Wednesday, November 30, 2011

One More Thing: Bonus Risk Roundtable Meeting on ISO 27001 (Kansas City @ Lathrop & Gage)

We have a late entry into our Winter Risk Roundtable series. Based on member demand, we'll be hosting another session focused on ISO 27001 certification for law firms. Hosted in Kansas City by Lathrop & Gage, the presentation is scheduled for Wednesday, December 14th.

Over the past 18 months, corporations have increasingly mandated more stringent information security requirements for outside counsel. This often means more time spent responding to client requests and RFPs. Today several firms are leveraging the ISO 27001 standard as a strategic response.

Session Agenda:
  • Business Drivers - Why are law firms investing in ISO 27001?
  • Value - What is the true value and is it worth the effort?
  • Accreditation Process - What strategies are firms pursuing, is accreditation needed?
  • Lessons and Best Practices - What technical, business and other considerations can peer firms benefit from in their own thinking?
  • Information Risk Management Options - What tools are being deployed to respond to the new challenges?
Event attendance is by invitation only and is limited to qualified law firms and personnel. Please contact for more details.

Tuesday, November 22, 2011

Report from Canadian Risk Roundtable Session Hosted at Fasken Martineau

We hosted a Risk Roundtable last week in Toronto, Ontario. Many thanks to Fasken Martineau for hosting. Brian Lynch delivered a presentation updating attendees on current risk issues and trends, and moderated group discussion. He sent his customary summary of the day:
  • Dan – I'm happy to report that we finished up our Winter Risk Roundtable series with an excellent session in Toronto. Fasken Martineau was gracious to host a large group of attendees, including General Counsels from leading Canadian firms.
  • First we walked through some of the risk trends that IntApp is observing in the US and the UK, especially trend-setting markets like New York and London. We covered familiar ground with the rise of Outside Counsel Guidelines, recent initiatives within the ABA, and Alternative Business Structures in the UK. Client audits continue to capture group attention -- one of the attendees shared his experiences with on-site auditors.
  • Next, Mary Trudell, Director, Conflicts and Records Management at Fasken, shared success stories about her firm’s work to harmonize information governance processes. They’re using IntApp Wall Builder as a foundational technology, supplemented by efforts of her team working across Canadian provinces and in Paris, London and Johannesburg to provide timely and consistent service to the firm's lawyers.
  • Finally, Simon Chester of Heenan Blaikie walked us through the recent decisions of Wallace and Nova. There are certainly interesting implications for both cases, and the assembled group had plenty of questions and commentary. Many thanks to Simon for summarizing the facts and history, and helping us understand the broader context.
This session concludes the 2011 Fall/Winter Risk Roundtable series. Plans are underway for future events in 2012. Watch this space for more details. (And if you'd like to host a Risk Roundtable in your neck of the woods, please get in touch:

Thursday, November 17, 2011

Webinar: Managing Insider Risk at Law Firms (CLE Eligible)

We've had tremendous interest in our risk webinar series and are pleased to announce our latest session: Managing Insider Risk at Law Firms

Date: Tuesday, November 29
Time: 9 am Pacific / 12 pm Eastern / 5 pm BST

Description: In the past 18 months, surprising stories of lawyer and staff misuse of sensitive client information have dramatically raised the profile of this issue among law firms, clients, regulators and the media. [See previous blog updates: here, here, here and here.] In response, many firms are re-evaluating the policies and protections they have in place to mitigate insider risk.

This session is presented as part of the Risk Roundtable initiative and includes panelists from the Risk Roundtable Compliance Consortium, a working group focused on developing firm risk response guidelines:

Most firms have programs to educate lawyers and staff about their obligations not to act on inside or price-sensitive information. Yet in an environment where individuals generally have broad access to electronic repositories where sensitive information is stored, such as document management libraries, temptation may lurk. This is particularly true as new search tools make it even easier to locate sensitive materials (either accidentally or intentionally).

While most firms take steps to control risk by using matter "code words" and emphasizing the need to control document distribution, organizations are increasingly pursuing greater confidentiality protections and the ability to better demonstrate compliance if required to do so by clients or regulators.

