Limitation of liability (Nov20)

Two issues arise –

  • Protecting the firm and partner assets in the face of resistance from clients and third-party lenders and financiers who seek to rely on the firm’s advice;
  • The prohibition on limiting liability below the compulsory £2m/£3m when firms’ and individuals’ insurance cover for that may not be available in the future.

The first is an issue primarily for larger firms and we have recently advised a major European firm on this.

The second arises from the prohibition on limiting liability below the compulsory limit contained in rule 3.2 of the SRA Indemnity Insurance Rules 2019 – a provision previously contained in the SRA Code of Conduct but which might now more readily escape notice.

However, there are several ways in which the insurance available to cover a claim may be less than the minimum which prevailed when the work was done. These include claims –

  • After the six-year compulsory run-off (subject to the continuance of Solicitors Indemnity Fund Ltd, which in any event offers only £1m cover); this can happen quite easily in conveyancing and trusts;
  • Where firms have switched to a regulator with lower prescribed limits of cover (and substantially less run off protection);
  • Where firms have been taken over by an Alternative Business Structure (ABS) which has a waiver from the insurance rules;
  • Where claims aggregate with a single policy limit, because they arise (broadly) from similar causes.

Although the Solicitors Regulation Authority (SRA) has abandoned proposals for reform for the present, the recent insurance renewal for many firms has shown that there are dark clouds on the horizon, as noted below.

Section 28 of the Legal Services Act 2007 requires that regulatory provisions are proportionate. It has to be asked whether it is proportionate to prevent firms limiting their liability below the current minimum when such cover may not be in force at the time a claim is made. Is it in any event proportionate to impose such a provision when the value of the subject matter of the instruction in some cases may be a small fraction of that?

Anti-Money Laundering (AML) (Nov20)

We are continuing to audit some of the largest UK and US law firms (remotely due to pandemic restrictions) under Regulation 21 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and advise on responses to investigation by the SRA following monitoring visits and fraud incidents which have exposed inadequacies in procedures.

The Treasury Committee has published a Call for Evidence for Inquiry into Economic Crime. The Committee will review the UK’s anti-money laundering and sanctions regimes, including the work of OPBAS and the professional body AML supervisors, the impact of the FinCEN papers, corporate liability for economic crime and the work of Companies House.

The European Commission’s list of high-risk third countries was amended on 1 October 2020, adding The Bahamas, Barbados, Botswana, Cambodia, Ghana, Jamaica, Mauritius, Mongolia, Myanmar, Nicaragua, Panama and Zimbabwe. Afghanistan, Iraq, Vanuatu, Pakistan, Syria, Yemen, Uganda, Trinidad and Tobago, Iran and North Korea remain on the list. Bosnia-Herzegovina, Ethiopia, Guyana, Lao People’s Democratic Republic, Sri Lanka and Tunisia have been delisted.

There have been a number of developments in relation to the new UK sanctions regime and links are on our website www.legalrisk.co.uk/News.

Conflicts of interests (Nov20)

We are often called upon to advise on conflicts issues, including substantial cases with a cross-border angle. The American Bar Association has published Formal Opinion 494 on Conflicts Arising Out of a Lawyer’s Personal Relationship with Opposing Counsel. A link is on www.legalrisk.co.uk/Conflicts with a large number of other resources.

Professional indemnity insurance (Nov20)

Aggregation, under which multiple claims from (broadly) similar causes may be subject to a single policy limit, is a significant issue on many claims on which we are presently advising. In Baines v Dixon Coles and Gill [2020] EWHC 2809 (Ch) the judge held that multiple thefts of money by a solicitor from the accounts of different clients did not fall to be aggregated.

Many solicitors’ firms had difficulty renewing their insurance on 1 October 2020 and these were not only those with particularly bad claims histories. A few firms failed to obtain cover, but many faced dramatic increases in premiums and excesses (sevenfold for both premium and excess in one case we saw).

The large increase in premium carried with it a commensurate increase in the cost of run-off cover should the firm succumb to the pressures of the pandemic. Issues then arise over the provision in many policies which purports to make individual members of Limited Liability Partnerships and limited companies personally liable for excesses and run-off premiums; we have advised several firms on this, including contentious cases.

We have also seen some insurers become more aggressive on coverage issues and are advising several firms on claims where this arises, including many multimillion pound disputes (over £100m in one case).

Links to the above are on www.legalrisk.co.uk/News.

Data protection and information security (Nov20)

Revised guidance from the Information Commissioner’s Office (ICO) on Right of Access and Subject Access Requests provides additional guidance on stopping the clock for clarification, what is a manifestly excessive request, and what can be included when charging a fee for excessive, unfounded or repeat requests.

Two monetary penalty notices issued by the ICO following data breaches set out root causes which are informative for professional services firms.

British Airways was fined £20m. The causes of breaches include failure to use multi-factor authentication (MFA), failure to address known Citrix security issues, failure to apply user access management (the principle of least privilege) and failure to implement application whitelisting or blacklisting. Other measures which could have been implemented included penetration testing, logging access to certain files, monitoring of failed login attempts and monitoring of guest accounts.

Marriott International Inc was fined £18.4m. The notice identifies risks from acquisition of other businesses, in this case Starwood, which may have undiscovered security vulnerabilities – equally applicable to law firm mergers.

Again, MFA issues featured significantly, though these were not taken into account in fixing the penalty due to assurances on which Marriott had relied. Factors considered included insufficient monitoring of privileged accounts, insufficient monitoring of databases, control of critical systems (through whitelisting), and lack of encryption of payment card data and passport numbers.

Marriott’s submission that Article 33 of GDPR requires a data controller to be reasonably certain that a personal data breach has occurred before notifying the ICO was rejected: instead, a data controller must be able reasonably to conclude that it is likely a personal data breach has occurred.

The SRA has published a useful webinar on cybercrime.

Links to the above are on www.legalrisk.co.uk/News.
