Friday, June 28, 2013

Report from Recent Toronto Risk Roundtable

Last week, we held a Risk Roundtable Toronto. Many thanks to Goodmans for hosting. The event featured engaging presentations on risk issues including conflicts clearance for lateral transfers, the rise of alternative business structures, outcomes-focused regulation, professional responsibility and cloud computing, and evolving protocol for compliance with Know Your Client requirements. Kathryn Hume, who manages and moderates these Risk Roundtables, sends this update:
  • Dan, I'm pleased to report back a successful Toronto Risk Roundtable. Goodmans generously agreed to host our group of risk managers and technology leaders. A special thanks to Eugene Cipparone, Director of Professional Support at Goodmans, who brought together this group of Toronto-based risk leaders.
  • Malcolm Mercer, General Counsel at McCarthy Tétrault and bencher of the Law Society of Upper Canada, began the discussion with an overview of key activity currently taking place in Canadian regulation. Malcolm discussed a letter Susan Grundy, General Counsel at Blakes, recently sent on behalf of sixteen firms to the Law Society of Upper Canada to request clarification of the Rules of Professional Conduct to permit “limited disclosure [of work done by a transferring lawyer] for the purpose of clearing conflicts,” a shift in protocol to accommodate the rise in lateral transfers. Malcolm also touched briefly upon the Law Society’s current discussions to potentially accept alternative business structures in Canada and to adopt an “outcomes-focused” approach to regulation similar to the Australian paradigm.
  • Simon Chester, Partner in the Litigation and Business Law groups of Heenan Blaikie, spoke about the continued trend of clients mandating specific terms of business in their Requests for Proposals (RFPs). As RFPs frequently restrict firms from accepting future business with a vast set of business competitors, firms struggle to balance short-term objectives with the long-term strategy (e.g. accepting business with certain financial institutions within the financial services practice group could cripple opportunities for the insolvency practice group in the future). Simon also spoke about how law firms can achieve their professional responsibility obligations in the age of the cloud, recommending the Law Society of British Columbia’s 2012 Cloud Computing Report and 2013 Cloud Computing Checklist as the best available resources on the subject. Simon highlighted that firms should pay special attention to the contractual provisions they establish with hosted service providers to ensure they can fulfill compliance obligations required by their respective Law Societies.
  • As our event took place just after the publication of the CBA Legal Futures latest report on emerging trends, the topic of cloud computing ushered in a general debate about how regulatory bodies should adapt policies and rules to accommodate new technologies and practices. As it stands, the American Bar Association and the 14 U.S. states (Florida’s impending opinion will make 15) that have delivered opinions on the cloud require “reasonable” and “adequate” protection to protect client confidentiality. We hope to use Risk Roundtables across the globe as a forum to define just what “reasonable” standards look like so that firms can maintain their commitment to excellent standards of client care while embracing new technologies to improve client service.
Kathryn looks forward to the upcoming Autumn Roundtable series. Stay tuned for updates!

Thursday, June 27, 2013

Consequences of Security Breach at Major U.S. Law Firm

Here's another fascinating article from former AmLaw 100 CIO and CKO Jeffrey Brandt. He writes of receiving "...a short, unsigned handwritten note and a printout of an internal memo sent via email," in "Consequences of a security breach at a major U.S. law firm?" --
  • "I agreed with the anonymous source that there was value in sharing it with the larger community.  I scanned and OCR'ed the printout and eliminated the names and other pieces of information that might identify the firm.  Right now I don't want to be the one to "out" the firm."
    • "Security is something we at [law firm name] take very seriously.  As you know the firm represents [US defense industry], [global banking concern], [several hi-tech companies] and numerous other sophisticated, high profile clientele."
    • "While it was not widely disclosed, you may know that agents from [banking/securities firm] have been working with the firm on an information risk assessment.  The firm routinely answers periodic client security audits from many of our clients around the world.  This however, was not a routine audit."
    • "Within a week, not only did we have confirmation of a cyberattack, a significant breach to our internal systems, but collaborating information from the FBI that highly sensitive client/matter data was posted and available to [foreign market]. By [state] breach and notification laws, as well as our own ethical responsibilities, the client was immediately notified. A special team organized by [client] has been working with us to assess the damage."
    • "As a result of the study, conversations with the FBI, internal discussions at the highest level, as well as input from our former client, the firm has decided to undertake some significant changes to our information governance and most specifically, our information access and security."
  • "Pretty intense memo wouldn't you agree?  I'm not sure there is any other way to adequately describe it - being hacked sucks.  Having your client data stolen and posted in a not so friendly foreign country ruins your day.  The ramifications of the loss of a big, long time client is bad enough.  While there is a call for media control at the end, there is no way something like this can be contained for long.  Nor that it can be spun, not when the FBI has confirmed to you and your client that their data is out there.  I would bet that GC has already spoken to a few of his close GC friends and given them a warning.  The potential loss of confidence to the other firm clients is simply mind numbing."
  • "The changes are sweeping and invasive, meaning the breach, on a scale of 1-10, was probably an 11.  The scope is massive and the memo hints that this isn't all of the changes.  The memo has not one signature, but four."
See the complete article for more detail and the scrubbed version of the memo Jeff references.

