Thursday, September 30, 2010

Law Firm Facing Government Fine for Data Breach

We've commented several times on growing data privacy and confidentiality management trends. (See recent posts on client and regulatory drivers: [1] [2] [3]). Now comes a story of a recent law firm breach and its potential impact: the UK law firm ACS:Law may be fined as much as £500,000 by the UK Information Commissioner’s Office in response to a recent data breach.

The firm had undertaken a programme of sending out letters to those allegedly sharing copyrighted material on the internet, asking individuals for £500 per infringement or threatening potential court action. According to the BBC, their system may have been inaccurate and their tactics inappropriate:
  • A BBC investigation in August found a number of people saying they were wrongly accused by ACS:Law of illegal file-sharing. UK consumer group Which? says it has also received a number of complaints. Many contest that IP addresses can be spoofed.
  • ACS:Law is under investigation by the Solicitors Regulation Authority over its role in sending letters to alleged pirates.
Recently, a confederation of internet activists attacked the law firm and "hacked" servers, revealing personal information that was not properly secured. As UK Information Commissioner Christopher Graham stated:
  • "The question we will be asking is how secure was this information and how it was so easily accessed from outside. We'll be asking about the adequacy of encryption, the firewall, the training of staff and why that information was so public facing."
This is a lesson for any law firm or organisation that holds information subject to data privacy rules: review your confidentiality management controls and practices.

Wednesday, September 29, 2010

Debate Continues Over Access to ABA Ethics Opinions

Following yesterday's discussion about the accessibility of ABA ethics opinions, what John Steele at the Legal Ethics Forum dubbed a "collateral fight" continues.

Several arguments support the notion that opinions that shape professional standards should be open and accessible:
  • "The ABA can’t be a leader in providing that guidance if its thinking on these issues is not freely available."
  • "True, the ABA opinions are not binding, but they're considered persuasive and many states rely on them. Moreover, whether or not I pay ABA dues is irrelevant because the ABA opinions affect all lawyers whether they are members or not."
  • "No one objects to copyrighting the various books and magazines that are published under ABA auspices. Those are all commentary in a way that ethics opinions are not. The entire rule-making, rule-interpretation exercise is based on the reality that the ABA is (and wants to be) a crucial element in lawyer self-regulation...I'm not very comfortable having the ABA assert a property interest in essential guidance to the law of professional responsibility."
Others counter that the financial wherewithal to produce these opinions, guidelines and resources needs to come from somewhere, and worry about a "free rider" problem:
  • "I get the idea that monetizing the Model Rules and opinions interpreting them seems almost offensive in light of their status as public law (or the source of same). But, that kind of turns the question on its head. The jurisdictions... have to some extent had a free ride whenever they adopt rules based on ABA models. Those models did not spring up without cost or effort."
  • "A very large number of lawyers do not belong to any voluntary bar association but they surely benefit from the contributions of those who do, especially from the work of those who contribute their time and professional expertise in the area of the law of lawyering and legal ethics. Please encourage colleagues who do not belong to the ABA or to their state or local bar associations to join."
  • "The argument presented by the 'free access' advocates seems to be primarily based on the notion that the ABA's ethics opinions are so persuasive that they constitute quasi-law... Not all quasi-law is freely available. As has been pointed out, the Restatements aren't generally available without cost, although they are widely quoted and relied upon by courts... The 'state code' argument is flawed. Most, if not all, states do make their laws available online and for free, sometimes in a user-friendly format and sometimes not. On the other hand, if you want that handy-dandy version that has the case annotations, legislative history, etc, you usually have to pay a pretty penny to Michie or somebody for that... All that having been said, the ABA's approach to copyright in this area is not free from justified criticism."
The most amusing exchange to date:
  • Contributor A: "The Tea Party comes to the legal profession: I am really angry because the ABA is such a big impersonal and expensive organization that wastes its time, money, and energy on things I don't care about or disagree with. But when it comes to ME, it should provide the services I want for free because I am special, deserving, and cheap."
  • Contributor B in response: "Wait...Has Stephen Colbert hijacked our listserv?!?"

Lateral Movement Trends and Law Firm Information Risk Management

The American Lawyer reports that several indicators point to record lateral movement among law firms. They point to their own "finger in the air" test, noting that the volume of firm-issued press releases announcing laterals has recently doubled, and to feedback from recruiters. (They also call out a trend long in the making, linking to quantitative analysis with data showing record significant movement in 2009 as well.)

