interests. Individuals need to bear this in mind and ensure that any phone or video calls cannot be overheard; computer screens cannot be seen and are locked when unattended; and hard copy documents are secure when not in use.
- The removal of hard copy documents from the office environment creates a heightened risk of data breaches and loss of confidential information. It may also contravene Service Level Agreements / Outside Counsel Guidelines, which may prohibit confidential information being removed from the office, or permit it only with prior approval. It would be prudent for a log to be maintained of any files removed. Temporary exemptions to applicable restrictions in Service Level Agreements may also need to be requested from clients.
- Individuals should be encouraged to work digitally where possible. However, it is necessary to balance the risks from printing documents against the issues that may arise from reviewing documents on screen (a known source of claims). If documents are printed, they will need to be transported to the office in due course to be disposed of via secure shredding.
Law firms have long been a target of cyber criminals but the risks are increased when individuals are working remotely and face-to-face verification is not possible. Criminals are also using phishing attacks that exploit Covid-19 concerns and vulnerabilities. Accordingly, it is important that individuals are vigilant and that firms have in place revised verification policies.
While entire firms working remotely creates new and different risks, they can be mitigated to a significant degree via careful ongoing management, communication and training. The people-related risk issues arising from remote working, including supervision, management and mental health, will be the focus of our next briefing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.