Managing Web 2.0 risk

In very broad terms, the chief characteristic of Web 2.0 is the development of new ways of working – in particular, embracing new ways of interacting with clients. This approach is already being embraced in the commercial sector. As the prospect of volume legal service providers approaches, law firms will need to address this new method of communication and exchanging information.

The web is now a much broader resource in which the emphasis is much more focussed on participation. In this new model, users become involved much more proactively with exchanging information and ideas, exploring information, learning, and pursuing leisure activities.

This multi-channel communication is low cost and offers a great resource for the pooling, exchanging and development of new ideas. As such, it has a significant implication for all organisations providing services commercially.

As an example of how this might work, one instance cited in the commercial sector is that of a large company which, it has been claimed, is “flirting” with Web 2.0 by planning to cut its research and development budget and instead use the Web to gain access to a pool of global experts.

Web 2.0 has also spawned user-generated content. The most commonly referred to in this context is Wikipedia. Information, some in highly technical detail and on a wide variety of topics, is posted by visitors to the site who claim particular knowledge of the subject matter concerned. Taken as a whole, it develops into a resource of considerable importance. In parallel, the practice of blogging has developed, as it operates on the same principle.

There are now quite a number of blogs operated by law firms and the quantity is growing as individuals ranging from clients to expert witnesses see an opportunity to add valuable information to a continuing debate on legal issues. Web 2.0 emerges as a unique opportunity for the creative use of the web to develop communities of interest and develop them for the generation and marketing of legal services. Web 2.0 services can present opportunities for developing solutions to newly identified needs.

In summary, the implication of Web 2.0 for law firms lies in the emergence of new and collaborative ways of working. Examples include: knowledge sharing; social networking; developing new markets through exchange of data; and the emergence of new legal information resources.

One of the most problematic issues for managing Web 2.0 services is the diversity of their nature:

  • blogs: perhaps the most common name associated with Web 2.0 services, they are online contributions from different sources which are intended to amount to a formal record of research on a particular topic;
  • file-sharing: exchanging information, video records, photos, etc;
  • bookmarking: the classification of shared Internet resources for user information exchange;
  • wikis: websites created collaboratively for the creation and development of information and data resources to form a record of research ranging from collections of documents to formally classified data;
  • networking: collaboration between online communities with specialist interests.

Legal issues

A wide range of legal compliance issues surround Web 2.0 services, for which a failure of observance might lead to serious consequences both professionally and criminally. Web 2.0 is a relatively new phenomenon, particularly for law firms, and, so far, significant instances of reported non-compliance have yet to arise. Vulnerability potentially arises through deliberate or accidental abuse of information that is posted or mutually exchanged. Typical instances might include:

  • exposure to criminal and civil liability, including damage to reputation through the posting or exchanging of inappropriate material which may be defamatory, derogatory, offensive and racially or sexually discriminating – some instances have been reported of employees posting disparaging comments about their employers; in this connection, Applause Store Productions Ltd and Firsht v Grant Raphael [2008] EWHC 1781 (QB) is a reported case where defamation disseminated via Facebook resulted in damages totalling £22,000, including an element for the tort of misuse of private information;
  • a real danger that information exchanged may be not only erroneous but deliberately misleading and result in civil proceedings against those by whom the service is provided;
  • questionable authenticity of information posted or exchanged and the validity of the identity of the provider – again, exposing the service provider to civil proceedings for negligence;
  • opportunities for inappropriate, if not illegal, behaviour; examples include the creation of terrorist communities and intellectual property infringement, the latter being particularly difficult both to detect and prevent if material is provided by a third party whose credentials are not validated and which may possibly lead to criminal proceedings;
  • the disclosure, inadvertent or otherwise, of confidential information concerning the firm, its partners, its stakeholders and, most importantly, its clients – leading to a breach of the Data Protection Act and the Solicitors Code of Conduct, potentially leading to proceedings by the Solicitors Regulatory Authority.

Typical compliance provisions which might be breached by the abuses outlined above include:

  • Misrepresentation Act 1967;
  • Sex Discrimination Act 1976;
  • Race Relations Act 1976;
  • Defamation Act 1996;
  • Obscene Publications Act 1959;
  • Data Protection Act 1998; and the
  • Solicitors Code of Practice 2007.

Most embarrassing of all, however, is surely the stigma that will attach to a firm’s reputation in the professional marketplace if its Web 2.0 services are so inadequately managed as to expose it to such vulnerability in the first instance.

A number of these attract criminal proceedings and the list is not exhaustive because, as Web 2.0 services develop, other statutory and regulatory provisions are certain to arise.

One basic issue that is frequently overlooked is that of the proper handling of data in compliance with the Data Protection Act 1998. The concept of collaboration strongly implies the exchange of personal data within the meaning of this Act. The Information Commissioner’s web site shows three law firms to have been convicted of data protection offences in recent months.

As an example, those participating in sites that encourage exchange of information and participation in chat rooms or newsgroups may well unwittingly divulge personal information which then falls into the public domain.

