Introduction
Email improves aspects of the service that we offer to clients and increases the efficiency of our work. However, improper use of email has the potential to cause losses that our firm could be held liable for. Additionally, improper use may result in non-compliance with various statutory requirements or our regulatory obligations and could threaten the security of our information management systems.
Purpose
This policy aims to explain how our email system should be used by all of us and any other parties working on our behalf.
Scope
This policy applies to all of us, including managers, consultants and any third party to whom this policy has been communicated.
General principles
You should take the same care with communications by email as you would a letter. In particular:
- The same care should be taken over legal advice given by email.
- The same supervision principles apply. Before sending out substantive legal work by email, you should ensure that it has the approval of any relevant supervisor.
- Put a copy of every email sent in the appropriate electronic matter file.
- Protect confidentiality and privilege. Use of email can lead to information being accidentally sent to the wrong person (e.g., from inadvertently clicking “reply all”).
Permitted use
The firm’s email system exists for the purposes of the firm’s business. Personal use of our email system is acceptable provided:
- The use is minimal and mainly outside of working hours;
- The use does not interfere with client or firm commitments;
- Usage avoids any possible confusion between your personal dealings and responsibilities and those of the firm;
- Usage complies with all other related policies operated by the firm.
Needless to say, no emails should be sent which may reflect badly on the firm, for example, by reason of abusive, obscene, sexist, racist, harassing, defamatory, scurrilous or illegal content, including breach of our data protection obligations.
Monitoring and privacy
Emails which you send and receive using the firm’s email system are no more private than letters which you send or receive in the course of your work. The firm reserves the right to inspect emails to and from your account without necessarily notifying you first or seeking your consent. For example, this might be done if you are absent from the office and it is necessary to check on the progress of work.
It might also be done to address legal, regulatory or performance concerns, or for a variety of other reasons. Accordingly, for your own protection do not use the firm’s email system for sensitive personal matters.
Retention and destruction of emails
Email correspondence on client matters is subject to the normal retention periods which apply to client files. See the Retention and Disposal Policy for more information.
Otherwise, each member of staff is responsible for reviewing and deleting stored emails for which they are responsible. You should delete emails which are no longer required. Bear in mind our statutory, regulatory and business needs to keep records, but also our data protection obligation not to keep personal data for longer than is necessary.
Email Guidelines
In managing your emails, bear in mind these guidelines, as matters of good practice.
Sending emails
- Always re-read an email carefully before pressing “send”. For example, check the following:
- Are the email addresses for the intended recipients correct?
- Huge liabilities may arise from sending confidential information to the wrong person. Be very wary of the “Reply all” and Auto-Complete/autofill email address functions and double check that the correct recipient(s) is/are selected.
- Set up a send delay, which holds each outgoing email for a designated period during which you can still edit or cancel it. This is more reliable than trying to recall a message after it has been sent, which generally does not work once the email has left the firm's mail server.
- Have you created unintended liabilities? An email may create an enforceable contract, undertaking or guarantee. If in doubt, do not send.
- Might the email cause needless offence or misunderstanding or the tone be interpreted negatively? Consider using the telephone rather than emailing, as it is easier to ensure that the wrong impression is not given. Or leave the email in your drafts folder for an hour and reconsider it before sending.
- Have attachments actually been attached?
- Are you sending the correct version of a document?
- Where appropriate, are attachments in PDF rather than Word form (so that they cannot be changed as readily, bearing in mind that a PDF can still be edited)?
- Where possible, put the gist of the email/ key words relating to the content in the subject line, to help get your message over. For example, “I need the completion funds today” might be a more helpful subject line than the more ambiguous “Your transaction”.
- Bear in mind that email is not a secure medium: messages can be read by the systems they pass through and can be forwarded, intercepted or misdirected. If working on highly confidential matters, discuss with your client whether it is acceptable to send information by email.
- Adopt the rule of thumb – “Don’t send the email if you would not be happy for the SRA or the Court to read it.”
- Remember that even if emails have been deleted, it may later be possible to restore them.
Receiving emails
- Remember the guidance you have been given at other times on information security. For example, take steps to reduce the likelihood of being a victim of phishing. This is when attackers attempt to trick users into doing ‘the wrong thing’ such as clicking a bad link that will download malware, sabotage systems or steal intellectual property and money.
- Do not click on suspicious attachments or links. Do not assume an email was actually sent by the person who appears to have sent it. Do not pay money to an account simply on the basis of instructions in an email. If you have any concerns about an email you receive, you should refrain from opening it and seek advice from a director.
- Limit the number of emails in your Inbox. If you have too many emails in your Inbox, that makes it difficult to keep track of what does and does not require attention.
- An Inbox is not a To Do list. It is for messages you have not yet properly read and considered. Aim to keep the emails in your Inbox below 20, and regularly get it to zero. Use separate folders for e.g., “Action required” (which you should regularly review) and “Old correspondence” (which is simply a dumping ground for emails you are unlikely to need to read again, but which you are not yet ready to delete).
- Always go back to the original source. If you want to be sure that an email you receive is really from an organisation you have an existing relationship with, visit their official website, log in to your account or phone their advertised phone number, rather than using links or contact details within the email. Also check whether the official source has already told you what they will never ask for; for example, your bank may have told you they will never ask for a password.
Organisation
- Clients appreciate a speedy response to emails. However, constantly monitoring emails as they arrive is distracting and stressful. The best approach is to turn off the alert that tells you an email has arrived. Instead set aside a few periods of time each day when you review and respond to emails. If an email can be dealt with reasonably swiftly, it is much more efficient to read and respond once, than it is to read it then plan to come back to it later. Where appropriate, consider setting up an “Out of Office” reply that acknowledges receipt of emails and provides a timeframe for a response.
- Filing emails (both sent and received) promptly and correctly is vital. Use electronic folders accordingly. Get into the habit of going through your Inbox and sent folder at the end of each day and checking that relevant emails have been filed.
- When away from the office, ensure someone will check your emails at least daily. Give them delegate access or access to shared folders within your inbox. For longer periods of absence, consider setting up the automatic forwarding of emails to a colleague's firm mailbox; only ever forward to an internal firm address, and remove the forwarding when you return. Remember to set up the Out of Office Assistant with a timeframe for a response and signpost where urgent queries should be redirected in the meantime.
Accessing the firm’s email system via mobile devices
The same guidelines and email etiquette apply irrespective of where or how you access the firm’s email system.
Security is a big concern for mobile devices. We have, therefore, put the following safeguards in place on all firm issued mobile devices:
- Password protection or biometric security (such as facial recognition) is activated and must be passed before the phone can be unlocked and emails accessed.
- A remote disable/wipe function is set up so that email data can be deleted remotely when a device is lost or stolen.
- We use an email service that syncs across all devices to ensure that employees can always access the latest emails, even if they lose their mobile device.
NOTE – we encourage our people to have a work-life balance and do not expect them to respond to emails outside of business hours. Managers are encouraged to restrict emails outside of business hours to a minimum.
(Please refer to our Bring Your Own Device Policy for details of our requirements when accessing work emails from personally owned devices).
Email-specific cybersecurity risks
Viruses and phishing emails
Emails pose a significant security threat to the firm as they can be used to distribute viruses and spyware or for phishing attempts. Phishing is when attackers attempt to trick users into doing ‘the wrong thing’ such as clicking a bad link that will download malware, direct them to a fake website, sabotage systems or steal intellectual property and money.
Whilst Mimecast provides protection that can reduce the risk, it cannot remove it entirely.
We expect all employees to follow the guidance below to reduce the likelihood of becoming the victim of a phishing attack:
- If you receive an email from an organisation that the firm does not do business with, treat it with suspicion. If you are unsure about it, report it to Colin Bailey or Nicola Robinson.
- Question suspicious or unusual requests and ask yourself if they are genuine – if in doubt, contact the organisation directly using contact details from their official website.
- Pay close attention to detail: are the spelling, grammar and punctuation, logos and graphics, and overall design and quality up to the standard you would expect from the person or organisation in question? Anything which is not quite as you would expect could indicate a scam.
- Consider whether the email is addressed to you by name. Reference to generic terms such as 'valued customer,' 'friend' or 'colleague' can be a sign that the sender does not actually know you and the email is part of a phishing scam.
- Do not assume that an email was actually sent by the person who appears to have sent it. Look at the sender's actual email address, not just the display name: a look-alike address may differ from the genuine one by a single character (for example a digit 1 in place of a letter l), use a different domain ending, or hide the real address behind a familiar display name.
- Is the email claiming to be from someone official, for example the firm’s bank, a doctor, another solicitor’s firm or a government department? Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Do not click on suspicious attachments or links.
- Be wary of emails which contain veiled threats asking you to act urgently or which provide a limited time to respond such as ‘within 24 hours’ or ‘immediately’.
- If it sounds too good to be true, it probably is – do not pay money to an account simply based on instructions in an email.
- If you think you might have been a victim of phishing, or have any concerns about an email you receive, you should refrain from opening it where possible and seek advice from Colin Bailey or Nicola Robinson without delay. They will then consider the appropriate next steps such as changing passwords and running antivirus software.
- Another area to be aware of is spear phishing: an email or other electronic communication scam that targets a specific individual or group. It typically involves a series of messages designed to establish trust and gather information, leading to the payoff when the recipient is persuaded to change bank account details to those of the fraudster and funds are sent to the wrong account.
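To make the sender checks in the bullets above concrete, here is an added example (not part of the firm's policy or its Mimecast configuration) that inspects a From: header, and optionally a Reply-To: header, for the tell-tale signs: a look-alike domain, a display name that does not match the address held on file, a display name that is itself an email address, and replies diverted to another domain. The address book, domain names and sample headers are all constructed for illustration.

```python
"""Check a From: header for signs that the sender is imitating a known contact.

Added example, not the firm's own tooling. The address book, domains and
headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains the firm genuinely corresponds with (hypothetical).
KNOWN_DOMAINS = {"exampleconveyancing.co.uk", "clientbank.example"}
# Constructed address book: display name -> address held on file (hypothetical).
KNOWN_CONTACTS = {"Jane Smith": "jane.smith@exampleconveyancing.co.uk"}

# Characters and digraphs that look alike in common fonts. Multi-character
# entries come first so that "rn" is collapsed to "m" before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def skeleton(domain: str) -> str:
    """Normalise a domain so that look-alike spellings collapse onto one string."""
    domain = domain.lower()
    try:
        # Reveal internationalised (xn--) labels so Cyrillic look-alikes can be mapped.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid punycode: compare it as given
    for lookalike, plain in CONFUSABLES.items():
        domain = domain.replace(lookalike, plain)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits from a known domain is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the warning signs found in a From: (and optional Reply-To:) header.

    An empty list means nothing suspicious was found; it is not proof of authenticity.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    # A display name that is itself an address hides the real sender from the reader.
    if "@" in name:
        findings.append("display name contains an email address; the real sender is different")

    # A familiar name attached to an address we do not hold for that person.
    on_file = KNOWN_CONTACTS.get(name.strip())
    if on_file and on_file.lower() != addr.lower():
        findings.append(f"display name {name!r} is on file with {on_file!r}, not {addr!r}")

    if domain not in KNOWN_DOMAINS:
        skel = skeleton(domain)
        for known in KNOWN_DOMAINS:
            known_skel = skeleton(known)
            if skel == known_skel:
                findings.append(f"domain {domain!r} is a look-alike of {known!r}")
            elif levenshtein(skel, known_skel) <= 2:
                findings.append(f"domain {domain!r} is within two edits of {known!r}")
            elif known_skel in skel:
                findings.append(f"domain {domain!r} embeds {known!r} but is not that domain")

    # Replies silently diverted to another domain are a common fraud set-up.
    if reply_to_header:
        _, reply_addr = parseaddr(reply_to_header)
        if "@" in reply_addr and reply_addr.rsplit("@", 1)[1].lower() != domain:
            findings.append(f"replies would go to {reply_addr!r}, not to the sender's domain")
    return findings


if __name__ == "__main__":
    # Constructed headers: one genuine, one with "rn" standing in for "m".
    for header in ("Jane Smith <jane.smith@exampleconveyancing.co.uk>",
                   "Jane Smith <jane.smith@exarnpleconveyancing.co.uk>"):
        print(header, "->", assess_sender(header) or "no warning signs")
```

A clean result only means none of these particular tricks was spotted; the sender could still be a compromised genuine account, which is why the policy also requires telephone confirmation of anything that changes where money goes.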
Email modification fraud
Email modification fraud has become a common type of cyberattack experienced by law firms and mostly involves clients or firms being duped into sending funds to a fraudster’s account. Attacks can be very sophisticated and involve almost imperceptible changes to email addresses, while others are more crude attempts.
Time and personal pressures can mean that firms and clients miss the signs of an attack, which may take place randomly or on a more targeted basis, with fraudsters monitoring and intercepting emails during a transaction. Modified emails often impersonate the firm or the client in order to obtain money or sensitive information such as passwords.
To protect our clients from the impact of email modification fraud, we have the following controls and policies in place, which all employees must be familiar with and adhere to:
- All employees’ email signatures and key outgoing communications to clients, such as the Client Care Letter and letters requesting funds, must include a cyber fraud warning that the firm would never change its bank details by email and to telephone the firm immediately if there are any concerns in this regard.
- All employees receive training and an annual refresher on cybersecurity risks which highlight the importance of regularly scrutinising emails and being vigilant about spotting the signs of a potentially fraudulent email.
- If instructions are received to change banking details, we require clients to provide written authorisation by post before the changes are accepted and acted upon, and we confirm the request by telephone using the contact details already held on file (never those given in the email).
- Our IT department undertakes regular checks of firm email accounts for unauthorised inbox rules and mailbox forwarding settings, for example rules that forward or redirect mail to external addresses or that delete or hide particular messages, as these are a common sign that an account has been compromised.
- Any employee who is concerned that they may be a victim of email modification fraud must seek advice from Colin Bailey or Nicola Robinson without delay, to discuss the appropriate next steps and must do so before taking any further action on the matter.
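The following is an added example of the kind of check the IT department's review of inbox rules involves; it is not the firm's own tooling. It takes a list of rule records shaped like those returned by Exchange Online's Get-InboxRule cmdlet (or the Graph API's messageRules endpoint), plus the mailbox-level ForwardingSmtpAddress value from Get-Mailbox, and reports rules that send mail outside the firm, hide payment-related correspondence from the account owner, or carry the blank or punctuation-only names attackers tend to use. The field names, domains, addresses and sample rules are assumptions constructed for illustration.

```python
"""Audit exported inbox rules and forwarding settings for signs of account compromise.

Added example, not the firm's IT department's tooling. The records below are
constructed to resemble what Exchange Online's Get-InboxRule and Get-Mailbox
cmdlets return, but the field names and all addresses are assumptions.
"""
from email.utils import parseaddr

INTERNAL_DOMAINS = {"examplefirm.co.uk"}  # constructed: the firm's own mail domains
# Folders an attacker uses so that the account owner never sees the diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Subject words a fraudster filters on to intercept correspondence about money.
WATCH_WORDS = {"invoice", "payment", "bank", "account", "completion", "funds", "transfer"}


def external_addresses(addresses):
    """Return the addresses whose domain is not one of the firm's own."""
    out = []
    for raw in addresses:
        raw = raw[5:] if raw.lower().startswith("smtp:") else raw  # Exchange's "smtp:" prefix
        _, addr = parseaddr(raw)
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
        if domain not in INTERNAL_DOMAINS:  # unparseable targets count as external
            out.append(addr or raw)
    return out


def audit_inbox_rules(mailbox, rules, forwarding_smtp_address=None):
    """Return one finding per suspicious setting; an empty list means none were seen."""
    findings = []
    # Mailbox-level forwarding is a separate setting, invisible in the inbox rule list.
    if forwarding_smtp_address and external_addresses([forwarding_smtp_address]):
        findings.append(f"{mailbox}: mailbox-level forwarding to external address "
                        f"{forwarding_smtp_address}")
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        name = rule.get("Name", "")
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = external_addresses(targets)
        if external:
            findings.append(f"{mailbox}: rule {name!r} sends mail outside the firm to "
                            f"{', '.join(external)}")
        hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS
        words = {w.lower() for w in rule.get("SubjectContainsWords", [])
                 + rule.get("SubjectOrBodyContainsWords", [])}
        hit = words & WATCH_WORDS
        if hides and (external or hit):
            findings.append(f"{mailbox}: rule {name!r} hides matching mail from the owner "
                            f"({', '.join(sorted(hit)) or 'after forwarding it'})")
        if not any(ch.isalnum() for ch in name):
            findings.append(f"{mailbox}: rule {name!r} has a blank or meaningless name, an attacker habit")
    return findings


# Constructed sample export for one mailbox (hypothetical addresses).
MAILBOX = "fee.earner@examplefirm.co.uk"
SAMPLE_RULES = [
    {"Name": "File newsletters", "Enabled": True, "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "ForwardTo": ["archive.mailbox@webmail.example"],
     "DeleteMessage": True},
    {"Name": "Payments", "Enabled": True, "SubjectOrBodyContainsWords": ["invoice", "bank details"],
     "MoveToFolder": "RSS Feeds"},
    {"Name": "Cover for leave", "Enabled": True, "RedirectTo": ["colleague@examplefirm.co.uk"]},
]

if __name__ == "__main__":
    for finding in audit_inbox_rules(MAILBOX, SAMPLE_RULES):
        print(finding)
```

In Exchange Online the real input comes from `Get-InboxRule -Mailbox <user>` for each mailbox and from the ForwardingSmtpAddress and ForwardingAddress properties of `Get-Mailbox`; the example takes the forwarding address as a separate argument because it does not appear among the inbox rules. The internal redirect to a colleague in the sample is exactly the cover-for-absence arrangement this policy allows, and the check passes it while flagging the three problems with the rule named "." and the rule that files invoices into RSS Feeds.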
Review of this policy
This policy will be reviewed at least annually by Nicola Robinson (COFA).
September 2025