By Legal Futures’ Associate The Access Group
In an ideal world, incidents and issues would not happen, but unfortunately we don’t work in such a world. At some point something is likely to go wrong, whether it is a mistake on a client file or a cyber breach or incident. When an incident does occur, rectifying it and learning from it is what matters.
The SRA recognises that firms don’t operate in an ideal world and that incidents happen, but it will be looking for firms to act appropriately in resolving issues and making sure that any detriment to clients, and any reputational damage to the profession, is reduced as much as possible.
When an incident happens
Handling incidents effectively and promptly is key for clients, firms and the SRA. To do this you must:
- Ensure appropriate incident management policies and procedures are in place.
- Have audit trails to show how you have dealt with matters.
- Provide evidence of how incidents have been managed. This is more than likely to be needed by the SRA (conduct/regulatory issues), professional negligence insurers (negligence notifications), the Legal Ombudsman (complaints), the Information Commissioner’s Office (data breaches), etc.
How quickly do I need to report an incident?
Firms will need to act fast when an incident occurs, as many regulators have defined periods for making initial reports; for example, data breaches may need to be reported within 72 hours. Operating clear and effective internal communication lines will be critical so that incidents can be reported to the appropriate people quickly. Some firms have found themselves facing regulatory action for failing to act even when the original incident turned out not to be as bad as first thought. For example, failing to deal with a complaint in line with a firm’s procedure, because it was felt to be unjustified, could lead to a £400 case fee and compensation being awarded even if the Legal Ombudsman ultimately found the complaint itself to be unwarranted.
What to do if you send an email to the wrong person?
A common breach in many firms is an email sent to the wrong person by mistake; such a mistake would normally need to be reported to the COLP and to the person responsible for data protection. Depending on what the email contains, it could be a minor breach (just a name and address) or a serious breach (including sensitive data such as medical information). A minor breach that does not form part of a trend would not need to be reported to the SRA, whereas a serious breach, or a trend of non-serious breaches, would. A serious breach would probably need to be reported to the ICO as well (within 72 hours). Even if the breach was minor, and therefore not reportable to the client under the ICO requirements, it would still need to be reported to the client under the SRA’s rules on breaches of confidentiality; this is regularly missed by firms because they focus purely on complying with data protection legislation.
Incidents will happen. Download our legal brochure to find out how The Access Group can help you be prepared, with our specialist collection of interactive eLearning courses and risk and compliance software designed to support law firms with their governance, risk and compliance management.
Contact us for more details.