Professionals should re-examine their systems and procedures to identify risks arising from changed ways of working since the pandemic, as it seems that courts and regulators will be unimpressed by excuses related to remote working.
The modern working world is more virtual than ever, and whatever and whenever the fuller return to offices might be, the landscape has been changed permanently. Professionals (and in fact all those holding professional indemnity insurance) now face new manifestations of existing risks, and identifying and minimising them is key for preventing claims and complaints.
This article considers risk management “post-COVID-19”. We have identified key areas, and while there are undoubtedly more, we view these as the ones where risk has been increased since March 2020 and into the future, and consider how to manage that risk through proper management and robust systems.
While some claims and complaints do arise from getting the advice wrong, it has been demonstrated that with legal complaints well over 50% of those stem wholly or in part from poor communication. That is also likely to also be the case across the wider range of professionals. All of the key post-COVID risk areas set out below are linked to communication failures in some form.
Terms and conditions
The initial stage of the professional-client communication and relationship should be to clearly define the scope of work in the letter of engagement and any other document containing the relevant contractual terms and conditions of the client relationship. Now more than ever it is worth regularly reviewing any standard T&Cs and ensuring they are fit for purpose. Standard terms which might suggest where, or how, work is to be done may need to be reviewed and updated in light of developments (e.g. data protection), and more recently, to acknowledge that most professionals are now working from home to some degree. More than ever before, T&Cs or letters of engagement should be revisited regularly during the course of a job to avoid “mission creep”.
Where possible, T&Cs should specify an upper limit for any exposure to compensation in the event of a claim. It is important for this limit to reflect the nature and value of the work being undertaken, and that it is appropriate in terms of insurance cover and the limit your insurers will pay in the event of a successful claim.
As an example, the authors have seen a claim where liability wasn’t appropriately capped, and the professional faced a claim approaching £18 million arising from a piece of work where they were paid £30,000 in fees and the limit of their insurance was £8 million. Fortunately, given those alarming and no doubt stressful figures, we were able to defend the claim in full, but this provides a stark example of the importance of fixing and communicating scope of work and liability caps as far as possible. It is also important to have a process in place for considering and then approving any non-standard services or caps, as these could have a potential impact on the professional's insurance coverage.
Professionals should also ensure that limits are reasonable and have discussions with the client in advance of any cap being imposed. Failing to do so can also lead to complaints. For example, the Law Society of Scotland consider that liability should not be capped below the minimum level of Master Policy cover (currently set at £2million), and also that doing so may in fact be considered unsatisfactory professional conduct in a complaint.
Even where a professional has properly defined the scope of work, then appropriately capped liability at the outset, “mission creep” through undertaking further work outside the original scope, for which new T&Cs should have been provided, can undermine all the good groundwork laid. Finally in relation to T&Cs, it’s important to consider whether third parties might seek or be entitled to rely on advice that the professional has given, and whether there should be a specific provision regarding their ability to do so. This is particularly important in relation to multi-party projects, and should be considered at the time of engagement and regularly thereafter.
The importance of record keeping cannot be overestimated, and the authors often represent firms where the professional will be adamant that certain advice or warnings were given but there is no evidence of it within their files. With more remote working, there should be an even greater emphasis on good record keeping, ensuring that conversations, decisions and instructions are properly noted in what could be perceived to be a more informal work setting. Wherever possible, advice given verbally to a client should be repeated in writing. Putting forward a defence to a claim or complaint is always more challenging when having to rely on what the professional can remember of what happened, or what their usual practice would likely have been. Reminding colleagues about the importance of keeping good records and confirming instructions always has been, but increasingly will be, key to defending the firm later on.
The authors acted in a claim made against a law firm instructed in a property transaction. The firm was told at the outset that its builder client had obtained various permits and licences and the firm was not needed for that element of the work. However, it transpired that incorrect permits and licences were obtained, which led to a large claim against the builder. The builder then made a claim against the law firm, asserting that they had instructed it to obtain the permits and licences. The lack of a file note or other written record made the defence of the claim particularly difficult, and it became a question of whose evidence was preferred by the courts. A contemporaneous record showing the instructions would have allowed the claim to be resisted, but instead its absence proved fatal to the defence.
