Elements of an Effective Ethics Screen

Michael Downey, litigator and legal ethics lawyer with Armstrong Teasdale provides a thorough and nuanced review of differences in state rules of professional conducts ethical screening standards for law firms: "Elements of an Effective Ethics Screen." (Published by ABA/BNA: [Text Version] [PDF Version]

Downey notes that state rules of professional conduct are “inconsistent on what elements are required for a screen to be effective.” He goes on to provide an excellent summary of different requirements for a variety of screening scenarios:

• Lawyer who works on a matter at a prior firm
• Nonlawyer prior work
• Lawyer who works on a matter while a government employee
• Lawyer previously involved in the matter as a judge
• Where communication with prospective clients reveal confidential information

Common screen standards apply to all situations including timeliness, notification and enforcement requirements. He notes that best practices include:

•  “Implement data access controls to prevent screened lawyers from accessing all digital files and documents relating to the screened matter…”
• “Monitor and audit the screen on a regular basis to ensure continued compliance.”
• “Send reminders of screens on a periodic basis and when circumstances make such notices appropriate. Examples would include an additional screened person joining the firm or a screened lawyer changing offices.”
• “Audit specific screens and the firm’s screening procedures on a periodic basis to ensure that the firm is taking proper steps to implement and maintain its screens. Particular attention should be paid to changes in information or document management, or personnel responsibilities, that may require changes for screens to be effective.”
• “Preserve records establishing that the client and appropriate firm personnel received notice and demonstrating that a particular screen was effective throughout its duration.”

Interestingly, Downey notes that decommissioning screens is another important area to consider (and one firms often overlook): “…screens should be discontinued when they are no longer necessary. This reduces the number of screens in effect in the event that a firm later needs to defend its screening policy.”

These elements highlight the value of modern screening software that automates creation, notification, enforcement and auditing processes. Such an approach can also be extended to interface with firm matter closing processes or update screens and matter teams based on lawyer billing practices (for example, notifying an administrating regarding screened matters that have not seen active work in a predetermined time and may warrant review by risk stakeholders to see if they are still active.)

Canadian Risk Roundtable Scheduled (April 10th, Toronto)

We're pleased to kick off this year's Risk Roundtable series in Toronto, with a session scheduled for Tuesday, April 10th, hosted by McCarthy Tétrault LLP:

Industry developments continue to raise the profile of risk and compliance issues -- particularly with information risk management, where rising client expectations, evolving professional standards and new regulations create new challenges and dangers.

In this context, it's vitally important that risk professionals continue to take steps to understand this changing landscape and minimize firm exposure.

The Risk Roundtable provides a forum for risk, IT and related professionals to connect in a collaborative environment.

This session will include:

• A review of news stories, issues, trends and developments affecting law firm risk management
• An update on the Risk Roundtable Compliance Consortium, including an overview specific industry risk response guidelines under development
• An open forum for peer discussion, exchange and networking

Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.

SRA Updates: Handbook Revisions, Conduct Breaches, Compliance Deadlines

Hat tip to Legal Futures for several interesting Solicitors Regulation Authority updates:

• SRA approves third version of Handbook in six months – with another one set for June -- "The SRA said it recognised the disruption that so many updates in such a short time would cause the regulated community but argued that they have been unavoidable. The plan is to have two updates a year once implementation of the new regime has settled down."
• Most firms in multiple breach of the Solicitors Code of Conduct, says SRA research -- "The vast majority of law firms are non-compliant with the Solicitors Code of Conduct, research by the Solicitors Regulation Authority (SRA) has found. Most of the 200 firms assessed for a baseline study on solicitors’ approach to regulatory compliance had four or five incidences of non-compliance, although in the main they could be remedied relatively easily through changes to client-care procedures and letters, the authority said."
• SRA set to delay COLP and COFA deadline -- "The 31 March deadline for law firms to nominate their new compliance officers is to be pushed back as a result of the continuing practising certificate (PC) renewal problems at the Solicitors Regulation Authority (SRA)."
• SRA rejects calls to curb publication of regulatory decisions against solicitors -- "The Solicitors Regulation Authority (SRA) has rejected calls from the Law Society and practitioners to curb the amount of information it publishes about solicitors subject to regulatory sanctions."

Law Firm Mergers, Client Confidentiality Management, Legal Ethics + More

Two interesting stories to share today:

King & Wood and Mallesons iron out confidentiality issues ahead of merger

• "King & Wood and Mallesons have addressed perceived client confidentiality issues ahead of their 1 March merger by pledging to keep the Chinese partnership out of the firm’s network system... a number of Mallesons partners were uneasy about sharing systems across the merged firm because under Chinese law lawyers in domestic firms are obligated to hand over any client information the ruling Communist Party may ask for."
• "The new approach includes establishing a comprehensive intranet site to help lawyers manage the change to King & Wood Mallesons and ensure effective internal communication, and setting up a stricter procedure of sharing client documents and confidential information between the partnerships."
• In an internal memo, Mallesons chief executive Stuart Fuller instructs: "You should only share client documents and client confidential information between the partnerships if you have the client’s consent. This applies to sharing documents via the document management system or by email."

Privatizing Professionalism: Client Control of Lawyers’ Ethics

• [via Hildebrandt Institute]: "Whelan and Ziv examined the formal guidelines given to outside counsel by their clients, as well as informal industry ethical norms, to determine what impact corporations can have on the ethical standards and behavior of their lawyers."
• "The authors found that clients can, in fact, exert considerable influence over the ethical behavior of their outside counsel. More significantly, Whelan and Zin make the argument that such influence is an important form of “private regulation” that may fill in the gaps between government regulation of legal ethics and self-regulation by the industry"

Law Firm Lateral Hires and Depatures -- Do's and Don'ts

The Legal Intelligencer Blog published an interesting series: “Do’s and Don’ts for Departing a Law Firm” [Part 1] [Part 2] [Part 3].

