Wednesday, January 30, 2013

Cloud Collaboration Provider Box -- Taking Law Firm Information Risk Seriously


This week cloud collaboration provider Box announced 70% growth in law firm adoption of its service throughout 2012. As industry marketing director Julie O'Brien notes:
  • "Cloud technologies help legal CIOs consolidate a previously fragmented global infrastructure, and give attorneys the tools they need to work with clients anywhere, anytime, including on mobile devices."
  • She reports new customer additions include: Perkins Coie, Wilson Sonsini Goodrich & Rosati, and Gunderson Dettmer
As part of its efforts to address the specific information governance, risk and compliance needs of the legal industry, Box also announced a partnership with IntApp:
  • "Box is announcing a new relationship with IntApp, the leading provider of information security software for law firms, to offer compliance and control over documents shared via Box. Together, Box and IntApp will provide an integration that enables firms to proactively monitor lawyer and staff access to sensitive documents and notifies risk stakeholders about abnormal activity."
  • "Using the Box API, IntApp's Activity Tracker enables firms to set access thresholds on sensitive documents in Box and monitor excessive downloading of firm intellectual property, especially relevant to manage risk affiliated with impending lateral departures."

Tuesday, January 29, 2013

Linklaters Wins Award for Information Security and Risk Management Success

[via LegalWeek - free trial registration required]: The British Technology Award for "Best Use of Technology of the Year in 2012" went to Linklaters for its information security/confidentiality management implementation:
  • "The judges praised Linklaters in this category for ably managing a large and complex project that had a demonstrable relevance to the business. The magic circle firm took the prize following the culmination of a 14-month programme overhauling its client confidentiality systems and the way in which it manages its regulatory obligations."
  • "By introducing new technology and changing working practices regarding the way the firm manages information barriers and access control, Linklaters has increased its control over client confidentiality, as well as increasing productivity."
  • "The firm has launched a new software tool capable of tracking and managing what each team is working on and automatically locking down its global document management, time recording and matter management systems accordingly."
Linklaters is not the first firm to win an award for a confidentiality technology project. The prior year:
Who says there's no glory to be had in risk management? (Certainly none of our readers.)

Monday, January 28, 2013

More on Law Firm Information Security -- The Threats are Real, Are You Really Ready?

Hildebrandt highlights a recent PricewaterhouseCoopers white paper, which alerts: "Notice to law firms: Hackers want your secrets" --
  • “There is no question that law firms are among the companies being targeted by cyber criminals,” says Shane Sims, a director in PwC’s Forensic Services group."
  • "Mary Galligan, head of the cyber division in the New York City office of the FBI, agrees: 'As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry.'"
  • "Privacy and confidentiality are bedrock qualities for law firms. But the consequences of a security breach are obvious and painful: The theft of client information could be devastating to a firm’s reputation, which is their most important asset," says David Gaulin, co-leader of PwC’s Law Firm Services.
  • “Many law firms are moving to strengthen their defenses,” adds Gaulin.
The report notes the challenge that "...information sharing has been 'socialized,' meaning that people communicate information 'liberally and indiscriminately' across networks..." And it offers prudent advice including investing in user training, virus and spam protection, firewalls and defined incident response plans.

And, at the same time, it touches on issues we explored in a story last week -- the tension between the demand for frictionless internal access to information with the need to control, secure and manage sensitive material. In response to this tension, more firms are talking about creating a "hybrid" approach to internal information security to limit exposure to breaches or accidents.

The PwC report emphasizes this message as well, noting that firms should take a proactive view to limiting exposure and: "Run an analysis program that detects unusual behaviors, activities, or programs in the system."

Tuesday, January 22, 2013

Law Firm Billing Risk -- Fraudulent Manipulation

A few weeks ago we pointed out a story of risks tied to billing records: "Risks Tied to Law Firm Billing Record (or Lack Thereof)." Now comes a story about billing risk: "12-Month Suspension from the Bar, for Fraudulently Manipulating Billings to Get Bonus Money from Firm."

