LeO urges lawyers to ditch web email providers


Cybercrime: LeO sets out standards

The Legal Ombudsman (LeO) has urged law firms that use web-based email such as Yahoo, AOL and Hotmail to invest in a more secure corporate email solution or risk paying out to victims of cybercrime.

There are still plenty of law firms that use web email but LeO highlighted it as one of the factors it would consider when considering complaints by clients who have been the victims of cybercrime during their dealings with lawyers.

In recently published guidance on how it deals with complaints involving cybercrime, LeO cited a firm whose web email was hacked and whose client was told to send the deposit for a house to a fraudster’s account.

Two months earlier, the email provider had revealed that its accounts had been hacked and users’ details compromised, but the firm had failed to take any steps to protect against the risk that its details may have been stolen.

Furthermore, LeO said, the firm failed to warn the client about the risks of cybercrime at any point throughout the retainer, and their bank details were not included within their client care letter as per best practice – instead, the client had emailed to ask for them.

The firm was ordered to reimburse the client’s lost deposit, as well as the costs he incurred having to abort the purchase.

LeO said: “While being the victim of an attack will not in itself mean your service has not been reasonable, we have directed a number of lawyers to reimburse clients for losses they have incurred where the lawyer failed to take reasonable steps to protect themselves and their clients from the risks, and/or where they have not taken appropriate steps after being informed of an attack.”

The guidance said that, in considering these types of complaints, LeO would look at whether or not the lawyer/firm has followed any best practice issued by their regulator and professional body, and listed “basic” steps it would expect to see.

As well as the corporate email, these included keeping all software up to date; ensuring all laptops, PCs and mobile devices were encrypted and required a password when switched on; having staff use a suitably complex PIN or password and change their passwords if systems may have been compromised; and “creating a security focused culture in the office”.

Lawyers should also warn clients about the risk of cybercrime, both at the outset and at appropriate times throughout the retainer.

LeO said it would also investigate what steps were taken to deal with the incident when the lawyer became aware of it.

It also cited a contrasting case study of a diverted deposit, which turned out to be due to the client being hacked.

This meant LeO did not have to judge the strength of the firm’s security systems when considering the complaint, but instead looked at what steps the firm had taken to warn her about the risks of cybercrime.

The firm included its bank details in the client-care letter, which the client signed, along with a warning that these details would not change and should she receive an email purporting to be from them asking for money to be sent to a different account, to contact them immediately before transferring any money.

It also added a similar warning in the footer of all emails in red font, as well as in the draft completion statement underneath the firm’s bank details.

LeO said that these warnings were sufficient and the firm’s service had been reasonable.




Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Reports

Our latest special report, produced in association with Temple Legal Protection, looks at the role of after-the-event (ATE) insurance in commercial litigation post-LASPO. We are at a time when insurers, solicitors, clients and litigation funders work ever more closely to create funding packages that work for all of them, with conditional fee and even damages-based agreements now part of many law firms’ armoury.

Blog

18 October 2019

Will your staff have confidence in your compliance officers?

The introduction of the SRA Standards and Regulations on 25 November 2019 will see new issues coming into focus for you and your firms over the reporting of serious breaches to the SRA.

Read More

Loading animation