It presents analysis stemming from Joint Formal Opinion 2007-300, “Ethical Obligations When A Lawyer Changes Firms,” case law and personal experience of the author, who has represented both firms and lateral movers in disputes.

He notes that firms responding to departing lawyers should take care to not:

1. "Prevent the departing lawyer from honoring his ethical obligations to clients or attempt to thwart any ongoing relationship between that lawyer and departing clients."
2. "Forbid a departing lawyer from announcing his departure, notifying clients or opposing counsel in a litigated matter."
3. "Instruct firm personnel not to disclose the whereabouts of former lawyers to clients or other callers."
4. "Withhold files of departing clients as leverage in disputes with departing lawyer over fees or other strictly lawyer-to-lawyer issues."

ABA Ethics 20/20 Commission Posts Final Draft of Proposed Model Rule Changes

We’ve posted several updates on the ABA Ethics 20/20 Commission’s work. This group is reviewing ABA Model Rules of Professional Conduct and other regulatory rules affecting law firms in order to develop policy recommendations in response to changes in technology and global legal practices.

The group has now published revised drafts of proposals scheduled to go to the ABA House of Delegates in August 2012. It’s inviting external comments by April 2, 2012. Further details and specific proposal language is available at the ABA web site. The Legal Ethics Blog has published an excellent series of proposal summaries. Of particular interest:

• Proposal to Amend Rule 1.6 – Confidentiality of Information
• Proposal to Amend Rule 1.6 – Confidentiality Exception to Detect Conflicts
• Proposal to Amend Rule 5.5 – Multijurisdictional Practice Of Law
• Proposal to Amend Rule 1.0(k) – Definition of "Screened"

The Proposed Rule 1.0(k) change seeks to explicitly modernize screening requirements. The Commission notes:

• “Advances in technology have made client information more accessible to the whole firm, so the process of limiting access to this information should require more than placing relevant physical documents in an inaccessible location; it should require appropriate treatment of electronic information as well.”

Upcoming Webinar: Paragon Insurance Presents IntApp Risk Briefing

Paragon International Insurance Brokers is presenting a webinar on trends in law firm confidentiality and how firms can respond to maintain a competitive advantage over their peers.

Date: Tuesday, March 13
Time: 9 am Pacific / 12 pm Eastern / 5 pm BST

Description: Law firms are investing in confidentiality enhancements in response to drivers including professional rules (ethical screening) [read more], tougher client requirements [read more], greater concern about data leakage [read more], and the desire for certifications such as ISO 27001 [read more].

Pat Archbold, head of IntApp's Risk Practice, will discuss:

• Recent disqualification decisions
• Insider trading threats
• Data leakage
• Confidentiality management software solutions

Attendance: This is a third-party event, produced by Paragon. Attendance is by invitation only and limited to Paragon clients and partners. For more information, please email: Natasha Watson, Director of Paragon Risk Management Services.

Firm Information Security Management (More News and Views)

Following the flurry of stories on law firm information security over the past few weeks, comes two related links:

The Risks of Taking Your Electronic Devices Abroad

• "You have just finished a long trial, deal or other matter and decide to take a vacation… you bring along your work laptop, your BlackBerry or iPhone, and your iPad or e-reader to cover all your bases electronically."
• "Then, a funny thing happens on your way to baggage check… The Customs and Border Protection officer asks to see your bags and decides to confiscate your laptop and iPad for further inspection. End result: You don't get your devices back for almost two months and you have no idea how many government agencies saw, inspected and/or analyzed their contents."
• "Now, even without reasonable suspicion of any wrongdoing, the government can search, copy and seize travelers' laptops and other electronic devices at the border and can potentially continue to access personal and work data and information stored in the cloud, indefinitely and in an ongoing manner."
• "Many law firms store attorney-client communications, clients' proprietary data and other confidential information this way and the limits on potential government access to such information is practically unbounded under the law as it exists today. This doesn't even include the possibility that, once any privileged communication is accessed by the government, the privilege could be deemed waived, with the scope of the waiver extending to all communications relating to the same subject matter. (What comes next? -- a subject matter waiver over everything in your email?!) Malpractice claims and ethical pitfalls would abound."
• "Short of leaving our electronic devices at home, we may need to start taking copious measures when traveling internationally, like keeping a backup of our confidential data and communications elsewhere (e.g., on law firm servers) and securely deleting our hard drives, smartphones, etc., prior to travel, then remotely accessing the material we need when we get where we are going."

On a related note, see also an article in the February issue of Wisconsin Lawyer: “Preserve Confidentiality When Using Technology” --

• Question: "I use a lot of technology equipment in my law practice. What steps must I take to ensure confidentiality of client information when disposing of this equipment?"
• "Although this topic is still subject to much discussion and debate, it is clear that lawyers are required to have some basic understanding of the function and operations of equipment that is used in their practices, especially if that equipment is storing client information as part of its functioning. Special care must be exercised at the time of disposing of equipment used in the practice to make sure that client information is not somehow transmitted or left on the equipment for discovery by someone else."

ISO 27001 for Law Firms -- More News and Competitive Positioning

Bond Pearce just announced that the have retained their ISO 27001 certification. The firm's positioning of the broad scope of its certification suggests another conscious salvo in the use of ISO as a competitive wedge. (See: recent Allen & Overy ISO 27001 announcement.)

