Risk and the matter lifecycle

The current climate dictates that firms must overhaul their approach to client verification, conflicts management, and information security, retention and retrieval.

By Sam Suri, director, It Matters Consulting

People often make two assumptions about lawyers: first, lawyers know the rules and regulations with which they must comply; and second, they apply their knowledge to practice. These assumptions are often incorrect.

The consequences for professional-services firms not fully understanding or following the regulations that apply to their day-to-day work have been well publicised:

Jonathan Duff, a solicitor, received a prison sentence for failing to understand the UK anti-money-laundering obligations;
Law firms are increasingly investigated for breaches of conflict obligations, including a recent judgement, preventing a firm from acting for a client after the courts held that it had a conflict of interest and had insufficient information barriers in place;
Morgan Stanley was ordered to pay $1.58bn in damages in a $30m claim, due in part to inadequate information management;
Arthur Andersen was found to have obstructed the course of justice following the shredding of documents relating to one of its clients, Enron.

Despite these high-profile cases, many law firms remain open to similar risks. In law firms, lawyers are under pressure to be profitable and this leaves vital areas such as regulatory compliance and risk management unattended or forgotten. As implementing risk and compliance measures are often thought to sacrifice convenience, even partners, the owners of the business, are reluctant to put measures in place that could, one day, save their reputation.

Compliance should be made as straightforward as possible for lawyers. Automating compliance helps to simplify complex and labour-intensive tasks so that they are as easy to understand and adhere to as good everyday working practices. However, it should not be assumed that automating tasks using technology is the entire solution. The right technology should always be used to support the right working practices and vice versa.

Putting aside firm-wide issues such as business continuity and disaster recovery, where do the main risk and compliance issues lie for a lawyer during a typical matter? The answer is, at each stage of the matter lifecycle. Where can technology assist the lawyer in meeting their compliance and risk-management obligations? The answer is, at each stage of the matter lifecycle.

Matter inception

Know your client

One of the key areas driving risk management is the acceptance of new instructions. Few things are more risky to a law firm than the act of taking on or declining a client representation.

The importance of lawyers correctly carrying out their ‘know your client’ processes was emphasised by the case of English lawyer, Jonathan Duff, who was convicted and sent to prison for failing to disclose suspicion of money laundering in relation to a payment on account of costs received from an existing client. Following a request from the client, the payment was returned. The client was subsequently arrested and convicted of drug trafficking and laundering the proceeds. Duff had no suspicions about the payment on account until after it was returned and the client was arrested, at which point, following consideration, he determined that the funds had originated from the client’s legitimate business. The judge, however, held that Duff had misunderstood his professional obligations under the Drug Trafficking Act by failing to disclose any suspicions.

International anti-money-laundering obligations such as the US Patriot Act and the UK Financial Services and Markets Act, have created further offences, increased the obligation placed on lawyers to guard against money laundering and now require that, in addition to knowing the relevant law themselves, lawyers ensure that their staff are trained to recognise and report potential money laundering, or face prison.

To ensure that their own lawyers do not end up in the same predicament as Duff, a consortium of City law firms has collaborated to define best practice for anti-money-laundering compliance. The consortium has produced an online anti-money-laundering training course. To address the inefficiencies of traditional classroom training, the tool audits completion of the course, routing individuals’ results to those responsible for risk training in the firm, triggering refresher courses where necessary and keeping a history of who has completed the course and when, should this information ever be required by regulators.

As well as training staff, it is essential for law firms to improve their data systems and information-gathering procedures to better understand who their clients are. The more information a firm has available, the less likely it is to take on an undesirable client. Technology can be an effective tool in collating information such as prior representation, accounts receivable, credit worthiness and litigation history. Securing this information in document and records-managements systems, and integrating applications that can search external databases such as OFAC and the EU Sanctions list, provides comprehensive reports on potential clients, enabling an informed decision to be made as to whether to accept a new instruction.

Conflicts

The role of IT in conflicts systems is a given, but it is not just manual conflicts procedures that cause issues. Ineffective IT conflicts systems can create as many problems as they solve by overwhelming lawyers with forms that they cannot understand and therefore misinterpret or attempt to circumvent.

In addition, one of the principal objectives of effective risk management should be to ensure that crucial decisions are not made solely by the lawyer receiving the instructions, whose vested interest could result in serious concerns being overlooked and the usual protections being circumvented. In this respect, IT systems such as conflicts workflows can act as a brake to prevent a lawyer from accepting an undesirable client or initiating a lawyer-client relationship without proper safeguards in place. Such technology can prevent a file being opened before important information is obtained or that the matter-inception information is routed to others in the firm, requiring that they be part of the file-opening decision-making process.