Update (6/28): Jeff has published an update to his essay, confessing that the exercise was a creative fiction designed to draw attention to these issues by spinning a plausible story, à la "War of the Worlds."

Wednesday, June 26, 2013

On Crafting Effective Advanced Conflicts Waivers

BNA's recent update highlights an article by the team at Hinshaw & Culbertson, well worth reading in full, for those interested in the topic. "A ‘Safe Harbor’ for Future Conflicts Waivers" --

  • "Galderma Laboratories, L.P. v. Actavis Mid Atlantic LLC, ___ F. Supp.2d ___, 2013 WL 655053, 29 Law. Man. Prof. Conduct 114 (N.D. Tex. Feb. 22, 2013), enforced a relatively short form future conflicts waiver given by a legally sophisticated business client after review by the client's in-house counsel. Whether this opinion is regarded as a step forward, a step back, or just marching in place, it raises the question of how much disclosure should clearly be “more than enough” for future conflicts waivers to pass muster in the absence of truly extraordinary circumstances. This article seeks to answer that question."
  • "As already noted, our goal is to present a letter that will be 'more than enough' for future waivers to be effective. We also want to stress that there is no pride of authorship here. What is important is the substance of the communication, not the specific words used."
  • "The court then analyzed whether this advance waiver gave enough information to support informed consent and whether the information was reasonably adequate for the particular client. The court effectively decided this case under the ABA Model Rules even though it took note of the fact that the Texas Rules of Professional Conduct do not require any informed consent for concurrent representations of adverse parties in unrelated matters."
  • "Internal Screening. In almost all instances, the lawyers at a firm who work for a client that is asked for a future conflicts waiver will not be the same lawyers who would expect to represent other clients in matters adverse to that client... It therefore is minimally burdensome for the law firm to guarantee or agree that the lawyers who work for a client from whom a waiver is being requested will not simultaneously work on any matter adverse to that client and will not share files or discuss their respective assignments with lawyers who do. Where practicable, this kind of voluntary screen should also include paralegals and support staff."
  • "Law firms are well advised to be clear about what they want and not to ask for more than they need. Based on our experience, one of the reasons in-house counsel sometimes reject future conflicts waiver letters is that they appear to be too open-ended or to go further than in-house counsel believe the law firm really needs. In such situations, 'half a loaf' may be a whole lot better than no loaf at all."

