Saturday, February 27, 2010

Will the Red Flag Rules Rise Again for Law Firms?

As noted by the Blog of the Legal Times, and expected when a judge first put enforcement on hold for law firms last October, the FTC has filed an appeal, arguing that it does in fact have the authority to apply Red Flag Rules to law firms.

Red Flag Rules aim to protect personal information held by creditors and would put new confidentiality enforcement, tracking and compliance requirements on law firms.

The argument presently hinges on the definition of "creditor." The FTC argues that law firms qualify. The ABA argues that the legislation creating the Red Flag mandate never intended it to apply to law firms and the FTC is exceeding its reach. In October, a judge sided with the ABA. But this issue is far from settled...

Thursday, February 25, 2010

Who Will Own Your Law Firm? It May Not Be The Lawyers...

As reported by LegalWeek in the UK, the Legal Services Board, body responsible for overseeing the regulation of lawyers in England and Wales, has approved the launch of alternative business structures for law firms and set forth a timetable that could see new organizations in place by October 2011. This development is significant for the legal industry as these structures will enable non-lawyers to hold ownship stakes in law firms.

As an LSB official summarized: "The basic proposition of ‘Alternative Business Structures’ is to enable non-lawyers to own law firms, whilst guaranteeing that lawyers adhere to their professional principles (this is effected through a combination of detailed statutory requirements and strong regulation)." For those interested in the detailed history a 60-page discussion paper the Legal Services Board issued in 2009 detailed background information is available here, and the news release regarding the 2011 timetable is available here.

Australia is well ahead in this regard, with rule changes that have resulted in one law firm going public in 2007.

Interestingly, the US legal community explored modifying rules around firm ownership (ABA Model Rule 5.4) in 1999-2001, looking at Multidisciplinary Practices, but decided against significant changes. Interesting historical documentation outlining: the issues explored in that initiative, and dialogue that took place, including concerns about the implications of non-lawyer management on adherence to rules of professional conduct, including conflicts.

Tuesday, February 23, 2010

High-Stakes for Law Firms Subject to HITECH Act / HIPAA Rules

As mentioned previously, the HITECH Act of 2009 has taken effect. These rules extend HIPAA confidentiality and information protection rules to entities including law firms. Provisions of the new law include notification and public disclosure.

Yeseterday, one of our readers noted that the Health and Human Services Office of Civil Rights just created a web page to list data breaches. Any organization subject to the regulation that loses or exposes records must notify affected parties and, if more than 500 individuals are affected, publicly disclose the breach.

No law firm wants to see its name on this list.

Sunday, February 21, 2010

It's High Time for HITECH -- Is Your Law Firm Ready?

The provisions of the HITECH Act of 2009 went into effect on February 17, which means if your law firm holds personal health information covered by these rules, it's now subject to stricter confidentiality and compliance requirements.

The HITECH Act extends HIPAA confidentiality, monitoring and compliance tracking requirements to business associates receiving personal health information from covered entities. Under the terms of the law, associates include law firms who serve and receive information from entities including doctors, hospitals and insurance providers.

In the past, organizations may have been able to address confidentiality requirements by executing Business Associate Agreements that asserted adequate measures would be taken to protect health information. Now the stakes are higher. Under the HITECH Act, firm with relevant data must take more stringent and explicit measures to ensure compliance. This includes segregating, encrypting, and restricting and monitoring access to personal health information they store or manage.

Hogan and Hartson has developed some excellent educational material, including a webinar.

As noted in the article from Hogan, while regulators had promised to provide more detailed guidance for business associates, there are still areas of uncertainty and confusion. But what's not unclear is that firms must take steps to improve their confidentiality and compliance practices for covered information now in order to comply. It’s now the law.

Friday, February 19, 2010

Another Case of Law Firm Insider Trading...

[via]: Canadian regulators have issued an order prohibiting the IT team leader at Ogilvy Renault from acting in that capacity. It is alleged that this individual: "conducted transactions in the shares of 17 companies between April 2006 and November 2009 while in possession of privileged information that allowed him to obtain a profit of more than $520,000."

The regulators note that these charges are levelled at the individual, not the firm. Still, no firm wants to see its name associated with such activity, and organizations are increasingly extending their internal confidentiality and monitoring practices to minimize the risk of internal accident or malfeasance.

Risk blog readers will recall several examples of similar situations of law firm insider trading which came to light in late 2009.

Tuesday, February 16, 2010

Another Case of Lawyer Data Leakage & Client File Pilfering

(Hat tip to the Legal Ethics Forum.) Here's another case of a lawyer planning a lateral departure improperly removing client information in a bid to bring the client with him. The firm discovered this activity and eventually sued the departed attorney. As the decision notes:
  • "In the months leading up to his departure, Winters considered which of his assigned clients he wanted to try to take with him when he left the firm. During this time, Winters removed at least one client file from Mulholland's office and copied it before returning it. He kept other client files with him rather than leaving them at the office."
On a related note, the ABA Journal recently noted that it's not uncommon for firms to allow laid-off lawyers to retain limited access to firm email accounts.

No firm wants to find itself in the position of lawyers inappropriately removing client information. Some organizations are using technology tools to monitor abnormal lawyer document activity and providing early warnings by watching for unusual activity. This approach can give management early visibility so they can investigate and address any concerns before they become serious crises.

Thursday, February 11, 2010

Upcoming Event: Ninth Annual Legal Malpractice & Risk Management Conference

Always an excellent program, the Ninth Annual Legal Malpractice & Risk Management Conference is taking place March 3-5 in Chicago. Several panels will explore a variety of law firm insurance and risk management topics. Event sponsors include: APRL, Hinshaw & Culbertson, IntApp and InOutsource and Paragon. For more information, see the LMRM web site.

Tuesday, February 9, 2010

Joint Defense Can Create New Conflicts and Imputation Challenges

Hinshaw & Culbertson have posted another interesting risk article on how joint defense agreements may put firms at increased conflicts risk tied to non-client parties. They explain that information learned from non-clients in these scenarios could be imputed to the firm and raise conflicts issues on future matters, unless involved lawyers are adequately screened.

This example stemmed out of a matter before the DC Bar's Legal Ethics Committee. With regard to screening requirements:
  • "...the Committee opined that the new firm could represent a client against a joint defense member by timely and effectively screening the lawyer, thus effectively eliminating any appreciable risk of an adverse effect on the representation. Regarding the latter, the Committee noted that two factors complicate the imputation issue. First, the firm itself might be a party to the joint defense agreement, and second, given the possibility that other members of the firm came into contact with confidential information from the joint defense members, enacting a retroactive screen could be quite difficult. The Committee therefore concluded that the firm likely could not represent a client against a joint-defense member unless the firm and its other lawyers were not bound by the joint defense agreement, and the other lawyers were not exposed to any confidential information related to the joint defense agreement."
The Committee also suggested preventative internal screening when non-client parties become involved may be a prudent protective measure in avoiding future risk and disqualification.

February 2010 Meeting of Association of Professional Responsibility Lawyers (APRL)

APRL hosted one of its regular meetings last week in Orlando, Florida. The Ethical Quandry blog presented an excellent summary of discussions and topics covered:

Monday, February 1, 2010

Lack of Screening Leads to Disqualification posted a good article outlining a few examples of lateral hire conflicts and screening (or lack thereof) resulting in disqualification: "Will That New Associate Get You Disqualified?"

This issue continues to evolve and its interesting to see how different jurisdictions are facing the realities of lawyer mobility and the challenges that brings. (And, in some instances, how different courts within the same jurisdiction wrestle with the same.)