As the Legal Ethics Forum summarizes: "The lawyer "wrote up" his hours to meet internal cutoffs for bonuses, then surreptitiously "wrote down" the hours so the client would not get bilked. (Like the much discussed case, Board of Bar Overseers v. Warren, the new case has an issue about theft from the firm itself.)"
  • "Because his recorded billable hours exceeded 1,800 hours, Attorney Siderits participated in the bonus system in 2007 and 2008, earning ... [a total of] $46,978.04. After the Firm paid Attorney Siderits each of the bonuses, but before the Firm mailed his bills to his clients, Attorney Siderits reduced, or “wrote-down,” certain of his billable hours for the years for which the bonuses were paid."
See comments on original story and Legal Ethics forum for interesting discussion. As the article notes, given the particular fact pattern here, "the fraud here was on the firm, not on clients,"

We've commented previously on how firms can put technology controls in place to flag suspicious behavior and intervene before errors (intentional or accidental) create serious problems.

Monday, January 21, 2013

Law Firm Information Security: Alleged Breach Results in Malpractice Suit

We're seeing firms increasingly raise concerns about information security and prudent protective measures. Some are evaluating the move from a default open document management system towards a model where sensitive matters and information are more rigorously restricted.

From the Blog of the Legal Times comes a timely story on just this issue: "McDermott Facing Malpractice Lawsuit in Patent Dispute" --
  • "A former client of McDermott, Will & Emery is suing the firm for legal malpractice, claiming that a former partner improperly accessed confidential information related to patent applications and passed it along to family members."
  • "...former firm partner John Fuisz. Fuisz didn't represent Theranos, but Theranos and its chief executive officer, Elizabeth Holmes, accused Fuisz of using his position within the firm to access information."
  • "McDermott 'did not exercise reasonable care to prevent its employees, associates, and/or partners, including John Fuisz, from disclosing or using Plaintiffs' confidential information,' Theranos alleged in the complaint.
  • "In a written statement, McDermott partner and general counsel Alan Rutkoff said the firm 'is committed to maintaining the confidentiality of all of the information with which we are entrusted by our clients. The Firm tolerates no exceptions…. The Firm is aware of no misappropriation or any other wrongful conduct by Mr. Fuisz or by any other McDermott lawyer.'"

Thursday, January 17, 2013

Disqualification News

"Contract Attorney's Conflict Not Grounds for Disqualification" --
  • "A contract attorney for a plaintiff’s firm who had previously represented the defendant in the same case was not “associated” with her new employer such that her conflict could be imputed to the entire firm and disqualify it from the representation. Brown v. Florida Dep’t of Highway Safety and Motor Vehicles."
  • "'[N]ot every lawyer who is paid by a law firm to do work of a legal nature is ‘associated’ with the firm,' the court explained. 'An attorney to whom work is outsourced . . . ordinarily is not an associate.'"
  • "Reviewing the totality of the circumstances, the court explained that no one factor would be determinative in any case. Here, the attorney worked from home and was paid by the hour to help draft pleadings and briefs as needed. She set her own schedule. There was no expectation that she would have client contact or responsibility for any cases."
  • "In its analysis, the court acknowledged that relationships like the one at issue here are becoming more common. “[A]n increasing number of attorneys provide legal service in nontraditional settings. A rigid system that prevented the practice would serve little purpose,” reasoned the court."
  • "Though not discussed in Brown, another issue attorneys should consider is their public image. 'Conflicts rules are not just about confidential information; a big part of the conflicts rules are loyalty issues and the perception of loyalty by clients,' says Flowers. 'As lawyers we have to continue to be very aware from a professionalism perspective that we face some unflattering stereotypes and we have to be very careful that our actions don’t perpetuate those stereotypes. With regard to conflicts, it is very important that the public doesn’t think that we say one thing today and another thing tomorrow.'"
"Motion to disqualify law firm fails" -- Walker Digital, LLC v. Axis Communications, Inc. and On-Net Surveillance Systems, Inc., Civil Action No. 11-cv-558-RGA, November 21, 2012. --
  • "An attorney representing one of the defendants previously had served as patent counsel for the plaintiff and prosecuted patents while employed by Morgan & Finnegan. He did not work on any of the patents-in-suit or any of plaintiff’s patents directed to video surveillance technology, which is at issue in the current lawsuit. The court considered whether the current suit is the same or substantially related to any of the work performed by this attorney on behalf of the plaintiff well more than a decade ago and concluded it is not. Since there is no reasonable basis to disqualify this attorney it follows that there is no reason for his law firm to have screened him from the current representation."

Wednesday, January 16, 2013

Australian Risk Roundtable Set for Sydney in February


We're very exited to announce the inaugural Australian Risk Roundtable meeting, set to take place on Monday, February 25th in the Syndey offices of K&L Gates (formerly Middletons).

