Risk Update

Recent Risk Reading — Another Law Firm Data Breach (HIPAA), New Client ID Requirements in Canada, SRA Risk Webinars

Burr & Forman Faces Data Breach of Health Care Client Information” —

  • “Am Law 200 law firm Burr & Forman experienced a data breach that affected nearly 20,000 people, according to a public notice that said the incident occurred when ‘an unauthorized actor gained access to certain documents and information’ on the firm’s systems.”
  • “The firm said it was the victim of an October data breach that was ‘quickly contained.’ However, the firm said its analysis indicated the breach impacted the data of two health care clients subject to HIPAA. ‘We continue to address this matter with those clients directly and to comply with all required notices and actions,’ said Kathryn Whitaker, chief marketing officer, in a statement.”
  • “The firm, represented by Constangy, Brooks, Smith & Prophete, said it received the personal information in connection with its legal services for client Oceans Healthcare, according to the report. Another client was not identified.”
  • “An investigation determined the affected data included some protected information, such as names, Social Security numbers, medical coding information with dates and insurance data, according to a breach incident report.”
  • “In a ‘Notice of Data Security Incident’ posted on its website, the Birmingham, Alabama-based law firm said it ‘enhanced its network security’ and reported the incident to the FBI after learning of the incident.”
  • “It then began conducting an investigation and began notifying affected individuals of the incident earlier this week, including providing ‘resources’ to assist them, the notice stated.”
  • “Burr & Forman is one of the latest Am Law 200 law firms reporting a data breach. As The American Lawyer reported this month, 2023 saw a rise in law firm data breaches, as well as class action litigation tied to the events. Bryan Cave Leighton Paisner, Cadwalader, Wickersham & Taft and Smith, Gambrell & Russell were all sued over data breaches last year. Cadwalader and Smith Gambrell had their suits dismissed; Bryan Cave was dismissed as a defendant in one lawsuit as another is ongoing.”
  • For more see their: “Notice of Data Security Incident

Are you ready for the Law Society’s new client ID requirements on January 1, 2024?” —

  • “As of January 1st, 2024, the Law Society of Ontario requires lawyers who only meet with clients virtually to verify their clients’ identity online by authenticating their identification documents, or using an alternate, approved verification method. This ends the emergency virtual-verification measures that permitted verification through simply viewing identification documents online.”
  • “The virtual authentication of identity is done via technology that does multiple searches/verifications of the client’s identity. For examples of such technology, the Law Society of Ontario refers lawyers to a directory maintained by the Digital Identification and Authentication Council of Canada.”
  • “The Law Society does not restrict lawyers to only using the suppliers in the DIACC directory, provided the technology satisfies the Law Society’s criteria to determine whether an individual’s government-issued photo identification document is true and genuine.”
  • “If you will not be meeting your client in person, you will be required to virtually verify their identity and authenticate their identification documents if your legal services include the receipt, payment or transfer of funds. The Law Society has created several resources to provide additional details.”
  • “Are you ready to authenticate your client’s identification? What technology will you be using?”

The SRA has several February relevant risk webinars in the works, see their events page for registration details: “Events and speakers” —

  • Completing your firm-wide risk assessment (7 February 2024)
  • Speakers: Mandeep Sandhu, Head of Proactive AML Supervision, SRA, Kati Kalia-Hona, AML Proactive Supervision Team Leader, SRA, Susannah Eaton, AML Team Manager, SRA
  • Having a firm-wide risk assessment in place is not only the foundation on which all your anti-money laundering processes are built, it’s also a legal requirement.
  • We published updated guidance on preparing and completing your firm-wide risk assessment in September, and also published an updated template which may help you in devising your own assessment.
  • In this free webinar, we will discuss:
    • Provide tips and information on completing a firm-wide risk assessment
    • Work through examples of how you might use/adapt the template we have published
  • We recommend you have your firm-wide risk assessment with you during the webinar, so you can review it alongside the session.
  • You will also get the chance to put your questions to our expert panel, in particular on any queries you may have about devising and completing your own assessment. Questions for our panel can be submitted in advance when you book your place, or you can submit them live during the webinar.

 

  • Completing client/matter risk assessment – A practical guide (12 February 2024| YouTube)
  • Speakers: Mandeep Sandhu, Head of Proactive AML Supervision, SRA, Declan Brown, AML Regulatory Manager, SRA, Michelle Clement, AML Regulatory Manager, SRA
  • Our recent thematic review of client/matter risk assessments found that less than half of those produced within firms were compliant with the rules. This led to us issuing a warning notice on the issue.
  • In this free webinar, we will discuss:
    • Why it is important that you have compliant client/matter risk assessments
    • Common areas of non-compliance
    • Hints and tips on completing your own assessments
  • We will also illustrate how you might use and personalise the client/matter risk assessment templates we published in October 2023.
  • You will also get the chance to put your questions to our expert panel, in particular on any queries you may have about devising and completing your own assessment. Questions for our panel can be submitted in advance when you book your place, or you can submit them live during the webinar.