FEBRUARY 2022 – ARTICLES & ITEMS OF INTEREST

The Legal Quality Standard of Ireland
ILRS TO BECOME THE LQSI
We are rebranding. From 1 March 2022, we will be known as the Legal Quality Standard of Ireland or LQSI. We will be using the new logo (above) from 1 March 2022, and audit certificates for audits completed after that date will be issued with this new logo. The new logos for use by accredited firms will now include the year of accreditation. This is being done to protect the integrity of the standard. If you wish to be sent the new LQSI logo for your standard, or an updated accreditation certificate, please contact your auditor and they will arrange for it to be sent to you in early March. The former ILRS logo will continue to be valid for at least one year. We will keep our former website (www.ilrs.ie) live for the next year, and there will be clear redirection in place from the old site to the new website, www.lqsi.ie.
COMPLAINTS – PERSONAL GRIEVANCE OR PROTECTED DISCLOSURE?
The article looks at “What is a Protected Disclosure?” and the case of “Baranya v Rosderra Irish Meats Group Limited”. In brief, this case concerned an employee, a butcher employed in a meat factory, whose task involved ‘scoring’ a large number of carcases on a daily basis. He claimed he was dismissed as a result of indicating that he was in pain and asking to be reassigned to a different role. The employer denied that the employee’s complaint included an allegation that any personal pain was caused by the carrying out of his butchering duties and contended that the dismissal was due to the employee walking off the production line, having not waited for management to address his request to change jobs.
It discusses the scope of the legislation: ‘Hogan J. in the Supreme Court commented “many complaints made by employees which are entirely personal to them” could amount to a protected disclosure, including complaints by an employee that his or her personal health or safety is endangered by workplace practices. The court noted that the Code of Practice on Protected Disclosures refers to a distinction between protected disclosures and grievances and that the Labour Court had been influenced by this consideration notwithstanding no such distinction is drawn by the Protected Disclosures Act 2014. This he said led the High Court into error in reaching a conclusion that a purely personal complaint regarding workplace health and safety essentially fell outside the scope of the Act.’
‘Organisations should therefore be alive to the possibility that a protected disclosure will arise where complaints although in the nature of a personal grievance, raise workplace health and safety concerns whether expressly or by necessary implication.’
To view this article in full see https://issuu.com/256media/docs/parchment_winter_2021-flipbook?fr=sNDI2MTQxOTYxNTc. This case is also discussed in this month’s Law Society Gazette.
DPC PUBLISHES ANNUAL REPORT FOR 2021
On 24 February 2022, the Data Protection Commission published its annual report for 2021.
The highlights of the 2021 Annual report include:-
- 31 Case Studies
- The DPC received 7,469 queries and 3,419 complaints from individuals in 2021, and concluded 7,081 queries and 3,564 complaints, including 1,884 complaints received prior to 2021;
- 6,549 valid data protection breaches recorded; 6,274 were concluded;
- Just under 52% of complaints were concluded within the same calendar year;
- In 2021 the most frequent GDPR topics for queries and complaints continued to be Access Requests, Fair-Processing Disclosure, Direct Marketing and Right to be Forgotten;
- In 2021, the DPC concluded 5 large-scale inquiries; sent forward 4 draft decisions to the EU co-decision making process; referred 1 case to the EU dispute resolution mechanism on foot of which the DPC issued a finalised decision; issued a further 9 preliminary drafts of decisions for submissions to regulated entities and complainants in advance of finalisation, and sought submissions on statements of issues or inquiry reports from relevant parties in a further 17 inquiries.
- In September, the DPC announced a conclusion to a GDPR investigation it conducted into WhatsApp Ireland Ltd. The decision was subject to the EU dispute resolution process, after which the DPC imposed a fine of €225 million on WhatsApp, in addition to an order for WhatsApp to bring its processing into compliance.
- 138 electronic direct marketing investigations were concluded in 2021 and two telco companies were prosecuted for persistently contacting customers who had opted out of correspondence.
- During 2021 the DPC continued to carry out cookies investigations, examining a significant number of websites to assess compliance with the relevant legislation, i.e. Regulations 5(3), 5(4) and 5(5) of the ePrivacy Regulations (S.I. 336/2011). That legislation provides that consent must be obtained for placing any information on a user’s device, or accessing information already stored on their device, unless one of two limited exemptions is met. It is important to note that the law applies not only to websites, but also to mobile apps and other products that use cookies or similar tracking technologies that access a device. Investigations and enforcement in this area will continue to be a key element of the DPC’s activities in 2022 and in the coming years.
To view the report in full see https://www.dataprotection.ie/sites/default/files/uploads/2022-02/Data%20Protection%20Commision%20AR%202021%20English%20FINAL_0.pdf
SOCIAL ENGINEERING ATTACK ON LAW FIRM
Case Study 25 in this year’s recently published DPC Annual Report relates to a social engineering attack on a law firm.