Tuesday, June 25, 2013

Big Banks are Worried about (Potentially) Big Law Firm Information Security Gaps

From Corporate Counsel, here's another in a long line of stories about clients taking a greater interest in specific security practices followed by law firms, including the growing trend of "Bring Your Own Device" (BYOD), which has resulted in the proliferation of iPhones, iPads, cloud storage services (Box, Dropbox, etc) and more: "Outside Counsel Who BYOD Worry Big Banks" --
  • "That’s the anti-Bring Your Own Device message the country’s biggest banks and financial institutions are trying to convey to their law firms, according to the global chief operating officer of Goldman Sachs’s legal department."
  • "'Everyone on Wall Street' uses separate devices for business and personal data, he said. But the law firms they hire as outside counsel haven’t gotten on board, he complained. The firms are apparently worried that they will be at a 'competitive disadvantage'—especially when recruiting talent—if they agree to enforce stricter data-security standards for smartphones, tablets, laptops, and other digital devices."
  • "Panelist Lani Quarmby, associate GC who oversees outside counsel management at Bank of America, said she and her colleagues spend lots of time talking to law firms to see how they’re protecting data. 'Can you imagine if a law firm had a breach' of their clients’ confidential information? 'We wouldn’t work with them again,' she said."
  • "Rose Battaglia, global chief operating officer responsible for Deutsche Bank’s legal and compliance departments, also chimed in. For the first time her team is being asked to perform risk assessments of their law firms. In a world where companies are responsible for the behavior of their vendors, law firms are among the last vendors they’re assessing, she said."
  • "Isaacs [Goldman Sachs] said that companies understand that federal regulators are eager for them to resolve the issue. He has a sense that if companies don’t, the regulators will step in and impose a solution for them."

Monday, June 24, 2013

Ames & Gough on Law Firm Malpractice Trends

  • "Although the frequency of legal malpractice claims appeared to be leveling off a year ago, most insurers of U.S. law firms now report the number of such claims is increasing, including those involving multi-million-dollar payouts."
  • "A new study by insurance broker Ames & Gough finds most leading legal malpractice insurers had more claims in 2012 than the prior year, including a significant increase in claims in excess of $50 million."
  • "In its third annual survey of lawyers’ professional liability claims, Ames & Gough examined the trend by polling seven of the leading Lawyers’ Professional Liability insurance companies that on a combined basis insure more than 80 percent of the AM Law 250 firms. Five of the seven insurers indicated their company has more than 21 claims of $50 million; one has more than 11 such claims."
  • "Altogether, six of the seven insurers reported a year-over-year increase in the number of claims of $50 million or greater. Of the six insurers, three indicated the number had increased by 11 percent or more; and of the three, one reported a 50 percent increase in such claims."
  • "The insurers participating in the Ames & Gough survey were: AIG/Lexington, Alterra, AXIS, Beazley, CNA, Ironshore, and Swiss Re Corporate Solutions. Copies of the survey, Lawyers’ Professional Liability Claims Trends: 2013, may be obtained free of charge by emailing requests to: Those requesting the survey should include their name, title, affiliation, and phone number, and state 'LPL Claims Survey 2013' in the subject line."

Thursday, June 20, 2013

Unfriended - Conflicts Allegations & Disqualifications in the News

"Facebook says lawyers in derivative case have conflict" --
  • "After Robbins Geller Rudman & Dowd lost a bid to lead an investor class action against Facebook over its $16 billion IPO, it hit back with a derivative lawsuit against Facebook's directors."
  • "Now Facebook is trying to have the derivative lawsuit thrown out, saying in part that Robbins Geller's foray into the class action counts as a conflict in the derivative lawsuit."
"CalPERS wins round in city's bankruptcy case" --
  • "A bankruptcy judge in Riverside granted CalPERS' request to ban the Winston & Strawn law firm from representing bond insurer National Public Finance Guarantee Corp. because of a conflict of interest. The firm had hired a lawyer who used to work for CalPERS on the San Bernardino and Stockton bankruptcies."
  • See previous coverage and background.
"Hennepin Co. commissioner voted for contracts tied to wife's law firm" --
  • "Hennepin County Commissioner Peter McLaughlin has repeatedly voted for multimillion-dollar trash-disposal agreements tied to the law firm where his wife works — and never disclosed the connection."
  • "The contracts are with Great River Energy, which owns the Elk River processing plant where Hennepin County sends garbage to be converted into electricity. The company retained McLaughlin’s wife, Nancy Hylden, and her law-firm colleague Richard Forschler, as lobbyists in the fall of 2009 as Great River made a desperate pitch to keep the county’s business."
  • "Hylden said that while she initially provided some 'strategic counsel' on energy issues, she’s never lobbied her husband — and hasn’t worked for Great River in years, although she continues to register herself as a lobbyist with the company in the interest of disclosure. Forschler, who works with her at Faegre Baker Daniels, took the lead in setting up meetings between Great River and county commissioners, including McLaughlin."

