Information security and cyber risks (May22)

Ransomware and other attacks on law firms have resulted in a number of incidents which have been publicised in the legal press, including an Information Commissioner’s Office (ICO) monetary penalty of £98,000 against a criminal legal aid firm, and successful applications for court orders against ‘persons unknown’. How much these will achieve in practice only time will tell, but they may help reduce the risk of publication in the press.

Lessons from the ICO case include the need to keep software patched and up to date, and to use multifactor authentication (MFA) and encryption.

A report by information security service provider Tessian highlights an increase in phishing activity, particularly involving emails relating to Ukraine.

Meanwhile, a report on Law.com, Ukraine-Russia Conflict Prep: 4 Ways Firms Should Strengthen Their Cybersecurity Efforts, gives some specific examples, citing Mark Sangster, chief of strategy at Adlumin. These include two cases where firms were exposed to ransomware through malicious links in documents –

  • Hackers posing as law students, building relationships with law firm managing partners and sending a link to a document purporting to be a survey;
  • A file share link in an email, opened by a staff member because it was titled with the name of the case in which the firm acted, information having been taken from public court documents and press coverage of the case.

A warning was given about unexpected MFA requests for sign-on to online accounts, perhaps out of hours or from other countries: these should prompt a password change and a report to the firm’s IT department.

Online purchases from services such as Amazon or eBay and streaming subscriptions were also highlighted as presenting risks.

We have previously encouraged firms to buy cyber insurance, though our March 2022 Risk Update posed the question of whether insurers might seek to rely on war and terrorism exclusions. We understand from insurance brokers that cyber cover is becoming significantly harder and more expensive for law firms to obtain, and may take time. One major insurer has ceased covering law firms. Early renewal is therefore essential – where possible.

Conflicts and Confidentiality (May22)

The Solicitors Regulation Authority (SRA) has updated its guidance on Confidentiality of client information. This includes guidance on submissions to legal directories, information barriers, due diligence on law firm mergers and acquisitions, and responding to third party complaints to the Legal Ombudsman. A link is on www.legalrisk.co.uk/News.

Two overseas conflicts cases may be of passing interest. Revolaze, L.L.C. v. Dentons US L.L.P., 2022-Ohio-1392 is a decision of the Ohio Court of Appeals, Eighth District, in the United States, arising from a patent infringement claim. The court held that US and Canadian members of a verein were to be treated as a single law firm for conflict purposes. The case involved use of laser abrading technology to create the worn and faded look on new jeans and other denim garments, instead of the traditional sandblasting or hand sanding (which carried the risk of silicosis, and may result in death). The judgment also provides an interesting insight into litigation funding.

Margetak v Hughes, 2022 ABPC 91 is a Canadian decision on its particular facts but of passing interest in relation to confidential information which might have been acquired from a previous retainer for a different party. The court rejected a husband’s application to disqualify a law firm acting for a wife in matrimonial proceedings, having failed to prove that the firm had acquired confidential information relating to his finances when acting for his previous wife.

Links to the cases are on our dedicated Conflicts resource page, www.legalrisk.co.uk/Conflicts.

Anti-money laundering (AML) and Sanctions (May22)

Since our March 2022 Risk Update, there has been much activity in relation to Ukraine and Russia with many names added to sanctions lists almost daily, highlighting the need to screen clients on an ongoing basis and to understand precisely the checks which electronic service providers are making. The Economic Crime (Transparency and Enforcement) Act 2022 introduces a ‘strict civil liability’ test for monetary penalties. The Law Society has published guidance on this and other measures in the Act.

The Office of Financial Sanctions Implementation (OFSI) updated its Russia guidance in line with the current and emerging circumstances of Russia’s invasion of Ukraine, and its general guidance by adding a paragraph to Chapter 4 on ownership and control and its approach to the aggregation of different designated persons’ holdings in a company.

The Financial Conduct Authority published a statement on Events in Ukraine – impact on financial markets, with a warning of insider dealing risk issues.

The United Arab Emirates (UAE) has been added to the Financial Action Task Force (FATF) grey list – of some significance as wealthy Russians are reported to be moving their money and activities there.

FATF has published a Public Consultation on its Risk-Based Guidance to the Real Estate Sector.

Links to documents mentioned above are on www.legalrisk.co.uk/News. A link to an article by Frank Maher in New Law Journal, Russian sanctions compliance: the Devil no longer wears Prada, is on www.legalrisk.co.uk/publications.

Insurance and Solicitors Indemnity Fund (SIF) (May22)

SIF provides cover of £1 million per claim for solicitors upon expiry of the six year compulsory run off cover under the SRA Minimum Terms and Conditions where their practices have closed without a successor practice. This was due to end on 30 September 2022, having previously been extended.

The SRA has announced that it will seek agreement from the Legal Services Board (LSB) for a further 12 month extension to enable detailed consideration of key points raised in feedback.

Meanwhile the LSB has published a discussion paper: Financial Protection Arrangements for consumers. At its board meeting on 26 April 2022, the LSB approved a project to improve the way frontline regulators approach financial protection for consumers.

There are two points of particular significance. First, while the apparent aim is to avoid unnecessary cost for law firms (and by extension, consumers), the issue really comes down to the claims. Someone has to bear the losses, whether that be insurers, a compensation fund, the law firm – or the client. How that is funded is only a secondary consideration based on matters such as convenience, management cost, and capital requirements.

Secondly, we note that the LSB paper refers to the claims data which the SRA collected from the insurance market for the period from 2004 to 2014. It must not be forgotten that the data was fundamentally flawed for two reasons: it did not include data from insurers which had become insolvent (and in many cases probably had the worst claims experience), and the published data bizarrely, for reasons which have never been explained, omitted claims which were reserved but not paid. The conclusions which can be drawn from it are therefore few, and they should not form the basis of future decision making.

A case on general insurance, Quadra Commodities SA v XL Insurance Company SE & Others [2022] EWHC 431 (Comm) is of note as it is the first reported decision involving a claim for damages against an insurer under section 13A of the Insurance Act 2015 for alleged failure to pay a claim within a reasonable time. This aspect of the claim failed.

See www.legalrisk.co.uk/News for links to the above.

Editor

0345 330 6791 Frank.Maher@legalrisk.co.uk