Sponsored by IntApp and K&L Gates, this upcoming event will provide a forum for local IT and risk professionals to connect in a collaborative environment. The theme for the morning is: “What keeps you up at night?” Presentations will explore international practices for risk management, incident response planning, client information security trends, and confidentiality management.

Attendees will gain insights into:
  • International trends and best practices for law firm risk management, including confidentiality management
  • The pros and cons of “open” vs. “closed” information security models
  • Industry ISO 27001 developments and approaches
  • How law firms are leveraging technology to advance risk management
This group will discuss practical, proactive recommendations that firms can take back and implement to mitigate risk and protect firm assets.

Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.

Tuesday, January 15, 2013

Law Firm Conflicts News & Updates

Eric Mosca of InOutsource, provider of information and records management consulting, recently published an overview essay in a recent ILTA white paper: "A Conflicts of Interest Primer" --
  • "Researching and evaluating potential conflicts of interest is a core aspect of every law firm’s business operations. Many firms struggle to adhere to rules in different U.S. and international jurisdictions."
  • "Pressure on attorneys to open matters quickly and meet billable hour quotas can also be in direct contrast to the careful analysis that some potential conflicts of interest require."
  • "Many clients are intimately aware of how conflicts of interest impact their outside counsel. Outside counsel guidelines are often provided to law firms detailing how conflicts of interest will be addressed, among a variety of other topics."
An interesting conflicts story from Australia: "Lawyer ordered off Sayers tax team" --
  • "A senior lawyer working with prestigious law firm Clifford Chance has been forced off the legal team defending mining contractors Ron Sayers and Peter Bartlett against tax fraud charges. Supreme Court judge Eric Heenan yesterday ruled the lawyer should immediately quit the case after the Commonwealth Director of Public Prosecutions office (DPP) outlined the practitioner's former work for the investigation that led to the two men being charged."
  • "Prosecutors went to court last month asking for the lawyer to be ousted after Clifford Chance continued to allow the practitioner to work on the case."
In this story, as later reported:
  • "The DPP claimed the lawyer had access to protected material and gave confidential legal advice for ACC's Operation Hardcastle, having been the DPP case officer from March 2007 to February 2008."
  • "As opposed to quietly switching the prosecutor to other work, Clifford Chance demanded the aggrieved prosecution agency detail what particular information the lawyer had become aware of in her old job and why it was contended to be confidential. And she was seen attending court hearings with the Sayers-Bartlett defence team, liaised with her former DPP colleagues about bail for the accused men and instructed Clifford Chance partner Ben Luscombe, the partner overseeing the defence team, on a suppression order application."
  • "The judge said no allegation of suggestion of actual impropriety or breach of confidence had been put forward by the prosecution and the proceedings had been initiated entirely as a protective measure."

Thursday, January 10, 2013

Rescinding Conflicts of Interest Waivers?

Here's another interesting story coming out of Imperial Valley, California, centering on calls to rescinding conflicts waivers issued to outside law firms. The story centers on deliberations by the Imperial Irrigation District’s (IID) Board of Directors: "Imperial Irrigation District to review its use of outside counsel" --
  • "'In closed session it was apparent that the IID wishes for the general manager to arrange for an independent review of its many and far-flung legal needs as they’re being handled by outside counsel,' Kelley said. 'Specifically, the board is concerned about the overreliance on one firm, Allen Matkins.'"
  • The board also rescinded a conflict-of-interest waiver between the IID and John Penn Carter of the law firm Horton Knox, Carter and Foote LLP and a letter of engagement between the IID and the law firm Allen Matkins, whose attorney David Osias represents the district in matters of litigation. Osias represented a number of clients in the Imperial Valley before signing a contract with the IID. A number of those clients are suing the IID.
  • "Carter had a conflict of interest waiver from the IID to represent the city of Vista and some Native American tribes."
  • "The resolution also calls for a review of the conflict of interest waiver granted to attorney William Kissinger by First Solar, a solar energy developer with whom the district has done business." [Ed: Internet investigation suggests Mr. Kissinger is a partner at Bingham McCutchen.]
  • "'I’m asking the board to rescind all conflict waivers and have them brought back to the board for approval,' Director Jim Hanks said."
  • "The district has come under fire before about its use of outside counsel, particularly Osias, whom IID critics have said has clear conflicts."