Wednesday, June 19, 2013

Canadian Bar Association on "The Future of Legal Services"

With our Toronto Risk Roundtable taking place today, timing is right to highlight the Canadian Bar's latest update in its Legal Futures Initiative: "As part of our multi-phase project, we have conducted extensive research and analysis to understand the current legal environment in order to identify and understand what’s driving changes in the legal marketplace."

The report is now live: "The Future of Legal Services in Canada: Trends and Issues," and touches on issues facing multiple geographies --
  • "The challenges brought on by globalization and technology will also affect the regulation and oversight of the legal profession. Developments such as multi-jurisdictional practices (MJP) will require more cooperation and harmonization, nationally and internationally. Law firm ownership by non-lawyers will raise professional and regulatory questions regarding competence, conflicts of interest, confidentiality, independence, and fidelity to law and other related issues."
  • "There is increased thinking about achieving better regulatory outcomes by focusing on enhancing the 'ethical infrastructures' of law firms. This would prevent misconduct before the fact, rather than meting out punishment after the fact as a result of client complaints. While penalties to individual lawyers may be appropriate, law firms themselves also play a role either directly or indirectly."
  • "Choosing to adopt the newest forms of technology may not be an option for most lawyers and firms in the future. An entire generation has expectations that service providers will conduct business in a way to which they have become accustomed – quickly, directly, and online. One issue that must be considered are new standards for privacy, generally thought to be lower among younger people. This change may challenge established rules for older lawyers and more traditional law firms and legal organizations in areas such as client confidentiality and privilege."

Tuesday, June 18, 2013

Beazley on Evolving Standard of Care for Firm Information Security

Brant Weidner with professional liability insurance business Beazley sent a link to their latest brief, which includes a featured article on the evolving standard of care for law firm information security:
  • "The standard security model traditionally adopted by law firms focused on preventing an external breach. Firms invested in tools like firewalls to safeguard external network perimeters from attack and granted lawyers and staff “open-by-default” access to client information maintained in repositories like the document management system (DMS)."
  • "The prevention security model no longer suffices to mitigate the cyber risk generated by mobile devices, cloud services, lateral departures, matter centricity (e.g., a central document management system) and sophisticated hacking techniques. Instead, firms are increasingly adopting a data-centric information security approach, managing information more tightly and often restricting access to sensitive client information to only those lawyers and staff who need it to carry out work."
  • "Although law firm cultural preferences and business needs may justify an open-by-default information access model, clients and regulators are pushing for (or requiring) much more restrictive and protective approaches to content security. Firms therefore find themselves caught in a nexus of competing demands, with management struggling to find a reasonable solution that balances collaboration and compliance."
  • "In the past five years, client outside counsel guidelines and client audits have become more commonplace and more stringent. This creates extensive challenges for law firm risk managers, who must ensure that the proper policies and controls are in place to accord with client requirements. Financial services clients are reportedly the most stringent regarding security protocol for protecting sensitive information. Indeed, many firms report that client audits now extend far beyond yes/no questionnaires and can include month-long examinations to verify both controls and overall user training and awareness."

Tuesday, June 11, 2013

Reminder: Toronto Risk Roundtable (June 19)

Just a reminder that our upcoming Canada Risk Roundtable is set Wednesday, June 19th at the offices of Goodmans LLP.
At this session, Malcolm Mercer (General Counsel, McCarthy Tétrault) and Simon Chester (Partner, Heenan Blaikie) will join IntApp to lead a discussion about emerging trends in law firm risk management and compliance.
Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact for more details.