• "ISO 27001 is the world's highest accreditation for information protection and security and is awarded to companies whose business processes conform to strict international standards; it is the only auditable international benchmark for information security management."
• "We have retained our prestigious ISO 27001 certification following a robust external audit process. We were the first law firm in the UK to achieve full ISO 27001 certification across all sites and services back in 2008."
• "Full ISO 27001 certification across the entire organisation is rare amongst law firms - many others limit the scope of their certification to IT alone."
• "Retaining the certification demonstrates our continuing commitment to ensuring its client data is treated with the strictest safeguards and protections to ensure client confidentiality."

Ben Weinberger, Director of IT and Facilities, comments: "We serve an impressive array of national and multinational clients who rely upon our ability to protect and maintain their information with our rigorous security standards.  Retaining our ISO 27001 certification demonstrates our high level commitment and understanding of security requirements to ensure our client information and data remains fully secure. We maintain world-class technology and continue to invest in IT and all our business systems, which play a central role in our strategy to provide the best service experience to our clients."

Legal Ethics News & Developments

Ethical issues raised about nonlawyer law firm CEOs:

• "Drinker Biddle & Reath partner Lawrence J. Fox, former chair of the American Bar Association’s standing committee on ethics and professional responsibility, thinks Scott Green's appointment marks the first breach of professional independence for lawyers."
• "'It raises all sorts of questions and trivializes the basic tenant of professional independence — lawyers report to lawyers... The problem I see is those who want to own a law firm now have an argument for doing so. If you have a nonlawyer CEO, why shouldn’t the next step be Goldman Sachs or Walmart owning law firms.'"

Recent Ethics Opinions:

• New York State Bar Opinion 903 (1/30/12) -- "When a lawyer jointly represents two co-defendants pursuant to a validly obtained consent to the dual representation and to any future conflicts that might arise between the joint clients, and one of the clients later revokes consent, whether the lawyer may continue to represent the non-revoking client depends upon the circumstances, unless an advance agreement specifies what happens upon revocation of consent."
• New York State Bar Opinion 905 (1/30/12) -- "Rules 1.9 and 1.10 do not apply to a lawyer who acquired confidential information while acting solely as a paralegal or legal assistant. A law firm that hires a lawyer who acquired confidential information while acting as a paralegal or legal assistant has an obligation to make reasonable efforts to ensure that the lawyer does not reveal the confidential information. A law firm should instruct the newly hired lawyer not to divulge confidential information. The firm should also perform a conflicts check reasonable under the circumstances. If the lawyer acquired confidential information in a matter while working as a paralegal or legal assistant, the lawyer ordinarily must be screened from any personal participation in the matter to avoid communication to others in the firm of confidential information that the firm has a duty to protect."
• New Hampshire Ethics Committee Advisory Opinion #2011-12/5 -- Outsourcing Legal and Non-legal Support Services – "Such engagement of support services does not of itself violate the Rules of Professional Conduct. The New Hampshire attorney must ensure that the individuals or companies providing the services maintain client confidences (Rule 1.6) and do not create conflicts of interest (Rule 1.7). The New Hampshire attorney must also ensure that the charges for these services do not result in an unreasonable fee or unreasonable expenses (Rule 1.5), and must not share fees with non-attorneys (Rule 5.4). The New Hampshire attorney must notify the client of the engagement of such services (Rules 1.2 and 2.1), must be competent (Rule 1.1) to review the services provided (Rules 5.1 and 5.3), and must avoid the assistance of the unauthorized practice of law (Rule 5.5)."

Clients Advised to Ask Tougher Questions About Law Firm Information Security

Law firm information security and information risk management is definitely in the zeitgeist. Corporate Counsel magazine just published an article advising clients to take greater interest in how outside counsel treat their sensitive information. "Securing Corporate Data in a Law Office's Computer Network" --

• "It’s an issue that should be getting the attention of in-house counsel, especially as they share sensitive--and potentially valuable--data with outside counsel."
• Digital risk consultancy Stroz Friedberg notes: “We’re advising law firms to segregate that data, and put much more security around that data."
• "'The disparity in the levels of security we’re seeing is startling.' Some law firms have a very strong culture of security, at or beyond that of their corporate clients. Others continue to prioritize the convenience of a flat, open network over the security of a network with more barriers."
• Echoing, similar comments published by the UK's Legal Support Network, Friedberg notes: “The issue ends up being that the lawyers are so oriented to the convenient use of computers. It presents real challenges to pervasively establish a culture of security, because convenience has to be subjugated to secure computer use.”

The article presents an extensive list of "Twelve Security Questions That Corporations Should Ask Their Law Firms," which includes:

• Does the firm log access to its clients’ files, so who touched what file can be reconstructed?
• Does the firm use secure enclaves, where highly sensitive data receives higher levels of security protection and monitoring?
• Does the firm have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?

New Federal Information Security Law -- Will It Affect Law Firms?

The recently-introduced Cybersecurity Act of 2012 calls for the federal government to identify key systems that if attacked would result in severe economic or physical damage. Stated targets include utilities, banks and other critical service providers.

As Law Technology News reports: "Experts say it's possible that large law firms and corporate legal departments could be impacted and find themselves reporting security procedures to the federal government, or face fines and public scrutiny."

• Steptoe & Johnson partner Stewart Baker outlines how the rules could affect law firms: "That is to say, there might be 100 or 200 law firms in America whose secrets, if compromised, would in aggregation result in really significant economic harm. At the end of the day, it's not the law firm's secrets that are important, it's their clients."
• But he and others, like one security consultant, suggest that law firms are not the intended targets of the measure: "You can imagine hypotheticals, but I think in fairness, law firms are probably outside the zone of what the bill makers are actually contemplating. Probably lawyers are not life-sustaining, notwithstanding how important we think we are."

