The risk of paper cuts
"Paperless" office operation has its benefits, but risks can arise and risk management measures should be adopted to control them
Like many businesses, legal practices are carrying out an ever increasing proportion of their traditionally paper based operations in purely electronic form. The truly “paperless” office may still be some way off for most of us, and the term “paperless operation” can have as many meanings as there are firms employing it – from using document management systems to store electronic copies of incoming and outgoing emails, to removing paper completely from the equation by immediately scanning and destroying all incoming paper correspondence and utilising only electronic client files. For the purposes of this article, paperless office operation refers to regular scanning of incoming documents and electronic filing.
Potential risk management benefits
Routine electronic scanning and filing can confer potential risk management advantages, but can also present firms with risk issues. Depending on the system’s functionality, there is potential for improved ease of retrieval of documents and monitoring, as well as business continuity benefits. And as regards their file auditing requirements, firms’ files can be conveniently accessed from remote locations at any time of the day, even while the files are still live and fee earners are still working on them.
However, if the system functionality is more limited, or in the event of absence of or failure to comply with protocols, there is scope for risk issues to arise as a result, including:
- scanning errors
- misunderstandings over retention/disposal of clients’ property
- failure to act on (urgent) instructions
- failure in naming/filing of documents
- security breaches
- business interruption
- non-compliance with requests for information
- obsolescence of firms’ systems.
Document scanning software is not perfect, and documents can sometimes become corrupted during the scanning process. Human error can also result in defects – e.g. omitted pages or attachments.
Risk management point:
Consider how to ensure/monitor the completeness and legibility of scanned material.
Misunderstandings over retention of clients’ property
Issues can arise in relation to ownership of and property in the content of files if original hard copies are destroyed either immediately after scanning or after any closed paper file has been scanned into storage. Consent will presumably require to be obtained from clients before destroying those parts of the paper correspondence etc which are deemed to be the client’s property, or deleting the whole electronic file after the firm’s normal retention period.
Risk management point:
Consider what provision requires to be included in terms of engagement to make clear the contractual position with the client on this point, to avoid misunderstandings or disputes arising at a later date.
Failure to act on instructions in (urgent) correspondence
There may be a risk of (urgent) communications not being acted on (timeously) and clients’ interests suffering as a result during the “down time” period while correspondence is being scanned into the system, if scanning is done before fee earners see incoming mail.
Risk management point:
Consider how (urgent) correspondence is to be dealt with before scanning.
Failure in naming/filing of documents
Input error, carelessness or absence of protocols can all mean that documents are misdescribed/misfiled, making location/retrieval difficult. The inability to do the electronic equivalent of “thumbing through” a paper file can mean that e-documents so misnamed may be harder to trace.
Depending on how the system is set up, it may be more difficult, or impossible, for an auditor to audit/review an electronic file if, for example, the chronology, location or description of key documents is unclear.
Risk management points:
Have clear protocols in relation to naming and filing in the electronic file. Deliver training on the importance of following these protocols.
A firm policy of regular file review may be appropriate to check that staff are complying with file naming conventions.
The strengths of new technologies often, paradoxically, entail some weaknesses too. With the paperless office, the advantage of ease of accessibility of a firm’s electronic files for the purposes of legitimate manipulation and amendment is countered by the downside of possible vulnerability of the system to deliberate corruption or deletion by viruses etc, due to the action of external hackers and cybercriminals or disgruntled (former) employees.
The effects of, for example, the mass deletion or disclosure of client information, much of it confidential, can be extremely serious, as many businesses, especially in the financial sector, have found out to their cost (in terms of both financial loss and reputational damage) in recent years. For example, banks have reported the theft of laptops containing the personal account details of thousands of customers; and hackers recently broke into the computer records of a major international retail chain and stole the details of over 40 million credit card transactions.
The use of passwords which meet specified complexity criteria, and which require to be changed at regular intervals or on a revolving basis, can make the system less vulnerable to external or internal attack.