Several factors are commonly cited for lateral movement: lawyers may act to maximize personal compensation (particularly as the end of the year nears), to find a more compatible work environment, or in response to pressures from firm management to "find a new home," in the case of poorer performers.

When lawyers leave or plan to leave firms, risk follows. One key risk is client information management and confidentiality. The Legal Ethics Forum just pointed out an interesting paper on the challenges of and common disputes tied to managing electronic client files: "Client Files and Digital Law Practices: Rethinking Old Concepts in an Era of Lawyer Mobility." Key excerpts:
  • "The digitization of client files and law firm intellectual property, however, severely tests the existing framework for defining the relative rights and interests of law firms, lawyers, and clients. Digital files reduce or eliminate some recurring problems with hard copy files. For example, the digital file may be duplicated easily and inexpensively, thereby eliminating disputes over hard copy materials that arise when material is voluminous and can only be duplicated at substantial expense. The ease of digital duplication, however, renders client files and firm intellectual property highly portable, and facilitates the movement of lawyers from firm to firm. The portability of digital files poses significant challenges to firms attempting to mitigate the effects of lawyer mobility."
  • "To complicate matters, firm intellectual property may exist both within and outside client files, thereby creating three competing interests in the same collection of data (i.e., the client, the client’s lawyer, and the owner of any intellectual property). That a law firm may have intellectual property rights is without question, but in the absence of clear agreements between the affected parties, the nature of these rights is murky, and success in denying departing lawyers access to and use of information in which the firm may have proprietary rights is spotty at best."
For additional discussion on information risk management tied to lateral attorney movement, see a previous post and article linked within on law firm data leakage risks. See also a series of webinars on how firms are using technology to identify abnormal access and treatment of internal information that may flag impending lateral movement.

Tuesday, September 28, 2010

More Discussions about Accessibility of Ethics Opinions

Several months ago, the ABA Ethics 20/20 mailing list touched on the issue of challenges to accessing various state bar ethics opinions. Today, this issue arose again regarding accessibility of the ABA's own published opinions.

The debate began when the ABA circulated a new opinion (10-457) on lawyers' use of web sites to the list via PDF. A member noted that they were surprised by the opinion and hadn't seen it mentioned in any other forum, including the ABA's own web site.
  • In response, one list member re-posted the opinion on his own web site. But the ABA informed this individual that the content was copyrighted and the repost was not authorized and asked that it be removed, noting that it would instead be posted on the ABA's web site tomorrow.
  • The discussion then took a heated turn, culminating in a lengthy and critical post on the blog by Carolyn Elefant: "Lawyers Want to Be Good, So Why Does the ABA Make It So Darn Hard?" -- The author charged: "By cloaking its ethics opinions in opaque copyright wrappings, the ABA is impeding lawyers from complying with our ethics obligations and stymying discourse and debate over appropriate ethics standards for our profession as we move at the speed of light through the twenty-first century."
Response to this article and argument was mixed, both pro and con:
  • One contributor noted that as a non-profit organization the ABA relies on sources of financial income such as access subscriptions/paywalls to cover the costs of creating and distributing these opinions in the first place, and that other organizations follow what could be labeled even more restrictive practices: "If the ABA should publicly post, should the ALI publicly post its Restatements? Should BNA publicly post the Lawyer's Manual?"
  • Another commenter supported the free and open access position: "Of all the things to shroud in secrecy, these opinions are the last things that should be...I hope the Powers That Be listen."
  • Another voice added: "Like it or not, by voluntarily undertaking to issue ethics opinions, the ABA has placed itself in a "law-giving" role (yes, we all know that ABA opinions are not binding in any jurisdiction); as such, I believe that it has a duty to make all of its ethics opinions freely available."

Conflict Disqualifies Law Firm from $1 Billion Case

Following last week's roundup of recent law firm conflicts and ethical screening snafus in the news, Winston & Strawn has just been disqualified from defending Pfizer in a $1 billion lawsuit connected with the drug Celebrex. As reported by the National Law Journal, a Winston partner previously represented Brigham Young University, which brought a patent suit against Pfizer:
  • "The magistrate judge found that Schaerr's relationship with the school created a conflict that infected the rest of Winston & Strawn. That firm, she said, appeared to 'abandon' BYU in favor of a more lucrative matter."
Interestingly, both Winston & Strawn and Sidley Austin, where the partner in question previously worked, represented BYU, and both had obtained advance waivers regarding clients adverse to the university. But a dispute arose over the wording of the Winston waiver, which implied only parties represented by the firm at the time it was executed were covered. (The firm subsequently took on Pfizer as a client.)