In this session, panelists will review several methods for dealing with insider risk, including ways to:
  • Encourage professional responsibility
  • Prevent inadvertent access
  • Prevent unauthorized use
  • Track suspicious behavior
CLE Credit: Certificates will be provided to attendees upon request. (Attendees outside of California are responsible for confirming CLE reciprocity in their particular jurisdiction.)
Attendance: Attendance is by invitation only. Risk Roundtable members and qualified parties are invited to request more information by emailing:

Wednesday, November 16, 2011

Risk News & Updates: Lateral Hire Intake Checklist, Canadian and UK Lawyer Regulation

Authors at McKenna Long & Aldridge recently published "Ensure lateral moves are win-win," which reviews "questionnaires, conflicts checks and proper documentation [that] will help boost profitability, lower risk":
  • "Like all risk management issues, the most effective strategies involve systems. This means adopting practices, protocols and procedures that the law firm and its attorneys follow every time. Murphy's law applies in full force in lateral hiring. Inevitably, it is the one time that the law firm fails to follow the established rules that comes back to create the most difficult problems... Of course, it all sounds intimidating. But, it does not have to be so. The solution is an effective system with questionnaires, supplemental questionnaires, conflicts checks and a documented mutual understanding, which combine to do most of the work. Safer and more profitable—it is a winning combination."
University of Calgary law professor Alice Woolley opines on larger issues stemming from a recent disciplinary decision by the Law Society of British Columbia in "Lawyers Regulating Lawyers?" --
  • "The decision warrants comment, however, because the threat it creates to the legitimacy of lawyer self-regulation applies to all Canadian law societies. Specifically, the misdirection in regulatory energy reflected by the decision of the Law Society of British Columbia in this case is something to which all Canadian law societies have shown themselves to be susceptible. This comment is a plea to the law societies to think more carefully about the cases they pursue; to take more seriously conduct by lawyers that undermines the rule of law; and, to allow lawyers to hold each other to account in circumstances where there is a reasonable basis to allege misconduct, even if lawyers sometimes do so with 'incivility.'"
Interesting developments in the UK:
  • Law Society and SRA unveil deal to resolve longstanding governance wrangling -- "The Law Society and Solicitors Regulation Authority (SRA) have hammered out 'a permanent resolution' of their long-running internal governance issues, the pair announced yesterday."
  • SRA eyes expanded international reach by offering to regulate foreign firms -- "In addition, it may seek to regulate firms that are English and Welsh law firm partnerships but part of a larger Verein structure – where it would be expected to designate the SRA as the lead/home regulator of the English and Welsh part of the Verein... For foreign firms with subsidiary operations in England and Wales which contains solicitor partners and have the majority of their turnover and activity outside of England and Wales, they would either be subject to the SRA Handbook regime only in England and Wales, or be able to have the SRA as its lead/home regulator worldwide."
Finally, a thank you to readers who have taken our reader survey, and a friendly reminder for those with feedback to share to take a few minutes to participate: 2011 Risk Blog Reader Survey.

Tuesday, November 15, 2011

ISO 27001 for Law Firms: Report from Houston Risk Roundtable Hosted at Baker Botts

Last Friday we held a Risk Roundtable session in Houston, Texas. Many thanks to Baker Botts for hosting. The event focused on ISO 27001 for law firms. Brian Lynch moderated and sends his customary summary:
  • Dan – Greetings from the Great State of Texas! We had a very informative Risk Roundtable today at Baker Botts in Houston with our special guest, Andrew Rose, Principal Analyst, Security and Risk, from Forrester Research.
  • Andrew walked us through the ISO 27001 standard and how it applies to law firms. In response to growing client demands and increased regulatory obligations, law firms are finding themselves developing all sorts of security measures to accommodate a variety of requests. ISO 27001 certification has provided a reliable framework for a number of firms to respond effectively and provide security that clients have come to expect.
  • Bobby Tindel of Andrews & Kurth spoke to us about the robust processes and technologies that his firm has put in place over the past year and a half. One of the "sleeper risks" is a disgruntled employee turning whistle-blower over a minor violation.
  • The best approach is to close the loopholes and apply comprehensive and defensible security. Another participant pointed out the high standard established by the HIPAA/HITECH Act, and its increasingly frequent appearance. Clients are pushing firms to provide security levels comparable to their own, not to other law firms.
  • As always, it was a great opportunity for an engaged group of participants to connect and share risk management perspectives.
For more information about ISO 27001 for law firms, see our recent New York Roundtable summary.

