Tuesday, February 21, 2017

Client Confidentiality Concerns, Information Security Standards & More




Not strictly related, but definitely relevant given yesterday's post on confidentiality management: "Clients Turning to Encryption to Combat Law Firm Data Breaches" --
  • "Firing off an email to a client may become a bit more complicated as some in-house legal departments are looking to email encryption as a way to combat law firm data breaches... Corporate counsel are encrypting emails with outside counsel on sensitive matters, including high-stakes litigation and mergers and acquisitions."
  • "'I never considered something like this before I came to Sophos,' said Eleanor Lacey, the network security company's senior vice president and general counsel, who joined from SurveyMonkey in November 2016. 'But I should've, because law firms have had data breaches.'"
  • "Late last year, Preet Bharara, U.S. attorney for the Southern District of New York, announced that three Chinese nationals had been charged with hacking into two national law firms to steal information on upcoming M&A deals."
  • "A legal operations professional at a Fortune 200 company, who was not authorized to have quotes attributed to her name or company, said her company has secured email 'tunnels' with outside counsel on high-stakes litigation. 'We contacted our firm, they put us in touch with the right IT contact, who then talked to our IT contact, and it was done,' the source said, explaining the ease of the process. 'Once it's set up, it's done. It's invisible to me.'"
  • "The source also said some companies are skittish to publicly announce that they use email encryption because it could make them a 'target' for outside hackers."
  • "This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA law that requires all third-party vendors working with healthcare organizations to have a Risk Assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment unless required by law."
  • "Somehow law firms have escaped being subject to the same legal compliance mandates that many other businesses must adhere to. The American Bar Association has certainly visited this issue and stated the following in 2013. Many firms are now asking, “What do we do to keep our systems and data safe? How can we keep this from happening to us?” There is a simple answer to this question: Hire a chief information security officer, give him or her a budget to hire the staff needed to build and maintain an enterprise security program (ESP), and exercise appropriate governance over the firm’s digital assets."
  • "But do law firms have a security standard like FISMA, PCI DSS, HIPAA or SOX? Not really one specific compliance mandate for law firms. If they handle credit cards it's PCI DSS, if they handle HIPAA, then HIPAA third party kicks in. It’s a disconnected disjointed, patchwork of laws written by? Legal professionals. Add privacy laws to the mix. Forty-seven states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have all enacted statutes requiring companies to provide notification if a breach of personal information occurs."
  • "'We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cyber theft of intellectual property on a daily basis. The ABA Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, lawyers will not stand on the sidelines,' said Laurel Bellows, 2012-2013 President of the American Bar Association."
Finally, commentary on another jurisdiction's move to approve cloud services: "Illinois State Bar Association issues Opinion on using cloud services to store client information" --
  • "Back in October, the Illinois State Bar Association (ISBA) issued a Professional Conduct Advisory Opinion stating that a lawyer may use cloud-based services to store client information as long as the lawyer takes reasonable measures to ensure that the client information remains confidential and is protected from breaches."
  • "Carefully choosing an internet cloud space provider is, of course, the first step a lawyer must take in order to comply with the duty. But, it is important to note that the opinion clearly states that a lawyer does not comply with the obligation to protect the client information by merely selecting (however carefully) a reputable provider. Thus, the opinion concludes that lawyers must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected."

Monday, February 20, 2017

SHOCKER: When Lawyers Breach Confidentiality (for Profit)




"Akin Gump Lawyer Accused of Trying to Sell Lawsuit Under Seal" --
  • "A Washington lawyer at a prominent firm was arrested in a disguise while trying to sell a copy of a secret lawsuit involving a company that was under investigation by the U.S. Justice Department. Jeffrey Wertkin was picked up Jan. 31 in the lobby of a hotel in Cupertino, California, where he believed he was about to collect $310,000 for selling the lawsuit, according to the Federal Bureau of Investigation."
  • "Wertkin, who worked in Washington for Akin Gump Strauss Hauer & Feld LLP, believed he would hand a copy of a complaint to an employee of the company, which was accused in the complaint by a whistle-blower of falsely billing the government. Wertkin, who was wearing a wig and went by the name of Dan, was met instead by an FBI agent, according to arrest documents unsealed on Feb. 6. “My life is over,” Wertkin told the agent."
  • [The firm states]: "There is no indication that Mr. Wertkin misused any Akin Gump client information. It appears from the criminal complaint that the document he attempted to sell was filed under seal in January of 2016, when he was working at the Department of Justice and months before he joined the firm."
It's important to note the firm's position in this matter with regard to where and when access to the sensitive materials occurred.

But it's equally important to flag the broader risks raised when bad actors gain access to extremely sensitive information. (An individual acting improperly with data obtained months prior to joining a firm might be equally or even more tempted to continue pursuing such activity.)

Consider that over the years we've covered multiple instances of insider trading and other unsavory (alleged) behavior by rogue actors, both lawyers and staff, working within several firms.

It's one reason why firms are increasingly taking a closer look at internal information governance and security practices, including "pessimistic" or "hybrid" models of access and confidentiality management.

Of course, no policy or approach can completely prevent a determined, trusted bad actor from doing (or attempting) bad things -- that's what makes this particular risk so concerning, and the need for continued vigilance so critical.

Wednesday, February 8, 2017

Big Conflicts Case Continues to Make Big News




This one heated up in December, but is still worth noting, as we wait for the next update:


"Why This California Case Is Driving a Wedge Between Law Firms and Clients" --
  • "Dozens of major law firms are lining up against their corporate clients in an awkward faceoff at the California Supreme Court that lays bare the increasing tension between companies' expectations of loyalty and Big Law's economic incentives to take on more and more business."
  • "In papers filed last week [Dec 16], more than 50 law firms including Arnold & Porter, Latham & Watkins, Sidley Austin and Wilson Sonsini Goodrich & Rosati urged the state high court to adopt a ruling that would allow them to represent clients with opposing interests, though not in the same matter, through the use of broad conflict waivers—and ensure they still get paid."
  • "That notion rankles in-house lawyers who say their interests are being stepped on to boost law firm profits. In briefs opposing the law firms, the Association of Corporate Counsel (ACC) and an unusual alliance of corporations including the paper giant Kimberly-Clark Corp. and networking hardware maker Netgear Inc. argue that conflicts must be disclosed and that companies must not be left to foot legal bills if the firms they hire are secretly playing dual roles."
  • "Such public discord between law firms and their clients is atypical, to say the least. While spats over legal fees erupt from time to time, rarely do law firms and corporations stake out opposing positions at a venue as significant as the California Supreme Court."
"ACC Joins $3.8M Fight Over Sheppard Mullin Conflict Waiver" --
  • "The Association of Corporate Counsel has joined a host of companies in their support of J-M Manufacturing as it opposes Sheppard Mullin Richter & Hampton LLP’s appeal of a $3.8 million fee forfeiture order at the California Supreme Court, agreeing that the firm’s “open-ended” advance conflict waiver should remain invalid."
  • "General counsel from 10 companies, including Kimberly-Clark Corp., Newegg Inc., Herbalife International and NetGear Inc., have also urged the court to reject Sheppard Mullin’s attempt to overturn the order, saying in a joint amicus brief the firm’s “boilerplate” advance conflict waiver was rightly rejected."

Tuesday, February 7, 2017

Risk News: The Meta Meta Update



In November, we noted an ethics opinion: "No ‘Web Bugs’ on E-mail to Opposing Counsel, Bar Panel Says." Now comes a related story, tied to when providing metadata is NOT allowed (and, similarly, to the different scenarios in which receiving counsel should review metadata vs. definitely should not):

"Lawyers Beware: Sending Native File Documents to Third Parties May Violate Your Ethical Obligations" --
  • "Frequently, a party must produce electronic documents, such as Word documents, in their native format, rather than producing paper copies, in response to discovery requests; this obligation includes producing the document’s metadata, the data automatically embedded in an electronic file that contain information about the document, such as its origin and history of revisions. But what are a lawyer’s responsibilities concerning the transmission or receipt of metadata outside of the discovery context? A recent ethics opinion from the State Bar of Texas offers some guidance—and a stern warning: attorneys risk violating state rules of professional conduct if they mishandle metadata."
  • "The Professional Ethics Committee for the State Bar of Texas recently concluded that a lawyer must take “reasonable measures” to avoid transmitting metadata containing a client’s confidential information to persons to whom such confidential information shouldn’t be disclosed. See Professional Ethics Committee for the State Bar of Texas, Opinion No. 665, at 2 (Dec. 2016). This obligation, according to the committee, springs from two duties imposed under Texas rules of professional conduct: the duties of competence and confidentiality. Id."
  • "These professional duties are not unique to Texas, so it is unsurprising that other states similarly require attorneys to handle metadata carefully... But not every state has formally addressed the issue, and those that have taken it up have adopted different rules regarding the obligations of an attorney who receives electronic documents containing metadata."
  • "The answer to avoiding ethical violations by the recipient of metadata is less straightforward given the different state rules. Recipients who take a better-safe-than-sorry approach by ignoring metadata in all instances might not be choosing the right course, as failing to thoroughly review documents obtained from opposing counsel could itself be a violation of an attorney’s duties of competence and diligence. See, e.g., Vermont Bar Association Professional Responsibility Section, Opinion No. 2009-1 (2009). Attorneys, therefore, must carefully review the rules in their own state. Failure to do so could have significant consequences."

Monday, February 6, 2017

VIDEO: Firm Case Study (LegalKEY Migration, Security and OCGs)

Here's a new video featuring Lisa Mayo, Director of Data Management at Ballard Spahr, on her firm's journey to improve risk management.

The conversation covers the firm's migration from the legacy LegalKEY conflicts tool (the risks associated with which we've covered) to a modern conflicts management solution, and the pursuit of industry best practices for information security by adopting sophisticated confidentiality lifecycle management software.

https://www.youtube.com/embed/lVP8kYILKcU?modestbranding=1&rel=0&showinfo=0&autoplay=1

Intapp Open — Modern Conflicts
  • "We were on a very old version of LegalKEY. We were on version 3. LegalKEY had been purchased by OpenText. They weren't really putting out any new releases, and so based on the maintenance that it would take if we needed a new report — we would have to call, spec the report out, wait for a developer to build it — it just was an older product. We needed to move to a more modern tool with a modern infrastructure and something that would respond to our needs more quickly."
  • "What we found with Intapp Open was that it would provide us with a framework to be able to maintenance the system ourselves, so instead of waiting for a developer to write a report that was part of the executable, now we had the power to create the reports ourselves. If we needed to make modifications to forms or even the workflow, we now had the power to do that ourselves. It was a logical choice for us."
  • "In addition, with the conflicts system, there were a lot of features that we could take advantage of, such as the Dun & Bradstreet integration, Hoover's integration, and so that's what led us to purchase the tool. We've been very happy with it."
Intapp Open — Future Value
  • "We are also looking at Intapp Terms in purchasing and implementing that tool, what we find is that we often get very voluminous outside counsel guidelines. Those have to be scanned in, but what we've found is that the continual maintenance, where someone's actually looking at those terms and making sure they're being enforced, that's too separated from the intake."
  • "By including Terms as a part of our intake, we hope to have those alerts to be easily notified when a term is being violated, a clause is being violated, and we also like the fact that with Terms, we're going to be able to have a central repository. It's not in someone's head who's working on the case and forgets to connect with accounting or connect with another administrative group. With the centralized repository, we'll be able to audit the terms against what's actually happening and be able to make sure that we're 100 percent compliant with what those outside counsel guidelines are."
On Intapp
  • "We know that Intapp is customer-focused, so it's not just the sales organization. They're focused on having customer support staff that are actually following up with us on a regular basis and again, seeing what our ongoing needs are and maintaining that relationship."
  • "I would say that really when you're working with Intapp, the company, you form a personal relationship with whoever your salesperson is. We see each other at different conferences, whether it's ILTA or Insight. You're greeted with a hug. You really build that relationship. They come to know what's important to your firm, what your needs are, and then they can respond in kind with solutions that will make your life easier."

Sunday, February 5, 2017

Negotiating Conflicts: Positional, Insurance-related




Hat tip to Karen Rubin for noting: "Batting clean-up on 2016: positional conflicts, settlements and your firm letterhead" --
  • "The U.S. district court for the Middle District of Tennessee in October turned back a disqualification motion aimed at Butler Snow, ruling that the firm could continue representing a personal injury plaintiff who was potentially contesting the constitutionality of the state’s punitive damage caps, while at the same time asserting the caps defensively in at least one pending case for another client."
  • "In its DQ motion, the trucking company defendant said those positions were inconsistent and raised a positional conflict in violation of Tennessee’s version of Model Rule 1.7 and its cmt. [24]."
  • "Not so, said the district court. First, the trucking company waited until two months before trial to try to disqualify the law firm; it would cause severe prejudice to the plaintiff if she had to find new counsel."
  • "Second, the firm retained separate counsel to represent the plaintiff on all post-trial issues challenging the damage caps, an arrangement that plaintiff agreed to at the beginning of her representation. Third, there was no evidence that the potential conflict had actually affected the injury case, or was likely to compromise the firm’s representation of clients who simply asserted the caps to limit their liability rather than expressly defending their constitutionality. On all these bases, the court held, the firm could stay in the case, part of which has now been settled."
Also an interesting and detailed read: "Settlement Negotiations in Legal Malpractice Cases: Walking the Fine Line of a Conflict" --
  • "When a defense is being provided to an insured under the terms of an errors and omissions policy, a number of conflicts can arise in the tripartite relationship among the insured, the insurer and the defense counsel. For defense attorneys, one of the most difficult to navigate is the conflict that arises when the plaintiff makes a settlement offer. Such a demand triggers separate rights and distinct duties to the policyholder/client, which pull against the sense of loyalty many defense attorneys feel to the insurer that hired them and, in many cases, supplies a great deal of their business."
  • "While the focus of this article will be the conflicts that defense lawyers feel between the needs of their clients and the demands of the insurers who pay them, understanding those conflicts requires an understanding of the conflicts the insurers face when determining whether to settle a claim."

Friday, February 3, 2017

In the News: Presidential Risk



Much attention has been paid to current events. Several firms are finding themselves facing scrutiny from a variety of sources, highlighting issues including potential ethical conflicts as well as risks associated with client selection. Here are several stories of note and interest:

"In The Polarized Era Of Trump, BigLaw Searches For Balance" --
  • "Despite many BigLaw attorneys’ personal opposition to Trump, prestigious and traditionally bipartisan firms have largely remained quiet and cautious following an unusually divisive election."
  • "Firms that have represented Trump, including Jones Day, Kasowitz Benson Torres & Friedman LLP, and Morgan Lewis & Bockius LLP, have benefited from his rise to power. To be perceived as taking a political side could be advantageous, risky or both, given the current political climate and the unpredictability of the new president."
  • "The alignment of law firms with or against the new administration in the legal battles to come could open rifts among attorneys and perhaps with some clients."
  • "California’s Legislature this month retained Covington & Burling to help it resist Trump's potential attacks on the state's immigration, environmental and health care policies. Legislators cited expected “extraordinary challenges” and “uncertain times” in a news release announcing the deal. Former Obama administration Attorney General Eric H. Holder Jr. will lead that effort for the firm."
  • "Hester told Law360 that his firm views California as just another client with a host of potential legal conflicts with the federal government. He said that the firm itself has no political preference; it has represented both Democratic and Republican organizations...Hester said that he has received some calls from clients about its representation of California. They weren't complaints, but merely concerns that the firm's representation of the Golden State might create a conflict with their own cases involving California government entities. The firm’s representation of California hasn’t caused them to drop any other cases so far, he said."
  • "Trump owes one of his most enthralling displays of legal-political theater to his longtime tax attorney, Sheri Dillon of Morgan Lewis. On Jan. 11, she stood next to Trump and a table piled high with paper and folders arguing that Trump’s widely criticized business conflict management plan was legal, appropriate and effective. She dropped her firm’s name three times, at the beginning and end of her remarks. It was a crown jewel in an unconventional press conference... Dillon and Morgan Lewis declined to comment for this article. To some watchers, Dillon’s performance was a stellar example of an attorney providing vigorous advocacy for her client — and a fine way of getting her firm’s name into the public. To others, the comments crossed a line and placed Dillon and Morgan Lewis in jeopardy."
Related: Newsweek and others noted: "The law firm Dillon works for, Morgan Lewis, was in the spotlight this week not only for its work on Trump’s controversial plans for his business but also because it received the 'Russia Law Firm of the Year' award last year from a London organization that ranks lawyers and law firms. Critics have questioned Trump’s ties to Russia and President Vladimir Putin, and the president-elect has at times appeared to try to distance himself from Putin."

"Giant Law Firm Overlooks Giant Trump Conflict… Sends ‘Oops’ Letter" --
  • "Perhaps Dentons has finally grown too big. The global behemoth of a law firm sent a threatening letter to CNN last week, after CNN pointed out that Trump’s nominee for Secretary of Health and Human Services, Rep. Tom Price, had purchased shares in an implant company conveniently before introducing legislation that would financially benefit the company. Then someone performed the conflict check."
  • "Well, it turns out that someone else at Dentons performed a simple conflict check and revealed that Dentons actually does a whole mess of work for CNN, prompting Mike McNamara, Dentons’s U.S. Chief Executive Officer, to write another letter apologizing to CNN."
Related: "Did Dentons really botch its conflicts check in feud between CNN and Trump's healthcare nominee?" --
  • "So is that what happened here? He just forgot to run a check? It seems unlikely, and not just because you would expect him to practise what he preaches. Campaign finance records show that Price, who represents Georgia’s sixth congressional district, has been a longtime client of Evans."
  • "As for CNN, is it plausible that Evans, a Trump surrogate who has appeared on the network and who works in the firm’s Atlanta office, would be oblivious that Dentons also represents the Atlanta-based network? This is doubtful. Dentons may be huge but the Atlanta office has just over 100 lawyers. And CNN is the kind of client that colleagues would mention. Even if Evans did not run a conflict check, you would think he would know."
  • "So what did happen? Evans’ own writing may provide an answer. 'In some circumstances, ‘thrust upon’ conflicts arise. It often involves a situation where a firm represents two different clients who suddenly have an unexpected potential conflict and there is insufficient time to address and/or resolve the conflict,' he wrote. 'More often than not, both clients have been firm clients without incidence.'"
  • "So far, that seems right. Price and CNN were both Dentons clients, but they were not adverse to each other until the CNN story."
"Unclear Role Of Trump's Special Advisers Has Some Concerned" --
  • "Earlier this month, President-elect Donald Trump named former New York City Mayor Rudolph Giuliani, who heads a cybersecurity practice at the Miami-based law firm Greenberg-Traurig, as his chief adviser on cybersecurity issues. Giuliani's new title is more than just another notch on his resume. It's also likely to be good for business. 'The way the world works, if you're perceived as having proximity to power, that brings certain advantages,' says William Galston, senior fellow in governance studies at the Brookings Institution."
  • "Giuliani told Politico his role as Trump adviser would present no conflict-of-interest, and he said he would never use his White House access to lobby the president."
  • "But Politico said Giuliani 'acknowledged that he might have business ties with some of the people he connects to Trump, and that he might be discussing government and private issues with some people.'"
Politico notes: "Because Giuliani is a volunteer, not a government employee, he won’t come under the remit of federal ethics rules that require officials to separate themselves from potential conflicts of interest."

Thursday, February 2, 2017

EVENT: Education, Connection and Inspiration @ Inception 2017



We saw a large and operationally diverse community join us at Inception 2016, Intapp's inaugural global user conference. That event was a truly memorable experience, earning high marks from all who attended (including many longtime blog readers). And we’re building on that success in big ways.

Inception 2017 will be jam-packed with informative sessions, inspiring keynotes, hands-on-workshops, peer networking opportunities, exciting social events, and much more.

It's set for May 15th – 18th 2017 in San Francisco, California, at the Fairmont hotel. And we’re developing a rich program of educational and inspirational content, and adding several new enhancements.

As with last year's event, we'll have a "Risk Roundtable" program track.


You can read more about the event at the conference web site, where you can also download an overview PDF with more detail. (The official agenda will be published shortly.)

For a bit more flavor on the event, see this 90-second recap video highlighting the 2016 experience:

https://www.youtube.com/embed/gi5050JXPAI?modestbranding=1&rel=0&showinfo=0&autoplay=1

Special Promotion for Risk Blog Readers
For the next week (Feb 2-9) we're making a limited number (we are in the business of risk, of course) of $100 off discount codes available to risk blog readers. These are reserved for qualified organizations and individuals, are first-come, first-served, and require registration to be completed by February 17.

Incidentally, these will apply in addition to the early bird registration rate, which expires February 17, 2017. So, I hope some lucky, loyal blog readers will jump on the opportunity.

Please email Tammy Kim for details. (And watch for future updates on Inception 2017.)

Wednesday, February 1, 2017

Conflicts: You Don't See This Every Day...




These stories caught the eye for breaking the typical patterns you'd expect, in quite interesting ways. First: "Turkish Trader Wants To Retain Kirkland Despite Conflicts" --
  • "Accused international bank fraudster Reza Zarrab said Thursday he wants to keep a Kirkland & Ellis LLP team to support his defense despite conflicts the megafirm has with eight banks — even astonishingly agreeing to allow HSBC, a Kirkland client in a similar case, to examine his defense filings before they are made public."
  • "The eight banks with which Kirkland has ties are seen as victims of Zarrab's scheme, according to prosecutors."
  • "'I am aware of the conflicts,' Zarrab said during a lengthy questioning designed to convince Judge Berman that his choice of counsel had not wavered despite the direct and potentially thorny conflicts with the banks, especially HSBC. 'I am very happy with their services.'"
  • "In Lanard Toys Limited v. Toys “R” Us, Inc. et al, 3-15-cv-00849 (FLMD December 16, 2016, Order) (Barksdale, MJ), a patent infringement matter in Florida District Court, the court denied defendants’ motion to disqualify plaintiff’s new counsel for simultaneously representing defendant in an unrelated case."
  • "Four months after lawyers with Gordon & Rees Scully Mansukhani LLP (“Gordon & Rees”) began representation of Lanard Toys Limited (“Lanard”) against Toys “R” Us-Delaware, Inc. (“TRU”), other lawyers with Gordon & Rees began representation of TRU in a California state case. Upon discovering the conflict of interest, Gordon Rees withdrew from representing TRU in the California matter. However, Gordon Rees refused to withdraw from the Florida case, so TRU filed a motion seeking disqualification."
  • "Gordon Rees asserted the dual representation was a result of an “inadvertent input error,” wherein the names of some of the parties were inadvertently omitted from the conflict tracking software during the conflicts check, and not because Gordon & Rees deliberately disregarded the duty of loyalty to a client."
  • "Gordon Rees was only acting as local counsel to TRU in the California matter. The only activity in which Gordon & Rees participated on behalf of TRU in the California Case was the finalization and filing of TRU’s answer to the complaint at the direction of the Palter Firm, who was TRU’s primary counsel in the California matter."
  • "In analyzing the issue and ruling on TRU’s disqualification motion, the Court first noted that because a litigant is presumptively entitled to counsel of its choosing, only a compelling reason will justify disqualification. Disqualification is a “harsh sanction, often working substantial hardship on the client,” so it “should be resorted to sparingly.” And, because a disqualification motion may be used to harass or for tactical advantage, it should be viewed with caution. The Florida Court further noted disqualification is not mandatory, even if a court finds a lawyer is violating a conflict-of-interest rule."
See also BNA’s take on this matter.

Tuesday, January 31, 2017

Conflicts Allegations in the News (Playbook, Forgotten & Cleared)


Known Knowns and Unknown Knowns: "Conflict Lateral Hire Didn’t Recall Disqualifies Alston & Bird" --
  • "Alston & Bird LLP can’t defend a doctor accused of breaching a non-compete agreement with a nanomedicine company, because a lateral partner may have previously advised the company on the non-compete but couldn’t completely recall his involvement, the U.S. District Court for the District of Maryland ruled Jan. 5 (CytImmune Scis., Inc. v. Paciotti, 2017 BL 2356, D. Md., No. PWG-16-1010, 1/5/17)."
  • "The conflicted lawyer, Jonathan Rose, joined Alston & Bird after a four-year stint at Katten Muchin Rosenman LLP, which served as plaintiff CytImmune Sciences Inc.'s outside counsel for several years."
  • "Judge Paul W. Grimm said Rose’s work on a CytImmune matter while working at Katten meant he had to be disqualified from this case—and that Rose’s conflict was imputable to all of his colleagues at Alston & Bird."
  • "Grimm reached that conclusion even though Rose claimed to have no “recollection whatsoever of ever working with [CytImmune] while at Katten” and wasn’t even 'aware of the existence of a company called CytImmune.'"
  • "'I am left with the impression that Rose’s inability to recall the precise details of his prior work for CytImmune placed him squarely between the Scylla of [Rule] 1.9 and the Charybdis of [Rule] 1.7,' Grimm said. 'And if Odysseus could not navigate such treacherous waters, then, respectfully, neither can Rose.'"
  • "The California federal magistrate judge overseeing Leapfrog Enterprises’ trademark infringement suit against competing educational game company Epik Learning said at a hearing Tuesday that she may disqualify Cooley LLP from representing Epik since the firm has worked on similar cases for Leapfrog for 20 years, but added she wouldn’t sanction the firm."
  • "Magistrate Judge Elizabeth D. Laporte said the case posed a 'close question.' Cooley's years representing Leapfrog Enterprises Inc., often in similar matters, might help the firm understand the company’s negotiating strategy, the judge said. But representation and communication had tapered off for months before the firm notified Leapfrog it could no longer represent the company in April, Judge Laporte said, and California’s strict laws on the subject seemed to her 'outmoded' and not in keeping with the pace of modern law firm management, but instructed her to 'err on the side of disqualification.'"
  • "Judge Laporte said Leapfrog’s strongest argument for disqualification was the possible negotiating strategy that Cooley was privy to, which meant the firm would know whether Leapfrog was “the type who starts at the top, then drops like a stone” during settlement talks."
  • "But she said she found it 'troubling' that Leapfrog hadn’t accepted Cooley’s offer to withdraw as counsel and had instead opted to pursue its motion for disqualification as well as sanctions when the matter was moot. She added that if anyone was entitled to attorneys’ fees, it might be Epik Learning, which had to continue fighting the motion even after offering to find new lawyers."
Cleared: "Cooley Defeats DQ Bid In Cardtronics ATM Commissions Suit" --
  • "A California federal judge refused on Tuesday to disqualify Cooley LLP from defending ATM processor Cardtronics Inc., its Mexican subsidiary and two of its executives in a suit alleging the companies cheated a franchiser out of commissions, saying Cooley properly disclosed potential conflicts to its clients and obtained their consent."
  • "Magistrate Judge Elizabeth D. Laporte said during a hearing in San Francisco that Cooley had the four defendants sign consent forms acknowledging potential conflicts, and that’s 'the correct way to do it.' Judge Laporte also criticized plaintiff William D. Bush’s argument that Cooley should be disqualified because the attorneys aren't licensed to represent their clients in Mexico. Judge Laporte said those 'aren’t really grounds to disqualify,' and even if they were, it wouldn’t be up to Bush to decide if the defendant’s counsel was competent."
Compounded: "Good morning your honors, you have a conflict." --
  • "Lawyers for Microsoft Corp. and Impulse Technology Ltd. spotted a problem when they arrived at the Federal Circuit for argument Nov. 4: Judge Kimberly Moore was seated on their panel. Moore routinely recuses herself from cases in which her husband’s law firm, Latham & Watkins, represents one of the parties. But in this case Latham lawyers had appeared for Microsoft at the trial court level only, and the conflict slipped through the cracks."
  • "After counsel notified the court, Moore stepped aside and Judges Pauline Newman and Alan Lourie heard the case on their own. 'Our appreciation and thanks to counsel for bringing this conflict to our attention now, rather than later,' Newman said."


Monday, January 30, 2017

Security: When Reality Mirrors Fiction


Yesterday we proposed a fictional "worst case" security breach scenario. Now come the real-world lessons, examples and more.

"Feds bust Chinese hackers for trading on stolen law firm secrets" --
  • "Chinese hackers made more than $4 million by infiltrating the email servers of New York law firms to steal secret corporate merger plans they could trade on, according to U.S. authorities."
  • "According to the indictment, the suspects hacked inside information by infiltrating at least two unnamed law firms between April 2014 and late 2015."
  • "The hackers scoured the emails of law firm partners to discover stocks that were likely to soar because they were targeted in merger deals, including one tech company Intel would later acquire for $17 billion. The defendants then purchased shares of those companies, scoring over $4 million in illegal profits, authorities allege."
  • "Preet Bharara, the U.S. Attorney for the Southern District of New York, said the case should serve as a 'wake-up call for law firms around the world...You are and will be targets of cyber hacking, because you have information valuable to would-be criminals,' Bharara said in a statement."
Next: "Data Security Not Top Concern For Firm Leaders, Report Finds" --
  • "The danger of data breaches and other technological security issues in the legal industry seems to be implicit given the rising demand for data-driven work and high-profile firm document leaks, but information security is not top of mind among firm leaders, according to a report issued on Wednesday."
  • "Through a joint effort by Novitex, a Connecticut-based provider of cloud-based document outsourcing solutions, and the Association of Legal Administrators, more than 800 legal managers were surveyed on their top concerns and challenges, and how they’re going about overcoming them. But despite a commonly perceived threat of “cybercriminals” to confidential legal work, most firm leaders put increasing profits and revenue and luring new clients well ahead of limiting any cybersecurity risks."
  • "Specifically, the survey found that nearly half of attorneys considered increasing net profits or attracting new clients as their number one concern, with increasing revenues coming in as the top concern, at about 21 percent."
  • "Just more than 8 percent of leading firm attorneys named reducing cybersecurity risk as of utmost importance, coming in just above concern for how to improve workflows, according to the report. Such a result may be surprising considering the role of Panamanian firm Mossack Fonseca in a massive document leak this past spring, which saw hundreds of thousands of shell companies aimed at avoiding taxes, their owners and their BigLaw counsel publicly outed."

Sunday, January 29, 2017

2017: New Year, New (and Old) Risks




Happy 2017. Having returned from a brief break (including restful rejuvenation in my metaphorical volcano risk lair), and having now learned the risks of a New Year’s resolution to blog more (apologies for the extended absence), we now return to covering the issues of the day.
 
(Note: While the blogging went on hiatus, the reading and research did not, so in the coming days I’ll highlight some of the key developments and news of the past few weeks -- to mitigate the risk of readers missing something compelling, of course.)
 
Let’s start with security. I was recently asked by LegalTech News to provide a take on “hot issues” for 2017. So what follows is a bit of a creative writing exercise undertaken in the spirit of "Fifteen Minutes Into the Future" speculative fiction, focusing on one potential future news article:

"Is 2017 the Year a Leak Sinks Your Firm? A look into the future for the lessons learned from the 'hack' of one major firm." --
 
  • "It was both literally and figuratively a dark and stormy night, at least according to the FBI forensics report. That pinpointed New Year’s Eve as the moment when a vast trove of extremely sensitive data was stolen from the firm Krennic, Erso & Tarkin. While the office was quiet and closing, with most out celebrating the eagerly anticipated end of 2016, its servers were subjected to a sophisticated digital heist."
  • "This was not the first time a law firm had experienced a security breach. But what happened next was indeed unprecedented."
  • "First, came the cocky pronouncements from WikiLeaks. That they had obtained 'the crown jewels' from an extremely prestigious law firm. That they planned to make tsunami-level waves, releasing information from clients including high-profile financial services firms, high-net-worth individuals, several lobbyist and political non-government organizations, and white-collar criminal defendants."
  • "Further twisting the knife, WikiLeaks stressed that they would be releasing this data slowly, in a manner staged for 'maximum impact,' as per their stated policies. This was an unpredictable organization, but its agenda wasn’t."
  • "The media feeding frenzy that followed was expected. The chain of events that sparked, was not—the wholesale departure, first of clients, then associates, and then partners from the firm."
Read on for more details in the scary story, including why the silver lining of the security nightmare was actually due to the cloud (document management system).

[What’s that old saying? All actors want to sing and all bloggers want to screenwrite Blade Runner 2049? >smile<]
 

Sunday, December 11, 2016

EVENT: Toronto Risk Roundtable (January 2017)



Our next Risk Roundtable event in our series on outside counsel guidelines is set for January 11th in Toronto. We're delighted to feature Simon Chester, Senior Counsel, Client Solutions at Gowling WLG, as our guest speaker.

He'll revisit the point he made last year that outside counsel guidelines (OCG) are “bombs” waiting in law firm files, and that firms need to take action now to mitigate the substantial risks associated with OCG management.

Simon will be joined by Eric Nerland, Risk Practice Leader at Intapp, who will focus on the increasing compliance pressures being imposed by clients and how a firm can deliver on key client commitments. He will also share a short update on the Intapp Open terms of business management system, a solution that helps firms finally manage, centralize, classify and report on client terms, RFPs and communications in a structured fashion.

And, as always, we’ll have plenty of time for open discussion, peer exchange and networking.



Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.
 

Thursday, December 8, 2016

VIDEO: Law Firm Perspective: Risk Case Study

Here's a seven-minute video interview with Andy Jurczyk, CIO of Seyfarth Shaw, on his firm's investment in risk technology:

https://www.youtube.com/embed/eghvsEIHMW4?modestbranding=1&rel=0&showinfo=0&autoplay=1

Intapp Open — A Journey Forward
  • "We just recently finished the Open implementation, and finally brought our new business intake process into the electronic world, and the workflow associated with that, which is a project that went great."
  • "We originally had a contract with The Frayman Group, and we were ready to roll out our workflow software, and the acquisition happened. Of course, there's always questions about what's going to happen next. We had a number of Intapp meetings, and agreed on a delivery schedule and resource allocation to complete the project. Everything went great from that point on. We had some good resources that were applied."
Intapp Open — In Practice
  • "We finally finished the workflow and programming associated with the open product, and chose our Boston office as our pilot. Our Boston office is a little bit challenging because of some of the work that we do and the volume of the matters that get opened up in that office."
  • "We thought that would be great from a stress test perspective, and we rolled it out, and everybody loved it. It had more requirements, from a data collection perspective, which we thought we'd get some pushback on, but just the opposite happened. It was easy. It gave people insight into the matter opening process. They knew what the status was, where it was going."
  • "We still thought: 'Well, I wonder if that's an anomaly. Let's roll out another office,' and we went to the other side of the coast to our West Coast office, with the same results. Everybody was very happy about the product and welcomed it. We just finished the rollout firm wide, and it's been accepted, and everybody has provided very positive input for it. I'd think the value of the workflow is important for us."
On Intapp
  • "Intapp is one of those companies that I think is easy to do business with. In my role, I spend a lot of time with a lot of companies and a lot of people that run those companies, and one of the most impressive things, for me, is the focus on the client at all levels from all personnel within the firm. It's a very well run company. It's easy to do business with. There's a lot of transparency on current product and future product, and so you have a good feel for what they're working on, where they're going, and that personally helps me strategically in budgets and being able to determine what the next steps are for our business and where we're going to take it."



Wednesday, December 7, 2016

Recent Conflicts News & Updates




A few stories and updates of note, starting with the latest from Bill Freivogel:
  • "Screening; Electronic Files: Estate of Kennedy v. Stuart A. Rosenblatt, C.P.A., 2016 WL 6543629 (N.J. App. Div. Nov. 4, 2016). This opinion’s description of the parties and the procedure is somewhat befuddling (to us, at least).  Therefore, we will take extreme liberties in simplifying the facts in order to reach the key issue for this audience: the application of N.J. Rule 1.10(b) (same as M.R. 1.10(b)) to electronic files remaining in the law firm when the lawyers handling the matter in question have left, taking the paper files with them. Law Firm defended a lawyer (“Defendant Lawyer”) in a prior malpractice case (“Prior Case”). After Prior Case was dismissed, the lawyer representing the plaintiff in Prior Case (“Lawyer”) joined Law Firm. Lawyer then filed the same case as before, including against Defendant Lawyer (“This Case”). In This Case Defendant Lawyer moved to disqualify Law Firm. Law Firm defended the motion because the lawyers working on Prior Case had left and taken the paper files with them. The issue was whether the electronic files left behind disqualified Law Firm under Rule 1.10(b)(2). The trial court granted the motion. In this opinion the appellate court reversed “conditionally” and remanded for further proceedings. Law Firm had erected a “screen” around the electronic files. However, the court said that if someone in Law Firm looked at the substance of the retained electronic files, Law Firm should be disqualified. If, however, all Law Firm lawyers did was look at metadata to determine whether anybody in Law Firm had looked at the files substantively, then the Law Firm should not be disqualified. The appellate court felt that New Jersey’s recent adoption of its version of M.R. 1.6(b)(5) (N.J. Rule 1.6(d)(5)), helped inform its decision here, even though the N.J. version came after the events in question. 
The opinion also discusses the nuts and bolts procedure that should be followed in resolving the remaining issues, and directs Law Firm to delete any electronic files remaining."
  • "Waiver; Passage of Time (posted December 2, 2016) Worth v. Worth, 2016 WL 7007721 (E.D. Pa. Nov. 29, 2016). The parties litigated this derivative action in state court for nine months. They now appear in federal court with different lawyers. Law Firm is representing the company and individual defendants. The plaintiff moved to disqualify Law Firm. In this opinion the court denied the motion because the plaintiff allowed a different law firm to represent the company and individual defendants for nine months in state court without objection."
  • "Of Counsel (posted November 30, 2016) LoPorto v. County of Rensselaer, No. 1:15-CV-0866 (LEK/DJS) (N.D.N.Y. Nov. 16, 2016). Lawyer filed this case for Plaintiff. Two individual defendants, A and B, were represented by Law Firm. After filing this case Lawyer became of counsel to Law Firm. Plaintiff and A and B reached an agreement to settle by dismissing A and B. The court held a conference to discuss the settlement. There the court learned of Lawyer’s of counsel status at Law Firm. The court ordered the lawyers to address this conflict.  After the lawyers did so, the court, sua sponte in this opinion disqualified Lawyer and Law Firm."
"More Conflicts Arise On Kirkland Team for Turkish Trader" --
  • "A hearing Wednesday in a New York federal court intended to address two possible conflicts with a Kirkland & Ellis LLP team representing a Turkish gold trader accused of violating Iran trade sanctions revealed several additional issues with the firm’s banking clients."
  • "Instead, one of Zarrab’s 14 lawyers, Viet Dinh of Kirkland & Ellis, told Judge Berman that six additional banks involved in transactions worth hundreds of millions of dollars at the heart of the case are also on Kirkland’s client roster."
  • "Moreover, he and another one of Zarrab's lawyers, Paul Clement, were also representing one of the banks that prosecutors claim were victimized by Zarrab's scheme in another ongoing federal case, representing a "metaphysical" conflict issue in the case."
  • "Zarrab and two others were charged in March with acting on behalf of the Iranian Bank Mellat and others on a U.S. sanctions list. He was initially represented in part by a Bancroft PLLC team that included Dinh and Clement."
  • "But in September, Kirkland announced it was absorbing the entire 17-attorney team at Bancroft, a renowned appellate firm. That created conflict issues for the four former Bancroft partners on Zarrab's deep legal team."
  • "Dinh argued Wednesday that the possible conflicts between the Zarrab and the banking clients were at worst indirect, and could be handled with an ethical wall in the firm. He also said he’d gotten Zarrab’s informed consent for the former Bancroft lawyers to continue to represent him, as well as conflict waivers from Bank of America and Deutsche Bank."
  • "He likened the issue to lawyers who represent a plaintiff suing a defendant who happens to have insurance coverage from a company also represented by the plaintiff firm in unrelated matters. 'It’s analogous to an indirect springing conflict,' he said."
  • "But Dinh also acknowledged that even if he could secure waivers from the other six Kirkland clients and erect an ethical wall in his new firm, he and Clement were also personally representing one of them, HSBC, in a Second Circuit appeal. 'We can’t wall ourselves off, and Mr. Zarrab understands that metaphysical issue,' he said."

Tuesday, December 6, 2016

Outside Counsel Guidelines -- Keeping up on the Conversation




Always important to listen to the client side of the equation. Here is a recent article from Sterling Miller, former General Counsel for Sabre Corporation (and Travelocity prior to that): "Ten Things: Preparing Outside Counsel Guidelines – The Keys" --
  • "Managing your relationship with outside counsel can be challenging. The good ones work hard to make it easy but, even so, there are times when you and your outside lawyers are not on the same page... There are many facets of your relationship with outside counsel that you need to think about and constantly manage. One way to do this is through an engagement letter. While this is a good device to manage some aspects of a particular project, the better path is to create and maintain a set of 'Outside Counsel Guidelines' — a standing set of rules for how you and your outside counsel will interact on key issues, especially on billing."
  • "1. Be reasonable. I have been on both sides of the aisle as General Counsel and as outside counsel. One thing I always tried to ensure was that, as in-house counsel, we were reasonable in what we included in our outside counsel guidelines and in the manner in which we interacted with our outside counsel, especially over billing and invoicing. My assumption was that outside counsel wanted to do a good job, wanted to comply with our guidelines, and wanted to ensure that we felt that we got value for the money we spent with them."
  • "7. Conflicts. As firms consolidate, conflicts become a real issue. One thing I have seen larger firms try to obtain is a blanket waiver of conflicts (sometimes called “advance conflicts waivers”). I would say no to this, and set out your policy on this in your guidelines. Moreover, you should set out that you expect the firm to advise you before undertaking any representation of a client whose interests are generally adverse to the company, for example a competitor. It may not be an actual “conflict” under the ethical rules, but it’s fair to ask outside counsel to advise you of such representations."
  • "Additionally, if your law firm for some reason needs to withdraw from a representation of your company (either voluntarily or via court order) because of a conflict, you should require that the firm pick up the cost of transferring the matter to new counsel and for getting new counsel up to speed on the matter and if for some reason there is work product that can no longer be used due to the conflict, that the firm refund you the fees and costs associated with that work product."
  • "8. Guidelines trump retention letter. Most retention letters are prepared by outside counsel, which is fine. However, when you get the retention letter don’t just skim over it and sign it as is (even if they send it to you as a signed pdf). Take the time to read through it and ensure that a) it accurately reflects your understanding of how the engagement will work and any special terms or pricing you agreed to, and b) that there is nothing in the retention letter that conflicts with your Outside Counsel Guidelines. If either is not the way you want, change it – do not be afraid to mark up the retention letter. One thing I frequently did (especially if most of the letter was fine) was simply hand-write by my signature “Nothing in this letter trumps the [Company Name] Outside Counsel Guidelines and in the event of a conflict, the Outside Counsel Guidelines shall govern.” On occasion, I am glad I wrote this into the engagement letter."
  • "9. Guidelines do not replace a conversation with outside counsel. You can write the most elaborate Outside Counsel Guidelines, covering everything from A to Z, but in my experience your guidelines do not replace the one thing that is most important – regular conversations with your outside counsel about the relationship, especially around billing and costs. It may feel a bit scary and even awkward but nothing will pay back dividends like an honest conversation with your outside counsel about the bills."
  • "10. Review annually. If you are a regular reader of my blog you know that one thing I preach consistently is that you cannot prepare policies and guidelines and then just leave them on the shelf until “something happens.” You need to schedule regular reviews and you need to create the right team to help with that review – potentially even folks outside the legal department... Outside Counsel Guidelines can be a very helpful tool to help manage your relationships with outside counsel. Don’t be afraid to rewrite them from scratch every few years – the legal profession is changing way too fast to just sit back and assume what you already have is good enough. And, there are many other topics you can/should cover in your guidelines, e.g., confidentiality, media relations, “up-the-ladder” reporting, dispute resolution."

Wednesday, November 30, 2016

Positional Conflicts – Those Tweets & Posts (May) Create Serious Conflicts Problems



"Tweeting, Blogging Lawyers Warned About Positional Conflicts" --
  • "Lawyers who blog or tweet about legal developments should be cautious 'when stating positions on issues' because 'those stated positions could be adverse to an interest of a client, thus inadvertently creating a conflict,' the District of Columbia bar’s ethics committee advised in November."
  • "The guidance came in one of two simultaneously issued opinions that discuss a host of ethical issues involving lawyers’ use of social media (D.C. Bar Legal Ethics Comm., Ops. 370 and 371, 11/16)."
  • "But the D.C. panel also highlighted a few risks that were not emphasized in prior ethics opinions. One apparently novel warning was on the risks of creating so-called 'positional' conflicts when blogging or tweeting about legal developments. These are conflicts that can arise when a lawyer advances one position but needs to argue the opposite on a client’s behalf."
  • "The panel warned that lawyers who blog or tweet about legal developments may run into ethical problems if they state positions on legal issues that conflict with positions they have advanced, or may be called on to advance, on a client’s behalf."
  • "The committee said lawyers who engage in online musings of this sort may inadvertently create a positional conflict under D.C. Rule of Professional Conduct 1.7(b)(4). That rule says a lawyer may not represent a client in a matter if 'the lawyer’s professional judgment on behalf of the client will be or reasonably may be adversely affected by ... the lawyer’s own financial, property or personal interests.'"
  • "Accordingly, Cornett said, 'If a blawger whose reputation is entwined with her blawg needs to take a contrary position in order to advance a client’s interests, she may be ‘materially limited’ from doing so because of that reputational interest.'"
This development is interesting on several levels -- the distinction between social/blogging commentary and other forms of expression being just one. (Though the text of the opinion itself covers communications mechanisms as diverse as Yelp, email lists and even general email, while acknowledging that differences apply based on a number of factors.)

(I suspect that somewhere out there may be a lawyer who actually represents Twitter, who may be tempted to weigh in publicly on this particular opinion... maybe even via a tweet... but the circular logic loop of that potential conflict is too much to consider at the moment...)

Tuesday, November 29, 2016

New European Data Privacy and Security Rules (GDPR)



The newly launched GDPR Wiki site offers a plethora of information on these pending rules:
  • "Coming to you in May 2018, the GDPR is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years and therefore unsurprisingly is designed to better take into account modern technologies, the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance following a widely held belief that business had not taken data privacy seriously enough previously. As a consequence, penalties are considerably harsher and the compliance requirements are intended to spread a far wider net to include small and medium businesses."
This initiative is a resource delivered by Tim Hyman, former IT director of law firms including Reed Smith and Taylor Wessing.

The site has published and distributes several resources, including: "The Essential Guide to GDPR" --
  • "Following recent presentations on the potential impact of GDPR at a number of global law firms and a presentation to the Institute of Barristers Clerks, I have been asked to compile a guide as to the basic principles of GDPR, how they may impact technology systems and which software tools/vendors could assist with compliance... The solution providers that appear in the guide are those that have come forward and described how their solutions can help businesses looking to get GDPR compliant."
  • "THE 6 GDPR DATA PROTECTION PRINCIPLES:
    1. (‘lawfulness, fairness and transparency’) processed lawfully, fairly and in a transparent manner in relation to the data subject
    2. (‘purpose limitation’) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
    3. (‘data minimisation’) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
    4. (‘accuracy’) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
    5. (‘storage limitation’) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    6. (‘integrity and confidentiality’) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
As further context on the topic, Wikipedia offers:
  • "The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995."
And Dell sponsored a third-party survey on these new rules. The report highlights the state of response from the general corporate sector (short version: likely lacking).

Is your firm ready? Or getting ready to be ready? May 2018 will come sooner than we think... And it looks like, on the compliance side, firms are already planning their GDPR litigation offerings.

Sunday, November 27, 2016

VIDEO: External Vendor Risk Management (Drivers, Trends & Approaches)



A recording of last summer's well-attended session on vendor risk management is now available: "Vendor Procurement, Risk and Relationship Management" --

Jointly produced by Intapp and HBR Consulting, this video explores the various factors causing firms to pay even closer attention to the way they select, evaluate and manage their external vendors. (Client information security mandates are just one of several drivers.)

Scott Springer and Mark Denner from HBR reviewed industry trends and how innovative approaches, supported by new technology, enable firms to streamline procurement, evaluate vendors and address increasingly stringent client and industry requirements.
They also reviewed the vendor lifecycle and demonstrated HBR Consulting's procurement management solutions, built by leveraging Intapp Flow to manage the entire vendor lifecycle, including:
  • Evaluation & on-boarding
  • Information security review
  • Performance monitoring
  • Audit & compliance
  • Off-boarding
(They've nicknamed it "NVI." V for vendor, in the same way firms have an "NBI" approach for business. Clever.)

Monday, November 21, 2016

Ethics Opinion: Don't "Bug" Me -- aka On Monitoring Lawyer Behavior (Not Your Own)




Here's a fascinating ethics opinion for the technically inclined: "No ‘Web Bugs’ on E-mail to Opposing Counsel, Bar Panel Says" --
  • "Lawyers may not use “web bugs” to track e-mail communications with opposing counsel, the Alaska bar’s ethics committee advised in an Oct. 26 opinion (Alaska Bar Ass’n Ethics Comm., Op. 2016-1, 10/26/16)."
  • "The opinion is just the second bar advisory to address whether ethics rules permit lawyers to use 'web bugs'—also known as 'pixel trackers' or 'web beacons'—to discover information about how e-mails they send to opposing lawyers have been treated."
  • "According to the opinion, a common web bugging method “involves placing an image with a unique website address” into an e-mailed document and disguising that image “as a part of the document (e.g., part of a footer).” When the recipient opens the document his or her computer “looks up the image” and transmits information back to the sender about how the message was treated, the opinion said."
  • The opinion described “web bugs” as internet surveillance tools that can tell e-mail senders:   
    • whether e-mails they have sent, or attachments to such e-mails, were opened by their recipients;
    • when those messages or attachments were opened;
    • how many times those materials were opened;
    • how long recipients spent reviewing those materials;
    • whether a recipient forwarded those materials to other persons; and
    • the rough geographic locations of the recipients.
  • "Following the lead of the only other bar panel to address this issue, the Alaska committee concluded that 'tracking electronic communications with opposing counsel through ‘web bugs’ impermissibly and unethically interferes with the lawyer-client relationship and the preservation of confidences and secrets.'"
  • "The committee said web bugs can enable lawyers to discover how long opposing counsel or parties spent reviewing e-mail messages and how frequently they viewed them, which can be “a proxy for how important” those opponents may have deemed such communications to be."
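The mechanism the opinion describes, an image with a unique address disguised inside the message, can be spotted on the receiving side. The following is an added example, not part of the opinion or the quoted article: a Python scan of an HTML e-mail body that flags remotely loaded images. The sample message, the hosts and the token heuristic are constructed assumptions, and attachments are out of scope.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; all hosts and the token are placeholders.
SAMPLE = """\
From: sender@example.com
Subject: Draft agreement
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the draft below.</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://static.example.com/banner.png" width="600" height="80">
<div class="footer">Confidential
<img src="https://tracker.example/o/9f3c2a7714be4d0c8a51.gif" width="1" height="1"></div>
</body></html>
"""

# Assumed heuristic: a long hex or base64url-looking run suggests a per-recipient id.
TOKEN = re.compile(r"[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{24,}")

class ImgScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if tag != "img" or url.scheme not in ("http", "https"):
            return  # cid:/data: images travel with the message; nothing is fetched
        reasons = ["remote-fetch"]  # any remote image reveals that and when it was opened
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("invisible-size")
        if url.query or TOKEN.search(url.path):
            reasons.append("unique-url")
        self.findings.append((url.geturl(), reasons))

def scan_email(raw):
    """Return (url, reasons) for each remotely loaded image in the HTML parts."""
    scanner = ImgScan()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            scanner.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return scanner.findings

def likely_web_bugs(raw):
    return [url for url, reasons in scan_email(raw) if "unique-url" in reasons]
```

Turning off automatic remote image loading in the mail client stops the fetch regardless of how the image is disguised.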


Thursday, November 17, 2016

On Clients Regulating Law Firms (or "Meet the New Boss, Same as the Old Boss")




Inside counsel writes: "Law Firms, Meet Your New Regulator: Your Client" --
  • "While major banks, retailers, hospitals and insurance companies were the brick and mortar of a growing media monument to hubris and cyber overconfidence, law firm breaches went mostly unnoticed. That is, until government agencies and law enforcement grew concerned that the wealth of intellectual property curated by law firms could be used to manipulate financial markets by front running trades."
  • "As the expression goes, misery loves company, and law firms can now commiserate with their financial clientele. Law firms represent banking and investment funds, healthcare providers, pharmaceutical companies and themselves conduct myriad financial transactions."
  • "Law firms are at the cross roads of industry. Take for example, a firm that represents an investment institution in Manhattan and who has a position in a biopharma company across the river in New Jersey. The law firm now handles investment information that is regulated by the SEC and monitored by the FBI. The firm also handles healthcare information in the form of FDA drug test results, patient records, which now falls under Health Insurance Portability and Accountability Act (HIPAA). It might also house investor information from the fund, which means the law firm has PII and is ultimately on the hook for PII requirements."
  • "With an alphabet soup of regulators and laws, it’s no wonder that the clients of law firms are now taking cybersecurity seriously. It’s a big stakes loss in the event of a data breach, and it’s the kind of breach that will not go unnoticed. In fact, SEC regulations, HIPAA and PII all have disclosure requirements meaning that a law firm cannot quietly go about business while keeping the story out of the press. That is why today, more law firms are receiving cyber due diligence questionnaires (DDQs) from their clients. As regulators such as the SEC tighten their rules, implications now reach their vendors; most notably legal services."
And, as we know, information security is just one of several areas where clients are exercising their power to shape law firm policies and practices.

Wednesday, November 16, 2016

EVENT: November Risk Roundtable



Our next Risk Roundtable event in our series on outside counsel guidelines is set for November 29th in Boston.

As with the NY, DC and Chicago events, we'll be featuring presentations and discussion led by Anthony Davis from Hinshaw & Culbertson and Eric Nerland.


Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.
 

Tuesday, November 15, 2016

More Pessimism on the Horizon? (On Client Confidentiality & Law Firm Information Security)




Caroline Hill, editor in chief of Legal IT Insider, weighs in with: "Comment: Pessimistic security – a necessary evil?" --
  • "Given the amount of commercially and potentially nationally sensitive and valuable data held by law firms, and given recent security breaches such as the Panama Papers, the question is no longer whether firms are being targeted by hackers but how, and how far they need to go to protect against a leak."
  • "While law firms have historically focused on defending their perimeter wall, the wider trend shows that attacks are becoming far more sophisticated, with spear phishing attacks tricking employees into giving away passwords and login details, potentially giving a hacker the internal privileges and access rights of that employee."
  • "Says one commentator: 'The concern among large corporations is that law firms don’t have enough complexity in their record access rules and that they have been largely left to do what they want to do. If you are a large enterprise working on a greenfield project and you know it might attract negative publicity, particularly following the Panama Paper leaks, you want to know that your law firm has better security.'"
  • "The result is that a number of firms, particularly those from the United States, are looking at significantly limiting file access within the firm. Pessimistic security flips the normal ‘optimistic’ approach of law firms on its head, with staff only able to open files where they have explicit rights. If a user has different and potentially conflicting permissions, the default position adopted will be the most restrictive."
  • "This complex exercise in damage limitation – one already adopted by a number of accounting organisations – is, for many IT directors, the stuff of nightmares, given the fast pace that law firms work at, often through the night, with major financial drivers to complete work quickly and without technical impediments."
  • "That is not to mention the fact that the knowledge capital and precedents by which law firms differentiate themselves and add client value – and in the future are increasingly likely to monetise – also currently involve sharing vast amounts of client information around the firm."
We previously noted: "InfoScary (Part 1) : A Pessimistic View on Information Security"
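The two rules in the quoted description of pessimistic security (no access without an explicit right, and the most restrictive entry wins on conflict) can be stated as a small access check. This is an added example, not taken from the article or from any document management product; the users, groups, matter numbers and the optimistic default of read access are constructed assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0
    READ = 1
    EDIT = 2

# Constructed ACL entries: (principal, matter, access). Principals are users or groups.
ACL = [
    ("group:corporate",  "M-1001", Access.EDIT),
    ("user:akim",        "M-1001", Access.READ),  # conflicts with her group's EDIT
    ("group:litigation", "M-2002", Access.READ),
    ("user:bdiaz",       "M-2002", Access.NONE),  # screened off from this matter
]
GROUPS = {"akim": {"corporate"}, "bdiaz": {"litigation"}, "cwu": {"corporate"}}

def matching(user, matter):
    """All ACL levels that apply to the user directly or through a group."""
    principals = {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}
    return [level for who, m, level in ACL if m == matter and who in principals]

def pessimistic(user, matter):
    """No explicit entry means no access; conflicts resolve to the most restrictive."""
    levels = matching(user, matter)
    return min(levels) if levels else Access.NONE

def optimistic(user, matter):
    """Open by default (assumed READ); only an explicit exclusion blocks access."""
    levels = matching(user, matter)
    if Access.NONE in levels:
        return Access.NONE
    return max(levels) if levels else Access.READ

def compare(user, matter):
    """Return (optimistic, pessimistic) decisions so the difference is visible."""
    return optimistic(user, matter).name, pessimistic(user, matter).name
```

The cases that differ are the ones the article points to: a user with no entry at all, and a user whose personal and group entries disagree.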

Thursday, November 10, 2016

Your Brother's Keeper? (Disqualification News and Views)



Lending itself to any number of colorful comments and quotes comes: "Atty Beats DQ Bid In Case Involving Brother At Fox Rothschild" --
  • "A Pennsylvania judge on Friday shot down efforts to disqualify an attorney from defending a travel agency previously represented by his brother, a Fox Rothschild LLP attorney also accused in the suit of filing a meritless bankruptcy petition, noting that the clients have waived a cited potential conflict of interest."
  • "In his order, Philadelphia Court of Common Pleas Judge Ramy I. Djerassi denied a motion filed by solo practitioner Bruce J. Chasan, the owner of travel agency Carmen Enterprises Inc., to disqualify attorney Jeffrey Goldin from representing Murpenter LLC and two affiliated individual defendants."
  • "Chasan had argued that Goldin should not be permitted to represent the Murpenter defendants because his brother, Fox Rothschild attorney Ely Goldin, had previously represented Murpenter in an underlying breach of contract suit over an aborted merger and is now named as a defendant in the instant litigation, alleging wrongful use of civil proceedings."
  • "But Goldin’s clients have stated that they are aware of the family relationship and the potential risk it could pose, and still choose to retain Goldin as their lawyer, Judge Djerassi said. 'Based on this informed consent and attorney Jeffrey Goldin’s own written and verified responses here, we believe his sworn promise that he will devote paramount loyalty to his client,' the judge said. 'We believe he will preserve all necessary confidentialities from his brother and represent his client zealously.'"
  • "In addition to seeking to remove counsel for Murpenter, the plaintiffs have also asked the court to disqualify Bochetto & Lentz and its attorneys George Bochetto and John O’Connell from representing Fox Rothschild because the firm’s other name attorney, Gavin Lentz, represented Chasan and his company in a breach of contract suit against his ex-wife in Montgomery County, Pennsylvania, nearly 20 years ago."
And: "Baker Donelson Fights DQ In Amazon Shipping Tussle" --
  • "Western Express Inc. argued in October that Phoenix counsel John Hicks and Jaime DeRensis of Baker Donelson’s Nashville office cannot continue on the case over allegedly unpaid invoices because the firm is actually counsel of record in currently stayed litigation launched in 2011 by the Amazon.com Inc. freighter. But the attorneys said Friday that it is only former counsel and there simply is no conflict since it informed Western of its Phoenix work several months ago."
  • "'While Western made vague statements that Baker Donelson's representation may present a conflict and prevent Western from using Baker Donelson as counsel in the future, it did not allege any specific conflict until almost eight months into Baker Donelson's representation of Phoenix,' the attorneys said in their opposition. 'There is no conflict of interest; even assuming a conflict of interest, Western's failure to timely assert such conflict waives any alleged conflict.'"
  • "As for the matter Baker Donelson formerly represented in, Hicks and DeRensis said that case, involving Western’s claims of embezzlement by a former employee, is not “substantially related” to the instant breach of contract matter, leaving no reason at all for disqualification under Tennessee conduct rules."
  • See the filing for more detail.

Wednesday, November 9, 2016

Conflicts, Ethical Screens and Electronic Paper Trails



Technology offers new opportunities to identify, address and mitigate risk. But it can also cut both ways -- preserving records of error, accident or omission. Over the years we've watched how standards for ethical walls and confidentiality management have evolved to keep up with the realities of how information is stored, accessed and managed. Consider a few examples [here and here] where, for example, internal access audits have played a role in discussions tied to conflicts, disqualifications and ethical screens.

This type of scenario is in the news again in: "Riker Danzig Must Review Database to Determine Disqualification Motion" --
  • "As a result of lawyers coming to and leaving the firm, Morristown's Riker, Danzig, Scherer, Hyland & Perretti must review its electronic database to see if it will be allowed to remain as counsel in a malpractice action... a three-judge Appellate Division panel said the firm, which currently represents the plaintiffs but which once represented one of the defendants, may have to be disqualified after an investigation determines who reviewed confidential files after lawyers were shuffled."
  • "In January 2014, a Riker Danzig attorney wrote an "Initial Case Analysis," which was placed in both a paper file and stored in the firm's database. The analysis, Sylvester said, was a "detailed case assessment" and strategy memorandum. On July 11, 2014, nine months after the estate lawsuit was filed in Bergen County, Sylvester and a number of other attorneys left Riker Danzig to join Florham Park's Sherman Wells Sylvester & Stamelman. Riker Danzig was the Shoobe estate's counsel and Sherman Wells took over. Sylvester took the paper file with him, and the lawsuit was dismissed for an undisclosed reason on Aug. 27, 2014. However, a copy of the analysis remained in Riker Danzig's computer files."
  • "In April, Sylvester notified Riker Danzig of the conflict of interest. In response, Riker Danzig established what it called a "fire wall" to prevent Loalbo, along with attorneys who were also involved in the case, from accessing the file involving the Shoobe estate, including the initial case analysis... At the same time, a senior attorney at Riker Danzig, with the help of information technology personnel, reviewed the file to determine whether anyone had reviewed the analysis. That review showed that no one, other than the unidentified Riker Danzig senior attorney, had done so."
  • "The appeals court remanded the case to determine whether the Riker Danzig senior attorney only noted that the analysis existed, or whether he or she had read it. 'Reviewing anything more than the metadata concerning when the file was accessed, and perhaps a title to the document, would have unreasonably exceeded the need to determine the existence of a conflict,' Nugent said. 'In such case, there would certainly be a doubt as to the propriety of Riker's continuing representation of plaintiffs, and that doubt would be resolved in favor of disqualification.'"
  • "The firm has 20 days to file a certification from the senior attorney and the IT person who assisted him or her that generally describes the information that was accessed from the analysis and whether they reviewed the contents. The firm also must determine if the analysis could be deleted from its database and, if so, explain why the firm has not already done so. Riker Danzig has 30 days to access the file, in the presence of Sylvester and his IT person, to determine whether anyone other than the senior attorney accessed the analysis."
See the complete order.