Risk management points:
Consider the need to ensure that:
- IT security measures (including firewalls, password access and, for especially sensitive files, encryption) are sufficient to protect confidential data, including client data; and
- staff, including temporary employees, clearly understand the importance of following these procedures.
The paperless office clearly creates a greater dependence on the availability of firms’ IT systems. A move to paperless operation may necessitate a review of business continuity planning arrangements.
Risk management point:
Review business continuity plan to address paperless office issues.
Non-compliance with requests for information
Like all other businesses, firms may be required from time to time to produce documents in response to a court order for specification or discovery of evidence, or a data subject access request under the Data Protection Act 1998. Sometimes law firms will be able to avail themselves of certain exemptions to the obligation to comply with such requests, primarily that for legally privileged communications between lawyer and client. However, other (non-privileged) documents will need to be disclosed, within time limits.
The already noted potential advantages and disadvantages of paperless operation, depending on how the system is set up, can affect how such requests impact on paperless offices which receive them.
Risk management point:
Consider how/in what form documents are produced (e.g. using file indexing and searching software) in response to requests for information.
The frequent obsolescence of computer systems due to changing technology can create difficulties in recovering electronic documents which are no longer in active data sources (i.e. in regular, everyday use and easy to access), due to system incompatibility.
Risk management points:
A technology upgrade policy which allows for the accessing of old data if the need arises, together with a document retention policy that ensures the destruction of legacy data when it is no longer required, can help reduce the impact on firms which need for whatever reason to access aged information.
There is insurance cover available for the cost of reconstituting electronic documents belonging to the firm from backup disks/tapes, other firms’ files, clients’ own copies etc. Electronic documents may be covered by either the firms’ professional indemnity insurance or their office insurance, depending on whether the documents in question belong to the client or the firm, and on (compliance with) the terms and conditions of those policies.
Professional indemnity insurance
The Master Policy covers the cost of replacing lost documents, including electronic documents, not owned by the practice. However, there are two exclusions from this cover: loss or damage caused by viruses; or unauthorised access to systems. Cover for loss or damage to electronic documents is also subject to the condition that “the Insured can demonstrate to the reasonable satisfaction of the Insurers that the Insured has in place sufficient and proper procedures for the security and daily back-up of Documents”.
Risk management points:
Maintain up-to-date anti-virus and anti-hacking measures to deal with the exclusions mentioned.
Ensure compliance with the security and backup conditions in the Master Policy.
For electronic documents which are the firm’s own property, including parts of transaction files belonging to the firm, cover is available under the firm’s office insurance (e.g. property, business interruption etc), if such insurance includes the “cyberrisks” associated with paperless operation (e.g. inability to access files on the system, document corruption, cost of data loss etc). Loss of electronic documents cover under office insurance may also be subject to conditions imposed by the firm’s insurers.
Risk management points:
Check office insurance arrangements to confirm that loss of the firm’s own electronic documents is included within the scope of cover; and, if so, that working practices conform to insurers’ requirements – for example, procedures are in place for notifying insurers of any upgrading of document scanning or management equipment.
While proffering undeniable efficiency and client service benefits, like many business innovations paperless office operation also brings with it side effects in the shape of new risks it poses to firms. Awareness of these risks allows practices to formulate and apply risk controls to combat them, so that the advantages of paperless operation can be enjoyed while minimising exposure to the potential downsides.
To assist firms in this process Marsh has produced a checklist of paperless operation risks and risk issues. This is attached to the guidance note on paperless office operation available in the Downloads section of the Marsh solicitors’ website at www.marsh.co.uk/lawsociety
ALISTAIR SIM AND MARSH
Alistair Sim is a director in the FinPro (Financial and Professional Risks) National Practice at Marsh, the world’s leading risk and insurance services firm. To contact Alistair, email: Alistair.firstname.lastname@example.org
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Services Authority.