Law firms ignoring client confidentiality during M&As
SRA guidance and EU data protection regulations are being flouted, says consulting law firm
Law firms are showing an 'alarming level of ignorance' by not keeping client information confidential when buying and selling other legal businesses, according to a consultant lawyer.
Citadel Law, a consulting law firm specialising in personal injury work, argues that a purchasing firm accessing client files in order to complete a merger or acquisition (M&A) would be a breach of client confidentiality.
Ethical guidance issued by the Solicitors Regulation Authority (SRA) in January 2015 recommended that firms should take sufficient steps during M&A negotiations to protect confidential client information and, where appropriate, seek client consent before any disclosures are made.
Lesley Graves, Citadel Law's managing director, said some solicitors were unaware of the SRA guidance while others have chosen to ignore it.
'Many law firms, and those advising them, are operating under the misapprehension that it is necessary to allow access to client files in order to complete deals; this just isn't true,' she said.
'Every week I see examples of this being flouted and when I raise it most solicitors tell me they had no idea, yet ignorance will be no defence if the SRA come knocking.'
Graves suggested that firms are approaching due diligence in the wrong way. 'They should be focused on the firm's financial situation and records, talking to fee-earners and reviewing operations, technical ability and governance, rather than delving into confidential client files.
'Early in our operational due diligence process, significant disclosure of pertinent MI [management information] that impacts on asset value is requested but with client details redacted,' she continued.
'We find working within SRA guidelines to be a far better approach as it puts the focus on operational issues as a whole rather than individual files - which is hit and miss, costly, and breaches SRA guidelines.'
Firms that engage in these unethical practices also flout the Data Protection Act 1988, advised Graves, who warned M&A practitioners to pay close attention to the EU General Data Protection Regulation.
In April 2016, the European Parliament approved the new regime, which seeks to hold data holders to greater account and give citizens greater control over their data. The new regulation will apply across the EU from May 2018.
'Firms need to get to grips now with what they are doing and how to comply with the new regime,' added Graves.