During the matter

It is during the course of the matter that the dangers of inappropriate document management become most evident. This is highlighted by the emerging trend of firms taking steps to counter the risks by adopting matter-centric electronic-filing environments – namely, keeping all information relating to a client matter in a single electronic file. The issues that lawyers face during a matter are not new but only recently have cases emerged that publicise the risks of a business not effectively managing its communications and document strategies.

Matter security

One area of risk that law firms are showing a reluctance to address is client confidentiality and security of information. Technology such as sophisticated document and records-management systems allow all electronic client-matter material to be secured so that only the matter team has access to the information relating to the matter. Firms are, however, still reluctant to secure their matters. Matter security is not conducive to informal knowledge sharing or looking for documents stored in a document-management system for use as precedents. Monitoring and managing who has access to matter-related information is onerous and time consuming. Recent developments, however, are forcing firms to reconsider:

Clients are more sophisticated regarding their choice of law firm and no longer remain loyal to one firm on the basis of a longstanding relationship. Law firms now often have to pitch to clients to be appointed to a panel of firms retained by the client. During this process, as well as expecting legal expertise, clients look for value-added assurances and services. It is increasingly common for a law firm’s IT director to be required to attend a pitch to a potential client to explain how the firm uses its technology to protect their clients’ interests. Clients are increasingly asking questions such as: “How do you manage my information and ensure its confidentiality?” Many clients would be extremely surprised to discover that their retained firm’s entire staff is able to freely access their matter information, not just the team instructed on the matter. Richard Daniel, chief operating officer of the legal and compliance department at Barclays Bank plc says: “We are in the business of risk management for ourselves and for our clients, and will only deal with suppliers who take this as seriously as we do. To be considered as a legal supplier to Barclays, firms must have established a reputation for excellent risk management, which we will increasingly seek to validate in our selection process. This includes conflict management and confidentiality.” He adds: “Protection of [a law firm’s] reputation is what keeps them in business and this tends not therefore to be a source of competitive advantage but a core value.”
Ethical walls and potential conflicts of interest are often handled inappropriately by law firms. Many of the policies put in place are insufficient to address the use of electronic information, even though around 90 per cent of the information relating to a matter is in electronic form. In addition, these policies are usually only implemented after a particular need for confidentiality has been recognised, which is often too late. Securing a document-management system on a matter-by-matter basis by default will ensure to a large extent the integrity of conflicts or ethical-wall procedures at the outset;
Market-abuse regulations require access to insider information to be restricted and lists to be produced at short notice detailing exactly who has accessed such information and when. These obligations are made significantly easier to comply with
if information is secured to the matter team from the outset and access is audited.

British Standard BS7799 (ISO 17799) governing information-management security promotes effective working practices and policies to improve information security within organisations. Although compliance with the standard is no guarantee of security, it is a sign that a firm takes risk management seriously and can protect the confidentiality of its information and, therefore, its clients. Although several law firms are interested in achieving compliance with the standard, only three UK law firms – Allen & Overy LLP, Irwin Mitchell and Kennedy’s – have achieved accreditation to date.

Document creation and distribution

Lawyers are often unaware of the risks that lie in the creation and distribution of information. The lack of awareness that there is more to a document than what appears on screen has caused many inadvertent leaks of confidential information. The embedded electronic information attached to every document (meta-data) can, if accessed, divulge negotiation strategies and other privileged information that lawyers and clients may have noted in the document and mistakenly believed to have been permanently deleted prior to e-mailing the document to the other side. The importance of document-integrity tools and meta-data ‘scrubbing’ before a document is e-mailed cannot be understated. One of the most publicised incidents relating to this issue occurred in 2003, not to a law firm but to the
UK government.

In 2003, the UK government published a report on its website detailing Iraq’s weapons of mass destruction to justify the joint war effort by the US and the UK against Saddam Hussein’s regime. Contrary to assertions, the report was drafted by civil servants who had plagiarised some of the information from a student’s thesis in the US. In addition, although the government asserted that the document was original and current, it quickly became clear that it was a compilation of documents drafted ten years previously. This embarrassing blunder was exposed because meta-data detailing the properties of the electronic draft of the dossier, which was hidden within the document itself, revealed the names of the authors and dates as to when different parts of the document were written.

To address this issue, Allen & Overy LLP uses document-integrity tools to remove embedded information in e-mail attachments. Partner and head of the firm’s risk-management team, Heather McCallum, says: “Awareness needs to be raised that an electronic document is more than what you see on your screen. Lawyers often send out attachments to e-mails without understanding that the recipient can go behind the scenes and see hidden information. This is particularly important in terms of litigation.”