Data protection

There is also the question of how data is handled by the site operator. The Act requires organisations collecting data to make available to the individuals concerned:

  • the identity of the organisation;
  • contact details of its data protection officer;
  • the purposes for which the data is collected;
  • any other relevant information – including the potential recipients and their likely use of the data collected.

This is most frequently addressed by posting a privacy notice on the site concerned. However, a privacy notice is frequently posted in an obscure position and therefore frequently goes unnoticed by those for whom it is intended.

Any firm that offers Web 2.0 services should ensure that it is able to comply with data protection requirements. This may not be as simple as it appears. If the services develop and exchanges identifying the names and contact details of numerous individuals are revealed, the firm will need to be in a position to manage the potential consequences of receiving numerous data subject enquiries.

The Act also provides the right to object to the processing of personal data. The free and collaborative basis on which Web 2.0 operates means that information and data may be exchanged informally and in such a way that objections are raised. Again, firms must have adequate management procedures in place to address any issues that arise.

Security issues

Security issues can present real problems for firms embracing Web 2.0 services. The free flow of data in and out of servers supporting Web 2.0 services offers the opportunity for infection of a system with a variety of viruses and malicious code, not to mention the issue of identity-checking in respect of those exchanging information.

The seventh principle of the Data Protection Act 1998 specifies that appropriate technical and organisational measures shall be taken against any unauthorised or unlawful processing of personal data and against any accidental loss or destruction of or damage to personal data.

The anarchic development of Web 2.0 services – MySpace, Facebook and YouTube are typical examples – has shown a marked trend in the exchange of personal data covered by this principle.

Operational issues

The informality of Web 2.0 services involves potential exposure to a wide range of legal compliance issues, as mentioned above, and it therefore follows that management strategies are required to minimise this risk.

Business use of Web 2.0 services

The use of Web 2.0 services requires control to ensure that firms and their employees are not exposed to criminal or civil proceedings, or damage to their reputation.

Each law firm will form a different view of what is permissible and this should be enshrined in a “Web 2.0 services use policy”. The purpose of any use policy is to:

  • protect all in the practice from exposure to liability;
  • identify risks and take steps to minimise their impact on the practice;
  • define the use of specific technologies; and
  • promote good practice.

The conditions of the policy should be tailored to the firm’s requirements but at the very least should issue direction and guidance on:

  • offensive, obscene, harassing, threatening and defamatory exchanges of information;
  • participation in discussion forums, chat rooms, or newsgroups which may give rise to liability;
  • the avoidance of breaches of confidentiality and negligent mis-statement contained in information exchanges; and
  • the need for due respect for the status of fellow employees and superiors.

Personal use of Web 2.0 services

Guidance and direction should be issued in respect of participation concerning personal interest specifying:

  • the general limits of acceptability;
  • the need for compliance with duties to an employer and fellow employees;
  • the need for avoidance of infringement of the rights of other employees;
  • the need for avoidance of disclosure of confidential data;
  • the prohibition of personal use exposing risk of criminal or civil sanctions.

Monitoring the use of Web 2.0 services

If the use of Web 2.0 services is to be managed effectively, employers may wish to monitor postings and exchanges of information made by employees. Monitoring introduces another range of legal compliance provisions, principally:

  • Data Protection Act 1998;
  • Regulation of Investigatory Powers Act 2000;
  • Telecommunications (Lawful Business Practices) (Interception of Communications) Regulations 2000;
  • Part 3 of the Information Commissioner’s Code of Practice The Use of Personal Data in Employer/Employee Relationships; and
  • Human Rights Act 1998.

The Regulation of Investigatory Powers Act 2000 generally prohibits monitoring except in closely defined circumstances, set out in the Act. The Telecommunications (Lawful Business Practices) (Interception of Communications) Regulations 2000 permit certain monitoring of electronic communications in closely defined circumstances.

The manner in which permitted monitoring is to be carried out is set out in Part 3 of the Information Commissioner’s Code of Practice The Use of Personal Data in Employer/Employee Relationships, effective from June 2003.

The Human Rights Act 1998 enacts the European Convention of Human Rights, in particular, Article 8, and includes the right to privacy including correspondence (therefore e-mail) in the workplace.

If monitoring is undertaken, employees should be informed in writing (for instance by a provision in a contract of employment) and be required to acknowledge their understanding of the position.

The broad principles of monitoring are that:

  • there must be an impact assessment to consider whether the monitoring is justified;
  • the purpose of the monitoring must be clearly stated;
  • the technology involved should be explained;
  • the monitoring must be proportionate to the activity;
  • the communications being monitored should be specified;
  • management responsible for monitoring should be identified;
  • disciplinary measures for non-compliance should be identified.

Web 2.0 presents some critical pitfalls for the unwary. They are a mixture of legal, security, and operational issues. As is invariably the case, the ultimate solution lies in effective management.

In the same way as policies for the management of e-mail and Internet access by employees should now be routine in all organisations, the same process should be adopted by law firms on the brink of embracing Web 2.0.

Rupert Kendrick is a solicitor and director of Web4Law Limited, a risk management consultancy, specialising in IT and internet risk issues.