Furthermore, rather than being screened, the conflicted partner became directly involved in the Pfizer matter, in ways that created problems for both his previous client and the court:
  • "Schaerr offered to help broker a settlement between BYU and Pfizer by acting as a 'go between' to bring the parties to the table... Soon after the phone call, Schaerr sent an e-mail to Orme saying that he regretted 'the difficult position' his firm's 'potential involvement' in the Pfizer litigation had created for the school. 'Yet I also have a fiduciary duty to my partners, and (especially in turbulent economic times) a moral duty to our employees, not to stand in the way, unnecessarily, of new opportunities that come to other partners,' he added. Wells wrote that she found Schaerr's attitude 'troubling': 'In essence, it appears that Mr. Schaerr is willing to leave his loyalty for a current client behind if a more lucrative offer comes along.'"

Thursday, September 23, 2010

Risk News Roundup : Conflicts, Ethical Walls & More

  • Here's another story about a firm disqualified due to failing to erect a timely and effective ethical screen. Interestingly, this case follows a recent Texas decision regarding the need to screen paralegals. In another Texas case, the State Supreme Court disqualified a plaintiff for not properly screening a paralegal who formerly worked for the defendant. The paralegal signed a confidentiality agreement and pledge not to work on matters related to her previous employer, yet ended up doing so regardless. The Court ruled that the firm "did not take reasonable steps to shield the assistant from working on the Leal case and that she actually worked on the case at her employer’s directive."
  • No law firm wants to find itself representing both sides in the same case. But one AmLaw 100 firm has just been disqualified for attempting to do just this: "Southern District of New York Judge William Pauley said that a 'clear conflict of interest' exists where one Sonnenschein attorney represents former BDO Seidman partner and now cooperator Adrian Dicker and another represents former BDO Seidman CEO Denis Field."
  • For a little more conflicts and disqualification intrigue, see this story: "A federal judge has refused to disqualify on conflict of interest grounds a defense attorney with deep ties to the Gambino organized crime family."
  • A federal appeals court affirmed a ruling that Blank Rome was appropriately disqualified from a matter for representing a company that was adverse to a subsidiary of another client: "In a ruling in which the 2nd Circuit addresses for the first time whether a law firm infringed on its duty of loyalty by taking on a representation adverse to a client's corporate affiliate, the circuit affirmed a decision by Southern District Judge Jed S. Rakoff, who found that Blank Rome's engagement letter had not given it broad authority to accept a case adverse to a Johnson & Johnson affiliate's interest."
  • Finally, ALI/ABA is hosting a timely audio webcast on this very topic: "Brave New World: Ethical Screens and Conflicts of Interest." The session will explore how ethical screens can be used to address conflicts scenarios and the requirements necessary for screens to be judged effective. (For past discussion of this topic, see also: Managing Information Risk with Lateral Hires and Lawyer Departures.)

Tuesday, September 21, 2010

ABA Ethics 20/20 Commission Hearing on Confidentiality Standards

The ABA Ethics 20/20 Commission is holding a public hearing on "Client Confidentiality and Lawyers’ Use of Technology," to collect input as part of its ongoing efforts to identify changes that may require updates to industry professional rules and standards. In its call for comment and participation, the committee noted that changing business practices, technologies and expectations all place increasing attention on this issue:
  • "One of the Commission’s objectives is to determine what guidance to offer to lawyers who want to ensure that their use of technology complies with their ethical obligations to protect clients’ confidential information."
  • "Lawyers must take reasonable precautions to ensure that their clients’ confidential information remains secure. When data was strictly in hard copy form, lawyers could easily discern how to satisfy their professional obligations and did not need elaborate ethical guidance. Now that data is predominantly in electronic form, however, the necessary precautions are more difficult to identify. One of the Commission’s goals is to identify the precautions that are either ethically necessary or professionally advisable."
The hearing will take place on October 14th, in Chicago.

