The legal profession is one of the sectors of the economy most frequently the subject of data breaches and increasingly the target of scams and attacks by cyber criminals, according to the Solicitors Regulation Authority (SRA).
Meanwhile, the authority has revealed that it took regulatory action on 300 occasions last year in relation to the misuse of client money, and received an average of 118 reports on the subject each month.
In its 2015/16 risk outlook, the regulator highlighted research published by the Information Commissioner’s Office at the end of June, which placed solicitors and barristers fifth out of more than 40 sectors for data breaches, ahead of general business, lenders, and central government.
The SRA said cybercrime attacks included those using ‘ransomware’, through which hackers encrypt data and demand payment for it to be released back to the firm.
Another scam is to use details gained from hacking the firm to impersonate a bank or client, often targeting conveyancing firms on a Friday afternoon when they “are likely to be holding significant amounts of money”.
A further scam connects cybercrime and bogus firms, for example when criminals use modified bank details to steal money. The SRA’s spring risk outlook revealed that more than 700 reports of bogus law firms were made in 2014, an annual increase of more than 25%.
Cybercrime was “an increasingly prevalent threat to modern business practices”, said the latest risk assessment, quoting the City of London Police Commissioner, who said in April 2015 that cybercrime could be “bigger than the drug trade”.
Solutions to data breaches need not be expensive, the SRA stressed: “Government Communications Headquarters (GCHQ) estimate that 80% of cyber-attacks could be prevented if businesses follow simple guidance. They point to basic guidance, such as educating employees to avoid guessable passwords, not opening attachments in unsolicited e-mails and not using personal e-mail to send and receive work-related documents.”
The SRA identified eight areas of priority risk altogether. In addition to IT security and bogus firms, these were money laundering; improper, abusive litigation; lack of independence; lack of diversity; misuse of client money; and poor service, particularly for vulnerable people.
The regulator said reports of potential money laundering and breach of anti-money laundering regulations, due to inadequate systems and control over the transfer of money, affected a wide range of law firms and “continue to rise”. It said that in the last year it had received 184 reports.
In relation to the misuse of client money, the SRA said it took some sort of regulatory action on almost 300 matters, ranging from monitoring to referring individuals to the Solicitors Disciplinary Tribunal. In 2014, the Compensation Fund paid out some £24m, including to clients whose money was misused.
The regulator warned that the misuse of client money could result from even a brief lapse in supervision, with serious consequences: “We have also seen cases where a firm’s lack of appropriate supervision of just one individual has caused harm both to clients and the ongoing viability of the firm when client money was misused.”
Accompanying its explanation of why a lack of a diverse and representative profession was a priority risk – including that diversity improves the administration of justice – the SRA added a case study to illustrate how an inclusive approach can also deliver a commercial advantage. It involved a firm which, after recruiting a disabled solicitor, started to offer services aimed at disabled clients, leading to business benefits.
The section on abusive litigation – the misuse of legal proceedings to gain an unfair advantage or benefit for a client, or the solicitor – covered ground dealt with by an SRA report on the subject earlier this year.
Risk associated with a lack of independence included reference to research on the pressures facing in-house counsel, published in April by Professor Richard Moorhead at University College, London.