Risk Update September 2021

The breadth and extent of cover under the Solicitors Regulation Authority (SRA) Minimum Terms and Conditions (MTC) continues to attract attention in many ways. Aggregation, under which multiple claims may be subject to one policy limit, continues to occupy us in several cases where it can mean firms have inadequate cover. There have been many articles on the recent Court of Appeal decision in Baines v Dixon Coles & Gill [2021] EWCA Civ 1211, holding that multiple claims arising from acts of theft from a solicitor’s client account could not be aggregated because they did not arise out of a series of related acts or omissions. A link is on www.legalrisk.co.uk/News.

The judgment of Nugee LJ also touches on, without deciding, the issue of allocation of money following multiple thefts from a mixed account and whether a shortfall should be allocated across all clients, or merely the one in respect of whom the solicitor has made the relevant entry in the firms’ ac-counts (suggesting the latter is less likely).

The extent of cover under the MTC for cyber incidents is under consideration by the SRA with refinements to the provisions expected, but not before many firms renew on 1 October 2021. The SRA intends only to provide clarification, and not to alter the scope of cover or exclusions. Nonetheless, it remains the case that firms should take out separate cyber cover, particularly to provide access to emergency support in the event of an incident.

Many firms are finding insurance market conditions challenging, particularly those who have been involved in investment schemes. Great care needs to be taken when notifying insurers of these, and in any subsequent proposal for renewal. In order to maximise the prospects of them being effective, block notifications require a thorough understanding of insurance law, the policy wording and the probable basis of future claims. We have advised several firms on these issues, and on a large number of substantial coverage disputes.

The Home office has published a circular: Money laundering: the confidentiality and sensitivity of suspicious activity reports (SARs) in the context of disclosure in private civil litigation. This also addresses data subject access requests under UK GDPR.

HM Government has launched a consultation on Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Statutory Instrument 2022 which closes on 14 October 2021.

Global Financial Integrity has published a report, Acres of Money Laundering: Why U.S. Real Estate is a Kleptocrat’s Dream. Although primarily focused on the USA, this report is a comparative analysis of real estate money laundering regulation in the G7.

The Financial Action Task Force (FATF) has published a report: Money Laundering from Environmental Crime.

Links to the above are on www.legalrisk.co.uk/News. Extensive additional AML resources are on www.legalrisk.co.uk/AML.

On 20 July 2021, the European Commission published its AML legislative package with proposals to establish an AML Authority from 2024 employing approximately 350 people, and create a single European Union rulebook for anti-money laundering across the Europe-an Union, including rules on customer due diligence, beneficial ownership and the powers and task of supervisors and Financial Intelligence Units.

The latest IBM Cost of a Data Breach Report 2021 reports that business email compromise was responsible for only 4% of breaches, but had the highest average total cost of the 10 initial attack vectors in the study, at $5.01 million. The second costliest was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).

The Information Commissioner’s Office (ICO) has published a consultation on draft international data transfer agreement (IDTA) and guidance to replace Standard Contractual Clauses (SCCs) which adopts a different approach from the EU’s new SCCs for international data transfers mentioned in our July 2021 issue but includes an addendum which can be used alongside the EU SCCs. It includes a format for carrying out required risk assessments for transfers of data to countries which have not been granted adequacy status under UK GDPR.

In Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), claims for breach of confidence, misuse of private information, and common law negligence arising from a data breach were struck out, leaving a claim for breach of the Data Protection Act 1998, in relation to the seventh data protection principle. Any misuse of data was by the attacker, not the defendant, claims are confined to breaches of data protection legislation, and there was no concurrent liability for negligence. The case has important practical implications because it effectively precludes recovering the cost of After The Event (ATE) insurance premiums.

We have advised many US firms on extra-territorial enforcement of the EU General Data Protection Regulation and UK GDPR contains similar provisions. Our website contains a link to The Sedona Conference Commentary on the Enforceability in U.S. Courts of Orders and Judgments Entered Under GDPR which contains a comprehensive analysis of the issues.

In a further transatlantic development, a claim for damages under UK GDPR was dismissed by the US courts as the UK courts were the appropriate forum. See Elliott v. Pubmatic, Inc. (4:21-cv-01497), California Northern District Court.

Links to the above can be found on www.legalrisk.co.uk/News.

The European Data Protection Board (EDPB) has published Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Although not technically binding in relation to UK GDPR this will nonetheless be of interest as it contains extensive guidance. This and other extensive data protection resources are on www.legalrisk.co.uk/Data.

An issue is beginning to emerge on regulation of volume personal injury claims. This is the requirement to ensure that claims handling staff work at the direction and under the super-vision of a suitably qualified lawyer in order to fall within the exemption from Financial Conduct Authority regulation of claims management companies. The SRA Transparency Rules are attracting further regulatory attention with most firms having had to confirm their compliance; guidance was issued on 4 August 2021.

The SRA’s Upholding Professional Standards 2019/20 report addresses several key themes, including sexual harassment, non-disclosure agreements, money laundering, dubious investment schemes, wellbeing, bullying, and improperly brought consumer claims. We are advising many firms on investigations into these issues.

The Law Society has published a useful Practice Note, Providing services and taking on roles outside your practice as a solicitor, which addresses the regulatory and insurance considerations in a number of common situations – school governors, trustee of a charity, non-executive directorships and giving legal advice to friends or family members. There is also a further Practice Note on Solicitors offering legal services to the public from un-regulated entities.

Undertakings have been the focus of much discussion, following the decision of the Supreme Court in Harcus Sinclair LLP and another v Your Lawyers Ltd [2021] UKSC 32, confirming that they are not enforceable against incorporated practices (or non-solicitor practices) under the inherent jurisdiction over solicitors as officers of the court. Guidance is expected from the Law Society. Although the Supreme Court suggested that, pending any legislative change, the issue might be addressed by seeking a personal undertaking from a solicitor, we think that is an un-desirable option for many reasons.

Links to the above are on www.legalrisk.co.uk/News.