Monday, September 20, 2010

Risk Event Report: Hildebrandt/Hinshaw Annual Law Firm General Counsels' Forum

Last week, The Hildebrandt Institute and Hinshaw & Culbertson hosted the 9th Annual Law Firm General Counsels' Forum. This event targets law firm risk professionals and examines hot button risk issues of the day. While turnout was noticeably lighter compared to years past, content and discussion were excellent, as always. Speakers and panelists from a variety of firms, including Orrick Herrington & Sutcliffe, Dykema Gossett, Lindquist & Vennum and Duane Morris, explored a number of timely issues including:
  • Risks tied to technology, including social networking, process automation and confidentiality
  • HR risks and challenges, featuring a detailed examination of forced retirement and related issues tied to EEOC v. Kelley Drye.
  • and a Roundtable discussion entitled "What Keeps You Up at Night?" (See PDF summary.)
Other sessions of note include an update on Responding to Key Trends in Law Firm Risk Management and Compliance. Pat Archbold from IntApp reviewed current confidentiality and data privacy developments across US, Canadian and UK jurisdictions, including recent case law and industry response trends.

Representatives from the ABA and Association of Corporate Counsel also provided an interesting update on the ABA Ethics 20/20 Commission, an initiative exploring how trends in technology and globalization may require changes to professional rules and standards. See also: A New Approach to Law Firm Regulation, an article distributed in the conference program. Other session handouts are available on the conference web site.

Thursday, September 16, 2010

Clients Increasingly Concerned about Law Firm Risk, Confidentiality and Compliance Practices

A reader sent an interesting document in response to the recent series of posts summarizing recent ILTA conference panels on law firm risk management (see: [1], [2], [3], [4]). One theme several sessions touched on was an increasing trend of corporate law departments promulgating significantly more stringent outside counsel guidelines, especially with regard to risk management, confidentiality enforcement and compliance tracking.

The reader linked to Bank of America's published Outside Counsel Procedures which highlight this trend quite nicely:
  • Law firms ultimately responsible for following all professional rules and statutory regulations: "Outside counsel must follow all statutory and regulatory provisions relating to privacy, confidentiality and nondisclosure of customer records, proprietary information of Bank of America, and other privileged or confidential information, including without limitation information or data protection laws and regulations... consistent with all codes of professional responsibility and applicable laws and regulations."
  • Audit rights to verify firm confidentiality and data privacy practices: "Bank of America reserves the right to review, test, and audit information and data protection plans and procedures of outside counsel and any third party in privity with outside counsel who accesses Bank of America confidential information."
  • Sensitive information must be transmitted securely: "Any law firm in possession of such information may only transmit it to or receive it from Bank of America via secure electronic means (i.e., encrypted e-mail)."
  • Confidential information can be shared internally only on a "need to know" basis: "In particular, the firm shall limit disclosure and access to customer and proprietary information to those members and staff of the firm who need to have such access to provide the services for which the information has been provided."
This last point is particularly noteworthy, given common practice for law firms to maintain open internal electronic information repositories, like document and records management software applications. Organizations must take special care to respond diligently to client requests, particularly when they conflict with common practice. Failure to do so creates significant risk in a world where clients are increasingly interested in conducting their own audits...

Tuesday, September 14, 2010

The Final Frontier -- Is Your Law Firm ITAR Compliant?

A reader pointed out an interesting news story published this week on the topic of space exploration, highlighting the challenges facing aerospace companies and their suppliers working under US ITAR regulations -- rules which may also affect your law firm.

ITAR, the International Traffic in Arms Regulations, is US law that specifies that information relating to defense and military technologies may only be accessed by US persons (citizens or permanent residents). Law firms providing services to clients subject to ITAR and related regulations must take special care to maintain and document compliance.

This includes ensuring that internal stakeholders not considered US persons are restricted from accessing sensitive information prepared for or provided by clients. Areas firms should consider include examining the extent to which IT personnel (or outsourced service providers) may be able to access this data, or the degree to which information may be unintentionally available to non-US lawyers or staff located in international offices.

To address these issues, several law firms turn to confidentiality management technology, such as information barrier automation and abnormal activity monitoring software, to meet their risk management and compliance tracking requirements. [Fellow space fans: see also this detailed paper arguing that ITAR and related rules are hampering commercial space tourism.]

Monday, September 13, 2010

ILTA Risk Session Report 4: Risk Management -- What's Hot, What's Not

Another ILTA risk panel, comprising Adam Hansen, director of information security at Sonnenschein, Nath & Rosenthal, and Gail Ballinger, firmwide business continuity administrator at O'Melveny & Myers, took a broad view of law firm risk management across multiple categories.

This group categorized risk by severity and explored several categories including strategic risk, firm structure and governance, business intake, human resources, financial and technology. The panel produced what are likely the densest slides delivered in any session at the conference and included their view of trends, priorities and response options for each risk category.

