Thursday, May 31, 2012

Hacking Risks Facing Law Firms (More on Chinese and Russian Attacks)

LTN editor-in-chief Monica Bay sends a timely update from the recent LegalTech conference. "Law Firm Risk Factor: China, Russia Cyberspies" summarizes key themes from keynote speaker Joel Brenner's address. Brenner is of counsel at Cooley LLP, and formerly held roles including: senior counsel at the NSA, head of US Counterintelligence, and NSA inspector general.
  • "China and Russia conduct 'relentless targeting of the private sector, not for military information, but for reasons having just to do with technology.' 'This is not the cold war, revisited,' he said. 'These are not diplomats, they are every day business persons. This is a different world than any of us grew up with.'"
  • "Law firms, especially large international shops, and public relations organizations, are frequent targets for systematic attacks, said Brenner. 'Lawyers are attacked at work, at home, while traveling, and it's embarrassing to have to tell clients,' he said. At issue is confidential data, especially for negotiations. 'Lawyers who have clients doing business in China, or lobbying, are hardest hit. They worry about losing information.'"
  • "Law firms and their clients need to change their mindset about secrecy, and focus more on limiting access than preventing access, he said. 'Secrets are like isotopes, they have half-lives. Our job in the information security business is to prevent and slow the degradation of those half-lives. We are talking about managing secrets,' he said -- differentiating the things that are not very important, or short-lived, from more important information."

Wednesday, May 30, 2012

Associate's Searches Through Firm DMS Prior to Filing Lawsuit Not Grounds for Professional Discipline

Thanks to John Steele, publisher of the Legal Ethics Forum, for sending in the following disciplinary decision from the Massachusetts Board of Bar Overseers: "RE: Bar Counsel, Petitioner v. Kamee Beth Verdrager, Esq., Respondent. BBO File No. C1-2008-0271"

The fact pattern here -- Before leaving the firm, an associate harvested and removed a number of documents from the firm's document management system:
  • "She believed she was about to be fired by the firm after she had claimed to be the victim of sex discrimination. Anticipating that she would file suit against the firm, she searched for documents maintained in that sector of the firm's computer document management system that was open to any lawyer or other staff member in the firm and was referred to as "public" at the firm."
  • "She accessed, copied, and e-mailed to her home a number of documents that she thought might support her claims against the firm. After the firm notified her that she would be laid off, she disclosed one of the documents she had copied and advised that she had more firm documents to buttress her discrimination claim."
  • "The firm then terminated her employment on the grounds that she had violated privacy rights and breached her duty of loyalty to the firm by accessing and copying firm documents for her own purposes. The firm also filed a grievance with the Office of Bar Counsel, which later filed a petition for discipline."
In its decision, the BBO noted:
  • "Lawyers in the firm were encouraged to review public documents posted by others. Such review was a widespread practice among the firm's lawyers, whether in search of a template for a pleading or even to discover how many hours other partners and associates were billing. Given such a policy and practice, and the highly competitive environment it reflects, it follows that no one who failed to secure documents he or she did not want other lawyers to review should be heard to complain that others took the firm at its word regarding the public nature of its unsecured documents. If documents were not secured they could - and in such a milieu there was a very good chance they would - be read by any interested person with access to the system."
Further, because the associate took care to avoid documents related to her specific case or marked privileged, it did not consider her activity to be a rule violation or otherwise inappropriate. Quite the opposite: "...the respondent accessed and copied materials that were freely available to her as an employee, a step any experienced plaintiffs lawyer would have advised a client to take."

This is an important data point for those looking to balance open internal access to information with the need to manage confidentiality controls. We've commented previously on the role technology can play in both enforcing restrictions and alerting management regarding suspicious or abnormal document access by law firm personnel.

Tuesday, May 29, 2012

New Jersey Supreme Court Says "No" to Unilateral "Side-Switching" Lawyers

Bloomberg BNA Reports: "New Jersey Supreme Court Clarifies Analysis of Former-Client Conflicts in ‘Same’ Matter," which says: "Almost completely closes any escape hatch in New Jersey for lawyers to switch sides in the same dispute."
  • "In an opinion by Justice Helen E. Hoens, the court made clear that when a lawyer has previously represented a client in a matter and later represents the client's adversary in the same matter, the conflict is not analyzed under the two-part test announced in Atlantic City v. Trupos, 992 A.2d 762, 26 Law. Man. Prof. Conduct 282 (N.J. 2010), for evaluating whether matters are substantially related."
  • "The plain language of Rule 1.9 makes clear, Hoens said, that if the prior and the subsequent matters are essentially the same, the representation is prohibited absent the former client's informed consent, confirmed in writing."
  • "As other evidence demonstrating that the matters were the same, the court pointed out that in his certification opposing disqualification, Meller noted that he advised his new client, PB Americas, about the former representation and the work he had performed for FKSB in 2004."
  • "But that was not his obligation under Rule 1.9(a), the court said. Instead, having realized that he had previously represented the client's adversary in the same matter, Meller was obligated to reach out to former client FKSB and affirmatively seek that client's permission before undertaking the new representation. Not having done so, the firm must be disqualified, the court concluded."
See the opinion: Twenty-First Century Rail Corp. v. New Jersey Transit Corp., N.J., No. A-101, 5/7/12.

