Jessica Clay explains how you can continue complying with your regulatory obligations during lockdown
The SRA Standards and Regulations (StaRs) may have had a mixed reception since their launch in November 2019, but they have certainly provided an opportunity to take stock of how you practise and introduce essential steps to ensure ongoing compliance with your regulatory obligations.
Little did we know then that the coronavirus (COVID-19) pandemic was coming and was set to test our systems and processes. We rely upon them and they have the potential, when they underperform or malfunction, to impact our ability to comply with our regulatory obligations.
While COVID-19 inevitably still gives rise to a sense of uncertainty, many now feel much more comfortable working remotely. But, as is often the case with anything that becomes comfortable, there is an associated risk of complacency. So while, at the start of lockdown, there was certainly an element of ‘survivor mentality’, resulting in heightened awareness, there is now a danger that as this wears off, you could leave yourself exposed to some fundamental risks in respect of complying with your regulatory obligations.
StaRs – the relevant provisions
Within the Solicitors Regulation Authority’s (SRA) regulatory arrangements, there are key provisions to be aware of when considering how best to comply with your regulatory obligations – and which might be engaged in the event of non-compliance.
- Principle 7 – you act in the best interests of each client.
- Principle 2 – you act in a way that upholds public trust and confidence in the solicitors’ profession and in legal services provided by authorised persons. (This principle is only likely to be engaged in the event of much more serious non-compliance with your regulatory obligations.)
SRA Code for individuals
The SRA Code of Conduct for Solicitors, RELs and RFLs (the code for individuals) includes the following rules.
- Paragraph 4.2 – you safeguard money and assets entrusted to you by clients and others.
- Paragraph 6.3 – you “keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents”.
For those with supervision responsibilities, paragraphs 3.5 and 3.6 are also key. These state that where you supervise or manage others providing legal services, you are accountable for their work and must effectively supervise their client work. Additionally, you need to ensure that those you manage are competent to carry out their role, and keep their professional knowledge and skills – as well as their understanding of their legal, ethical and regulatory obligations – up to date.
It is also worth remembering that your employer has a responsibility to you under the SRA Code of Conduct for Firms to have in place effective governance structures, arrangements, systems and controls that ensure you can comply with your regulatory obligations (see paragraph 2.1(b)).
The risks in working remotely
What are some of the key risks you might face during the COVID-19 lockdown, and in trying to comply with your regulatory obligations?
Documentation and removable media
While offices slowly reopen as lockdown eases, many lawyers continue to work remotely.
The increased risk of data breaches and loss of confidential information (through hard copy documents being transported and kept at home, rather than in offices with the necessary security, systems and controls in place) is inevitable.
You can minimise this risk by, wherever possible, working digitally and avoiding hard copy documents. This includes taking fewer handwritten notes during phone calls or virtual meetings; instead, consider typing contemporaneous notes or, where this is not possible or preferable, seeking support from colleagues to do this on your behalf. Should detailed meeting notes or the compiling of electronic bundles be needed, this might require you to expand your team for a particular client to include administrative support or input from colleagues with an advanced technological skill set. This is not necessarily a cost that you will be able to justify passing on to your client, so bear that in mind along with how this sits with your obligations to the client, including costs information.
If working electronically in this way is not possible, consider transporting and storing documents in a locked receptacle. If you have supervision responsibilities, you may want to stipulate the types of lockable storage you would prefer individuals to use, wherever possible. For example, a large lockable filing cabinet or lockable drawer within a desk is likely to be harder to steal than a portable lockable rucksack. Where this is not possible, remember (and remind others) to keep your working environment as secure as possible, by setting a home security alarm and/or closing windows when you / they go out. These are basic steps you can take to minimise the chances of confidential information being mislaid or stolen. Likewise, avoid using removable media to transport data or, if you cannot, ensure the device is encrypted.
Finally, if you have not done so already, you may want to consider notifying parties with which you have previously corresponded or which have relied upon service by post, that, wherever possible, correspondence should be electronic only. While this might not apply to everyone, it should help manage the associated risks of not receiving key documents and communications, such as missing key deadlines.
