Rule 10-4 Reports

August 31, 2021

Lawyers are required to take reasonable security measures to protect their records against the risk of loss, destruction and unauthorized access, use or disclosure, as per Rule 10-4 of the Law Society Rules.  If you have lost custody or control of any of your records for any reason, you must immediately notify the Law Society in writing of all relevant circumstances.

While there are many circumstances in which you might report under Rule 10-4, the top four reported breaches are:

  • Misdirected correspondence;
  • Lost or misplaced records or electronic devices;
  •  Hacking or unauthorized access of servers or email addresses, including ransomware; and
  • Theft.

Misdirected correspondence

Many mistakes can happen when sending correspondence which highlight the need for careful attention to detail.

When sending correspondence by email, always double-check email addresses and attachments before pressing “send.” You may wish to adopt electronic encryption for sensitive documents, which requires the recipient to enter a password before they can obtain access. The article Email: Preventing a Mailstrom (Publications: Insurance Issues: Risk Management - 2009 No. 2 Fall) is available on the Law Society website and provides some useful tips on risk management if you accidentally send an email to an unintended recipient.

When sending correspondence by mail, it is also important to carefully review the contents and any enclosures. Be careful if you are using precedents or templates and ensure that a previous client’s information is not accidentally included.

Remember that you are responsible for the direct supervision of staff and assistants to whom you delegate particular tasks and functions pursuant to section 6.1-1 of the Code of Professional Conduct for British Columbia. If a staff member makes an error in sending correspondence on your behalf, you are obligated to report the incident to the Law Society as their supervisor.

Lost or misplaced records or electronic devices

Losing client materials or electronic devices, such as your laptop or cellphone, can be devastating. You should ensure you have adequate measures in place to protect your records and electronic devices when they are removed from your office, such as thoroughly performing a check for all possessions before moving to any new location.

Hacking or unauthorized access of servers or email addresses

These days, lawyers are increasingly reliant on technology in their practices. However, it is important to be aware that all technology is potentially vulnerable to attack from outside sources. Servers and email accounts may be infiltrated by third parties and, in some cases, these hackers may demand ransoms in exchange for releasing locked data and files (ransomware).

Take appropriate steps to harden your systems against attack. Contact your IT provider to assess your systems and determine whether additional security measures should be put into place, such as back-up servers. This is especially important if you are a sole practitioner or working remotely, as losing access to systems and accounts will have a particularly negative impact on your ability to continue working until the attack has been resolved. Remember to regularly change your password and consider implementing an “Acceptable Use” policy for internet and email. A model policy is available on the Law Society website: Practice Resource: Sample internet and email use policy.

Theft

The majority of thefts reported pursuant to Rule 10-4 involve office and vehicle break-ins. When it comes to protecting your office from burglary, lawyers are encouraged to consider additional security measures such as keeping loose devices and client materials in locked cabinets when not in use, secondary locking mechanisms on windows and doors, or installing a security system if you do not already have one. Securing Personal Information: A Self-Assessment Tool for Organizations from the BC OIPC is a helpful tool for evaluating, maintaining, and improving your office security arrangements.

Vehicle thefts may be avoided by never leaving items unattended or in plain sight. Even if your vehicle is being parked overnight at your home, removing any client materials or devices from your car and taking them inside will prevent an unfortunate incident from occurring.

Have questions?

Should you find yourself needing advice following a breach under Rule 10-4, Law Society practice advisors are available to discuss the situation with you. You may also wish to consult a privacy lawyer, who can provide legal advice on your obligations to contact any clients or other individuals who may have been affected by the breach.

Insurance coverage

The Lawyers Indemnity Fund has recently added a cyber and privacy insurance program that may provide coverage for each these four risks, including theft if it involves an electronic device or communication. Information about the coverage and reporting a claim is available on the LIF website: Your Cyber Coverage | LIF.