As a consequence of Covid-19, law firms have made a wholesale shift to remote working. This creates risks with regard to data and documents, including confidentiality and security.
The SRA will expect firms and individuals to have adequate measures in place in this new working environment to keep client information confidential. Accordingly, it is important that individuals are reminded of the steps to be taken to mitigate the risks posed, whether this is via training, risk bulletins or updated protocols on remote working.
Security and confidentiality
Working on networks that are not secure and that can be accessed by others poses security and confidentiality risks. In order to mitigate these risks, an individual's home router and wi-fi network should be secured via adequate password protection (default passwords set by manufacturers can often be found online and their use risks routers being compromised). The router's software should also be updated regularly.
It is important that individuals are reminded that they must only work on client matters via a Virtual Private Network (VPN) or a secure digital workspace operated by the firm and should not send client data or documents outside such systems – for example, to personal email addresses – or save documents locally on personal devices. If documents are saved locally, there is a further risk that they may sync automatically with any cloud storage in use on the device.
The use of personal devices in and of itself also poses risks, particularly if they are shared devices. This means that it is important that ground rules are in place with regard to their use. If personal devices are shared, separate passwords for access by different individuals should be implemented. Personal devices will also not necessarily have the controls and detectors installed as standard on firm systems. To limit the risks, such devices should have up-to-date anti-virus software protection and adequate firewalls. Operating systems will typically have in-built firewalls but they may need to be enabled. Software updates also need to be installed regularly. Without such steps, there is a risk of delivering malware into the office network or allowing client data to leak out.
Meetings have been replaced by video-conferences. Concerns have been voiced about the way in which some forms of video-conferencing may lack sufficient security and/or encryption, meaning they can be recorded and hijacked. They are also not necessarily products for which licences may be purchased that would include GDPR-compliant terms limiting or protecting the use of data. This also means that their use will not necessarily be subject to any contractual protections.
The use of such platforms creates risks but the following steps may limit them:
On the issue of listening in, it is also important to bear in mind that devices such as "smart" speakers may record confidential discussions and should be turned off when an individual is working.
The "low-tech" risks that firms face from remote working should also not be overlooked:
Law firms have long been a target of cyber criminals but the risks are increased when individuals are working remotely and face-to-face verification is not possible. Criminals are also using phishing attacks that exploit Covid-19 concerns and vulnerabilities. Accordingly, it is important that individuals are vigilant and that firms have in place revised verification policies.
While entire firms working remotely creates new and different risks, they can be mitigated to a significant degree via careful ongoing management, communication and training. The people-related risk issues arising from remote working, including supervision, management and mental health, will be the focus of our next briefing.