Monday, November 14, 2011

Report from Atlanta Risk Roundtable Session Hosted at Ogletree Deakins

Last Thursday we held a Risk Roundtable session in Atlanta, Georgia. Many thanks to Ogletree Deakins for hosting. Brian Lynch delivered an update on current risk trends and issues, and moderated group discussion. Here's his summary:
  • Dan – Reporting from our latest Risk Roundtable in Atlanta. The group discussed legal trends, but also spent a good amount of time talking about the reality of client audits.
  • One firm reported that a banking client recently completed a security audit of their security processes. The client is spending time with multiple law firms to establish a baseline that they can all follow.
  • Dan Drake of Ogletree shared with the group some of their current challenges with consumerization of law firm technology. iPads, iPhones, Android-based technologies, and other non-standard alternatives have found their way into many law firms, and they have brought security risks with them.
  • Many firms have "solved the hacker problem" with standardized firewall software, they have effectively locked down access internally with products like Wall Builder, and they have taken on preventative measures to reduce the risk of data breaches. These firms start by ensuring their "house is in order" and restricting internal access to sensitive documents.
  • One of our attendees spoke about the benefits of tracking indicative behaviors to identify potential bad situations before they happen. He identified the example that we’ve seen cited frequently: dark-of-night downloads. If a lawyer is downloading an unexpectedly high volume of documents to his local drive, it is a possible indicator of imminent departure. Securing and tracking have become essential and complementary functions that firms are looking for in their confidentiality management toolkit.
  • It was a productive forum for risk professionals to ask their peers how they approach different issues, like preparing for client audits.

Thursday, November 10, 2011

Be Heard -- 2011 Risk Blog Reader Survey

Last week, legal ethics maven Bill Freivogel was kind enough to submit a public endorsement of the blog. (I won’t produce it verbatim as it now resides on the right side of the web view of the blog.)

This bit of encouragement led to additional reflection – Over the past two years, the Law Firm Risk Management Blog has grown significantly. Today our diverse and significant readership reflects the importance law firms and related stakeholders (insurers, technologists, consultants) place on risk issues.

We'd like to know more about you, our readers. So please join your peers and take a few moments to participate in the 2011 Risk Blog Reader Survey.

Plans are already in the works for 2012 blog and Risk Roundtable programs, including surveys. Your input can help shape our direction.

Wednesday, November 9, 2011

Law Firm Risk Management Software: 2011 Product Adoption Survey Data

The International Legal Technology Association (ILTA) published its annual technology survey. The report provides key data about decisions law firms are making when adopting software related to risk management. The complete report, with detailed breakouts across several categories, is available via ILTA.

Here's a slice of that, summarizing large law firm (700 or more lawyers) use of commercially-available software that supports risk management functions:

Electronic Records Management
  • Autonomy / iManage -- 25%
  • CA Records -- 10%
  • DM / DOCS (Open Text) -- 5%
  • LegalKEY (Open Text) -- 5%

Ethical Screens / Information Barriers / Confidentiality
  • Wall Builder (IntApp) -- 72%
  • CompliGuard Protect (The Frayman Group) -- 20%
  • iMPrivate (DocAuto) -- 4%
  • SecurityGuard (Olson Consulting) -- 4%
  • WincWall (Wertheim Global Solutions) -- 0%
  • MasterEthics (RBRO Solutions) -- 0%
  • The Wall (Younts Consulting) -- 0%
(For additional data on confidentiality software adoption by firms with 150-349 and 350-699 lawyers, see the Legal Technology Insider.)