Wednesday, May 23, 2012

Cloud Storage, Mobile Devices & Information Risk

Two interesting articles touch on risk considerations and response strategies for organizations grappling with the increasing mobility of people and information.

"Not just a paper trail" -- Describes how two large Australian firms are approaching these issues:
  • "A document management system needs to balance the competing interests of ensuring lawyers can access and retrieve documents easily with the need for certain information to remain off limits to certain groups of people."
  • "Corrs Chambers Westgarth is one firm that is looking to use modern technology to reduce the reliance of its lawyers on paper. Late last year, Corrs rolled out an iPad app which allows lawyers to organise, transport and review thousands of documents outside the office."
  • "An important part of protecting the security of online documents at Corrs has been to eliminate the risk of documents getting lost in the cloud. To ensure this, Corrs has in place security measures to stop documents being stored in the cloud in the first place. 'Absolutely no documents kept by the firm are stored on the cloud,' says Borskjaer."
  • "A novel approach to the security risk posed by the cloud has been taken by Clayton Utz. It has developed an internal cloud as part of a “whole-of-firm” approach to document management."
On a related thematic note, "IBM stung by BYOD pitfalls," explores the risk and management challenges that come with letting users "bring their own devices" like iPads and iPhones, and the associated apps that enable "smooth" information sharing:
  • "IBM soon realized that it had no grasp of which apps and services employees were using on their personal devices and set forth guidelines of proper use. It banned, for example, the use of such popular services as Dropbox cloud-based storage. The well-justified fear was that employees would put IBM-sensitive information in their personal Dropbox accounts and forward internal email to public Web mail services, or use their smartphones as mobile Wi-Fi hotspots."
  • "...before IBM will allow an employee to access its networks with his or her device, it must make adjustments."
For more background on IBM's BYOD policies and practices, see also this article.

Monday, May 21, 2012

This Week’s London Risk Roundtable Near Capacity

The upcoming London Risk Roundtable event is near capacity with just a few available spots remaining. Set for this Thursday, May 24, this session will focus on several increasingly prominent information security and risk management trends including:
  • Client Audit Trends
  • ISO 27001
  • Open vs. Closed DMS (Approaches & Considerations)
Attendees will also receive a new white paper on document security trends. Attendance is by invitation only and is limited to qualified law firms and personnel. These events always provide a forum for IT and risk professionals to connect in a collaborative environment. Please contact info@riskroundtable.com for more details.

Wednesday, May 16, 2012

Conflicts of Interest -- Is "Playbook" Information (aka "Special Insight" into Former Client Thought Patterns/Strategies) a Basis for Disqualification?

A fascinating, sometimes ferocious, but friendly debate and discussion worth reading at the Legal Ethics Blog: "Playbook Information and Conflicts of Interest." Discussion focuses on the attempt to apply a poker metaphor (tell) to the question:

Some highlights of the exchange between Monroe Freedman, Professor of Law at Hofstra Law and John Steele, publisher of the site and legal ethics specialist:
  • Monroe Freedman: "Abbe and I discuss playbook information in connection with COI in ULE at p. 259. The idea originated in a discussion by Richard Zitrin at a Hofstra Ethics Conference. Richard is both an experienced litigator and avid poker player, and talked about the importance of the tell – information about how a player reacts in critical situations. He then related this to information gained in a former representation about how the former client reacts in negotiations and litigation, e.g., a disposition to settle (and for how much) rather than litigate. The idea was endorsed, also at a Hofstra conference, by Chuck Wolfram, who referred to it as playbook information."
  • John Steele: "We've had some California cases squarely reject the idea -- and a recent federal case out of California that appeared to accept it too. My sense is that the doctrine is neither fully accepted nor fully rejected right now."
  • John Steele: "But, just to test the idea, let's suppose we give it credence. Henceforth, if you've ever represented a party on any matter, you are disqualified from ever being adverse to it on any matter (substantially related or not), because you have gained the ability to read and decipher poker tells. Is that the new "poker tell" rule that you favor, Monroe? Or perhaps you'd favor a rule where the party moving for disqualification needs to show that it has a poker tell that can be read by opponents?"
  • John Steele: "Notice that none of these strategies are unique and that every decent lawyer anticipates strategies of this type being employed by the opponents. Every one of those strategies has been described countless times in PLI articles and CLE conferences. Many of those litigation strategies originated in outside law firms, and it is erroneous to think of them as being uniquely the property of any particular client... When you read a motion premised on the playbook theory, ask yourself how specific the supposed strategy and techniques really are. I can't rule out the possibility that there could be someday, somewhere, sometime, a valid use of the playbook theory to capture something that isn't fully captured in the existing formulations of the former client conflict rules. But in the matters where I see it being asserted, it's just a weak rhetorical crutch that's being used because the movant lacks any sound basis for seeking disqualification."

