The Legal Ombudsman (LeO) has urged law firms that use web-based email such as Yahoo, AOL and Hotmail to invest in a more secure corporate email solution or risk paying out to victims of cybercrime.
There are still plenty of law firms that use web email, but LeO highlighted it as one of the factors it would weigh when assessing complaints from clients who have been the victims of cybercrime during their dealings with lawyers.
In recently published guidance on how it deals with complaints involving cybercrime, LeO cited a firm whose web email was hacked and whose client was told to send the deposit for a house to a fraudster’s account.
Two months earlier, the email provider had disclosed that its accounts had been hacked and users’ details compromised, but the firm had taken no steps, such as changing its passwords, to protect against the risk that its own login details had been stolen.
Furthermore, LeO said, the firm had not warned the client about the risks of cybercrime at any point during the retainer, and, contrary to best practice, its bank details were not set out in the client care letter; instead, the client had emailed to ask for them.
The firm was ordered to reimburse the client’s lost deposit, as well as the costs he incurred having to abort the purchase.
LeO said: “While being the victim of an attack will not in itself mean your service has not been reasonable, we have directed a number of lawyers to reimburse clients for losses they have incurred where the lawyer failed to take reasonable steps to protect themselves and their clients from the risks, and/or where they have not taken appropriate steps after being informed of an attack.”
The guidance said that, in considering these types of complaints, LeO would look at whether or not the lawyer/firm has followed any best practice issued by their regulator and professional body, and listed “basic” steps it would expect to see.
As well as using a corporate email solution, these included keeping all software up to date; ensuring all laptops, PCs and mobile devices were encrypted and required a password when switched on; having staff use a suitably complex PIN or password and change their passwords if systems may have been compromised; and “creating a security focused culture in the office”.
Lawyers should also warn clients about the risk of cybercrime, both at the outset and at appropriate times throughout the retainer.
LeO said it would also investigate what steps were taken to deal with the incident when the lawyer became aware of it.
It also cited a contrasting case study of a diverted deposit, which turned out to be the result of the client’s own email being hacked.
This meant LeO did not need to judge the strength of the firm’s security systems when considering the complaint; instead it looked at what steps the firm had taken to warn her about the risks of cybercrime.
The firm’s client-care letter, which the client signed, set out the firm’s bank details along with a warning that those details would not change and that, if she received an email purporting to be from the firm asking for money to be sent to a different account, she should contact the firm immediately before transferring any money.
It also added a similar warning, in red font, to the footer of all its emails, and to the draft completion statement underneath the firm’s bank details.
LeO said that these warnings were sufficient and the firm’s service had been reasonable.