  • CompuLaw -- 35%
  • CPI -- 23%
  • MA3000 -- 18%
  • PATTSY -- 18%
  • Microsoft Outlook -- 9%
  • Aderant -- 13%
  • ProLaw -- 10%
  • Law Bulletin -- 8%
  • LegalKEY -- 5%
  • Amicus -- 3%
  • CourtAlert -- 3%
  • IPMaster -- 3%

Conflicts Management
  • LegalKEY (Open Text) -- 40%
  • Elite (Thomson) -- 28%
  • Aderant -- 13%
  • Accutrac -- 3%

Tuesday, November 8, 2011

Law Firm Ethical Walls and Confidentiality Screens: Not Just for Conflicts

Nancy Beauchemin, president of law firm client intake and record management consultancy InOutsource, recently published an excellent article on law firm confidentiality management: "Ethical Walls and Confidentiality Screens: Not Just for Conflicts."

The piece provides a concise summary of the expanding confidentiality drivers facing law firms, from traditional scenarios like waiver-driven ethical screens, to expanding regulatory rules and increasingly stringent client outside counsel guidelines:
  • "Today, law firms are applying confidentiality screens for a variety of reasons, including an increasingly complicated legal and regulatory environment that demands compliance with record-keeping requirements defined by their clients. Law firms are realizing that they must know where their information resides and how it is accessed and stored before they can protect it from inadvertent disclosure. Clients will sometimes exercise their right to audit a firm’s internal record-keeping processes to ensure compliance with their guidelines. In a legal proceeding, courts will require evidence that policies were consistently followed."
She cautions firms about the need to understand and update their current practices:
  • Law firm confidentiality policies are often disconnected from requirements mandated by clients and regulatory bodies. Firms need to understand where they have gaps and commit to correcting deficiencies in policies and use of technology to ensure that their clients’ confidential information is protected.
  • Ideally, repositories and applications that store confidential client matter information should be centrally maintained and managed by a firm’s IT department, and all client matter information should be readily identifiable by the applicable client matter.
  • The screening function should be centralized within the office that is primarily concerned with risk management and loss prevention issues. This is sometimes the responsibility of the firm’s general counsel.
  • There must be immediate and direct communication with affected users, records and IT staff. Screening processes should be documented and require affected individuals to acknowledge and comply with the screen.
  • Screens should be regularly reviewed and removed when no longer needed. There should also be policies to notify appropriate governing bodies and clients of data breaches.

Law Firm Outside Counsel Guidelines: Webinar Recording Now Available

Content from our October webinar on managing risk and response to outside counsel guidelines is now online, for those who missed the live session:
  1. Responding to Outside Counsel Guidelines -- Thanks again to our panelists. We welcomed another large group (100+ attendees) who heard speakers from Holland & Knight (Gilda Russel), Orrick, Herrington & Sutcliffe (Mike Guernon), and McKenna Long & Aldridge (Paul Hurdle).
Those who registered but were not able to attend these events should have received a link to the video recordings via email. Others interested in these sessions can view them online: [Law Firm Risk Management Webinars].

Monday, November 7, 2011

Update: Imputation Risk and Joint Defense Agreements

Eighteen months ago we noted Nintendo's move to disqualify plaintiff's counsel in a patent suit, arguing that a lawyer at the firm was exposed to Nintendo's confidential information through participation in a previous, unrelated joint-defense matter.

At the time, the plaintiff's firm's managing partner noted that if Nintendo prevails it would be: "extremely risky for a company entering into a joint defense agreement in that all knowledge is imputed to everyone in your organization. Companies often enter into joint defense agreements with their own competitors."

