Long-term home working will have had its pros and cons for many legal practitioners over the last 18 months. But, with new research showing that many law firms plan to switch to a permanent model of hybrid working as restrictions ease, questions and challenges are thrown up around privacy and compliance.
Here, Brian Rogers, Regulatory Director at law technology specialist Access Legal, discusses the most overlooked compliance procedures during the pandemic and the processes law firms should consider introducing to their remote working policies to ensure clear boundaries are set.
The pandemic has undoubtedly altered the way law firms conduct their day-to-day business, not least when it comes to the working habits of teams. In fact, our own survey of 3,500 law firms found that 85 per cent of legal practices plan to offer a mix of home and office working going forwards.
Keeping client, case and practice data safe and secure will always be a top priority for law firms, but with many employees now regularly working remotely, it makes managing the risk of data breaches and leaks much more difficult.
Our survey also found several compliance essentials that some firms have evidently disregarded during the Covid-19 lockdowns, but which will need factoring into their plans going forwards.
While there were evident disparities in competency and supervision arrangements, policies and procedures and Business Continuity Plans, there were four main areas of compliance that appeared to be the most overlooked.
Nearly half (49 per cent) of the firms we spoke to said they had not carried out a Data Protection Impact Assessment (DPIA) when moving to remote working. A DPIA is a process designed to help firms systematically analyse, identify and minimise the data protection risks of a project or plan; moving to a remote working operation is likely to fall within such a definition.
Ultimately, it’s up to the firm to decide whether its processing is of a type likely to result in high risk, taking into account the nature, scope, context and purposes of the processing. But with almost half of firms failing to carry out an assessment, I’d certainly say that client data could be at high risk from cybercrime and data loss. This is especially so if the data is being accessed and stored using an employee’s personal IT equipment that may not have appropriate security software installed and is accessible by other members of the family.
Firms should ensure that when they move to their post-lockdown working arrangements, they carry out a DPIA so they can identify potential risks to data and mitigate these where possible. Firms that fail to assess and mitigate data risks could face action from both the Solicitors Regulation Authority and the Information Commissioner's Office, with professional indemnity insurers likely to take an interest should data be lost and negligence claims made as a consequence.
It came as quite a surprise when 43 per cent of firms told us that they had not fully updated, or had not updated at all, their cyber security policies since moving to remote working, with all the risks that this can bring.
Recently a top-50 firm was hit by a cyber-attack, which led to some of its client data being stolen, so it is clear that such attacks are still going on and are being aimed at firms of all sizes.
It is critical for firms to implement and enforce appropriate cyber-related policies, systems and procedures. Not only will the SRA take an interest in firms that fail to take appropriate steps to protect client data, but so will PII insurers via their proposal form questions.
Despite the recent focus the SRA has been putting on compliance with money laundering legislation, 40 per cent of the firms we spoke to had not reviewed or updated their AML Practice Wide Risk Assessments. This goes against the requirement to note reviews even where no updating is found to be necessary. In reality, it is likely the requirements for training, policy, control and procedure updates, supervision, and ongoing monitoring of employees would all have needed updating during the pandemic and certainly will going forwards.
Other areas of the PWRA likely to require review or update as a consequence of Covid-19 include client base stability, referral arrangements, changes in the types of transactions handled and client identification processes (face-to-face and remote).
Almost a quarter of firms (22 per cent) neglected to review their health and safety assessment when staff were initially forced to work from their own homes in March 2020. With firms having the same responsibility for those working at home as they do for those in the office, adjustments should be made to fulfil health and safety obligations, including carrying out home workstation risk assessments.
Home working can cause work-related stress and affect people's mental health, with being away from managers and colleagues making it difficult to get proper support. Firms need to put procedures in place so they can keep in direct contact with home workers and recognise signs of stress as early as possible. It is also important to have an emergency point of contact and to share this so staff know how to get help if they need it.
It sounds somewhat contradictory to say that compliance comes with risk, but remaining fully compliant with a proportion of your team in the office and others at home could present a challenge when it comes to employee privacy.
Some organisations have taken things to the extreme to ensure standards are maintained, through the use of digital tools to monitor employees remotely. These include real-time activity tracking, the ability to take screenshots at regular intervals, keystroke logging and even screen recording.
Research from Gartner found that at the start of lockdown in March 2020, 16 per cent of businesses had put new tracking software on the laptops of remote employees and, by July, that number had increased to 26 per cent of companies.
Although firms will argue that the use of such technology demonstrates a focus on productivity and transparency, others say that it is a draconian, ‘Big Brother’ move.
But what are the alternatives to ensure that some form of boundary between compliance and privacy remains in place?
While there is no legal obligation to provide and pay for broadband for homeworkers, a growing number of organisations are opting to install a dedicated work broadband connection for remote employees. From a compliance point of view, this approach offers both control over the Internet Service Provider and enhanced security, allowing you as the employer to stipulate that the dedicated internet connection can only be used for work purposes. When the employee has finished work for the day, they simply switch to their own internet connection, helping to keep work and personal life separated.
Alongside simple measures like this, we are also seeing a growing number of companies wanting to adopt single sign-on shared working platforms, which connect departments, give instant access to real time data and analytics and allow for progress reporting. Documents and policies can be kept in one place, ensuring your teams are working from the most up-to-date versions.
Software solutions like this offer the transparency and accountability that management teams need, while at the same time not proving invasive for staff, allowing them to get on with the job they are passionate about.
There has been a lot to consider over the last 18 months and there will certainly be a lot more to think about in the months to come. There are many law firms out there doing the right things and there are some that, for one reason or another, are not. Either way, now is the time to review policies and procedures to protect the firm and its clients by staying on top of compliance, whilst at the same time meeting the expectations of a hybrid workforce.
Copyright © 2021 Legal IT Professionals. All Rights Reserved.