Wednesday, January 9, 2013

Risks Tied to Law Firm Billing Record (or Lack Thereof)

Another reader pointed out an interesting claim that came to light late last year: "Record Label Sues BigLaw Firms Over Billing Records" (free registration required to view complete article) --
  • "A record label recently lodged malpractice claims in New York state court, alleging that a lawyer who has worked at BakerHostetler, Troutman Sanders LLP and Gibbons PC failed to keep proper billing records, preventing the label from recovering legal fees in a prior suit."
  • "...alleging that Warshavsky did not maintain proper billing records related to the label's defense in a prior copyright case in Louisiana federal court, according to a malpractice complaint lodged Nov. 7."
  • "'Because Warshavksy failed to maintain proper records -- records that would have included copies of his firms’ billing statements -- TufAmerica was unable to prove to the satisfaction of the Louisiana state court that it had incurred the attorneys’ fees, and that those fees were reasonably related to its defense in the…federal court suit,' the complaint said."
  • TufAmerica Inc. v. Warshavsky et al., case number 157795-2012, in the Supreme Court of the State of New York, County of New York.
(And usually the complaint is about over billing...)

Our sister site, the Law Firm Finance Blog, has noted several stories about the role technology can play in improving time management, including automating lawyer time capture and sending alerts when lawyer behavior strays outside of the ordinary.

Tuesday, January 8, 2013

Hackers and Human Risk Factors (Canadian Firm Theft in the "Large Six Figures")

A reader sent word of this story reported in LawTimes: "Law firm’s trust account hacked, ‘large six figure’ taken" --
  • "In a scam never seen before in Ontario, a Toronto-area law firm lost “a large six figure” over the holidays after a virus gave hackers backdoor access to its bookkeeper’s computer. The virus copied bank account passwords as she typed them."
  • "The level of sophistication of this one was unbelievable,” says Dan Pinnington, LawPRO’s vice president of claims prevention and stakeholder relations...The virus 'tricked the [bookkeeper] into giving the trust account’s password to the fraudsters, allowing them essentially full access to the trust account, including the ability to go in, monitor it, and wire money to foreign countries shortly after deposits were made,'"
  • [via an ABA summary]: "the hackers used a Trojan banker virus to replicate a Web page for the Ontario law firm's actual bank. Then, when the bookkeeper entered the law firm's password, as prompted, the hackers, who were watching through their computer program, obtained it in real time and very soon logged onto the firm's actual trust account themselves...."
  • "Pinnington believes the hacking took place after the bookkeeper clicked on a link, opened an e-mail attachment or downloaded something as mundane as a screen saver from the Internet."
  • "The Trojan virus is known to realistically mimic U.S. bank web sites, but this time it was 'a major Canadian bank,' says Pinnington. It appears the swindlers also knew the firm had done banking with another Canadian bank, he adds, noting there was evidence they sought information on another bank account as well."
This example highlights a number of very real risks. The first is the stark reality that malicious forces are focusing specifically on law firms -- in our recent Los Angeles Risk Roundtable, the consulting team from Carlson and Wolf spoke specifically about information security threats facing law firms. These include malware like Trojan horses, spear phishing (email attacks that target a specific firm and contain key information like sender contact information, or bank details, to make them appear accurate and relevant), and Ransomware.

The second, of course, is the "human factor" -- this bank heist succeeded because at one point or another, someone likely clicked or downloaded something they shouldn't have...

Monday, January 7, 2013

Upcoming Risk Roundtable: Washington DC


Our October 2012 Washington DC Risk Roundtable event was cancelled due to Hurricane Sandy. We've rescheduled for Wednesday, January 23rd. This event is co-sponsored by IntApp and Ames & Gough.

Summary:
Many law firm IT and Risk Management professionals are taking a closer look at their information security strategy. While many firms have invested heavily in firewalls and malpractice insurance, many firms are considering cyber insurance, ISO 27001 certification and process and policy changes to address these new set of risks.

In this context, it’s vitally important that risk professionals continue to take steps to understand this changing landscape and minimize firm exposure. This session will explore how firms are responding to client concerns about data security, including re-evaluating the suitability of open access security models.

This forum will include presentations by:

  • Eileen Garczynski, Vice President of Ames & Gough
  • Pat Archbold, Head of Risk Practice at IntApp
  • David Greenberg, law firm risk consultant
This group will discuss practical, proactive recommendations that firms can take back and implement to mitigate risk and protect firm assets.

Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.