If law firms adopt suitable document-integrity tools, security of document exchange is ensured, with the automatic removal of potentially prejudicial hidden information. This includes removal of tracked changes, comments and other information such as authors and server names where the document has been stored. Document security, at a level that cannot be provided by document-management systems alone, means that the client can be assured that confidentiality is preserved.

Matter close

The importance of records management

Law firms should already understand the need to keep records and the importance of effective document-retention and destruction policies. Firms should, however, also record the rationale and approval process behind the policies to avoid adverse inferences being made, for instance, during civil litigation.

In Rolah Anne McCabe v British American Tobacco Australia Services Limited the judge struck out British American Tobacco’s defence as he considered that the company’s document-management policy was merely a cover for the deliberate destruction of documents relevant to McCabe’s claim.

Although this decision was overturned on appeal with the court recognising a legitimate commercial need for companies to limit the scale of retained documents, the case acts as a warning that document-retention and destruction policies are likely to be subject to scrutiny in the future. Firms should ensure that they are able to justify such policies as reasonable, measured and appropriate.

Information retrieval

The ability to retrieve information within the time limit specified by a particular order or regulation is vital. Many organisations have discovered this to their cost, not because they did not keep the requested e-mails but because they could not be produced in the timeframe demanded. Some organisations have preferred to pay the fines imposed for failing to comply rather than pay the sums required for an outside agency to locate the e-mails.

Last year’s punitive $1.58bn judgement against Morgan Stanley (Coleman (Parent) Holdings Inc v Morgan Stanley & Co) in a $30m claim brought against it rules out this option.

The case involved Coleman (Parent) Holdings suing Morgan Stanley for fraud. As Morgan Stanley was unable (and unwilling) to disclose relevant e-mails requested by Coleman, the judge switched the burden of proof to the defence, which Morgan Stanley was unable to discharge. This case leaves no doubt that information must be capable of being produced when required and, accordingly, must be capable of being retrieved from whatever medium it is stored.

The case of Zubulake v UBS Warburg is a further warning to law firms and their clients as to the importance of ensuring systems are in place that can efficiently retrieve electronic communications. During a preliminary hearing, the judge ordered UBS Warburg to disclose all e-mails relating to the claim brought against it, despite the fact that these were stored on back-up tapes from which it was difficult and therefore expensive to retrieve the relevant information. Further, UBS Warburg was ordered to produce the e-mails at its own cost, although in a subsequent hearing the claimant was ordered to contribute 25 per cent towards this expense. Zubulake also spells out lawyers’ duties to monitor their clients’ compliance with electronic data preservation and production. It is considered that judges in this country are likely to follow the reasoning in this case and will not allow organisations to claim inadequate technology as a reason to refuse a request for disclosure in legal proceedings.

Improvement of electronic records management is swiftly climbing further up the agenda of many law firms due to the implications of the judgements against Morgan Stanley and UBS Warburg and the emerging regulations that apply the same compliance requirements to electronic information that were previously only applied to paper. As a result, firms are in greater need of extensive and complete records-management policies and technological systems covering both electronic and paper records that integrate tightly with their document-management systems and other business processes throughout the firm.

A balance needs to be struck, however, between the cost of retaining information, whether stored electronically or physically, and the comfort of keeping documents. Firms need to assess the risk that they may need to defend themselves against the threat of litigation, or they may need to retain documents to initiate legal action at some point in the future. Conversely, choosing to retain documents beyond their statutory retention period carries its own risks. Such retention may be in breach of Principle 5 of the Data Protection Act if documents contain personal data and the purpose for which that information was obtained no longer applies. In addition, documents that are kept beyond their retention periods will remain disclosable in litigation.

Final thoughts

Too many firms still have a ‘head in the sand’ approach to mitigating exposure to risk. Gone are the days, however, of this being an acceptable way to manage a firm, without sobering consequences. Current climate dictates that the way in which issues such as client verification, conflicts management, and information security, retention and retrieval are managed, must receive an overhaul. Firms cannot opt out.

Policies and working practices to address the risks and ensure compliance must be re-evaluated. Technology plays an important supporting role but any solution should be designed with the lawyer’s perspective in mind. This ensures that solutions are straightforward enough to limit their use being sidestepped and appropriate for the way in which lawyers work. It is therefore vital that lawyers are involved in the consultation process when systems to protect their business are developed.

Finally, it should not be overlooked that, in the absence of educating its lawyers about the importance of using tools and complying with working practices, any investment that a law firm makes in risk reduction will be worthless. Education costs money, but then so does ignorance.

Sam Suri was a corporate lawyer at Allen & Overy LLP and is now a director of It Matters Consulting. She can be contacted at sam.suri@itmattersconsulting.co.uk