Wednesday, February 29, 2012

Firm Information Security Management (More News and Views)

Following the flurry of stories on law firm information security over the past few weeks come two related links:

The Risks of Taking Your Electronic Devices Abroad
  • "You have just finished a long trial, deal or other matter and decide to take a vacation… you bring along your work laptop, your BlackBerry or iPhone, and your iPad or e-reader to cover all your bases electronically."
  • "Then, a funny thing happens on your way to baggage check… The Customs and Border Protection officer asks to see your bags and decides to confiscate your laptop and iPad for further inspection. End result: You don't get your devices back for almost two months and you have no idea how many government agencies saw, inspected and/or analyzed their contents."
  • "Now, even without reasonable suspicion of any wrongdoing, the government can search, copy and seize travelers' laptops and other electronic devices at the border and can potentially continue to access personal and work data and information stored in the cloud, indefinitely and in an ongoing manner."
  • "Many law firms store attorney-client communications, clients' proprietary data and other confidential information this way and the limits on potential government access to such information is practically unbounded under the law as it exists today. This doesn't even include the possibility that, once any privileged communication is accessed by the government, the privilege could be deemed waived, with the scope of the waiver extending to all communications relating to the same subject matter. (What comes next? -- a subject matter waiver over everything in your email?!) Malpractice claims and ethical pitfalls would abound."
  • "Short of leaving our electronic devices at home, we may need to start taking copious measures when traveling internationally, like keeping a backup of our confidential data and communications elsewhere (e.g., on law firm servers) and securely deleting our hard drives, smartphones, etc., prior to travel, then remotely accessing the material we need when we get where we are going."
On a related note, see also an article in the February issue of Wisconsin Lawyer: “Preserve Confidentiality When Using Technology” --
  • Question: "I use a lot of technology equipment in my law practice. What steps must I take to ensure confidentiality of client information when disposing of this equipment?"
  • "Although this topic is still subject to much discussion and debate, it is clear that lawyers are required to have some basic understanding of the function and operations of equipment that is used in their practices, especially if that equipment is storing client information as part of its functioning. Special care must be exercised at the time of disposing of equipment used in the practice to make sure that client information is not somehow transmitted or left on the equipment for discovery by someone else."

Tuesday, February 28, 2012

ISO 27001 for Law Firms -- More News and Competitive Positioning

Bond Pearce just announced that they have retained their ISO 27001 certification. The firm's positioning of the broad scope of its certification suggests another conscious salvo in the use of ISO as a competitive wedge. (See: recent Allen & Overy ISO 27001 announcement.)
  • "ISO 27001 is the world's highest accreditation for information protection and security and is awarded to companies whose business processes conform to strict international standards; it is the only auditable international benchmark for information security management."
  • "We have retained our prestigious ISO 27001 certification following a robust external audit process. We were the first law firm in the UK to achieve full ISO 27001 certification across all sites and services back in 2008."
  • "Full ISO 27001 certification across the entire organisation is rare amongst law firms - many others limit the scope of their certification to IT alone."
  • "Retaining the certification demonstrates our continuing commitment to ensuring its client data is treated with the strictest safeguards and protections to ensure client confidentiality."
Ben Weinberger, Director of IT and Facilities, comments: "We serve an impressive array of national and multinational clients who rely upon our ability to protect and maintain their information with our rigorous security standards. Retaining our ISO 27001 certification demonstrates our high level commitment and understanding of security requirements to ensure our client information and data remains fully secure. We maintain world-class technology and continue to invest in IT and all our business systems, which play a central role in our strategy to provide the best service experience to our clients."

Monday, February 27, 2012

Legal Ethics News & Developments

Ethical issues raised about nonlawyer law firm CEOs:
  • "Drinker Biddle & Reath partner Lawrence J. Fox, former chair of the American Bar Association’s standing committee on ethics and professional responsibility, thinks Scott Green's appointment marks the first breach of professional independence for lawyers."
  • "'It raises all sorts of questions and trivializes the basic tenet of professional independence — lawyers report to lawyers... The problem I see is those who want to own a law firm now have an argument for doing so. If you have a nonlawyer CEO, why shouldn’t the next step be Goldman Sachs or Walmart owning law firms.'"
Recent Ethics Opinions:
  • New York State Bar Opinion 903 (1/30/12) -- "When a lawyer jointly represents two co-defendants pursuant to a validly obtained consent to the dual representation and to any future conflicts that might arise between the joint clients, and one of the clients later revokes consent, whether the lawyer may continue to represent the non-revoking client depends upon the circumstances, unless an advance agreement specifies what happens upon revocation of consent."
  • New York State Bar Opinion 905 (1/30/12) -- "Rules 1.9 and 1.10 do not apply to a lawyer who acquired confidential information while acting solely as a paralegal or legal assistant. A law firm that hires a lawyer who acquired confidential information while acting as a paralegal or legal assistant has an obligation to make reasonable efforts to ensure that the lawyer does not reveal the confidential information. A law firm should instruct the newly hired lawyer not to divulge confidential information. The firm should also perform a conflicts check reasonable under the circumstances. If the lawyer acquired confidential information in a matter while working as a paralegal or legal assistant, the lawyer ordinarily must be screened from any personal participation in the matter to avoid communication to others in the firm of confidential information that the firm has a duty to protect."
  • New Hampshire Ethics Committee Advisory Opinion #2011-12/5 -- Outsourcing Legal and Non-legal Support Services – "Such engagement of support services does not of itself violate the Rules of Professional Conduct. The New Hampshire attorney must ensure that the individuals or companies providing the services maintain client confidences (Rule 1.6) and do not create conflicts of interest (Rule 1.7). The New Hampshire attorney must also ensure that the charges for these services do not result in an unreasonable fee or unreasonable expenses (Rule 1.5), and must not share fees with non-attorneys (Rule 5.4). The New Hampshire attorney must notify the client of the engagement of such services (Rules 1.2 and 2.1), must be competent (Rule 1.1) to review the services provided (Rules 5.1 and 5.3), and must avoid the assistance of the unauthorized practice of law (Rule 5.5)."

Wednesday, February 22, 2012

Clients Advised to Ask Tougher Questions About Law Firm Information Security

Law firm information security and information risk management is definitely in the zeitgeist. Corporate Counsel magazine just published an article advising clients to take greater interest in how outside counsel treat their sensitive information. "Securing Corporate Data in a Law Office's Computer Network" --
  • "It’s an issue that should be getting the attention of in-house counsel, especially as they share sensitive--and potentially valuable--data with outside counsel."
  • Digital risk consultancy Stroz Friedberg notes: “We’re advising law firms to segregate that data, and put much more security around that data."
  • "'The disparity in the levels of security we’re seeing is startling.' Some law firms have a very strong culture of security, at or beyond that of their corporate clients. Others continue to prioritize the convenience of a flat, open network over the security of a network with more barriers."
  • Echoing similar comments published by the UK's Legal Support Network, Friedberg notes: “The issue ends up being that the lawyers are so oriented to the convenient use of computers. It presents real challenges to pervasively establish a culture of security, because convenience has to be subjugated to secure computer use.”
The article presents an extensive list of "Twelve Security Questions That Corporations Should Ask Their Law Firms," which includes:
  • Does the firm log access to its clients’ files, so who touched what file can be reconstructed?
  • Does the firm use secure enclaves, where highly sensitive data receives higher levels of security protection and monitoring?
  • Does the firm have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?

Tuesday, February 21, 2012

New Federal Information Security Law -- Will It Affect Law Firms?

The recently introduced Cybersecurity Act of 2012 calls for the federal government to identify key systems that, if attacked, would result in severe economic or physical damage. Stated targets include utilities, banks and other critical service providers.

As Law Technology News reports: "Experts say it's possible that large law firms and corporate legal departments could be impacted and find themselves reporting security procedures to the federal government, or face fines and public scrutiny."
  • Steptoe & Johnson partner Stewart Baker outlines how the rules could affect law firms: "That is to say, there might be 100 or 200 law firms in America whose secrets, if compromised, would in aggregation result in really significant economic harm. At the end of the day, it's not the law firm's secrets that are important, it's their clients."
  • But he and others, like one security consultant, suggest that law firms are not the intended targets of the measure: "You can imagine hypotheticals, but I think in fairness, law firms are probably outside the zone of what the bill makers are actually contemplating. Probably lawyers are not life-sustaining, notwithstanding how important we think we are."

Monday, February 20, 2012

Law Firm Information Security: News, Opinions & Best Practices

Law firm information security and confidentiality management continues to make headlines and draw industry attention. Here are recent updates worth reviewing:
  • Rupert Collins-White from the Legal Support Network starts things off with some bold opinions -- Why information security has now become a costly issue for law firms:
    • "It's not like lawyers and the business services people who work in law firms don't realise the information they deal in is, usually, sensitive and commercially useful to others - they know this very well... There's another reason things go wrong, though it won't be a popular one for me to say - partners and senior associates. Some partners and senior lawyers, and they're not all older members of the profession, think they are somehow outside the normal rules of behaviour, both in terms of manners and actions." 
  • Next comes a recent article in The Recorder -- 10 Steps to Minimize Cybercrime Exposure at Your Firm:
    • "Recently, federal law enforcement officials have been quietly visiting major law firms to explain they may be vulnerable, which makes sense given the confidential nature of the data law firms store on their information technology systems... At this point, it's fair to say that firms that fail to implement thoughtful and appropriate cybersecurity measures may well be held to answer in the wake of a serious data breach incident."
    • "Review and modify access rights. You, your HR department, and IT staff should take a hard look at access rights, and conform access to what's necessary as opposed to what's convenient... Your firm's document and information management system should compartmentalize sensitive data and records so that the number of partners, associates, and other employees with access is minimized to the extent possible. Pay special attention to the access rights granted to temporary and contract employees, as well as remote access rights. Finally, make sure you timely disable and purge old user accounts; experience has shown these can become external and internal threat vectors. User accounts should be disabled at the time of an employee's departure."
  • Finally, an example of alleged security-related malfeasance -- Pa. Firm Sues Ex-Partner for Allegedly Using Dropbox to Access Client Files:
    • "Elliott Greenleaf said that prior to Balaban leaving the firm, he and others deleted 5 percent of the firm's backup tapes for Harrisburg client files, took 78,000 files from the firm's computer system, and installed 'Dropbox' software that enabled Balaban continued access to Elliott Greenleaf's computer network through remote access, according to the complaint filed by name partner John M. Elliott."
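Two of the practice points above are concrete enough to show in working code: the Corporate Counsel question "Does the firm log access to its clients' files, so who touched what file can be reconstructed?" and The Recorder's advice to disable departed employees' and contractors' accounts promptly. The Python script below is an added illustration, not code from any of the articles or from any product or firm named on this page. It assumes a simple one-line-per-event audit log format (timestamp, account, action, path) and an HR roster of departure dates; both the format and the sample data are constructed for the example. It reconstructs the per-file access history and then flags any access that occurred after the account holder's recorded departure, or by an account the roster does not know about at all.

```python
"""Reconstruct 'who touched what file' from a document-system audit log and
flag access by accounts that should have been disabled at departure.

Added example: the log layout, roster and field names are assumptions made
for illustration; a real document management system will have its own.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample audit-log lines: timestamp, account, action, client/matter path.
SAMPLE_LOG = """\
2012-02-01T09:12:03 aclark OPEN /clients/acme/merger/term-sheet.docx
2012-02-01T09:40:17 bdavis DOWNLOAD /clients/globex/bond/closing-binder.pdf
2012-02-03T22:05:44 bdavis DOWNLOAD /clients/globex/bond/tax-opinion.docx
2012-02-10T08:01:00 ctemp OPEN /clients/acme/merger/due-diligence.xlsx
2012-02-12T23:59:10 bdavis DOWNLOAD /clients/globex/bond/closing-binder.pdf
2012-02-13T10:00:00 zorphan OPEN /clients/acme/merger/term-sheet.docx
malformed line that should be skipped
"""

# Constructed HR roster: account -> departure date (None if still with the firm).
ROSTER = {
    "aclark": None,
    "bdavis": date(2012, 2, 5),   # partner who left the firm
    "ctemp": date(2012, 2, 9),    # contract engagement ended
}


def parse_log(text):
    """Parse audit-log lines into event dicts; lines that do not fit the
    four-field layout or carry an unparseable timestamp are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append({"when": when, "user": user, "action": action, "path": path})
    return events


def access_by_file(events):
    """Answer 'who touched what file': path -> chronologically sorted
    list of (timestamp, account, action) tuples."""
    touched = defaultdict(list)
    for e in events:
        touched[e["path"]].append((e["when"].isoformat(), e["user"], e["action"]))
    return {path: sorted(rows) for path, rows in touched.items()}


def post_departure_access(events, roster):
    """Return (account, timestamp, path, reason) for every event by an account
    used after its holder's departure date, or by an account absent from the
    roster (an orphaned account nobody owns)."""
    findings = []
    for e in events:
        if e["user"] not in roster:
            findings.append((e["user"], e["when"].isoformat(), e["path"], "account not on roster"))
            continue
        left = roster[e["user"]]
        if left is not None and e["when"].date() > left:
            findings.append((e["user"], e["when"].isoformat(), e["path"],
                             f"access after departure on {left.isoformat()}"))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for path, rows in access_by_file(evs).items():
        print(path)
        for ts, user, action in rows:
            print(f"  {ts}  {user:10} {action}")
    print("\nFindings:")
    for finding in post_departure_access(evs, ROSTER):
        print("  ", finding)
```

Run as-is it prints the per-file history and three findings: the contractor's access the day after the engagement ended, the departed partner's download a week after leaving, and an account the roster has never heard of. The point for a risk team is that the second check only works if the first one exists; without per-file access logging there is nothing to reconcile against the roster, and a departed user's continued remote access of the kind alleged in the Elliott Greenleaf complaint would be invisible.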

Wednesday, February 15, 2012

Risk News: Law Firm Insurance Trends, Ethics and Disqualification Updates

The Wall Street Journal published an interesting update on law firm insurance and malpractice trends: "The Wrong End of Lawsuits: Firms Say They Increasingly Are Targets of Litigation by Clients, Ex-Partners." The article reviews several high profile malpractice cases making news (such as an $83 million lawsuit against Ropes and Gray) and digs into several identified insurance-related themes and trends:
  • "Law firms are loading up on insurance against expensive liability claims as they increasingly find themselves on the wrong end of lawsuits."
  • "Some clients are even using the threat of litigation as a way to negotiate their bills."
  • "And because big law firms carry more insurance than smaller firms, the big practices are particularly attractive targets for litigation."
  • "Insurance brokers say many law firms have expanded their coverage to guard against claims from former employees or disgruntled partners and are looking to shield firm leaders from suits over management decisions, such as whether to merge with other practices."

"Am I My Brother's Keeper?" -- BNA writes: "Law Partners and Managers Must Be Active Overseers of Colleagues' Conduct," a recently published update to the ABA/BNA Lawyers' Manual on Professional Conduct:
  • "Model Rule 5.1, which covers partners and managers in all types of law practices, requires supervisory lawyers to take affirmative measures to prevent and detect unethical conduct by lawyers in their firm, office, or agency. Those who own and manage law practices are expected to construct and maintain a framework to make sure that other lawyers in the firm toe the ethical line."
  • "Model Rule 5.2 makes clear that subordinate lawyers who act unethically aren't off the hook merely because they followed a supervisor's instructions. Attorneys working under the supervision of other lawyers are charged with learning the rules and laws that govern their conduct; they cannot blindly rely on instructions from those above them who push the boundaries of professional conduct."
  • "Law firms must set up and maintain internal policies and procedures to prevent and detect unethical conduct, including measures designed to spot and resolve conflicts of interest, to foreclose and uncover fraudulent billing and improper dealings with client funds, and to identify key deadlines in pending matters and verify they are met. Firms also must have policies and practices ensuring that lawyers receive appropriate training, supervision, and support needed to carry out their work. Model Rule 5.1 cmt. [2]; Restatement §11 cmt. g."

Finally, in keeping with the legal ethics theme, and arguably from the lighter side, comes an update on the disqualification motion in Wingate v. Celebrity Cruises, Ltd. The complete decision, filed February 8, is available online, but the following transcript snippet summarizes part of the drama involved:
  • "THE COURT: I am not going to give this man a nickel if I already found, as I have, that in fact he obtained an unfair advantage by bribing an employee on the other side to let him know what the settlement value of the case was."

Tuesday, February 14, 2012

Information Security, Ethical Walls and Confidentiality Management -- Making the Business Case (Webinar)

This upcoming webinar will address the question: "How do you effectively make the business case for investing in information security and confidentiality management?"

Today a growing number of firms are using software to automate the enforcement of information barriers and access restrictions on confidential matters. Yet many firm risk and IT professionals find it challenging to educate others in the firm about the need for enhancing internal practices and controls.

At this event, speakers from three firms will explain the different approaches they took and offer advice you can put into practice at your firm:
  • Mia Jiganti, Director of Risk Management, Dykema Gossett
  • Gavin Gray, CIO, Perkins Coie
  • Eric Carpenter, Information Systems Director, Rothgerber Johnson & Lyons
Date: Thursday, February 23
Time: 9 am Pacific / 12 pm Eastern / 5 pm GMT

The session is moderated by Pat Archbold, head of IntApp's risk practice group, and will include time for live Q&A. Attendance is by invitation only. For more information, please contact: webinars@intapp.com.

Monday, February 13, 2012

Law Firm Conflict Allegation Rejected: Google Not "Feeling Lucky"

This is an update to a story we noted earlier today about Google's attempt to disqualify former counsel: "Google Loses Bid to Disqualify Lawyers Suing Android Partners."
  • The ITC ruled that “Google offers no evidence regarding how Google’s business interests will be harmed through this litigation... I find that the actions taken by Pepper Hamilton serve as a reasonable precaution to keep the confidential information of Google and Digitude separate."
  • "Pepper Hamilton has pledged not to question any Google witnesses and it’s set up an 'ethical screen' to keep lawyers who are working on behalf of Digitude in Washington and Boston from accessing confidential information related to Google’s patents."

Conflicts Management for Law Firms

Conflicts Checks, A Necessary Pain
Two partners from McKenna Long & Aldridge just published an excellent article about the necessary pain that is law firm conflicts management. They start with full and honest disclosure -- noting that conflicts ranks at the top of the least favorite lawyer pursuits, but remains important nevertheless:
  • "Other than billing, there is virtually nothing that lawyers dread more than checking, responding to, and resolving potential conflicts of interest…Legal newspapers are replete with articles about motions to disqualify, bar complaints, and legal malpractice claims based on an unidentified or unresolved conflict of interest."
They go on to review different types of conflicts and key considerations for prudent processes to identify, analyze and resolve potential conflicts. Importantly, they note that conflicts management software can help the process, but isn’t a substitute for human intervention and wisdom:
  • "Computers make conflicts screening much easier. But, computers are no substitute in the final conflicts analysis for involving lawyers in the process. Effective conflicts procedures involve both. The key is to make sure that both are looking for the right things."

Googling a Potential Conflict -- Can You Hear Me Now?
“Google is sparring with a law firm it's been using since 2008 after discovering that lawyers there began representing a patent-licensing business that sued the company's Android partners last month.”
  • Google submits that the firm in question represented it in 50 patent applications, including 12 specifically related to Android, and argues in a filing with the ITC that: "…Pepper Hamilton is accusing its own client of infringement… Pepper Hamilton should not be allowed to continue alleging infringement against the products and interests of its current client."

Thursday, February 9, 2012

Another Law Firm Hacked – Gigabytes of Email Captured & Published

More news in keeping with this week’s theme of the importance of law firm information security management. Yesterday we focused on the FBI’s warning concerning the very real threat of law firm hacking.

Now comes another example: "The announcement states that Anonymous stole 2.6 gigabytes of e-mail belonging to Puckett Faraj, a law firm that represents Staff Sgt. Frank Wuterich, who is accused of leading the group of Marines in Haditha." (As reported by Time and other news sources, this 2005 raid resulted in the deaths of 24 unarmed Iraqi civilians.)

The Haditha incident was recently in the news as Wuterich was convicted of negligent dereliction of duty on January 24. The cases against six other defendants were dropped, and the seventh was found not guilty.

The emails are said to contain: "…detailed records, transcripts, testimony, trial evidence and legal defence donation records pertaining to not only Frank Wuterich but also many other marines they have represented."

Equally troubling for the law firm, the emails included personal lawyer correspondence relating to other matters. Finally, the hackers and supporters are reported to be publishing the email trove online in a searchable form.

The US Naval Institute called out and commented on this incident as another reminder to treat sensitive electronic information carefully.

Wednesday, February 8, 2012

Information Risk Threats: Law Firms Increasingly Targeted by Hackers

Following yesterday's update about the growing adoption of the ISO 27001 information security standard by law firms comes renewed news about external attacks on firms: "China-Based Hackers Target Law Firms to Grab Secret Deal Data."

The issue is serious: the FBI convened a meeting of the top 200 firms a few months ago. As the head of the FBI’s New York cyber division summed up the threat: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry."

She noted that of the firms in attendance: "Some were really well prepared; others didn’t know what we were talking about," and that firm culture and related factors make law firms a "soft" target for attackers.

The article mentions several law firm hacking incidents:
  • "...the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board..."
  • "In one recent case, a corporation was negotiating to open a major plant in China when the law firm helping with the deal was hacked…"
  • "Similarities between the Canadian attack and other recent intrusions at U.S. law firms suggest that cyberattacks on attorneys are now part of the hacking playbook for gathering sensitive information on corporate clients…"
Given these threats, it’s no surprise that many firms are seeing more stringent client mandates about how sensitive information is stored, accessed and protected:
  • "'If clients start thinking they can’t give private information to their lawyers because it might get out, it’s a huge problem for the profession,' said Richard Goldberg, a former software programmer and lawyer in Washington involved in the data security issue. 'The whole system will start to fail.'"

Tuesday, February 7, 2012

Risk and Compliance as Competitive Advantage: A&O Highlights New ISO 27001 Certification

Last week, Allen & Overy made a very public announcement that it has received ISO 27001 certification in the US for its confidentiality management practices. What’s fascinating is the firm’s aggressive use of certification as a competitive differentiator:
  • "[Our] firm stays ahead of competitors on information security with prestigious certification…"
  • CIO Gareth Ash adds: "We are leading the pack on information security. This certification provides real business benefits when working with our clients and future clients, especially within the financial industry."
With clients issuing stricter guidelines, asking tougher questions on RFPs, and even commissioning audits of their law firms, it’s easy to understand why a firm would emphasize its capabilities and advantage.

Allen & Overy selected IntApp Wall Builder in 2010 to support its internal confidentiality efforts. Speaking at the time, the firm’s head of risk and compliance noted:
  • "We made a strategic decision to adopt technology controls to help us manage information barrier and wider client confidentiality issues and in particular to enhance our ability to monitor and audit compliance. We selected Wall Builder because it's a mature product that has been widely adopted by law firms, and because IntApp possesses the necessary expertise and could demonstrate success working with large, global firms to address information barrier and client confidentiality requirements."
Commenting on the recent ISO announcement, Pat Archbold, head of IntApp’s risk practice group, writes: "We’re seeing continuing law firm interest in ISO 27001 and have developed solutions that enable law firms to accelerate their compliance certification efforts. I'm happy to share more detail with readers who’d like to get in touch directly at: Pat.Archbold@intapp.com."

Thursday, February 2, 2012

Terminated Lawyers Level Law Firm Conflicts and Ethics Accusations

Careful Calling “Conflicts”
The U.S. District Court for the Western District of Kentucky just ruled that a lawyer cannot sue for being terminated after failing to take part in a referral arrangement he believed created a conflict of interest under state ethics rules: “He contended that a quid-pro-quo referral arrangement existed between the law firm and Kentucky Spine and Rehab, creating a conflict of interest under Kentucky ethics rules. The firm terminated his employment because he refused to participate in the referral scheme, the plaintiff asserted. For purposes of the law firm's motion to dismiss, the court took the facts alleged in the complaint at face value. Even so, Heyburn concluded that the complaint did not state a viable claim against the firm under Kentucky law.”

Lawyer Claims Firm Encouraged Fraud with 3000-Hour Billable Quota, as reported in the ABA Journal. Commenting on the article, one contributor suggests that: “Billing 3,000 hours should trigger an ethics investigation. More than 3,500 hours should trigger an ethics investigation with a rebuttable presumption of guilt. Trouble is, you’re billing multiple clients, so no individual client knows to complain. The only person who sees the high numbers is the boss…” [Clearly, there’s an opportunity for added controls to mitigate this risk, either triggered by manual review or automated technology.]