The Law Society has produced a practice note, which helps to inform a legal firm of their responsibilities and the action that is required if they should fall victim to a digital scam. The purpose of their document is not to supply guidance on protection from cyberattacks. Instead it intends to inform partners, compliance officers and senior management of their duties in safeguarding client accounts and the data and monies held within them.
Who Is At Risk Of A Digital Scam?
Law firms of any size can fall victim to a digital scam. Any firm which holds client accounts is vulnerable to attempts at online theft. ‘Phishing’ is the method often used by fraudsters to obtain information and money from bank accounts. Digital scams are carried out by email or telephone and aim to deceive a bank employee or the client by impersonating someone credible, thereby obtaining confidential bank account details and passwords. This information is enough to allow the fraudsters to transfer the client’s money to their own bank accounts and make a rapid withdrawal of funds, often before the loss is noticed by the client or the law firm.
Once it is evident that a digital scam has taken place, the Law Society regards this as a ‘breach of trust’ and ‘serious misconduct’ because of its effect on the client. A law firm therefore has a responsibility to contact a number of organisations in order to contain the situation. This may help to recover the client’s money and to preserve the firm’s professional reputation.
- Inform Your Bank
Contact your own bank without delay to inform them of the possible theft of information and funds from your client’s account. Take note of the times and content of all communications with the bank so that you have a record of the correspondence. Your bank will be expected to freeze the client’s account to prevent further losses and to contact the receiving bank to inform it of the situation. This may help to recover lost funds unless the fraudsters have already made a withdrawal.
- Inform The Police
In the event of a cyberattack, it is imperative that a law firm contacts the police and obtains a crime reference number from Action Fraud at the National Fraud and Cyber Crime Reporting Centre on 0300 123 2040.
- Inform Your Professional Indemnity Insurer
A law firm has a responsibility to inform its professional indemnity insurer of any circumstances that may give rise to a claim under its PII policy. However, in doing so, it is necessary to consider client confidentiality duties, which can only be waived with the express approval of the client.
- Inform the Solicitors Regulation Authority (SRA)
Another organisation to inform immediately is the SRA, which can be contacted on 0121 329 6827 or emailed at email@example.com. The SRA will work closely with you to safeguard your client’s interests and may be able to speed up the police’s involvement in your case.
Drawing Up An Action Plan
You must demonstrate to your clients, to the SRA and to the public that you are acting professionally and responsibly in order to try and limit the damage to your client and to the firm’s reputation. Drawing up an action plan is the best way to accomplish this.
You may wish to call upon the services of a Cyber Incident Response (CIR) team, who can advise you on why the incident took place and help prevent it from recurring. Preferred CIR providers can be found on the government’s website.
An urgent matter which must be attended to is the loss of money from the client’s account. The SRA expects immediate assurances that you have put measures in place to have the money returned to the client’s account without delay. Early communication with the banks and insurance companies should give a law firm some idea of whether the money is likely to be replaced swiftly or whether a panel of investigators will need to be appointed. In the meantime, it is the partners of the law firm who are responsible for the shortfall in the client funds.
If you are having difficulties in obtaining the lost money from your insurance company or from the bank, then you should seek expert legal counsel to give you advice on how to keep your firm afloat.
Informing Your Client
Once you have informed all the necessary regulatory organisations, it is of course important that you let your client know what has happened and the steps you have taken to contain or remedy the digital scam. If your client’s funds are needed urgently, for example during a house purchase, your bank may set up a separate account for you to use for this purpose. The SRA recommends that you work closely with it, under its supervision, throughout this process. It may be necessary to close your firm temporarily whilst the stolen funds are replaced from private sources if they are not replaced by the banks or insurance companies.
Getting Back On Track
All firms that have been subject to a digital scam should take time to review and refine their business processes. Training should be given in
Falling victim to a digital scam can be extremely damaging to the reputation and finances of a law firm. To ensure that your legal firm is protected by leading technology providers and a comprehensive IT security strategy, call us today for a free review of your IT infrastructure.