More on Information Security -

Industry expert Jeffrey Brandt, a former AmLaw 100 CIO and CKO with 25+ years' experience in these matters, recently weighed in on current information risk trends with a two-part piece: "Why Law Firm Security Makes Good Business Sense [part 1] [part2]" --
  • "I will be the first to admit that getting senior law firm management to develop a security conscious mindset can be tough. Many leaders have the attitude that 'it won't happen to me.' It is often seen as costly insurance or an unnecessary expense. Worse still, it’s seen as useless, as an impedance to work, an unwanted inconvenience. But times are changing. Security and awareness must change too."
  • "Recognizing the value and importance of security, corporations are requiring more answers from their outside counsel via security audits. Brief and sporadic to begin with, audits have become more frequent, more common and in some instances, much more complex. The first client security audit I ever answered was back in the early 1990s. That audit was nothing compared to the ones of today."
  • "Some firms like White & Case and Bond Pearce have achieved ISO 27001 certification and now use that as an aid in answering these complex audits. They also use it in their marketing, as a differentiator."
  • "Law firms, with the deserved reputation as corporations 'weakest link,' certainly have a lot of catching up to do, but I am happy to report that there are signs that the security winds continue to shift. More and more when I talk to CIOs, the topic of security is one that they bring up."
  • "The LTN/American Lawyer Law Firm Chief Information & Technology Officers Forum earlier this year put it well, 'Security needs to stop being considered a business impediment and start being viewed as a sound business decision.'"
  • "Good security is a sound business decision. Partner convenience should not always trump security. The winds of change are here. Will you join the movement or just end up as one of the statistics?"

Monday, June 10, 2013

Law Firm Information Security -- Bank of America is Serious, Scrutinizing (and Auditing)

Corporate Counsel shines a spotlight on information security, sharing highlights from its recent General Counsel Conference: "Outside Law Firm Cybersecurity Under Scrutiny" --
  • "Bank of America Merrill Lynch is auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators to do so, according to the bank’s assistant general counsel Richard Borden."
  • Borden says that law firms are "considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information."
  • "Regulators at the Office of the Comptroller of the Currency, which oversees BofA and other financial services companies, 'have focused on law firms,' Borden said. 'They are coming down on us about security at law firms. So we have no choice but to check the information security and to audit—to actually audit—the information security of our law firms that have confidential information. We spend a lot of money and use a lot of law firms, so this is casting a very wide net.'"
  • "'It’s been really interesting dealing with the law firms, because they’re not ready,' said Borden, who is the bank’s in-house cybersecurity lawyer and is assisting the group that’s reviewing BofA’s outside counsel. 'Some of them are, I should say, but there are many that aren’t. And it actually does pose a threat.'"
  • "And the bank isn’t simply relying on the law firms’ own audits of their information security practices. 'We’re really looking at their whole structure and focus on information security, and we test it. We send in people to test it,' Borden said."

Wednesday, June 5, 2013

Information Barriers in the UK -- A Brief History and Recent Trends

A reader sent a link in to an interesting article just published in The Lawyer: Information barriers - approach with caution, which reviews the history and complexities in this market and asks: "The ‘Chinese walls’ technique is still widely used at top firms, especially on private equity deals. Did the great M&S conflict debacle of 2004 really change anything?" --
  • "Yet the incident appears to have done little to ward off firms from using Chinese walls as a prevention for conflicts or confidentiality breaches. Indeed, these seem even to have grown in popularity as firms eye revenues from bidding processes in which a number of companies are tendering. This is perhaps most common for firms majoring in the prime domain of competitive bidding: private equity. Indeed, the concept of the Chinese wall harks back to the late 1980s when banks lent to multiple M&A clients, including private equity houses, bidding against each other to take companies over."
  • "According to Weil Gotshal & Manges London private equity partner Marco Compagnoni, the nature of deals in his sector is such that the practice area’s leading firms would be foolish to minimise their role when one of a number of bidders could end up buying the company or asset. 'Where there is a competitive auction lots of companies will start out needing lawyers,' Compagnoni explains. 'As the field narrows, [if you put up an information barrier] you’re not shut out and the clients aren’t shut out either. It happens all the time. We only do it if the client in the engagement letter has accepted you can do it.'"
  • "For Herbert Smith Freehills (HSF) partner Mark Bardell, a system aligned across the network is crucial, with the firm going beyond the letter of the law to ensure client confidentiality. 'For us, because it’s such a sensitive issue you apply best practice - you don’t just do what the rules say - and you apply that best practice wherever you are,' says Bardell, who recently experienced informational separation on Ithaca Energy’s £203m acquisition of Valiant Petroleum, announced earlier this year."
  • "The corporate partner acted for Valiant but worked on the other side of a Chinese wall from finance partner Jason Fox and senior associate Olivia Caddy, who advised Ithaca’s lenders, Banc of America Securities, BNP Paribas and Bank of Nova Scotia. The situation was made more unusual by the fact that Fox resigned to join Bracewell & Giuliani halfway through the deal."