Law Firm Information Security: News, Opinions & Best Practices

Law firm information security and confidentiality management continues to make headlines and draw industry attention. Here are recent updates worth reviewing:

• Rupert Collins-White from the Legal Support Network starts things off with some bold opinions -- Why information security has now become a costly issue for law firms:
• "It's not like lawyers and the business services people who work in law firms don't realise the information they deal in is, usually, sensitive and commercially useful to others - they know this very well... There's another reason things go wrong, though it won't be a popular one for me to say - partners and senior associates. Some partners and senior lawyers, and they're not all older members of the profession, think they are somehow outside the normal rules of behaviour, both in terms of manners and actions." 
• Next comes a recent article in The Recorder -- 10 Steps to Minimize Cybercrime Exposure at Your Firm:
• "Recently, federal law enforcement officials have been quietly visiting major law firms to explain they may be vulnerable, which makes sense given the confidential nature of the data law firms store on their information technology systems... At this point, it's fair to say that firms that fail to implement thoughtful and appropriate cybersecurity measures may well be held to answer in the wake of a serious data breach incident."
• "Review and modify access rights. You, your HR department, and IT staff should take a hard look at access rights, and conform access to what's necessary as opposed to what's convenient... Your firm's document and information management system should compartmentalize sensitive data and records so that the number of partners, associates, and other employees with access is minimized to the extent possible. Pay special attention to the access rights granted to temporary and contract employees, as well as remote access rights. Finally, make sure you timely disable and purge old user accounts; experience has shown these can become external and internal threat vectors. User accounts should be disabled at the time of an employee's departure."
• Finally, an example of alleged security-related malfeasance -- Pa. Firm Sues Ex-Partner for Allegedly Using Dropbox to Access Client Files:
• "Elliott Greenleaf said that prior to Balaban leaving the firm, he and others deleted 5 percent of the firm's backup tapes for Harrisburg client files, took 78,000 files from the firm's computer system, and installed 'Dropbox' software that enabled Balaban continued access to Elliott Greenleaf's computer network through remote access, according to the complaint filed by name partner John M. Elliott."

Risk News: Law Firm Insurance Trends, Ethics and Disqualification Updates

The Wall Street Journal published an interesting update on law firm insurance and malpractice trends: "The Wrong End of Lawsuits: Firms Say They Increasingly Are Targets of Litigation by Clients, Ex-Partners." The article reviews several high profile malpractice cases making news (such as an $83 million lawsuit against Ropes and Gray) and digs into several identified insurance-related themes and trends:

• "Law firms are loading up on insurance against expensive liability claims as they increasingly find themselves on the wrong end of lawsuits."
• "Some clients are even using the threat of litigation as a way to negotiate their bills."
• "And because big law firms carry more insurance than smaller firms, the big practices are particularly attractive targets for litigation."
• "Insurance brokers say many law firms have expanded their coverage to guard against claims from former employees or disgruntled partners and are looking to shield firm leaders from suits over management decisions, such as whether to merge with other practices."

The Wall Street Journal published an interesting update on law firm insurance and malpractice trends: "The Wrong End of Lawsuits: Firms Say They Increasingly Are Targets of Litigation by Clients, Ex-Partners." The article reviews several high profile malpractice cases making news (such as an $83 million lawsuit against Ropes and Gray) and digs into several identified insurance-related themes and trends:

---

"Am I My Brother's Keeper?" -- BNA writes: "Law Partners and Managers Must Be Active Overseers of Colleagues' Conduct," a recent published updates to the ABA/BNA Lawyers' Manual on Professional Conduct:

• "Model Rule 5.1, which covers partners and managers in all types of law practices, requires supervisory lawyers to take affirmative measures to prevent and detect unethical conduct by lawyers in their firm, office, or agency. Those who own and manage law practices are expected to construct and maintain a framework to make sure that other lawyers in the firm toe the ethical line."
• "Model Rule 5.2 makes clear that subordinate lawyers who act unethically aren't off the hook merely because they followed a supervisor's instructions. Attorneys working under the supervision of other lawyers are charged with learning the rules and laws that govern their conduct; they cannot blindly rely on instructions from those above them who push the boundaries of professional conduct."
• "Law firms must set up and maintain internal policies and procedures to prevent and detect unethical conduct, including measures designed to spot and resolve conflicts of interest, to foreclose and uncover fraudulent billing and improper dealings with client funds, and to identify key deadlines in pending matters and verify they are met. Firms also must have policies and practices ensuring that lawyers receive appropriate training, supervision, and support needed to carry out their work. Model Rule 5.1 cmt. [2]; Restatement §11 cmt. g."

---

Finally, in keeping with the legal ethics theme, and, arguable from the lighter side, comes an update in developments in the disqualification motion in Wingate v. Celebrity Cruises, Ltd. The complete decision, filed February 8, is available online, but the following transcript snippet summarizes part of the drama involved:

• "THE COURT: I am not going to give this man a nickel if I already found, as I have, that in fact he obtained an unfair advantage by bribing an employee on the other side to let him know what the settlement value of the case was."

Information Security, Ethical Walls and Confidentiality Management -- Making the Business Case (Webinar)

This upcoming webinar will address the question: "How do you effectively make the business case for investing in information security and confidentiality management?"

Today a growing number of firms are using software to automate the enforcement of information barriers and access restrictions on confidential matters. Yet many firm risk and IT professionals find it challenging to educate others in the firm about the need for enhancing internal practices and controls.

