Wednesday, December 22, 2010

Data Breach: First Test of Massachusetts Data Privacy Law

While the FTC Red Flag Rules no longer apply to law firms, the Massachusetts data privacy law, enacted earlier this year remains in effect. News broke yesterday concerning the data loss. In this case, data on 1850 MA residents was exposed:
  • "The breach, which occurred in September, was discovered by a Twin America Web programmer in October and came to light when the company's attorney wrote letters to states' attorneys general disclosing the breach."
Recall, the new rules mandate disclosure and have been called "one of the toughest in the nation," applying to any individual or organization that: "...store[s], collect[s] or use[s] personal information, including name, social security, driver's license number or financial information on Massachusetts residents - regardless of whether those organizations are based in or have offices in the state."

This appears to be the first published incident of a data breach subject to the Massachusetts rules. And while the party in question is not a law firm, 2010 has shown that law firms are not immune to unexpected data breaches.

Raise the White Flag: FTC Red Flag Rules Officially Eliminated for Law Firms

Eliminating what some, including the ABA, felt were onerous and inappropriate information risk management and client intake requirements for law firms, President Obama just signed the Red Flag Program Clarification Act.
  • "The revised definition of “creditor” excludes creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  This exclusion addresses a widespread concern among stakeholders that the original FCRA definition improperly extended the Red Flags Rule’s scope to implicate entities not typically thought of as creditors, including law firms and health care providers."
These rules were developed to protect personal information held by creditors and would have put new confidentiality enforcement, tracking and compliance requirements on law firms, given the originally-broad definition of "creditor" and the FTC's interest in seeing them applied to organizations including law firms. With that, the court fight between the FTC and the ABA is concluded.

Tuesday, December 21, 2010

Risk Roundup: Disqualifications, Ethical Walls & More

Several interesting law firm risk developments, stories and articles to share. Several touch on recent disqualification news:
  • Fighting over toys: Mattel, Bratz and related legal wrangling -- In the high-stakes fight over the Bratz toy franchise, lawyers for Mattel (Quinn Emanuel) discovered that their opponents had hired a lateral from their own firm who worked on the matter: "...Quinn contends that MGA's latest law firm had committed "the cardinal sin" under disqualification case law by hiring a former Quinn Emanuel lawyer, Jill Basinger, who worked on Mattel matters--including the MGA case--while employed by Quinn. "No amount of spin and no ethical wall can change the fact that disqualification of Glaser Weil is required," Quinn wrote. Interesting to note that Quinn recently leveraged an ethical wall to defend another disqualification attempt last month.
  • Attempted disqualification of "avowed adversary" -- Akin Gump is working for parties allied with Tribune Company's Chapter 11 case. It's also representing a party opposing the proposed bankruptcy plan. The Tribune-friendly parties want Akin disqualified from representing an "avowed adversary." Akin argues its work does not rise the level meriting disqualification, and that it has an ethical wall in place to be safe: "Oaktree and Angelo Gordon want Akin Gump disqualified from working for Aurelius, which they label 'a notoriously litigious entity.' Akin Gump says that’s not necessary because its regulatory team and its Chapter 11 team are separated by an ethical wall, and the double-representation arrangement is one of long standing....According to Akin Gump, the firm’s work for Oaktree and Angelo Gordon on the one hand, and an occasionally hostile bondholder on the other, dates more than a year." Shortly after the motion was filed, a judge expressed hesitancy to rule on the matter: "Carey appeared reluctant at the hearing on Wednesday to approve change of counsel for Aurelius at this stage in such a 'complex Chapter 11 case.' Carey asked the warring parties to resolve their issues outside the courtroom so that Aurelius could keep Akin Gump as its counsel."
  • Corruption trial delayed due to disqualification -- In this case, the defendant's law firm was disqualified because it also represents the employer of a witness for the plaintiff. (This example is interesting as it presents what was likely non-obvious relationship between the law firm and a third party -- one that may not have even been possible to identify at the start of the representation.)
  • Derivative Claim in Dispute Between Owners May Require Independent Counsel -- A paper that looks at conflicts issues and triggers requiring engagement of new lawyers (New Jersey context): "In the closely held business the interests of the owners are more likely to be the same as the business.  Nonetheless, a derivative claim raises the thorny question of whether the entity must now engage independent counsel to represent the business itself."