Friday, September 10, 2010

Update on Alternative Business Structures in the UK

This year we've tracked several updates regarding moves by various jurisdictions to allow alternative business structures. See posts: here and here for background on the UK's path to allowing non-lawyers to hold ownership stakes in law firms. These arrangements will likely create new opportunities, and new (and perhaps unexpected) risk and compliance challenges for law firms.

This week, the Solicitors Regulation Authority (SRA), which originally published ABS guidance in July 2009 and offers extensive resources on its web site, emphasized that it would not bow to pressure from law firms to let them enter into these arrangements prior to 6 October 2011, the previously authorized date on which new ABS rules and regulations will take effect.

Instead, the SRA reminded firms that they can still discuss, negotiate and design alternative business structures -- doing everything but putting them into effect or entering into binding agreements.

Thursday, September 9, 2010

ILTA Risk Session Report 3: Managing the Risks with Departing Lawyers

Another excellent ILTA panel addressed risk management issues tied to departing lawyers. Eric Carpenter, IT Director at Rothgerber Johnson & Lyons, Leigh Isaacs, firmwide director of records management at Orrick, Herrington & Sutcliffe, and Charlene Wacenske, firmwide director of records management at Morrison Foerster, provided a wealth of information on the topic to a mixed audience of technology and risk stakeholders.

Discussion was very practical, exploring specific processes, best practices and communication strategies for working across all of the firm departments impacted by and responsible for responding to lawyer departures. (These include: Records, IT, HR, Finance, Business Intake, Docketing, Marketing, Facilities and Risk Management teams.)

The session slides are available here, but the real value of this session lies in the excellent checklists and other resources the participants shared including:

Tuesday, September 7, 2010

ILTA Risk Session Report 2: Law Firm Information Risk Management

On the second day of the annual ILTA conference, the risk track hosted a session on information risk management entitled: "Finding Where the Squirrels Hide the Nuts [and How to Manage Them]." A panel comprising Jeffrey Franchetti, CIO of Cravath, Swaine & Moore, Pat Archbold, Head of the Risk Practice at IntApp, and Neil Araujo, CEO of Autonomy iManage dug into a variety of information management challenges facing law firms.

In the session, Jeff Franchetti described how his firm vested risk management responsibility with his IT organization, which oversees records and conflicts management. To ensure all voices are heard, and emerging challenges are addressed before problems arise, he created a risk management committee which brings together cross functional participants to review IT, business continuity, conflicts and document management risk issues and concerns.

At Cravath, an initiative to roll out enterprise search technology highlighted the need to understand and manage information security risks (i.e. "where the squirrels were hiding (and finding) nuts"). In this case, the firm understood that search tools would likely internally surface a great deal of sensitive firm and client information stored across multiple electronic information repositories. To address these issues before implementing the technology, Franchetti commissioned a team to perform a "detect and clean up" exercise, performing sensitive searches (e.g. "compensation" or "offer letter") and locking down documents that were improperly classified. In parallel, the firm adopted centralized confidentiality management software to automate confidentiality enforcement moving forward.

Pat Archbold from IntApp, provider of the confidentiality management software chosen by Cravath, described how his organization's technology integrates and works with a variety of enterprise search and document management tools to ensure that sensitive information is properly secured on an ongoing basis. The slides from this talk are available here.

Friday, September 3, 2010

ILTA Risk Session Report 1: The Changing Regulatory Landscape Facing Law Firms

ILTA, the International Legal Technology Association, held its annual conference last week. Over 1000 law firm technology, finance and risk professionals were on hand for several days of conference sessions, vendor demonstrations and spirited interaction. As expected, risk management and related sessions continue to garner significant attention, not only from risk stakeholders in attendance (loss prevention, conflicts, records and compliance staff) but also from technologists interested in better understanding and supporting law firm risk management efforts.

Early in the week, Beth Chiaiese and Jodi Malek, who run the loss prevention and compliance team at Foley & Lardner, delivered an excellent presentation on: "The Changing Regulatory Landscape and Its Effect on Law Firms." The session reviewed different sources for rules governing lawyer and law firm behavior (professional rules, case law and, increasingly, government regulation).

Significant attention was placed on data security, confidentiality and privacy regulations increasingly affecting law firms, especially those practicing across jurisdictional boundaries. Other topics of discussion included risks associated with social networking technology, lawyer licensure, UK anti-money laundering and Know Your Client requirements. The session concluded with an exploration of how firms can best organize to respond to the growing spectrum of risk and compliance issues they face. The slides from this talk are available here.