This section looks at the key risks identified by the top 150 firms in the UK in our third risk management survey. While last year client bankruptcy, credit problems and other recession-related fears dominated risk managers’ agendas, this year some of those fears may have abated.
Of the potential risks identified by risk managers, the threat of clients being acquired or declared bankrupt has fallen sharply, scoring on average 2.6 out of five, compared to 3.6 last year (see ‘Legal risk profile’ table, opposite).
This moves the threat from high risk to moderate risk, as law firms and their risk managers suggest that firms are over the worst and their core client base remains intact. This renewed confidence is evident from the fact that credit or other financial problems were identified as very low risk this year, noticeably down from last year’s results (see ‘Dangerous games’, LB192, page 48).
Although the overall ranking of recession-related fears has abated, comments from risk managers throughout the country indicate that there are still knock-on effects, and no one is suggesting the industry is out of the woods just yet. One major national firm says: ‘Wider economic drivers of the recession have meant risks such as client fraud, conflicts and clients wanting to look to exit transactions have come higher up the agenda.’
What is clear is that clients’ own economic fears are manifesting themselves in greater pressure on law firms. The need to get things done quicker and more cheaply means that, inevitably, mistakes appear. This is shown by the fact that two of the most serious risks facing firms at the moment are increased claims as a result of pressure on fees and the need for instant advice (average score: 2.9 out of five); and errors made by staff on high-value, complex transactions (2.8 out of five). One respondent identifies the root cause of these risks: ‘There is a higher risk of professional errors due to clients looking to receive “more for less”.’ In other words, clients’ appetite for getting something for nothing means that errors are creeping in.
A bit of good news
While firms such as Russell-Cooke, Linklaters and Slaughter and May were all on the receiving end of yet-untested claims in 2009, there was good news for law firms last year in response to clients chancing their arms and launching speculative claims. The Commercial Court found in favour of the law firm in Levicom v Linklaters in April 2009.
A contractual dispute between the Baltic telecoms company Levicom and two Swedish competitors had settled on less favourable terms after Levicom rejected an earlier, more favourable settlement. The company argued that, had it been advised properly by Linklaters, it would have negotiated a settlement on similar terms to the original offer and not referred the matter to arbitration. Levicom also alleged that its solicitors were too optimistic about its chances of success and did not properly explain the difficulties it would face in proving its case.
Although the Court agreed that Levicom had strong views on the level of settlement it could obtain, and that Linklaters perhaps wasn’t firm enough in expressing its own views on quantum, the Court considered Levicom a sophisticated business capable of interpreting legal advice fully, and found that it had therefore failed to prove that it had suffered any loss as a result of Linklaters’ advice. Levicom was awarded nominal damages of just £5, while Linklaters was awarded costs.
What are the biggest causes of professional malpractice claims?
System error
Although the risk profile for many firms may have altered slightly, one risk remains pretty constant for UK firms and the US firms that responded. One of the key risks identified by respondent firms this year, as well as in previous years, is IT security (average score: 2.8 out of five). This comment from one respondent was typical: ‘We are increasingly reliant on IT and therefore that is a higher risk.’
Emma Dowden, director of best practice and operations at Burges Salmon, says: ‘It may seem obvious to make this point, but one of those issues that never goes away is IT security. We’ve just been looking at our IT policy and recognising how quickly things move on and new risks, such as social networking, arise.’
The dangers posed by weak IT infrastructure in the financial services industry were outlined in a recent article in The Economist (‘Silo but deadly’, December 2009). The article made clear that banks are essentially technology firms and all but the most sophisticated banks are handling crucial data on decades-old mainframes overlaid by innovative products and fragmented systems due to ongoing consolidation in the sector. The situation is exacerbated by the fact that much of the money spent on IT is there to make systems faster rather than more transparent. The result? Many banks have a problem with data quality: assets are defined differently on supposedly complementary systems, numbers do not add up, and managers in different departments do not trust their colleagues’ data. The landscape is a fragmented mess.
The situation isn’t so dire for law firms because, as one general counsel puts it: ‘We deal with words rather than numbers, so in theory it’s not as easy for errors to crop up.’
Nonetheless, risk specialists identified IT as a major headache in the survey, with some noting that ‘IT security has become a bigger issue’. Fines and sanctions aside, security breaches can do untold damage to a law firm brand, as the industry has been defined for centuries by its ability to handle clients’ needs sensitively.
LEGAL RISK PROFILE: What are the risks currently facing your firm?
Costly mistakes
One of the biggest IT threats is data security, particularly for law firms, as client confidentiality, engagement and retention are their raison d’être. Not only would data security breaches lead to Solicitors Regulation Authority action for breach of Rule 4 (confidentiality), but as of 6 April 2010, the Information Commissioner’s Office will have new powers to issue fines of up to £500,000 for data security breaches. The new power brings the ICO in line with other UK regulators, which have long had the power to issue large fines. The Financial Services Authority, for example, has imposed fines of up to £3m on various UK banks and financial services institutions for failing to put in place adequate measures to protect against data loss. For instance, in 2007 Nationwide Building Society was fined £980,000, and Norwich Union £1.26m, for losing customer data.
Rupert Casey, a partner at Macfarlanes specialising in data protection and IT matters, says that, like so many risk issues, the cost of doing something about data protection is better than simply ignoring it.
‘Given the lack of such fines until now, many businesses have not prioritised data protection within their overall administrative burden,’ Casey says. ‘Now, however, is the time for every business to consider its use of data, its data security policy, and how it will protect such data in the future so that it will be ready for the likely implementation on 6 April.’
Data to take away
And it is breaches of data security measures on handheld devices where law firms are perhaps most at risk. BlackBerrys and laptops containing confidential information left on trains or in restaurants present a significant risk to firms. A survey released in January by data protection company Credant Technologies reported that 4,500 USB memory sticks had been left forgotten in the pockets of clothes sent to the dry cleaners in 2009. Credant carried out a straw poll in 2008, where 24% of lawyers canvassed owned up to losing at least one handheld device containing sensitive information and putting client confidentiality at risk. Only 13% of those careless solicitors said they believed the data was safe because the device was secured and the information encrypted. This was cold comfort though, as one-fifth of all lawyers surveyed said that their data could easily be compromised by a hacker if they did lose their mobile device.
The fact that a data protection company has pointed out that there are data security problems means that perhaps the information can be taken with a pinch of salt. However, the risk is ignored at your peril, as the problem, as ever, is a lack of adequate supervision over what information is accessible outside of the physical office of a firm and an unwillingness to challenge partners over a cavalier attitude towards handheld devices. Ill-advised, drunken e-mails are one thing, but how many lawyers would leave a client’s confidential case file on a table in a hotel lobby? Yet many will do the same with an unlocked BlackBerry, which could enable access to many clients’ details.
John Verry, director of risk at TLT, cannot hide his exasperation at the risk firms are exposed to by carelessness with portable devices. ‘Lawyers are incredibly likely to lose portable devices, and the point is there’s a lot of information stored on them,’ he says. ‘I would ban people from taking anything out of the office – including BlackBerrys – but it’s not going to happen, so you need to manage it as best you can.’ He adds: ‘Confidentiality is the lifeblood of the profession. If you’re leaking like a sieve or breaching confidentiality, irrespective of the legislation on data protection, you’re not going to last long as a law firm. Make a mistake with clients that have their own statutory requirements for data protection and you don’t get a second chance.’