At this event, speakers from three firms will explain the different approaches they took and offer advice you can put into practice at your firm:

• Mia Jiganti, Director of Risk Management, Dykema Gossett
• Gavin Gray, CIO, Perkins Coie
• Eric Carpenter, Information Systems Director, Rothgerber Johnson & Lyons

Date: Thursday, February 23
Time: 9 am Pacific / 12 pm Eastern / 5 pm GMT

The session, moderated by Pat Archbold, head of IntApp's risk practice group, and will include time for live Q&A. Attendance is by invitation only. For more information, please contact: webinars@intapp.com.

Law Firm Conflict Allegation Rejected: Google Not "Feeling Lucky"

This update for a story we noted earlier today about Google's attempt to disqualify former counsel: "Google Loses Bid to Disqualify Lawyers Suing Android Partners."

• The ITC ruled that “Google offers no evidence regarding how Google’s business interests will be harmed through this litigation... I find that the actions taken by Pepper Hamilton serve as a reasonable precaution to keep the confidential information of Google and Digitude separate."
• "Pepper Hamilton has pledged not to question any Google witnesses and it’s set up an 'ethical screen' to keep lawyers who are working on behalf of Digitude in Washington and Boston from accessing confidential information related to Google’s patents."

Conflicts Management for Law Firms

Conflicts Checks, A Necessary Pain
Two partners from McKenna Long & Aldridge just published an excellent article about the necessary pain that is law firm conflicts management. They start with full and honest disclosure -- noting that conflicts ranks at the top of the least favorite lawyer pursuits, but remains an important nevertheless:

• "Other than billing, there is virtually nothing that lawyers dread more than checking, responding to, and resolving potential conflicts of interest…Legal newspapers are replete with articles about motions to disqualify, bar complaints, and legal malpractice claims based on an unidentified or unresolved conflict of interest."

They go on the review different types of conflicts and key considerations for prudent processes to identify, analyze and resolve potential conflicts. Importantly, they note that conflicts management software can help the process, but isn’t a substitute for human intervention and wisdom:

• "Computers make conflicts screening much easier. But, computers are no substitute in the final conflicts analysis for involving lawyers in the process. Effective conflicts procedures involve both. The key is to make sure that both are looking for the right things."

---

Googling a Potential Conflict -- Can You Hear Me Now?
“Google is sparring with a law firm it's been using since 2008 after discovering that lawyers there began representing a patent-licensing business that sued the company's Android partners last month.”

• Google submits that the firm in question represented it 50 patent applications, including 12 specifically related to Android and argues in a filing with the ITC that: "…Pepper Hamilton is accusing its own client of infringement… Pepper Hamilton should not be allowed to continue alleging infringement against the products and interests of its current client."

Another Law Firm Hacked – Gigabytes of Email Capture & Published

More news in keeping with this week’s theme of the importance of law firm information security management – Yesterday we focused on the FBI’s warning concerning the very real threat of law firm hacking.

Now comes another example: "The announcement states that Anonymous stole 2.6 gigabytes of e-mail belonging to Puckett Faraj, a law firm that represents Staff Sgt. Frank Wuterich, who is accused of leading the group of Marines in Haditha." (As reported by Time and other news sources, this 2005 raid resulted in the deaths of 24 unarmed Iraqi civilians.)

The Haditha incident was recently in the news as Wuterich was convicted of negligent dereliction of duty on January 24. The cases against six other defendants were dropped, and the seventh was found not guilty.

The emails are said to contain: "…detailed records, transcripts, testimony, trial evidence and legal defence donation records pertaining to not only Frank Wuterich but also many other marines they have represented."

Equally troubling for the law firm, the emails included personal lawyer correspondence relating to other matters. Finally, the hackers and supporters are reported to be publishing the email trove online in a searchable form.

The US Naval Instituted called out and commented on this incident as another reminder to treat sensitive electronic information carefully.

Information Risk Threats: Law Firms Increasingly Targeted by Hackers

Following yesterday's update about the growing adoption of ISO 27001 information security standard by law firms comes renewed news about external attacks on firms: "China-Based Hackers Target Law Firms to Grab Secret Deal Data."

The issue is serious, the FBI convened a meeting of the top 200 firms a few months ago. As the head of the FBI’s New York cyber division summed up the threat: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry."

She noted that of the firms in attendance: "Some were really well prepared; others didn’t know what we were talking about," and that firm culture and related factors make law firms a "soft" target for attackers.

The article mentions several law firm hacking incidents:

• "...the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board..."
• "In one recent case, a corporation was negotiating to open a major plant in China when the law firm helping with the deal was hacked…"
• "Similarities between the Canadian attack and other recent intrusions at U.S. law firms suggest that cyberattacks on attorneys are now part of the hacking playbook for gathering sensitive information on corporate clients…"

Given these threats, it’s no reason why many firms are seeing more stringent client mandates about how sensitive information is stored, accesses and protected:

• "'If clients start thinking they can’t give private information to their lawyers because it might get out, it’s a huge problem for the profession,' said Richard Goldberg, a former software programmer and lawyer in Washington involved in the data security issue. 'The whole system will start to fail.'"

Risk and Compliance as Competitive Advantage: A&O Highlights New ISO 27001 Certification

Last week, Allen & Overy made a very public announcement that it has received ISO 27001 certification in the US for its confidentiality management practices. What’s fascinating is the firm’s aggressive use of certification as a competitive differentiator:

• "[Our] firm stays ahead of competitors on information security with prestigious certification…"
• CIO Gareth Ash adds: "We are leading the pack on information security. This certification provides real business benefits when working with our clients and future clients, especially within the financial industry."

With clients issuing stricter guidelines, asking tougher questions on RFPs, and even commissioning audits of their law firms, it’s easy to understand why a firm would emphasize its capabilities and advantage.