Tuesday, May 15, 2012

Risk News and Updates (Insider Trading, Recommended Rule Updates, Malpractice News + UK Developments)

 
  • SEC Charges Montana-Based Paralegal and Father with Insider Trading -- "The Securities and Exchange Commission has sued a former paralegal at a Kalispell, Mont.-based semiconductor company and her father after they have traded on confidential information about the 2009 acquisition of the company."
  • NYC Bar: Lawyers Must Tell Opponents If Documents Are Mistakenly Sent, But May Be Able to Use Them -- "An opinion released Monday by the New York City Bar Association attempts to provide a clear pathway through an ethical thicket concerning a lawyer's duties when he or she receives material from an opponent that was sent by mistake... lawyers must now decide for themselves how to deal with a gray area that has been created by the new ruling: Whether it is ethically permissible to use the material..."
  • ABA Ethics 20/20 Commission Publishes Final Resolution and Reports -- "The ABA Commission on Ethics 20/20 respectfully submits to the House of Delegates the accompanying Resolutions and Reports. They are the product of a three-year study of how globalization and technology are transforming the practice of law and how the regulation of lawyers should be updated in light of those developments."
  • No malpractice coverage for lawyer who failed to mention ethics investigation -- "An insurance company can rescind a malpractice policy because a now-disbarred lawyer didn't disclose on a renewal application that a bar association was investigating him, the U.S. Court of Appeals for the Sixth Circuit has ruled."
  • Law Firm Identity Theft? (SRA acts over identity fraud after series of bogus law firms) -- "The SRA has issued six warnings about bogus firms or branch offices of legitimate firms in the past six months, and last week also highlighted a fake website of a real practice... SRA executive director David Middleton said: “Any firm that discovers its identity has been stolen should contact us and their insurers and also consider legal action such as an injunction either to stop misleading statements or to freeze assets if money has gone missing.”" [See also: SRA under fire for “failing to act” on bogus law firm warning.]
  • SRA in new compliance deadline setback -- "The Solicitors Regulation Authority is set to push back the date for approving compliance officers by two months. The SRA Board will vote tomorrow on extending the grace period for approving the new appointments to 31 December... All firms must appoint compliance officers who are responsible for recording and reporting any failure to comply with SRA regulations."

Monday, May 14, 2012

Conflicts & Malpractice: When Law Firms Represent Themselves

Interesting article in The Recorder: "Viewpoint: When a Lawyer Needs a Lawyer." Richard Zitrin, professor at UC-Hastings and of counsel at Carlson, Calladine & Peterson, explores the question: "What happens when a lawyer may have committed malpractice? May the offending lawyer confidentially consult internally within his or her firm with — the "loss prevention" partner, the ethics committee, or the managing partner — and may those others then consult confidentially about the situation among themselves?"
  • "This California rule makes simple common sense. After all, if a law firm starts giving advice to client No. 1 that is adverse to ongoing client No. 2, the conflict of interest is self-evident. When the advice relates to the exact same facts for both clients, the problem is even more obvious. Viewed in this context, the argument that somehow if the law firm itself is client No. 1 those consultations magically remain confidential and privileged strains credulity, especially considering that these consultations are designed to protect the firm against its existing client's claim. Not surprisingly, the majority of the existing decisional law strongly supports this view, including two recent federal cases in Massachusetts, two more in Pennsylvania, and elsewhere, including Louisiana and Washington State."
  • "But this common-sense view is not unanimous. Recent cases in Ohio and Illinois both hold that on the specific facts presented, a law firm is not required to disclose its internal communications about loss prevention even if it was still representing the client asserting the claim. The Illinois case, while acknowledging that the law firm violated its fiduciary duty to its client, noted somewhat counterintuitively that the fiduciary violation does not create an exception to the privilege under current Illinois law. Notably, however, neither case analyzed the law firm's ongoing duty during the "dual representation" to candidly communicate with its third-party client, including about its own malpractice, an issue the California courts wisely recognize."
See the complete article for additional detail.

Thursday, May 10, 2012

Risk Survey Update -- High (and Growing) Participation Levels

We took a proto-survey (Survey'?) of our surveyors and are delighted to report high levels of participation in the 2012 Law Firm Risk Management survey program.

At this point, a week into the process, well over 100 organizations have participated (and counting).