Wednesday, December 8, 2010

Law Firm Insider Trading -- Alleged Violation by IT Manager at Richards, Layton & Finger

Several news sources are reporting on yet another allegation of insider trading originating at a law firm. This time the story centers on an IT manager at Richards, Layton & Finger, a firm comprising approximately 140 lawyers.

The SEC alleges that this individual worked with an external accomplice to engage in 22 trades based on inside information between June, 2009 and October, 2010, when he was terminated. The firm noted that:
  • "...all firm employees are required to acknowledge the firm’s confidentiality policy annually.  In addition, the firm requires that all stock trades by all employees be cleared before they are made.  The allegations of the complaint, if true, indicate knowing violation of these various policies."
However, it appears that in this instance policy was not sufficient to prevent the practices of this IT manager.

Interestingly, this individual was tasked with information security management, a role which "...gave him access to electronic and other files containing material non-public information." Which also raises the question of "who watches the watchers" in environments without suitable checks and balances enforcing information access restrictions and monitoring unusual activity.

Monday, December 6, 2010

2010 Law Firm Risk Survey Report Now Available

The 2010 Law Firm Risk Survey report is now available (North American edition). Survey participants and members receiving risk bulletin updates via the Risk Roundtable Initiative, can expect to receive copies shortly. Other parties interested in the report may contact info@riskroundtable.com for more information

The Law Firm Risk Survey focuses on firm risk management policies, practices and priorities. It examines specific issues including new business intake, attorney lateral hiring and departures, ethical walls management, confidentiality enforcement, internal education, and compliance tracking and verification. The published survey report provides quantitative summaries of overall group response data, as well as samplings of individual responses to questions seeking free-form comments.

Selection of Key Findings of the Survey Report:
  • Top law firm risk concerns include business intake, records management and confidentiality protection.
  • Clients continue to raise concerns about the steps firms take to ensure the confidentiality of sensitive business information.
  • Nearly 90% of firms have been asked by clients to restrict and track internal firm access to sensitive information via ethical walls and other confidentiality controls.
  • 70% of firms report taking on matters subject to confidentiality controls mandated by external regulations; firms identified the HITECH Act for personal health information, and state and international personal data privacy laws as regulations of greatest concern.
  • Nearly half of all firms have been audited or received requests for proof of compliance from a client or external agency.
  • In response to an expanding set of risk management challenges, organizations are increasing the number of internal stakeholders tasked with risk response and compliance.
  • Supporting this trend, more firms have designated formal budgets earmarked for risk management.
A similar exercise is underway in the UK, with a report expected early 2011.

Wednesday, December 1, 2010

ABA Committee Publishes Draft Discussion Doc on Domestic and International Outsourcing

The ABA Commission on Ethics 20/20 recently posted a draft discussion document on potential changes to Model Rules of Professional Conduct tied to domestic and international outsourcing. The document is the result of efforts undertaken by the Commission's Outsourcing Working Group.

The document is designed to frame ongoing discussions, not present final recommendations:
  • "The Draft does not constitute an endorsement or rejection of the practice of outsourcing by lawyers and law firms, but was drafted to recognize the growth of outsourcing practices and to suggest ways in which lawyers engaging in the practice can do so ethically and responsibly."
  • "...the Commission analyzed a significant volume of materials including, but not limited to, all available legal ethics opinions; news reports, scholarly articles, studies and surveys; testimony offered at the Commission’s public hearings; and comments received in response to questions that were specifically tailored to the experiences and concerns of clients, lawyers, law firms, and providers of outsourced services. "
Interested parties are encouraged to review the discussion document, background materials, and draft changes to Model Rules and submit comments are requested by January 31, 2011.