Managing risks in the modern law firm
Certain of the risks associated with innovations in the way firms operate, such as homeworking
The move to working from home rather than an office base has been facilitated by modern telecommunications systems that enable employees to access company IT facilities easily from a remote location, however you need to consider the risk management issues involved.
There are the issues of supervision and checking of work which may be more difficult with colleagues working remotely. There are also health and safety, security and insurance considerations.
Health and safety
Employers are required to ensure the health, safety and welfare of all employees so far as is reasonably practicable and employers are considered to be responsible regardless of where their employees’ workplace happens to be.
Employers have to ensure a safe workplace and safe use of any equipment and of any materials involved and that duty extends to the use of work equipment in the home. Consideration needs to be given to the possibility of harm being suffered not just by home workers themselves but also by their families and visitors.
The environment in which the home worker is working must be suitable. For instance, employers need to ensure that electrical equipment is both supplied and maintained in good condition and that there is adequate lighting. Crucially, employers must ensure that there are suitable arrangements for the detecting and warning of fire and that there are suitable means of escape if fire does occur.
Many home workers use computer equipment. The Health and Safety (Display Screen Equipment) Regulations 1992 apply to their workstation and work arrangements just as they do to those of office based employees. Guidance needs to be provided on how to do workstation assessments and follow up any problems identified.
Essentially, any health and safety requirement that applies in a traditional workplace will also apply where employees are based wholly or partly at home.
Ideally, home workers should have a room dedicated to work, with facilities to shut away work papers and files. It is advisable that home workers do not use their business computer for home purposes, unless stringent precautions are taken to prevent damage to and corruption of work media and software, including by viruses. In any event, home workers should follow standard good IT housekeeping procedures, such as regularly checking software for viruses and backing up data.
Home security is also important. Depending on the value of the work equipment, additional protections may be appropriate.
It will normally be the employer’s responsibility to insure equipment used by the home working employee. If damage or injury occurs, the employer is likely to be vicariously liable for the negligent acts and omissions of the employee regardless of where the work is done, subject only to the proviso that the employee was ‘at work’ at the time. The employer could also be legally liable if the employee suffers a work related injury.
Care is needed to ensure that policy wordings are sufficiently wide to cover equipment used by employees who are working at home. If any equipment, including laptop computers, are moved to and from company premises/employee homes, the property policy should be checked, if applicable, to ensure that such transits are covered under the terms of the policy. The public liability and employers’ liability insurer should also be informed that employees are working from home.
There are requirements for employers to provide information to employees to meet statutory duties and also to provide information as regards good practice.
Many law firms, in addition to communicating by e-mail, now have their own websites.
Subject to the policy terms and conditions, the Master Policy can be expected to provide cover for any claim arising where services have been provided over the internet in the same way as if the services had been supplied in a more conventional way. However, it is suggested that you contact Marsh for confirmation that your proposed use of the internet falls within the scope of Master Policy cover.
Note: there are risks associated with the operation of a website which are likely to fall outside the scope of Master Policy cover and regular office insurances. An example is loss arising out of damage to your website arising from unauthorised access. However, there are specialised insurances available for these particular risks and your own insurance adviser will be able to advise on these insurances.
Although most claims and losses arising out of the operation of a website and the provision of legal services over the internet are likely to be covered under the Master Policy or capable of being insured, you will nevertheless want to ensure that you operate your website in a way which minimises the risk of losses and claims arising.
Consider the difference in the risks associated with (a) preparing wills and powers of attorney based on instructions received over the internet where there is no opportunity for you to verify the identity and capacity of the granter and (b) the provision of proforma documentation or advice, subject to appropriate warnings, caveats and disclaimers.
The Society seeks to discourage the former activity which creates opportunities for dishonesty or deception if there is no opportunity for you to verify the identity and capacity of the granter. For guidance, please contact the Society.
In addition, the following points might be addressed as elements of your risk management systems and procedures to minimise the risks to your firm -
- Regularly reviewing content of website
- Establishing a procedure for approval of changes to content
- Addressing legal/compliance issues eg. copyright, disclaimers
- Addressing the risk of acquiring/transmitting viruses
- Instructing a survey of your security risks by an approved supplier
- Conducting an audit of e-Business security risk
- Educating personnel on e-Business issues
- Considering risks in maintaining a discussion page
- Reviewing insurances for ‘cyber coverage’
Some firms are beginning to investigate the practicalities of operating on a substantially ‘paperless’ basis.
From the point of view of cover under the Master Policy, no specific issue has been identified. The only specific risk management point which has been raised is the importance of off-site back-ups of electronic records.
Scanning of correspondence
Although there is probably no specific Professional Indemnity Insurance issue, again there may be risk management and professional practice issues. As far as risk management is concerned, whether the scanning is done in-house or is contracted out, there clearly need to be strict protocols and instructions to ensure the accuracy and reliability of scanned material and how original documents are dealt with after scanning. Proper arrangements need to be made for the storage of disks off-site.
There may be professional practice considerations related to the issue of ownership of and property in clients’ property. Consent will presumably require to be obtained from clients before destroying those parts of the correspondence etc which are deemed to be the client’s property.
Scanning of closed files
Some firms may now be scanning as an alternative to archival/storage of files. The same sort of risk management issues arise and, again, there is likely to be a requirement for specific authority from clients before hard copy correspondence is destroyed.
IT risks generally
This month saw the National Legal Offices and Legal Services Exhibition which took place at the NEC, Birmingham. On display were products from providers of software, hardware, internet and intranet services. According to the organisers of the event, lawyers are now at the forefront of e-commerce and electronic business development.
The range of business and legal risks that need to be managed by solicitors making use of IT in various ways in their practices is a risk management subject all of its own. The subject was addressed by solicitor, Charles Sandison in the course of a Masters degree in management completed last year and in future issues of this page he will address a variety of risk management issues associated with the use of IT, particularly issues of information security – the steps practices take to ensure that important data stored on computer is safe from a variety of threats.
The information in this page is (a) intended to provide guidance on matters of practical risk management and not on issues of law and (b) is necessarily of a generalised nature. It is not specific to any practice or to any individual and should not be relied on as stating the correct legal position.
Alistair Sim is Associate Director in the Professional Liabilities Division at Marsh UK Limited (e-mail: Alistair.J.Sim@marsh.com)