The COVID-19 challenge is unprecedented, both for the economy and for many aspects of the South African legal system, especially law firm practice management.
Many law firms have now closed their offices due to the COVID-19 pandemic, and staff are working remotely from their homes. This is presenting some firms with a number of significant challenges, including firms that already had what they believed were robust Business Continuity Plans (BCPs), because none of them had factored a pandemic into their BCPs.
The main challenges being faced by law firms include –
- inability to access hardcopy client records;
- cybersecurity risks;
- client confidentiality and data protection; and
- maintaining competency.
Accessing hardcopy and case management client records
With nationwide movement restrictions forcing many law firm employees to work from home, accessing hardcopy client files when they are needed has become difficult. This is likely to delay the handling of client matters and could therefore lead to complaints. In some instances, employees are forced to carry client files containing confidential information home. The risk of a file being lost and the confidential information falling into the wrong hands is significant, and it may open the firm up to litigation on the basis of negligence.
For law firms with robust information technology (IT) systems, remote access to those systems has also been cited as a challenge. Many systems were built for on-site access and, as such, require additional configuration before they can be accessed remotely. In addition, accessing such systems from home means that security must be given higher priority: networks and connections need to be secured so that data is neither lost in transit nor intercepted by attackers.
Users working from home also face a significant challenge in keeping confidential the information they work with. The likelihood that family members or relatives can see such information is higher, as some employees do not have a properly secured office space at home.
Cybersecurity risks
‘Criminals are actively taking advantage of the current crisis and are stepping up their cybercrime activities with scams to try and hack systems and steal clients’ money. Due to the lack of time, some firms have had to prepare for … working from home, and many will have had to ask their staff to use their own IT equipment, much of which could be exposed to cyber-criminals, due to their systems not being sufficiently protected’ (Brian Rogers ‘Remote working challenges for law firms: steps to reduce home working risk’ www.theaccessgroup.com, accessed 8-9-2021).
‘Financial criminals have followed closely behind, quickly adopting and exploiting online and electronic tools to their own illicit ends’ (Brian Svoboda-Kindle CFCS Certification Examination Study Manual – preparing for the certified financial crime specialist examination 6 ed (Miami: 2019)). ‘Hackers, acting alone or in teams, breach the data systems of major corporations and government agencies to steal and resell customer data, from bank account access codes to credit card and tax identification numbers’ (Svoboda-Kindle (op cit)).
The most prevalent cybersecurity risks stem from:
- ‘Phishing refers to the act of sending an e-mail or other electronic message falsely claiming to be a legitimate communication in order to manipulate the recipient into providing confidential information. Typically, a phishing message will direct the recipient to a [fake] website with the same look and feel as the legitimate website of a business, government agency or other organisation, and instruct the unsuspecting user to divulge sensitive information such as passwords, credit card numbers and bank account information’ (Svoboda-Kindle (op cit)).
According to Felix Richter ‘The most common types of cyber crime’ (www.statista.com, accessed 7-9-2021), phishing was the number one type of Internet crime in 2020.
- Social engineering – ‘is the act of deceiving or manipulating a target into turning over confidential information or personal data. … Assisted by technology, social engineering schemes exploit human tendencies to trust appearances and take communications at face value, particularly those from authoritative persons or sources. Social engineering schemes can and often do occur through multiple channels. Some social engineering schemes may use phone calls impersonating a bank employee, auditor or law enforcement agent to deceive a target into turning over confidential information. Others may use social networks to contact targets, build credibility by conducting background research on targets, or create fake profiles to impersonate a target’s real friends or business associates. … Consequently, there is no one-size-fits-all strategy for guarding against social engineering at organisations, whether banks, businesses or government agencies. One low-tech, but effective, solution is employee training’ (Svoboda-Kindle (op cit)). Through user awareness programmes, organisations can equip system users with the knowledge to detect most such attacks before they have a negative impact on the business.
- Business e-mail compromise (BEC) – ‘is a variant of social engineering that has been lucrative for cybercriminals. In simple terms, a fraudster impersonates someone else via e-mail to deceive a target into making a wire transfer, processing a payment or otherwise taking actions that will transmit funds to the attackers. In one common example, cybercriminals send a message to a company employee in accounts payable or the finance department that appears to be sent from the CEO, CFO or other executive. The message will request immediate payment to a vendor or other party, indicating it is a very urgent matter – the payment must be completed before the close of business. … Attackers will either spoof the sender’s e-mail address or create a new address that looks nearly identical. In other cases, attackers obtain a target’s e-mail account credentials and take control of it to send messages. In a variation, messages are sent directly to a financial institution, purportedly from a business executive controlling the account, directing that funds be transferred to another party immediately’ (Svoboda-Kindle (op cit)). Most business e-mail compromise attacks have focused on very senior personnel within organisations; by successfully impersonating such people, criminals are able to get away with large sums of money or valuable information.
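The BEC description above names two impersonation methods that a firm’s mail gateway or help desk can check for mechanically: a sender address that does not match the executive whose display name it carries, and a domain registered to look nearly identical to the firm’s own. The following is an added example (not from this article or from the sources it cites) of such a defensive check. The firm domain, the executive directory, the list of look-alike character substitutions and the sample message headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: the firm's own domain and a small directory of
# executives whose names are commonly impersonated in BEC messages.
FIRM_DOMAIN = "examplefirm.co.za"
KNOWN_EXECUTIVES = {
    "jane dlamini": "jane.dlamini@examplefirm.co.za",
    "sipho nkosi": "sipho.nkosi@examplefirm.co.za",
}

# A small, constructed set of substitutions used to build look-alike domains
# (digit zero for 'o', digit one for 'l', 'rn' for 'm', 'vv' for 'w').
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise_domain(domain: str) -> str:
    """Fold look-alike substitutions so 'examp1efirm' compares equal to 'examplefirm'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def bec_indicators(headers: dict) -> list:
    """Return human-readable BEC indicators found in one message's From / Reply-To headers."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name of a known executive, but the address is not that executive's.
    expected = KNOWN_EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{display}' used with unexpected address {addr}")

    # 2. Sender domain is a near match of the firm's domain (look-alike registration).
    if from_domain != FIRM_DOMAIN and (
        normalise_domain(from_domain) == normalise_domain(FIRM_DOMAIN)
        or edit_distance(from_domain, FIRM_DOMAIN) <= 2
    ):
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To routes responses somewhere other than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")
    return findings


# Constructed sample headers: one genuine message and three impersonation attempts.
SAMPLE_MESSAGES = [
    {"From": '"Jane Dlamini" <jane.dlamini@examplefirm.co.za>'},
    {"From": '"Jane Dlamini" <jane.dlamini@examp1efirm.co.za>'},
    {"From": '"Sipho Nkosi" <ceo.office@gmail.example>',
     "Reply-To": "payments@other.example"},
    {"From": '"Accounts" <accounts@examplefirrn.co.za>'},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", bec_indicators(msg) or "no indicators")
```

The check deliberately reports indicators rather than blocking outright: the message with a look-alike domain or a diverted Reply-To is what the finance team should be told to verify by telephone on a known number before any payment is made, which is the same low-tech control the social engineering passage recommends.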
- Account takeover – ‘Account takeover is one of the more common forms of identity theft, occurring when a fraudster obtains unauthorised access to an individual or organisation’s financial accounts. The nature of the takeover and the level of sophistication can vary. In the simplest form, an attacker could use malware, phishing or other techniques to obtain a person’s online banking credentials, then access the account and initiate transfers. More elaborate attacks might gain account credentials and some personally identifying information (such as the victim’s tax identification number or answers to online security questions) and use this to change the official mailing address or online banking credentials with that individual’s financial institution. Once accomplished, the fraudster can perform unauthorised transactions using the victim’s account without the victim’s knowledge (cash withdrawals, check orders, wire transfers, online banking transactions, etc)’ (Svoboda-Kindle (op cit)).
- Use of malware – ‘Malware is a class of malicious or intrusive computer code (or software application) that includes viruses, trojan horses and computer worms used by attackers to obtain personal/non-public user information. They can also be used to gain access to or control over private computer systems and databases or interrupt a computer’s functionality and availability to its users. Malware’s objective is typically to remain undetected, either by actively hiding within a computer system or by simply not making its presence on a system known to the user’ (Svoboda-Kindle (op cit)).
Ransomware has emerged as the number one menace of the COVID-19 period. ‘Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them’ (https://en.wikipedia.org, accessed 8-9-2021). According to David Ferbrache, ‘criminal groups are increasingly switching to COVID-19 themed lures for phishing exploiting your consumers’ and employees’ concerns over the pandemic and the safety of [their] loved ones.
There’s also evidence that remote working increases the risk of a successful ransomware attack significantly. This increase is due to a combination of weaker controls on home IT and a higher likelihood of users clicking on COVID-19 themed ransomware lure e-mails given levels of anxiety’ (David Ferbrache ‘The rise of ransomware during COVID-19’ https://home.kpmg, accessed 8-9-2021).
Client confidentiality and data protection
Law firms ‘need to ensure … the confidentiality of client data, which includes client information in hard (files) and soft (computer) formats.
Working from home can present a number of risks to client data, for example, family members and visitors being able to see it, or client information being overheard during telephone calls; not all people working from home have the ability to work from a dedicated office and will, therefore, be working at kitchen tables, in lounges, etc, but appropriate precautions will still have to be taken to mitigate identified risks’ (Rogers (op cit)).
Maintaining competency
Law firms ‘must ensure that the service [they] provide to clients is competent and delivered in a timely manner and that those providing legal services maintain their competence to carry out their roles and keep their professional knowledge and skills up to date’ (Rogers (op cit)).
Key steps for law firms to consider
‘The following steps should be considered to reduce the risks of working from home:
- Allocate appropriately protected business-owned IT equipment to anyone working from home on client matters and remind staff how and where they can report any potential cyber-risks.
- Communicate regularly with all staff on working from home policies, including working from home safely, cyber and information security protection of personal data in accordance with data protection laws … when using shared WiFi and use of company VPNs.
- Review internal policies, procedures and controls to ensure that there are no increased risks that would otherwise be mitigated or controlled in normal circumstances. Staff should still be able to get easy access to the firm’s policies and procedures, including use of e-mail, Internet, social media and points of key contact should any reports need to be made.
- Provide regular updates between teams and management via conference calls to help ensure staff are both clear on their operational objectives and supported properly.
- Members of the management team should ensure that appropriate levels of supervision are maintained, and staff should be able to easily contact their supervisors and key teams (IT, accounts, etcetera) when required.
- Remind staff not to work on client matters in public places or when using free insecure WiFi connections and ensure hard copy files are stored securely when not in use and are not accessible by others when being worked on (spouse, partner, children, visitors, etc).
- Ensure breaches, complaints, claims … are notified to the appropriate compliance officer … ; if an online risk and compliance system is used by your firm ensure it continues to be updated as required’ (Rogers (op cit)).
- Where law firms believe they are not adequately equipped to deal with cyber risks, they should approach organisations with the relevant skills to assist them in formulating proper strategies that increase their ability to deal with such threats.
‘Working from home is going to become the new “normal” over the next few weeks and months, so making sure your firm is able to operate effectively and compliantly during this period will be critical’ (Rogers (op cit)).
Cledwin Dzinamarira LLB (Hons) (UFH) is a Practitioner Risk Manager at the Legal Practitioners Fidelity Fund in Centurion.
This article was first published in De Rebus in 2021 (Oct) DR 8.