Supervision and training
Where working practices are changing dramatically, professionals should consider whether their systems of supervision and training are appropriate. The challenge of ensuring that trainees or junior colleagues are appropriately trained and supervised has to be met.
In the majority of workplaces, junior colleagues may be missing out on “in person” checks and training, as well as the opportunities to receive “training by osmosis” by simply observing more experienced colleagues at work. Additional training, more effective systems of work and more deliberate supervision may be needed to minimise risks, while also providing training more appropriate to the modern working environment.
The case of Boxwood Leisure Ltd v Gleeson Construction Services Ltd  EWHC 947 (TCC) highlights some dangers and the importance of adapting systems of work, supervision and training. Briefly, in this case a trainee solicitor was instructed to raise court proceedings and although they sent a number of court documents to the defendant solicitors, they failed to include the vital claim form. The error was noticed eventually, but the claim form was then served four days late. The defendants successfully argued that as the claim form was not submitted in time, there could be no claim. The client whose action was lost may well now look for compensation from their solicitors for failing to preserve their claim.
The difficulties of remote working were relied on in mitigation, and it was suggested by the solicitors that it would not have occurred during “normal” working times when dates would have been “properly diarised, or someone would have noticed during the course of our day-to-day engagement, interaction and meetings which have been absent for so long”. While acknowledging the impact of COVID-19 on the supervision of junior colleagues and that it “could allow mistakes to slip through the net”, the court held that this did not reduce the duties incumbent on solicitors.
While the case was heard in England, it is likely a similar approach would be taken in Scotland across all professions and that courts will not be sympathetic to disruption caused to the “regular” working environment by the pandemic.
The lesson for all professional services firms is that they must adopt and follow robust systems for diarising dates and supervision of colleagues, fit for the conditions in which we now find ourselves. The checks which were in place in the physical office must be reviewed, updated and properly adapted to the virtual working environment. Additional training and more effective systems of supervision may need to be put in place to minimise these risks. Failure could lead to potentially serious and expensive claims against any professional services firm.
Data breaches and fraud
Cybercrime and fraud appear to have been rising inexorably over the last 18 months, and it seems clear that working from home has increased risks for professional services firms. Similarly, risks arising from data protection issues such as data breaches. With remote working certainly more prevalent in the post-COVID-19 world, these increased risks are likely to continue, as professional fraudsters seek to take advantage of any potentially vulnerable systems. Professionals should be aware of the risks and should have effective systems in place to help prevent data breaches or fraud, such as a robust and multi-step central process for checking bank details for money transfers, which may be instructed “from home” and so are potentially more vulnerable.
The authors acted in a typical case, where a professional received correct bank details for a transfer, only for a second email to be sent with different details by cybercriminals who had intercepted the emails. The professional did not verify the second instruction by telephone or otherwise, and £450,000 was sent to the criminals and could not be recovered. The claim for negligent failure to confirm the instruction was clear and was paid, but distress was caused to those involved in the transaction and for the professional services firm.
Despite this trend, legal software provider Access Legal has found that of 3,500 law firms surveyed, over 40% had not updated cybersecurity policies since March 2020, with 49% responding that they had not undertaken a data protection impact assessment.
Professional services firms should re-examine IT systems to identify data risks and guard against deliberate attacks, while also conducting training and establishing work-systems to minimise the risk of accidental data breaches through incorrect email recipients, for example. It seems that the courts and regulators will be unimpressed by excuses around COVID-19 and remote working, so if it is found that a business had insufficient protections in place to alert it to fraud or data breaches at an earlier stage, it will have difficulty in defending a claim for resulting losses.
While the conduct of professionals will be judged in the context of events at the time to some degree, Boxwood Leisure shows that professionals should not rely on being able to plead the inevitable and understandable difficulties of COVID-19 to excuse a slip in standard of service.
Although most professionals will likely return to a more “normal” office working environment, it is inevitable that remote working will remain part of the picture for many. Devising and adopting efficient and adaptable systems to manage new and existing risks are vital to manage client relationships, training and supervision for junior colleagues’ development, and for the avoidance of claims and complaints.