- A medium-sized law firm reported that it was the victim of a social engineering attack. A staff member opened an email from a malicious third party that secretly installed malware on their computer. The malware enabled monitoring email communications and permitted the bad actor to defraud a client of a sum of money.
- The firm reported the breach to the DPC.
- Through its engagement with the firm, the DPC established that the firm used a widely used cloud email service which was managed by a contractor. Basic security settings such as strong passwords were not properly enforced and multi-factor authentication was not implemented.
- Upon becoming aware of the incident, the firm immediately commissioned a full investigation to establish the root cause and the extent of the breach. Based on the findings of the investigation, the firm responded promptly and implemented further technical security measures as well as additional cyber security and data protection training to all staff.
- The DPC requested that updates be provided on the implementation of appropriate organisational and technical security measures to prevent a reoccurrence of a similar breach.
- This case demonstrates in stark terms that an organisation cannot assume that it has adequate measures in place simply because it uses an established service provider for functions such as email, or engages a third party to manage applications. Controllers and processors must still ensure that they have security measures that are appropriate to any risk that may be posed to the personal data for which they are responsible.
To view this case study and other case studies see https://www.dataprotection.ie/sites/default/files/uploads/2022-02/Data%20Protection%20Commision%20AR%202021%20English%20FINAL_0.pdf
REPORT DETAILING CYBER THREATS TO THE UK LEGAL SECTOR
The Law Society of Northern Ireland’s website contains a report titled “The cyber threat to UK legal sector”. This 20-page report aims to help law firms understand current cyber security threats and the extent to which the legal sector is being targeted. It also offers practical guidance on how they can protect their practice. The cyber threat applies to law firms of all sizes and practice, from sole practitioners, high street and mid-size firms, in-house legal departments up to international corporate firms.
The report explains phishing, data breaches, ransomware and supply chain compromise and how to mitigate against these threats.
Annex B of the report, Small Business Guide Actions, contains a checklist of Policy actions, Technical actions and Training and Awareness actions.
To view this report see https://www.lawsoc-ni.org/DatabaseDocs/med_7625870__thecyberthreattouklegalsectorncsc.pdf
ONLINE CYBER SECURITY SERIES
The Law Society Small Practice Support Service is running a series of web-based information sessions. This three-part cyber-security series will take place in March in conjunction with the Law Society Technology Committee.
The sessions are:-
- Cyber security (2 March) Mitigating the risk of cyber-attack – Rory O’Neill,
- Cyber security (9 March) What insurers require legal firms to do – Brian O’Mara, O’Leary Insurances,
- Cyber security (16 March) CIS controls (formerly known as Critical Security Controls) to secure your legal firm’s future range security operation.
For more details see https://www.lawsociety.ie/gazette/top-stories/2022/key-info-sessions-on-cyber-threats-for-business
DATA BREACHES AND WHEN TO NOTIFY
In this month’s Law Society Gazette, Brendan Quinn writes an article titled “Minority Report” discussing data breaches and when to notify a breach.
He states ‘Incidents must be documented, even where an assessment determines that reporting is not required.
Breaches can have serious consequences beyond data protection – legal, financial, and reputational – for solicitors, their clients, and other stakeholders.
In a worst-case scenario for some businesses, a breach can put them out of business. Therefore, solicitors should actively implement safeguards to minimise the risk of breaches occurring, through staff training, appropriate security, and technical and organisational controls to protect their data. This is particularly important in the case of solicitors, due to the special importance and value attaching to legal professional privilege’.
Article 4(12) describes a personal-data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
This article lists some of the Control Failures, Integrity Breaches and Personal-Data Availability.
Brendan Quinn concludes by stating ‘How to prepare:-
- Develop and implement a data-breach response plan,
- Implement training programmes for employees,
- Develop templates for breach notifications,
- Consider test procedures on high-risk applications,
- Apply appropriate security measures to protect high-risk data, and finally
- Use privacy-enhancing technologies.’
To read this article in full see https://www.lawsociety.ie/globalassets/documents/gazette/gazette-pdfs/gazette-2022/janfeb-2022-gazette.pdf#page=49
LQSI SPRING WELLNESS SERIES
We at the LQSI are very excited to launch this new initiative, our inaugural Spring Wellness Series. The last two years have taken their toll on everyone. We feel firms need to focus on their most important resource, their staff. We have included Staff Wellbeing as part of our audit standard since 2019. We are aware that it can be costly for firms to run these events and so we are delighted to offer this complimentary series of webinars to our accredited clients.
We have an excellent line-up of contributors for this series. The LQSI wellbeing initiative is open to all staff in our currently accredited firms. We are holding lunchtime sessions (1pm-2pm) each Tuesday in March.
- 8 March – Mindfulness and Self Compassion – with Barry Lee
- 15 March – Movement and Breath Awareness – with Elaine Harris
- 22 March – Healthy Lunch Options – Cooking Demo with Ciara’s Kitchen
- 29 March – Nourishing Creative Expression – with Elaine Harris
For further information, contact your firm’s auditor.