Allen & Overy selected IntApp Wall Builder in 2010 to support its internal confidentiality efforts. Speaking at the time, the firm’s head of risk and compliance noted:

• "We made a strategic decision to adopt technology controls to help us manage information barrier and wider client confidentiality issues and in particular to enhance our ability to monitor and audit compliance. We selected Wall Builder because it's a mature product that has been widely adopted by law firms, and because IntApp possesses the necessary expertise and could demonstrate success working with large, global firms to address information barrier and client confidentiality requirements."

Commenting on the recent ISO announcement, Pat Archbold, head of IntApp’s risk practice group, writes: "We’re seeing continuing law firm interest in ISO 27001 and have developed solutions that enable law firms to accelerate their compliance certification efforts. I happy to share more detail with readers who’d like to get in touch directly at: Pat.Archbold@intapp.com."

Terminated Lawyers Level Law Firm Conflicts and Ethics Accusations

Careful Calling “Conflicts”
The U.S. District Court for the Western District of Kentucky just ruled that a lawyer cannot sue for being terminated after failing to take part in a referral arrangement he believed created a conflict of interest under state ethics rules: “He contended that a quid-pro-quo referral arrangement existed between the law firm and Kentucky Spine and Rehab, creating a conflict of interest under Kentucky ethics rules. The firm terminated his employment because he refused to participate in the referral scheme, the plaintiff asserted. For purposes of the law firm's motion to dismiss, the court took the facts alleged in the complaint at face value. Even so, Heyburn concluded that the complaint did not state a viable claim against the firm under Kentucky law.”


Lawyer Claims Firm Encouraged Fraud with 3000-Hour Billable Quota, as reported in the ABA Journal. Commenting on the article, one contribute suggests that: “Billing 3,000 hours should trigger an ethics investigation. More than 3,500 hours should trigger an ethics investigation with a rebuttable presumption of guilt. Trouble is, you’re billing multiple clients, so no individual client knows to complain. The only person who sees the high numbers is the boss…” [Clearly, there’s an opportunity for added controls to mitigate this risk, either triggered by manual review or automated technology.]

UK Risk News and Updates

• UK-based Legal Risk LLP has published its latest newsletter, which contains updates on Alternative Business Structures, Outcomes-focused regulation, Anti-money laundering compliance, and Professional indemnity insurance.
• International firms offered global entity regulation – “The Solicitors Regulation Authority (SRA) is proposing to sweep away the old system of registering foreign offices of global firms and to replace it with a single international ‘passport to practice’… Under the proposals, international law firms will have greater flexibility to operate in any form that is allowed in other countries. They will also be able to bring into their partnerships lawyers from key emerging markets.” [via MP Magazine]

Law Firm Engagement Letters in the News...

“A Clearly Drafted Engagement Letter Can Limit the Scope of Attorney's Duties” – according to the U.S. District Court for the Eastern District of Louisiana, as reported by Hinshaw & Culbertson: "the firm’s clearly drafted engagement letter successfully provided a defense to the client’s allegations that the firm did not provide adequate legal representation."

A bit more colorful analysis is provided by legal news rag Above the Law, which offers specific advice:

• “Retainer Agreement, engagement letter, whatever you want to call them. Have one. Just don’t make it a bunch of much-too-long, written “understandings” of too many things that the client isn’t absorbing at the initial consultation. These documents are not tools to attempt to impress the client with your ability to expand on: “You are going to pay me this, and I am going to do this, and I’m not paying for this, and if anything else comes up, we’ll talk about a separate retainer/fee/cost, and I’m not guaranteeing anything or giving you money back, and we have no other agreements, so sign here.”

Law Firm Conflicts and Controversy

Megaupload, Megacontroversy, Megaconflict?
Hogan Lovells partner withdraws from representation of Megaupload in its recent legal troubles. The organization is currently defending itself against accusations that it built an elaborate system designed to encourage online copyright infringement: “Robert Bennett was required to withdraw from the case because of a conflict involving at least one other client of his law firm, Hogan Lovells, this person told Reuters. The other client or clients were not identified.” Interestingly, Bennett represented Megaupload in other matters, so this may be a base both of “business” as well as ethical conflicts. [See American Lawyer story for additional detail.]

Risk When Law Firms and Politicians Mix
An interesting article exploring the relationship between one firm and Wisconsin’s Republican leadership: “In December news broke that Wisconsin Supreme Court Justice Michael Gableman, a well-known conservative, had received about $100,000 worth of free legal services from a Michael Best & Friedrich attorney. The revelation created a controversy because the Supreme Court presides over cases argued by Michael Best & Friedrich. Accepting free services from the firm could be considered a conflict of interest.” [The judge in question denies a conflict of interest and will not recuse himself.]

Data Privacy News and Updates

Firms that store and manage sensitive client information should take heed of recent privacy developments and news:

• New California Data Privacy Law Now In Effect -- "SB 24 strengthens and standardizes the notification requirements when someone’s personal information has been hacked into, stolen, or lost. The bill also requires state agencies, businesses and others to notify the Attorney General if more than 500 Californians are affected by a data breach."
• Privacy Enforcement Actions Set to Increase in 2012? -- "There's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them."
• A pertinent example: UCLA Hospitals Sued Over Patient Data Breach -- "The suit, filed as a proposed class action on Dec. 14, alleges that by not protecting its patients' confidential information, the hospital system violated California's Confidentiality of Medical Information Act. The law allows each patient to recover $1,000 in statutory damages per occurrence." In this case, a former physician had sensitive information on his home computer, which was stolen by burglars. (Could this happen to a lawyer?)

