Blogs


Time to audit data compliance?

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing an audit allows an organisation to demonstrate accountability against the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may help to mitigate a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/Gap Analysis

If you haven’t already completed one, it’s a good idea to start with a full audit/gap analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employment and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your processes and controls to provide assurance that your organisation’s policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed? Ask IT to check whether you are holding data that should already have been deleted.
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date? Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?
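One way IT could implement the retention check in the list above, as an added example and not code from the original post or from Teal Compliance: a Python sweep over a constructed CSV export of records. The record categories, retention periods and column names are assumptions for illustration; take the real periods from your own Data Retention Policy. It reports records that are past their retention period, separates out those under a legal hold (which must not be deleted while the hold stands) and flags categories the policy does not cover, which is itself an audit finding.

```python
from datetime import date, timedelta
import csv
import io

# Assumed retention periods in days per record category. These are
# illustrative values for the example, not figures from the page; take
# the real periods from your own Data Retention Policy.
RETENTION_DAYS = {
    "client_file": 6 * 365,
    "recruitment": 180,
    "marketing_consent": 2 * 365,
}

# Constructed sample export (not real data): one row per record with the
# date of last activity and whether the record is subject to a legal hold.
SAMPLE_CSV = """record_id,category,last_activity,legal_hold
R1,client_file,2012-01-15,no
R2,client_file,2018-06-01,no
R3,recruitment,2018-09-30,no
R4,marketing_consent,2016-11-02,yes
R5,unknown_type,2017-01-01,no
"""


def parse_records(text):
    """Parse the CSV export into a list of dicts, one per record."""
    return list(csv.DictReader(io.StringIO(text)))


def retention_sweep(records, today, retention=RETENTION_DAYS):
    """Classify records against the retention schedule as at `today`.

    Returns a dict with three lists of record IDs:
      delete        - past retention and not on hold: should have been deleted
      on_hold       - past retention but under a legal hold: keep, but review
      unclassified  - category has no retention period: the policy has a gap
    Records still within their retention period are not reported.
    """
    result = {"delete": [], "on_hold": [], "unclassified": []}
    for r in records:
        days = retention.get(r["category"])
        if days is None:
            # A record nobody has assigned a period to cannot be enforced;
            # surface it rather than silently skipping it.
            result["unclassified"].append(r["record_id"])
            continue
        due = date.fromisoformat(r["last_activity"]) + timedelta(days=days)
        if due >= today:
            continue  # still inside the retention period
        if r["legal_hold"].strip().lower() == "yes":
            result["on_hold"].append(r["record_id"])
        else:
            result["delete"].append(r["record_id"])
    return result


def demo(today_iso="2019-03-01"):
    """Run the sweep over the sample export as at the given date."""
    return retention_sweep(parse_records(SAMPLE_CSV), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Run as at 1 March 2019 the sweep lists R1 for deletion, R4 as on hold and R5 as unclassified; R3 (recruitment data from 30 September 2018) is still inside its 180 days and drops into the deletion list a month later. The output is a list for the audit file, not a deletion command: the deletion itself should go through whatever approval and evidencing your policy requires, and the backups the ICO guidance mentions later on this page need to be covered by the same review.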

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creating policies/procedures, to carrying out an independent annual audit. This can be done as a stand-alone piece of work or as part of our DPO support service. Get in touch with our experts today.



Teal Tales: Consent for missing CDD information

We get many calls from firms who have unusual compliance queries. They are my favourite calls!

Today’s tale is a common one, and the issue it raises is a common misconception. In fact, we had 2 calls about this on the same day, with similar issues.

“We’re ready to complete, there is a third-party funder, we’ve asked for source of funds information, but it’s not forthcoming. Can I get consent?”

The answer to that question will depend on the facts of each case, and whether there is a suspicion of money laundering.

Quite often in these situations I ask the firm what they are suspicious about, and they will say that the fact the clients are refusing to provide the information is making them suspicious. And that is true.

However, consent (a defence against money laundering) will only be given if there is a suspicion of money laundering, and for there to be money laundering you need to know or suspect that there is criminal property.

So, the next question I ask is what is the suspected criminal conduct, and very often the answer is, “I have no idea” or “I don’t think there is any”.

If the firm cannot set out on the Suspicious Activity Report what it thinks the criminal property is, and the suspected criminal conduct from which it is thought to have come, the NCA is unlikely to accept it as a valid SAR.

Having no idea won’t get you there: you won’t have the relevant suspicion.

If you can’t get consent for missing CDD information, what can you do?

Regulation 31 stipulates that you must not establish a business relationship with someone for whom you can’t complete your due diligence enquiries. So, if you’re in a position that you can’t complete your CDD enquiries because of an uncooperative client or third party, you may need to withdraw.

Many people who contact us about this are concerned about how to explain to their client without telling them they are suspicious. If you don’t already, you should consider setting out your source of funds and wealth policy at the very beginning, explaining to the client the depth you are likely to go to and then if they do not provide the information, you can point to the policy and withdraw from acting.

If you are already in receipt of funds, the situation will be a lot more difficult. You may need to press the client further for the information, and keep returning to the question: do you suspect any criminal conduct?

Get in touch

If you have compliance questions and need help, why not try our Ask Teal service. For more information, contact our experts today.


Mindful policies

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Now, reading the comments, some suggest that this is a clever piece of content marketing to demonstrate the business’s ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partners office and must be returned after use.”

These examples of policies are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things, what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the ways these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect – we never left the photocopier lid up, for example – what does this do for morale and culture? Now this isn’t my area, I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply: that they’ll dismiss the control and work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments the MD of the company with the mobile policy was asked did it apply to him, and he said, he needed his mobile phone on the desk, and he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about how allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the workplace, as people are addicted to them. I don’t disagree with him, but dismissing this as “they can’t restrain themselves, so I am going to threaten them with a ban” doesn’t seem to me to be the best way of tackling it.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies: leave aside for a moment what your intention is, and put yourself in the mind of the reader. Am I saying what I mean? Will they understand why we need it to be this way? Will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

Get in touch

If you’d like help with your policies and procedures, simply get in touch with one of our helpful experts today.



The Data Protection Regulations Amendment 2019

Draft Regulations to create a ‘UK GDPR’ were published by the Government this week to ensure that the UK is ready for Brexit. The Data Protection Regulations Amendment 2019 introduce a large number of technical amendments to the GDPR, the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations 2003 (PECR). The Withdrawal Act makes provision for the GDPR to form part of UK domestic law from 30th March 2019 as a ‘UK GDPR’.

But what does this mean in practice?

  • The text of UK GDPR is fundamentally the same as the GDPR which came into force on 25th May 2018, but it will correct language deficiencies from the European text
  • Extra-territorial application is retained – non-UK controllers and processors that sell into the UK or monitor UK residents online will have to comply with the UK GDPR
  • In some circumstances, non-UK controllers will need to appoint a representative within the UK
  • Previous EU adequacy decisions are revoked BUT the UK will deem EEA countries, EU and EEA Institutions and Gibraltar as having adequacy decisions
  • The ICO will be responsible for standard contractual clauses to facilitate the export of personal data from the UK and will not need EU Commission approval
  • The ICO will continue to be able to authorise new binding corporate rules
  • The ICO will be responsible for any tasks previously undertaken by other EEA Supervisory Authorities for the processing of personal data of UK residents
  • PECR will be amended to align the definition of consent with the UK GDPR

UK based businesses that deal solely with UK based personal data will largely remain unaffected. But if your business deals with non-UK business partners and there is a transfer of UK personal data, then you will need to review carefully whether any of the changes will affect you (don’t worry, Team Teal can help!).

The Regulations still need to be approved by Parliament so watch this space.

Get in touch

If you need help with data protection and GDPR, get in touch with our experts today.



EU-US Privacy Shield and Brexit – What you need to know

After a turbulent few months, the Privacy Shield was re-approved by the EU Commission at the end of last year and with Brexit looming, if you are a Privacy Shield participant there are some steps you may need to take before 30th March 2019 to ensure you can continue to receive personal data from the UK.

I say ‘may need to take’ because it all depends on whether the Brexit Withdrawal Agreement is approved by the UK Parliament. If approved, there is an 18-month transitional period, so Privacy Shield commitments will not need to be updated until 31 December 2020.

However, if the Agreement is not approved then Privacy Shield commitments will need to be updated by 30th March 2019, so it is advisable to start looking at this now.

So what do you need to do?

  • Update publicly facing privacy policies to specifically state that Privacy Shield Commitments extend to personal data received from the UK.
  • If transferring HR data then the HR Privacy Policy will also need to be updated.
  • Maintain your certification by completing an annual re-certification.

If you are a UK business that deals with a Privacy Shield certified business, then you should make sure that they are taking steps to make the relevant changes in time.

Get in touch

If you need help with this or any of the other regulatory compliance changes that are happening this year then don’t hesitate to contact us today.



Ten point plan for IDD compliance

This may appeal to those of you who, like me, are a little lost when someone talks to you about the Insurance Distribution Directive. Let’s start from the basics. The Insurance Distribution Directive (IDD) is a new European directive that has replaced the Insurance Mediation Directive (IMD). It applies to firms who conduct insurance distribution activities and its introduction will change the way relevant firms work. The SRA recently announced the approval by the Financial Conduct Authority and the Legal Services Board of its rules to comply with the directive, reflected in the changes made to the SRA Handbook 2011 on 1 October 2018.

In summary, the Directive aims to enhance consumer protection when buying insurance – including general insurance, life insurance and insurance-based investment products (IBIPs). It also focuses on supporting competition between insurance distributors by creating a level playing field. Like the IMD, the IDD covers the authorisation, passporting arrangements and regulatory requirements for insurance and reinsurance intermediaries. However, the application of the IDD is wider, covering organisational and conduct of business requirements for insurance and reinsurance undertakings. It’s also important to mention that, in order to demonstrate that firms and employees possess the appropriate knowledge to perform their duties, at least 15 hours of CPD a year are required.

In practical terms, ‘insurance distribution’ in the new directive is defined as the activities of advising on, proposing, or carrying out other work preparatory to the conclusion of contracts of insurance, of concluding such contracts, or of assisting in the administration and performance of such contracts, in particular in the event of a claim. That means law firms involved in personal injury, conveyancing and probate will most likely be carrying on insurance distribution activities, e.g. arranging clients’ after the event insurance in a personal injury matter or defective title insurance in a conveyancing matter.

Another important reference is the SRA rules, particularly the SRA Financial Services (Scope) Rules 2001 (Scope rules) and the SRA Financial Services (Conduct of Business) Rules 2001 (COB rules). The specific requirements which relate to insurance distribution activities are set out in Appendix 1 of the COB rules.

Here are 10 steps you may consider when you deal with IDD compliance:

Step 1

Notify the SRA using an FA8 form if you propose to conduct insurance distribution services. The SRA will inform the FCA on your behalf, which maintains a register of firms that includes those carrying on insurance mediation activities. Before submitting the completed form, be sure to provide some basic information: details of your firm’s insurance distribution officer; the identities of shareholders or members that have a holding in your firm exceeding 10%, and the amounts of those holdings; the identities of persons who have close links with your firm, as per the close links definition under Article 13 point 17 of Directive 2009/138/EC; and confirmation that those holdings or close links will not prevent the regulator exercising its supervisory or regulatory functions. Failing to register when required to do so is likely to breach the general prohibition, which is a criminal offence under section 23 of the Financial Services and Markets Act 2000, and you may find that the contracts of insurance arranged for clients are invalid.

Step 2

When appointing an insurance distribution officer, you must make sure that they are competent and understand the terms and conditions of the policies offered, the laws covering the distribution of insurance products, claims and complaints handling requirements, and how to assess a customer’s needs.

Step 3

Make sure that you do not carry on any insurance distribution activities unless you have in place a policy of qualifying professional indemnity insurance. More information about the obligations on you can be found in the SRA Indemnity Insurance Rules 2013.

Step 4

Consider Rule 3 of the COB rules, which sets out the sort of information that you must provide about you, your firm and the services you can provide when arranging insurance, e.g. informing the client that you are regulated by the Solicitors Regulation Authority for this work and the scope of your services, i.e. that you can only carry on insurance distribution activities limited to those not prohibited by the Scope Rules.

Step 5

Set out the information that you will need to give to your clients about any remuneration you receive for arranging the insurance and any fees that might be payable by the client, in accordance with Parts 8 and 9 of Appendix 1 of the COB rules.

Step 6

If you collect a fee from a client, you must disclose the exact amount of that fee (not an estimate or range). If the exact amount is not known, then the method of calculation must be provided. Any information you give to the client must be in a “durable medium” and be fair, transparent and not misleading.

Step 7

In addition to providing information about the status of your firm, you must provide your clients with information confirming that you are an insurance intermediary, as opposed to an insurer, and that you cannot manufacture insurance products; whether you provide a personal recommendation in respect of the insurance products offered; and whether you act on behalf of the client and/or the insurer. If you act for both, you will need to explain in what circumstances you can act for each party, and whether you hold “10% or more” of the voting rights in an insurer (for example, as a shareholder).

Step 8

You must comply with Chapter 1 of the SRA Code of Conduct 2011 and act “honestly, fairly and professionally in the client’s best interests”.

Step 9

Comply with the outcomes in Chapter 8 of the SRA Code of Conduct 2011 by making sure that your marketing communications addressed to clients or potential clients are fair, clear and not misleading. Marketing communications should always be clearly identifiable as such.

Step 10

Ensure you have sent the client a summary document for general insurance products, in the form of an Insurance Product Information Document (IPID), before you conclude a contract. The insurer is required to draw up the IPID, which must set out the key information a client will need to make an informed decision about the product.

Get in touch

If you have any questions at all about IDD compliance, insurance generally or regulatory compliance, then get in touch with one of our experts today. An initial call is always free.



GDPR six months on……

It’s been six months since GDPR came into effect on 25th May. Despite the Y2K-like panic in the run up to May, the world did not come crashing down and, despite some high profile data breaches, the ICO is yet to issue its first fine under the new regime.

But what has happened in the last 6 months and what is still to come?

ICO updates

Over the last six months the ICO have made several updates to their online guidance, including:

  • A more comprehensive and in-depth analysis of what constitutes personal data has been added to the online guide, along with a separate detailed publication
  • Individual sections on each core principle, including guidance and practical examples
  • A significantly expanded section on international transfers
  • A significantly expanded section on the exemptions, including those in schedules 2-4 of the Data Protection Act 2018
  • Updated security guidance
  • New guidance on encryption and passwords for online services

The ICO have also updated their guidance on the right of erasure in respect of backups. They have confirmed that the right also applies to data held in backups, and the updated guidance emphasises the need to ensure erasure from backup systems as well as from live systems. Where erasure from backups is delayed, they maintain the position that it is important to put the data ‘beyond use’ in the meantime. They’ve also finalised the detailed guidance on children and the GDPR.

The ICO have confirmed that the number of self-reported data breaches for the first half of 2018 was more than for the whole of 2017. As a result, the ICO have issued an update to remind organisations that reports only have to be made where the breach is likely to result in a risk to individuals’ rights and freedoms. Organisations are encouraged to call the ICO helpline before making a report – and remember, if you are in any doubt you can always ask Teal Compliance, who are always on hand to help!

Consultations/Feedback

On 12th November 2018, the ICO issued its consultation on the new proposed Direct Marketing Code.

The Data Protection Act 2018 requires the Commissioner to produce an improved code which provides practical guidance and promotes good practice. The new code will only cover the rules under PECR and will only be updated once the new ePrivacy Regulation is finalised. The consultation is open until 24th December.

The ICO is also asking parents, carers and those who work with children to give their views on the draft Age Appropriate Design Code, which sets the standards that must be followed by those who provide online services and apps for children – this consultation is open until 5th December 2018.

Fines/court cases

Whilst we are yet to see the first ‘GDPR’ fine, there have been a number of high profile ICO enforcement actions and some high profile Court cases in the last six months.

WM Morrisons Supermarkets Plc v Various

The Court of Appeal ruled that the supermarket must pay compensation to thousands of employees who were victims of a data breach in 2014. The High Court ruled in 2017 that the supermarket was vicariously liable for this breach, so Morrisons took the claim to the Court of Appeal. Morrisons had argued that they should not be liable for this breach because they had safeguards in place to protect the data. This stance was challenged by more than 5,000 past and current staff. Morrisons have indicated that they will now take the decision to the Supreme Court. This is a stark warning to employers that they can be held vicariously liable for data breaches caused by employees, even if they have appropriate safeguards in place.

Lloyd v Google LLC

The High Court has refused to grant leave to serve a claim form on Google Inc outside the English jurisdiction in relation to the ‘Safari workaround’, which involved Google allegedly using cookie technology on the iPhone Safari browser to obtain browser-generated information about iPhone users between 2011 and 2012 without their knowledge.

ICO Prosecution under the Computer Misuse Act 1990

A motor industry employee has received a six month prison sentence following the first prosecution to be brought by the ICO under the Computer Misuse Act 1990. The worker, who was employed by Nationwide Accident Repair Services, accessed thousands of customer records containing personal data without permission, using his colleagues’ log-on details to access the Audatex system. He then continued to do this when he changed employer. Confiscation proceedings under the Proceeds of Crime Act are in progress to recover any benefit obtained as a result of the offending. The case is also a reminder that shared or borrowed log-on details defeat any audit trail: if access is logged against the credential rather than the person, you cannot tell who actually looked at a record.

Enforcement Decisions

  • Metropolitan Police 16th November 2018 – issued an enforcement notice on concerns relating to the Gangs Matrix
  • Facebook Ireland Ltd – 24th October 2018 – £500,000 fine for breaches of data protection law
  • Heathrow Airport – 8th October 2018 – £120,000 fine for failing to ensure the security of personal data
  • Equifax Ltd – 20th September 2018 – £500,000 fine for failing to protect personal data relating to a cyber attack in 2017
  • Bupa Insurance Services Ltd – 28th September 2018 – £175,000 for failing to have effective security measures in place

In addition, there have been a number of fines relating to nuisance emails/calls –

  • Secure Home Systems £80,000 (for 84,347 nuisance calls to TPS subscribers)
  • ACT Response Ltd £140,000 (for 496,455 nuisance calls to TPS subscribers)
  • Boost Finance Ltd £90,000 (for nuisance emails about pre-paid funeral plans)
  • Oaklands Assist UK Ltd £150,000 for nuisance direct marketing calls

All of these cases highlight that the ICO will act where it becomes aware of a data breach or a breach of PECR, so it’s more important than ever to make sure that your processes are up to date and being used by your employees AND, just as importantly, that you have all the documentation you need to demonstrate accountability, just in case the ICO do get in touch with you.

E-Privacy update

The controversial replacement for the rules underlying PECR is experiencing further delays and is now not expected to be ready until Spring 2020. Keep an eye on our website for the latest updates.

Get in touch

Contact our experts at Teal Compliance if you have any data compliance related questions. An initial call is always free.



The new transparency rules: what you need to know

The Legal Services Board have approved the SRA’s proposed change to the transparency rules. But, what does this mean for your law firm and how are you going to ensure you comply with the new rules by the December 2018 deadline?

What’s the aim of the transparency rules?

The aim of the changes is to assist clients by providing clarity in relation to their legal fees.

The rationale came from the recent Competition and Markets Authority report, where it was apparent that consumers wanted more information to enable them to make informed decisions about the range of services available to them when accessing legal services. The report found that the prices charged and the services offered were unclear, descriptions were ambiguous and the client was not always getting what they expected.

What are the changes?

Under the rules, law firms will be required to publish on their website, their price and service information for specified legal services which include:

  • Debt recovery (up to £100,000)
  • Employee and employer tribunal claims (unfair/wrongful dismissal)
  • Immigration
  • Licensing applications for business premises
  • Probate
  • Residential conveyancing
  • Road traffic offences

The rules do not apply for publicly funded work.

In addition, firms will be required to display the new SRA digital badge, which essentially provides a layer of protection against fraudulent activity by letting clients confirm that a website belongs to a regulated firm.

Other changes include the requirement to publish the firm’s complaints procedures, including how and when complaints may be made.

As a firm, you will be required to publish:

  1. A full description of services offered, which also should be included in your Client Care Letter/Terms of Engagement
  2. The costs of services: These must be clear, no more hidden additional fees. If it is not possible to provide the total costs, you should provide details of the costs in stages, and what each stage entails.
  3. Hourly rates -v- fixed fee: If the firm is charging on an hourly rate basis these will need to be published. Consider placing these on the profiles of the fee earners on the service pages, so potential clients can see the information sooner rather than later. Firms may also want to consider an hourly rates table on their website. If you are offering fixed fees, ensure that you clearly set out what is and isn’t included in the fee.
  4. Disbursements: Provide clarity and certainty (where possible) as to what the disbursements will be during the matter. For example, for conveyancing transactions firms may want to consider providing a full list on the website of possible disbursements. In other matters, the firm may want to consider listing the types of disbursements that may need to be funded, so that it does not come as a surprise to the client.
  5. VAT: Be clear as to what will have VAT added.
  6. Referral Arrangements: You will need to disclose any referral agreement you have in place, including how much you will receive. This information should also be in the Client Care letter/Terms of Business.

How can you make this work on your website?

Firms will be considering how to achieve this. You should consider the “user experience”: how will your clients find this information? The draft guidance to support these rules suggests the information should be easily navigable if it is not on your home page. Some firms are creating specific pages, others are building this into an online quote tool, or are considering connecting to price comparison sites. There is an increasing number of firms that are white labelled under other organisations, and they will all need to align, particularly in relation to conveyancing, where clients can obtain online quotes.

Complaints information must also be published and should include your complaints handling procedure as well as details about how and when a complaint can be made to the Legal Ombudsman.

Firms must also display their SRA number and digital badge in a prominent place.

What if I don’t have a website?

If a firm does not have a website, the firm must make the information available on request. Firms are not expected to create a website simply to comply with these rules.

Get in touch

If you require any help or assistance in navigating the new rules, or wish to speak to us about risk management, or find out more about our website auditing service, then feel free to get in touch with our experts today. An initial chat is always free.



Latest cybercrime risks to the legal sector and how to manage them

A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The report also cites SRA reports that over £11 million of client money was stolen due to cyber related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms, which are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms, which may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:

  • Phishing attacks, where attackers influence users into disclosing information or clicking a bad link, which compromises the payment of invoices and money transfers;

  • Accidental and deliberate data breaches as a result of insiders, such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

  • Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters;

  • Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements, leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that future increased use of online delivery methods, outsourcing of services, blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President of The Law Society, states:

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

  • Implementing processes to verify (via independent means) invoices and account details for money transfers;

  • Using ‘cooling off’ periods for changing account details for high value transactions;

  • Encouraging a culture where suspicious transactions are queried;

  • Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

  • Monitoring user access of systems;

  • Keeping software, and especially the operating system (OS), up to date;

  • Controlling what software and applications you choose to allow into your firm; and

  • Verifying that third party suppliers, particularly those that hold your sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm, but other controls may be disproportionate for smaller firms. To this end, the NCSC’s ‘Small Business Guide’ offers simple, practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security, which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds, these losses occur not because of the absence of controls but rather because the controls in place are not applied consistently. According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider, at a high level, how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that they remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid, and in particular after:

  • Restructuring

  • Downsizing

  • Changes in business processes

  • When major new policies are being developed, changed or implemented differently

  • Following identification of weaknesses

  • The introduction of new computer systems

  • After an incident of fraud

Get in touch

If your firm wishes to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of its existing controls, please feel free to get in touch.



New Government focus on AML

When I decided to start ABC and Teal I was very clear about one thing: I will not scaremonger, or use fear to sell our services.

In compliance there are serious consequences for failing: massive fines in Data Protection and custodial sentences in AML, not to mention being struck off by the SRA!

But you all know those things. You don’t need me to tell you that compliance needs to be effective in your firm to mitigate the risks of these consequences.

The consequences often seem very remote – unlikely, not something that will apply to me – and I think that is correct most of the time.

However, I have woken this morning to more criticism of our profession by Ben Wallace, Security Minister, saying solicitors must do more to prevent money laundering, and that failure to report will lead to sanctions and prosecutions.

I sat in a meeting this week, as I do many weeks, with lawyers who do not recognise this criticism of being professional enablers or of under reporting, who don’t understand why they are being criticised, or “tarred with the same brush”.

Today’s message from government is clear – professionals who enable money laundering will be scrutinised, and there is a high probability of action.

My message today is this – MLROs/COLPs/MLCOs – ask yourself these 5 questions to establish whether you are confident your firm is doing enough.

  1. Are you confident your policies and procedures are effective? Have you had any examples where something should have been spotted earlier, particularly if you have had a production order about a case?
  2. Are you confident all issues are reported to you? Have you had any reports from the high risk areas? If not, are you confident staff know what to look for?
  3. Do you turn cases away because you have concerns about the due diligence or source of funds? If the answer is yes, you can point to evidence that your risk assessment process works in weeding out suspicious cases and stopping money laundering.
  4. Does your CDD procedure properly consider the source of funds? Often CDD is mainly focused on client ID, which does not prevent money laundering. You need to be able to demonstrate you have considered the source of funds and wealth and thought about any red flags.
  5. Are you confident on the law: what you must report, what the level of suspicion is, and how to report?

If any of these answers are no, I would urge you to address them urgently.

Help is available on the Law Society website; the updated guidance from the Legal Sector Affinity Group is essential reading.

Get in touch

We can help too! Find out more about our AML services or alternatively, contact one of our helpful experts today.