Tuesday, June 4, 2013

Managing Law Firm Risk When Handling Personal Information

A reader sent in a link to an excellent article published by CNA, written by three lawyers from Hunton & Williams, including Lisa Sotto, head of their privacy and information management practice, and past risk webinar participant: "Law Firms Face Risks in Handling Personal Information" --
  • "Law firms may collect, use and disclose personal information in numerous circumstances, both as providers of legal services and as employers. In safeguarding personal information that pertains to their employees or clients, or other individuals, law firms must comply with applicable privacy and information security laws as well as their professional duty of confidentiality. The article provides an overview of potential legal issues that law firms may encounter."
  • "The article also touches on privacy and information security laws outside the United States, including the legal requirements relevant to cross-border transfers of personal information."
  • "The final topics the article addresses are examples of privacy and information security enforcement actions, including judicial enforcement of professional ethics rules, and a brief discussion of some of the key pending privacy and information security legislative initiatives."

  • "Regardless of the circumstances in which a law firm handles personal information, the firm must appropriately safeguard the information to protect the interests of the firm and its clients. Law firms are uniquely positioned in that their need for adequate privacy and information security procedures arises not only from the obligations imposed by privacy and information security laws. Lawyers are bound by a professional duty of confidentiality, which is a paramount component of the attorney-client relationship."
  • "A law firm’s failure to safeguard personal information that results in an unauthorized disclosure may result in not only a legal enforcement action against the firm, but financial and reputational harm to the firm’s clients and, potentially, irreparable harm to one of the firm’s most valuable assets – its reputation."
See the complete article for more detailed discussion, analysis and citations.

Monday, June 3, 2013

Morgan Lewis Accused of Conflict by Client (Apple, Inc.)

In yet another conflicts story making news in the general press, Morgan Lewis stands accused of an ethical breach. As reported by Ars Technica and several other publications: "Apple, betrayed by its own law firm." --
  • "Court documents unsealed this week reveal who's behind FlatWorld, and it's anything but typical. FlatWorld is partly owned by the named inventor on the patents, a Philadelphia design professor named Slavko Milekic. But 35 percent of the company has been quietly controlled by an attorney at one of Apple's own go-to law firms, Morgan, Lewis & Bockius. E-mail logs show that the attorney, John McAleese, worked together with his wife and began planning a wide-ranging patent attack against Apple's touch-screen products in January 2007—just days after the iPhone was revealed to the world."
  • "The whole time she was advised by her husband, a lawyer who had access to reams of confidential Apple data—but who says he never touched it. (Apple doesn't see it that way.) Together, the McAleeses created 'an indirect and covert pipeline' of information pumped to FlatWorld's attorneys according to Apple lawyers. Now Apple wants FlatWorld's law firm, Seattle-based Hagens Berman Sobol Shapiro, kicked off the case."
  • "McAleese's involvement has become a very big deal, though, and it could get bigger. Apple fired off subpoenas to Morgan Lewis, and the firm—likely desperate to save its relationship with a premier client—worked quickly to get the evidence Apple wanted. Morgan Lewis handed over McAleese's relevant e-mails and files. When Apple had questions about metadata in a letter signed by Jennifer McAleese, Morgan Lewis gave Apple the confirmation it needed. (That letter, seeking to license a patent to someone named 'Michael,' had been edited by John McAleese, user MCAL5094.) That's when Apple started its all-out effort to argue that McAleese's connection to Morgan Lewis should halt the FlatWorld case, at least until FlatWorld gets new lawyers."
As with many of these stories, public opinion can weigh heavily. Legal news site Above the Law weighs in:
  • "I say 'allegedly' not to suggest there’s any question over whether the partner owned the trolling company, but because the partner claims he had no involvement in the decision to sue his firm’s most prominent tech client. Even if he didn’t, it hardly sounds kosher."