Lateral Movement, Client Poaching and Staff Screening

 

• Laterals Be Careful? -- Lawyer May Be Liable to Former Firm in Tort For Improper Efforts to Recruit Firm's Clients -- "The U.S. District Court for the Eastern District of Pennsylvania Dec. 22 granted a law firm's motion for a preliminary injunction against a lawyer who tried to recruit many of the law firm's clients after she was fired (Feldman & Pinto PC v. Seithel, E.D. Pa., No. 11-5400, 12/22/11)."
• Avoiding disqualification on matters due to non-lawyer firm changes -- Bill Freivogel published an excellent article on "what screens law firms should put in place to avoid problems with non-lawyers." The essay compares and contrasts US and Canadian standards, explores when unilateral lateral screening is permitted vs. when waivers are required, and provides a case study example. He also presents a list of the five minimum characteristics of an effective staff screen, including policy construction, notification, information access control and compliance documentation. [Update: h/t to Legal Ethics Forum for suggesting LA County Ethics Opinion 524 as a relevant related read.]

Alternative Business Structure Applications Live in the UK (ABA Says: "Not So Much")

• First ABS wannabes begin SRA application process -- "More than 10 prospective alternative business structures (ABSs) completed the first stage of the Solicitors Regulation Authority’s (SRA) application process on the first day, the authority has revealed." As explored in greater detail in the article, Law Society President John Wotton argues that ABS licensing provides England and Wales with a competitive global advantage for legal services.
• ABA Panel Says No to Outside Law Firm Ownership -- "An American Bar Association commission is considering recommending that nonlawyers be allowed to take an equity stake in law firms for which they work while urging that an existing ban be maintained on the kind of outside investment in U.S. firms that is now possible in the United Kingdom and Australia."

Law Firm Rules & Regulations (News & Fighting)

• ABA and European Law Societies Fight New Efforts to Regulate Legal Industry -- Stemming from the debt crisis, new attempts at external law firm regulation threaten "...one of the core principles of the legal profession: regulation independent from the executive branch of the state," the industry argues, noting that a "guarantee of independence" is "fundamental to the profession."
• Washington DC ethics opinion 361 allows referrals to non-lawyer service providers -- “…such as a financial services firm may accept compensation from the provider for the referral so long as the criteria of Rule 1.7(c) and, if applicable, Rules 1.8(a) and 5.7 are satisfied. Those criteria are exacting, however, and the arrangement may be beyond the lawyer’s malpractice coverage even if permitted by the Rules.”
• Utah Bar Says Using Student's Lexis/Westlaw Access for Firm Work is Unethical -- "The Utah Legal Ethics Advisory Committee considered whether an attorney who encouraged a student to breach her agreement by doing firm-related research had committed an ethical violation. The Committee answered in the affirmative finding that an attorney's misuse of a student's educational Wexis access is theft of services, a potential felony."

2012: New Year, New (and Old) Risks

A few interesting updates as we kick off the new year:

• The ABA Commission on Ethics 20/20, the body charged with reviewing and recommending changes to the Model Rules, recently issued a Summary of Actions, writing: "For two years, we listened to all elements of the profession as well  as clients, consumer groups and businesses that support, sell to, and report on the profession.  Our proposals respond to what we have heard and are intended to address the following developments…"
• From the frequently linked and hat-tipped Legal Ethics Forum -- John Steele published his "Top Ten Legal Ethics Stories of 2011." It’s excellent reading.

Law Firm Insider Trading Risk Management: Webinar Recording Now Available

Content from our November webinar on managing insider trading risk at law firms is now online, for those who missed the live session:

1. Managing Insider Trading Risk -- Thanks again to our panelists. We welcomed another large group (100+ attendees) who heard speakers from SNR Denton (Adam Hanson), Baker & McKenzie (Dan Surowiec), and Hogan Lovells (Jeff Lolley).

Those who registered but were not able to attend these events should have received a link to the video recordings via email. Others interested in these sessions can view them online: [Law Firm Risk Management Webinars].

Report from Kansas City Risk Roundtable Session Hosted at Lathrop & Gage

We hosted a Risk Roundtable last week in Kansas City. Thanks again to Lathrop & Gage for hosting. Brian Lynch sent his customary summary of the day:

• Dan – I'm pleased to report back from our ISO 27001 Risk Roundtable discussion in Kansas City. Lathrop & Gage hosted our session, where we had a chance to check in with KC-based firms and their respective approaches to implementing ISO-friendly security programs. It was a lively discussion, where we had a chance to evaluate the benefits and costs of pursuing ISO certification.
• As one of our attendees put it, creating a standard information security management system - e.g. ISO - is an inevitability. It's a difficult process for clients and law firms to work through the audit process. Managing audits seems to be something clients increasingly want, and firms are getting more comfortable addressing. But many are looking for a shorthand method to show that they meet a certain level of differentiated confidentiality management. This promises a quicker path to providing clients with peace of mind and enabling firms to address their obligations as they work across jurisdictions.
• Several attendees commented on the role IntApp Wall Builder plays at their firm in managing confidentiality enforcement as part of their security programs. They're mapping the technology to the requirements and processes ISO 27001 defines to ensure consistent compliance.
• Many thanks again to Sean Power @ Lathrop & Gage for providing the forum for an intellectually stimulating discussion.

This session concludes the 2011 Fall/Winter Risk Roundtable series (we promise this time). Plans are underway for future events in 2012. Watch this space for more details. (And if you'd like to host a Risk Roundtable in your neck of the woods, please get in touch: dan@riskroundtable.com.)

With Swift Ethical Screen, Quinn Emanuel Survives Disqualification from $10 Billion Lawsuit

We first highlighted this case in October, when a Bank of America moved to disqualify Quinn Emanuel, counsel for AIG in a $10 billion lawsuit because of alleged conflicts stemming from the move of  lateral partner. [h/t to Bill Frievogel for noting the recent update.]