As a reminder, the incentive for qualified firms and stakeholders to participate is access to a copy of the final published report for their geography (this year, separate exercises are underway for Australia, Canada, US and UK).

By participating, you will gain visibility into the priorities, policies and practices of your peers across the industry.

Wednesday, May 9, 2012

Conflicts Clashes -- Law Firm Sues 150 Lawyers/Firms

Fascinating conflicts news from The Globe and Mail in Canada: "Law firm Cassels Brock sues 150 lawyers" --
  • "Cassels Brock & Blackwell LLP is suing close to 150 law firms and lawyers across Canada as it faces conflict-of-interest allegations in a closely watched lawsuit. The suit alleges that Cassels advised both the auto dealers’ association and the Canadian government on the matter, as Ottawa was allegedly pressuring GM to cut its number of dealerships to receive a bailout and avoid bankruptcy. The allegations have not been proven in court."
  • "In response, Cassels has filed a claim against almost 150 lawyers and law firms across Canada."
  • "Cassels' claim targets the lawyers from whom the individual GM dealers were required to seek independent advice when they were given just six days, over the Victoria Day weekend in May, 2009, to accept their "wind-down agreements" from General Motors."
  • "The way the profession deals with conflicts has been a source of contention for years, especially as law firms merge into larger entities more likely to end up with clients with opposing interests. David Sterns, a Toronto class-action lawyer with Sotos LLP acting for the GM dealers in their lawsuit, calls Cassels’ move to sue nearly 150 lawyers unprecedented."
See the full story for additional background and detail.

Tuesday, May 8, 2012

Upcoming Webinar: Law Firm Information Security Trends

Industry developments continue to raise the profile of risk and compliance issues -- particularly with information security management, where rising client expectations, evolving professional standards and new regulations create new challenges and dangers.

Designed for both IT and risk stakeholders, this webinar will explore law firm information security trends, developments and emerging themes, including:
  • Client audits
  • ISO 27001
  • Industry reviews of the pros and cons of "open" vs. "closed" DMS models
Plus you'll hear details about ILTA's LegalSEC initiative.
  • Date: Tuesday, May 29
  • Time: 9 am Pacific / 12 pm Eastern / 4 pm GMT
This webinar is co-sponsored by ILTA's Emerging Technologies Peer Group and IntApp. For more information, and to request registration, visit ILTA's web site.

Thursday, May 3, 2012

Report from Last Week's Risk Roundtable Meetings

Last week, Risk Roundtable sessions were held in Los Angeles and San Francisco. Many thanks to O'Melveny & Myers and Cooley for hosting. Brian Lynch, chair of the Risk Roundtable Compliance Consortium, delivered a presentation updating attendees on current risk issues and trends, and moderated group discussion. He was joined by John Steele, publisher of the often-cited Legal Ethics Forum.

Brian kindly sent an update summarizing some of the group discussions at each event:
  • We recently held two educational and animated Risk Roundtable sessions in Los Angeles and San Francisco. And we were pleased to be joined by a mix of risk and IT representatives from many firms.
  • In Los Angeles, we spent our first hour discussing current risk trends and news in the US and the UK, including lively discussion regarding the challenges associated with laterals and mergers. Healthy interaction all around as participants discussed their specific challenges and, in some cases, provided potential solutions for others. It proved once again to be an excellent forum for exchanging ideas and viewpoints. John Steele, legal ethics and risk management expert, walked us through a discussion of the hazards associated with non-standard terms and conditions (a/k/a Outside Counsel Guidelines). He reviewed a number of recent court decisions that highlight the power of effective contracting with clients. Many thanks to John for showing us the implications of defining the "client," delineating scope and jurisdiction when multiple firms and vendors are involved, and the reach of exceptional terms.
  • In San Francisco, an excellent session brought together new and familiar faces. Brad Hise, Assistant General Counsel at O'Melveny & Myers, spoke about the challenges of lateral hires. John Steele was on hand again to discuss client contracting and how the Dupont Model has organized in-house counsel to generate common approaches. He encouraged law firms to come together and do the same. Finally, Rebecca Buchanan at Cooley shared some of their approaches with engagement letter management and other risk mitigation strategies.
The next Risk Roundtable session is currently scheduled for London in May.

Tuesday, May 1, 2012

2012 Law Firm Risk Surveys Underway (US, UK, Canada & Australia)

We're pleased to kick off the 2012 Law Firm Risk Survey program.

This year we're running four separate exercises, inviting risk and IT stakeholders at participating mid-sized and large firms in each of four geographies – US, UK, Canada and Australia.

The surveys explore several topics including risk priorities, risk policies and education, intake and conflicts management practices, lateral hiring and departures, confidentiality/information security management, and compliance tracking.

As with past surveys, all who participate will receive a copy of the final published report.

Invitations are going out this week. Please watch your inbox.