Rachael Eyre, certified data protection practitioner, looks at law firms’ duties to establish a client’s identity when they call the office.
We are all familiar with the routine. After sitting in a queue to speak to your bank, insurance company, phone company (etc.), the call handler proceeds to go through a data protection screening exercise. They want to know they are speaking to the right person and aren’t giving away any personal information unlawfully – or allowing an imposter to change things on your account.
When a law firm receives a call from a person claiming to be a client, are we supposed to go through a similar process?
It would make sense, given that lawyers hold extremely sensitive information about people’s legal affairs.
And of course, the legal profession has very strict confidentiality requirements in addition to data protection requirements. Client information must be kept confidential. There are very few exceptions.
The easiest way for a would-be fraudster (or jealous ex, or business competitor…) to get their hands on confidential information is to phone the solicitor for an update, pretending to be the client. They don’t need fancy IT skills or hacking software.
Back when I was an in-house Compliance Manager I remember being thrown by a question from a BSI Auditor. He pulled a team member up for not carrying out a data protection check on a client when they called in.
I was quite proud of my colleague’s response when he turned to the Auditor and said, ‘My dear sir, I do actually know my clients!’ (or words to that effect).
I explained to the auditor that the legal profession is not the same as a bank or utility company. We are usually familiar with our clients, and will often have met them to make a personal connection.
In some cases it would be dangerous to rely on a tick-box ‘data protection check’. Imagine an abusive ex-partner trying to get information about your client. It would be easy for them to lay their hands on the answers to all of the questions a typical data check would cover (date of birth, address, postcode). It would be much harder for them to impersonate your client’s voice and manner.
A solicitor who had been a conveyancer in the 1980s, long before AML checks, once told me a horror story which I still use in trainings to highlight the importance of getting to know clients. He was selling a property for a married couple. He had met Mr and Mr had brought in both passports. The fee earner had insisted on speaking with Mrs to confirm instructions, and she had telephoned in. She confirmed who she was, including date of birth and address. The transaction went ahead. Months later, the fee earner found out the person on the phone had been the mistress. Mrs was dead and under the patio.
Now, in a way the auditor was right. You do need to ensure that it is your client you are speaking with. In a post-Covid world, where remote working is common and meeting clients face to face is not, how can this be done without putting up barriers? Running through the data points is an easy solution from a tick-box compliance perspective, but it is not a strong risk-based control on its own and can be defeated by a motivated fraudster.
If you have met your client face to face, or are the person who spoke with them during onboarding, then you may be able to say ‘I know my client, recognise their voice and know it is them through the interactions I’ve had with them’. Brilliant.
But other people who weren’t involved in the initial discussions may handle updates. So, how do you safeguard that client’s personal information? Here are some suggestions:
- Data point check – file number, postcode, date of birth etc. Make this your first line of defence, but understand that someone close to the client (a family member, an ex-partner, a business associate) may well know the answers to these questions.
- Get to know the client well enough that you can recognise their voice. This can include video chats (I’m not going into deep fakes here as it is far too scary, but one to keep an eye on).
- Set up a password as part of the onboarding process. It will have to be something easy to remember, but it should not be one of the data points already on the file (postcode, date of birth) or something a close associate could guess. This is helpful if the client may speak to several different members of staff.
- Ask them what their last call or email was about. This should be easy to verify on the file. Bear in mind that anyone with access to the client’s email account would know this too, so treat it as supporting evidence rather than proof.
- Use a secure platform instead. There are apps designed for legal teams to interact with their clients on a daily basis. A caller would have to log in with the client’s own credentials (ideally with multi-factor authentication switched on) to read or send anything, so the platform does the identity check for you.
- Bonus tip 1: record that you checked your client’s identity. An attendance note setting out the steps you took is useful if the check is ever questioned.
- Bonus tip 2: put it in a policy. From a business management point of view, it always helps to set clear expectations of team members and the steps they should take.