The lawyer worked 5.8 hours on the matter at Quinn, starting in July, 2011, before Quinn became aware of the potential conflict after opposing counsel wrote them in September. Quinn argued that the matters were unrelated, that no sharing of confidential information had taken place and that the firm erected an ethical screen immediately upon discovering the situation.

Given the stakes, in order to avoid the impression or potential of future disclosure, the lawyer voluntarily left the firm in October, 2011.

When the motion was first filed, a legal ethics expert agreed the situation would likely not warrant disqualification, but opined that “…it could prove 'problematic' if presiding judge Barbara Jones decided Becker was not screened fast enough, but that an effective screen could address this issue.”

Last week, the judge agreed that disqualification was unwarranted [see: American Int'l Group, Inc. v. Bank of Am. Corp., 11 Civ. 6212 (BSJ) (S.D.N.Y. Dec. 6, 2011)]

• The decision noted that: “…screens erected immediately upon discovery of the conflict weigh against disqualification.”
• However: “Quinn’s screening procedure was imperfect, without question.”
• But she ruled that the firm successfully rebutted the presumption that confidences were shared. For one, the lawyer brought no client files to the new firm. Furthermore, three years had passed since the lawyer worked on the original matter. Quinn also conducted extensive interviews of all significantly involved members of the matter team, securing affidavits that no confidences were sought or received.
• Physical separation (the lawyer was based in London), the size of the firm (500+ lawyers) and the firm’s long client relationship also influenced the judge’s ruling.

This is yet another recent example where IT plays a critical role in disqualification defense. In this case, IT conducted an electronic audit of firm’s document system to support the firm’s arguments. (In this case, the audit showed the lawyer accessed two documents related to the matter. But that was insufficient to warrant disqualification, given the facts and factors in play in this case.)

Counsel for Bank of America in Multi-Billion Dollar Lawsuit Disqualified; Judge Cites “Porous and Ineffective” Ethical Wall

Today comes a significant update in Line Trust Corp. Ltd, et al. v. David Lichtenstein, et al, heard before the Supreme Court of the State of New York.

It appears that a lawyer who represented Bank of America while a partner at Kaye Scholer LLP made a lateral move to Willkie Farr & Gallagher LLP. The client moved with her.

But Willkie was representing allegedly adverse parties in the same matter. And shortly thereafter, the existing client moved to disqualify the firm from representing BofA, asking for discovery to see if matters had been tainted. In the process, the firm shared important information:

• In May of 2011, the firm’s IT department audited its electronic document management system and discovered that an associate had opened and printed a document they should not have in October, 2010. That associate was then removed from the matter at hand. (The court says: “perhaps negligently so.”)
• Expanded to include time recording data, the IT audit also showed that a legal assistant cite-checked a memo and viewed five documents related to the matter in 2009.

This case highlights the critical importance of effective confidentiality, screening notification and information security controls. In his order the judge called out that:

• “… Wilkie Farr has submitted insufficient proof that they erected adequate screening measures to prevent attorneys advising Bank of America from having access to (i) other Wilki Farr attorneys who worked for the Lichtenstein Defendants… If an ethical wall exists here at all, and it may not, it is porous and ineffective.”

The firm argued that these breaches were accidental, minor and taken out of context. But the damage was done. The judge took evidence of smoke to suggest a fire:

• “Willkie Farr submits time records to show that breaches of the wall were minimal. The time records are inadequate, as they cannot be expected to reflect the totality of breaches of the ethical wall.”

Recent Law Firm Conflicts, Disqualifications and Penalties

In Washington, D.C., Butzel Long Tighe Patton PLLC recently found itself facing harsh words from a judge, who stripped the firm of $72,000 in fees for failing to disclose a conflict. "...the judge slammed a partner, saying it was "inexcusable" he didn't show up for a fee application hearing." [via BLT. See the written decision.]

In Washington State, a firm was disqualified for giving legal advice to both sides in the same dispute. "Grant PUD law firm disqualified in Crescent Bar case" --

• "At the time, Aylward told Trautmann that there could be a conflict of interest, since his partner, David Sonn, occasionally did legal work for the PUD, but he added that he thought he could get a waiver."
• "But with the waiver issue still unresolved, Aylward proceeded to correspond with Trautmann over the following month, including giving what she believed was 'specific advice regarding strategy' that the condo owners could use in their argument against the PUD."

Partner Event: Ark Group Risk Management for Law Firms (December 6-7, London)

The Ark Group is hosting its annual "Risk Management for Law Firms" conference in London next week. Organizers have assembled a rich agenda and impressive roster of speakers who will address topics including:

• A first-hand account of how firms including Taylor Wessing, Freshfields, and Allen & Overy have tackled the challenges in operating under the new outcomes-focused regulation
• Clarity from the SRA, Law Society and Legal Ombudsman as they share their expectations for OFR, ABS and the claim trends for the coming year
• Tools to benchmark your firm against leading law firms' risk management strategies and ensure you stay out of trouble
• An understanding of the key changes and trends in claims over the past year and how these will affect your professional indemnity insurance renewal
• Learning opportunities to avoid the pointed end of regulation, with an overview of high-profile disciplinary matters and rogue partners
• A forum to consider all risks relating to outsourcing

Kaye Sycamore, IntApp Managing Director, will also be presenting a briefing on risk news and trends relating to confidentiality management, information barriers and information security issues affecting law firms, including a summary of recent Risk Roundtable events. She has invited UK-based firms interested in exploring these issues in greater detail to contact her directly.