The Solicitors Regulation Authority (SRA) has warned of confidentiality risks from law firm mergers and acquisitions, arguing that it should not be necessary to allow access to files to complete a deal.
In a guidance note published this month, the regulator also highlighted confidentiality dangers arising from cloud computing and complex global business structures.
The SRA said there were pressures on law firms, when considering a possible merger or acquisition, to allow third parties access to confidential client information.
“Firms that are undertaking professional risk due diligence during the merger and acquisition process have a number of issues to consider, including the need to ensure that client confidentiality is not put at risk.
“During negotiations sufficient steps need to be taken to protect confidential client information and, where appropriate, to seek clients’ consent to any disclosure of confidential information.”
The SRA said firms should also “have regard to their obligations to protect price-sensitive information” relating to the firm and its clients.
It gave the example of firms sharing confidential client information during the due diligence stage of a merger which never happens. “In our view, it cannot be argued that no merger or acquisition can be completed without disclosure of client files,” the SRA said.
It said “other options to establish the viability of a merger or acquisition” could be explored, such as accounting and billing records, records of all active and closed matters and the use of representations and warranties.
The SRA said there are many benefits associated with cloud computing, but in assessing its value a firm should also consider how best to manage the risks and challenges: “Confidential client information stored in a cloud, potentially in a foreign jurisdiction, may be more vulnerable to disclosure.
“Firms need to be able to demonstrate that they have considered the risks and that clients have consented to their information being stored in a particular way.
“There is an obligation for firms to clearly state where client information is being held. However, this may be difficult for firms if service providers themselves are unaware of the exact locations.”
Similar considerations were important for outsourcing or services provided across jurisdictions.
The regulator said there was a greater risk that “in complex firm structures, particularly global law firms”, confidential client information might be shared with third parties without consent.
Firms should provide clients “with an explanation of the group structure”, the SRA advised, before seeking consent to the disclosure of confidential information to separate legal entities or non-authorised individuals in the group.
The SRA gave the example of a firm with offices in “numerous jurisdictions”, which presented itself as “one firm” with common branding.
In fact the firm was an LLP incorporated in England and Wales with a branch office in Europe, and five other offices across the world which were all separate entities, including in Hong Kong, the USA and South Africa.
In the example, the firm’s “business acceptance unit”, which carried out money laundering and conflict checks for all offices, was based in Hong Kong.
A partner based elsewhere sent details of a client business and its potential acquisition target to Hong Kong, only to find stories emerge in the press that an “overseas government agency” had hacked into the law firm’s computer systems.
“In our view, the partner should specifically discuss with the client details relating to the group’s ownership structure and that the initial conflict check will be undertaken and/or shared with other entities,” the guidance note advised.
“There may be circumstances where material is seen by an office in a foreign jurisdiction and partners should actively consider whether it is in the client’s best interests for the client’s information to be subject to restricted access.”
The regulator said the duty of confidentiality to clients must be reconciled with the duty of disclosure to them.
“Where firms cannot reconcile these two duties, then the protection of confidential information is paramount.”