Now comes an update from a few turns later:
  • World 2-1: The district court did indeed disqualify the firm, agreeing that the joint defense agreement provision in which the parties agreed not to seek future disqualifications did not apply once the lawyer in question moved from AMD to another organization. (A second judge dissented.)
  • World 3-1: The U.S. Court of Appeals for the Federal Circuit overturned. No Disqualification Where Disclosure of Confidential Information Controlled by Joint Defense Agreement: "Considering the joint defense agreement as a whole and its use of the term “respective counsel” throughout, the Court rejected Nintendo’s argument, reasoning that Nintendo should have had the expectation that Cooper was a “respective counsel” who would be bound by the agreement’s confidentiality provisions. By analogy, the Court ruled that Cooper was also a “respective counsel” for purposes of the agreement’s waiver provision. Having so ruled, the Court granted the petition for writ and vacated the district court’s decision disqualifying F&B." (A second judge also dissented in this instance.)
[8/11: See also good discussion on this at the Legal Ethics Forum.]

Friday, November 4, 2011

Risk News & Updates: Conflicts of Interest, Side-Switching, Disqualification, ABA 20/20 Update

  • Wachtell Switched Sides in United Technologies - Goodrich Deal – "...after working with Goodrich on the deal for months, the law firm — one of the most prominent firms in corporate M&A — switched sides and began working with United Technologies, according to a regulatory filing released today."
  • ABA Ethics 20/20 Commission, which "Stands by Plans to Propose Latitude for Firms to Have Nonlawyer Owners," is working to extend the time frame for it to submit recommendations across all of the topics under consideration: "...if additional funding can be obtained, the panel's work will continue for an additional six months. Under this plan, commissioners will submit about half of their proposals for the delegates' review in August [2012], with the remaining recommendations to be presented for consideration in February 2013."
  • Overzealous disqualification in Lewis v. State – A school superintendent, charged with crimes including corruption, hired Alston & Bird to represent him. The prosecutor successfully moved to disqualify the firm because it also represented "the employer of a witness for the State, albeit with respect to matters unrelated to both the witness and the prosecution." Upon review, the Court of Appeals overturned the decision as unwarranted and overreaching given the facts of the matter and applicable rules: "The record reveals merely that Alston & Bird has a relationship with Parsons. The remainder of the case for disqualification consists of one conjecture piled upon another."
  • Nevada Supreme Court Adopts Disqualification Rule for Use of Information From Anonymous Source – "The Nevada Supreme Court held that a lawyer who received and used information regarding a case from an anonymous source should not be disqualified because he had promptly notified opposing counsel of the anonymous disclosure and did not review any privileged information contained in it."
  • Finally, the oft-cited hypothetical divorce consultation/conflict scenario (aka "The Tony Soprano Maneuver") recently played out in real life: Firm’s Links to Both Sides in Divorce Result in Total Denial of Attorneys’ Fees.

Wednesday, November 2, 2011

"Side Switching" Decision: When Screening, It Helps to Actually Screen

[h/t to Bill Freivogel]. In Martin v. AtlantiCare, 2011 U.S. Dist. LEXIS 122987 (D.N.J. Oct. 25, 2011) the US District Court for the District of New Jersey disqualified a side-switching lawyer.

A lawyer who performed material work for one side of a lawsuit moved to the firm representing the other side. The new firm argued it screened the incoming lawyer, who performed limited work on the matter.

But a judge disagreed, ruling that the lawyer had "primary responsibility" on the matter, which was enough to trigger the disqualification. The court also noted that even if the lawyer was less involved, the new firm's screening measures were significantly lacking and the firm would be disqualified on those grounds due to facts including:
  • The screening notification was only oral, with no written document distributed among firm personnel
  • The firm admitted that it did not even have a general written screening policy
  • No notice was given to opposing counsel regarding the movement of the lawyer, the screening of the lawyer or the screening measures employed
  • Physical materials were not secured. The oral notification instructed that she "can't touch this file" and "can't go into that file drawer herself."
  • Electronic information was not secured. The oral notification instructed the affected lawyer: not to "click on AtlantiCare on the case management system."
Interestingly, the opinion notes: "Although there is no definitive New Jersey guidance on the elements of an effective screen, the Court has no hesitation in finding CM's procedure inadequate." It goes on to repeatedly drive home the extent to which the disqualified firm missed the mark: "the file was not specially secured or 'kept under lock and key,' LG and CM's employees did not acknowledge in writing CM's procedures, and LG was not 'locked out' of the AtlantiCare file on CM's computer system."