Data and cybersecurity generally
Remote working introduces further risks to data security beyond inadvertent disclosure or loss of hard copy papers / removable media.
Think about your day-to-day ‘home office’. Where necessary and possible, try to work in a private environment where others cannot overhear your confidential conversations. If you share your working space, think about wearing a headset, so at least one half of your conversation – importantly, the half you have no control over – cannot be heard. The same caution applies to your computer screen and making sure its content is not visible when it should not be. It is quite easy to overlook the importance of locking your computer when it is unattended (even at home).
Equally, try to avoid predictable passwords, consider using password managers and ensure you update your password regularly. Re-boot your computer and run updates regularly, so that your antivirus software remains effective. The SRA also recommends two-factor authentication for email and log-ins, where possible.
In the past, working from home did not always mean literally ‘from home’. This will become much more relevant as lockdown measures ease and public spaces, such as cafes, open up. Accordingly, always remember that public wifi hotspots can be insecure and vulnerable to hacking, and it is hard to prove to whom a hotspot belongs. The SRA advises that in most cases, modern websites (using HTTPS) will protect you from risk. Also, remain alert to phishing and other scams, as fraudsters are exploiting this situation to attack both vulnerabilities in systems and also any drop in our alertness levels. This could lead to data loss or unlawful access to client funds, resulting in serious non-compliance with your regulatory obligations.
Due to difficulties in contacting individuals on office phone numbers or the limited availability of support staff to contact individuals on behalf of lawyers, you will most likely need to send more emails than normal. Likewise, sharing a confidential document will now most likely be done via email. So always remember to verify email addresses by independent means wherever possible, and to password-protect attachments (with the password being provided separately), to best protect against potential breaches, which could lead to you failing to comply with your regulatory obligations.
The ability to ‘share your screen’ through Skype for Business and Zoom should also be used with caution and, in some circumstances, limited to internal meetings. Colleagues should be advised to ensure only appropriate material / data is shared with the parties attending a particular meeting or call. Disabling email pop-ups is one precaution worth considering, so that confidential information is not inadvertently displayed to others while screen-sharing. Also, make sure if you are heading into separate ‘Zoom rooms’ that this has worked, and you have verified all attendees before starting to discuss anything confidential.
The themes of accountability and exercising your judgement pervade the StaRs. This could not be clearer than in the introduction to the code for individuals, which states that you “must exercise your judgement in applying these standards to the situations you are in and deciding on a course of action, bearing in mind your role and responsibilities, areas of practice and the nature of your clients”. It goes on to state that you are “personally accountable for compliance with this Code – and our other regulatory requirements that apply to you – and must always be prepared to justify your decisions and actions”.
The SRA Code of Conduct for Firms further emphasises the breadth of staff accountability. While noting that any serious breach(es) or failure to meet the standards may lead to regulatory action against the firm, its managers or compliance officers, the code also notes that action might be taken “against employees working within the firm for any breaches for which they are responsible”.
This makes it very clear that wherever we are working, we remain accountable for our actions and we also need to be able to justify why we have acted in a certain way. It is also a reminder that working remotely should not lead to a relaxed attitude towards one’s regulatory obligations. You should be aware that you are responsible for the professional judgement you exercise, and that any decisions you make on a case, particularly on complex issues where you could have arrived at a different outcome, should be carefully recorded. This should include reasoning for why you have chosen to act in a certain way, so that you can justify decisions, should you need to. The SRA’s enforcement strategy recognises, however, that mistakes do happen; clear record-keeping will therefore help to decipher the difference between honest mistakes and less excusable ones.
While networking was perhaps the furthest thing from our minds at the start of lockdown, we have started to explore innovative ways of running virtual networking events. So, if you are responsible for organising and paying for these, make sure you record expenses and these are processed in accordance with your firm’s policies. One practical suggestion would be to photograph these and email them in to be processed.
While there may seem a lot to consider, most of these measures are ones that we should all aim to have in place, regardless of where we are based. This becomes even more relevant if, as seems probable, remote working becomes a more regular feature of our working lives.