Thursday, February 28, 2013

Law Firm Insurance News: Cyberinsurance + Upcoming CNA Briefing (Chicago)

Cyberrisk continues to make headlines. From two lawyers at Baker Hostetler comes an interesting article on insurance: "What to Expect When Applying for Cyberinsurance" --
  • "While cyberinsurance is not a replacement for diligent in-house data security policies and procedures, prudent businesses should seriously consider it as part of their risk management program. In fact, even the process of applying for cyberinsurance can serve as a useful road map for a business to improve its data security processes."
  • "If the applicant shares confidential information with other companies, insurers will want to know if those business partners are required to demonstrate adequate security, indemnify the company for data breaches, and maintain their own insurance for breaches."

Also, our colleagues at CNA send word of an upcoming seminar they are producing:
  • On Wednesday, March 20, 2013, CNA, in conjunction with Levenfeld Pearlstein, LLC, will host a risk management roundtable seminar for midsize law firms (those with 35-125 full-time attorneys). CNA, as a leading professional liability insurer, recognizes that midsize law firms face specific challenges in managing risks and professional liability exposure.
  • We welcome partners, general counsel and/or other attorneys responsible for your firm's risk management, to this unique roundtable discussion.
  • Issues to be discussed include (among others):
    • Cultural challenges facing midsize law firms in today's lawyers professional liability world
    • Current claims trends against midsize law firms
    • Importance of client management and mitigating risk
The session will be held from 9 a.m.-11:00 a.m. at the offices of Levenfeld Pearlstein, LLC in Chicago, Illinois. If you are interested in attending, please contact Maryanne Brenna at Maryanne.Brenna@cna.com.

Wednesday, February 27, 2013

Upcoming Webinar: Impact of New 2013 HIPAA Omnibus Rules on Law Firms (CLE Eligible)

Our next webinar features a panel comprising speakers from Hunton & Williams, Carlson & Wolf and IntApp and will review recent HIPAA rule updates that create new requirements and challenges for law firms.

The 2013 HIPAA Omnibus Rule has raised the stakes for any law firm that provides services to the healthcare industry. Under the new regulations, law firms that interact with protected health information (PHI) are directly liable for compliance with the entire HIPAA Security Rule and select provisions of the Privacy Rule, including the requirement that uses and disclosures of PHI must be limited to the “minimum necessary” to accomplish an intended purpose.
Our speakers will review how key rule changes affect law firms and how law firms can best respond. Topics will include:
  • Analysis of key regulation changes that impact law firms
  • Explanation of HIPAA Security Rule requirements
  • Overview of breach notification requirements
  • Assessment of penalties for non-compliance
  • Overview of technologies available to remediate compliance gaps
  • Best practices for information security
Speakers:
We're pleased to feature several speakers, including Lisa Sotto from Hunton & Williams, who has been rated as the #1 privacy expert for three consecutive years by Computerworld magazine.


Date: Wednesday, March 13
Time: 9 am Pacific / 12 pm Eastern
Duration: 75 minutes

CLE CREDIT: As a certified CLE approved educator by the State Bar of California, we are able to provide California certificates to attendees upon request. (Attendees are responsible for confirming CLE reciprocity in their particular jurisdiction. We are happy to provide additional information required to receive credit outside of California, but attendees are responsible for researching and identifying information for their local jurisdictions and filing any necessary paperwork.)

Attendance is by invitation only. For more information, please contact: info@riskroundtable.com.

Monday, February 25, 2013

Risk Update: Audit Letters, Disqualification News


Mark Herrmann, Chief Counsel – Litigation and Global Chief Compliance Officer at Aon, offers a modest proposal: "Stop The Audit Letter Lunacy!" --
  • "When I worked at a law firm, I knew that lawyers’ responses to audit letters — in which the firm confirms to auditors the status of litigation pending against a client — were a massive waste of time."
  • "Every once in a while, a junior associate would receive an audit letter and write a real response to it — analyzing the lawsuit, the tactics, and who would win. When the powers that be learned about that mistake, there’d be hell to pay: 'How could you write those things? Didn’t you run this past an audit letter review partner? We don’t actually provide information in those responses, you fool! Never do this again!'"
  • "But I always assumed that someone — the client, the auditors, someone — thought those ridiculous letters served a purpose. Now I’ve gone in-house, and it turns out that audit letters serve no purpose at all..."
  • "But if I’m right on this subject, can we please stop the lunacy? If no one — client, auditor, or law firm — derives any value from going through the annual audit letter drill, then let’s stop already."

And Bloomberg notes a recent disqualification: "Firm’s Contacts With Tainted In-House Counsel Require Vicarious Disqualification From Case" --
  • "The Perkins Coie law firm must be disqualified as defense counsel in major patent infringement litigation because it presumably obtained confidential information about the plaintiff through its contacts with one defendant’s “outside in-house counsel” who previously represented the plaintiff in matters involving three of the four patents at issue in the lawsuits."
  • "Judge Dean D. Pregerson conceded that Perkins did nothing wrong and that the case did not involve a typical imputed disqualification scenario. But California law mandates Perkins’s removal on these facts, he concluded."
  • "Pregerson stressed that this decision was not attributable to any unethical behavior on the law firm’s part. Instead, he pinned the problem on two entities: OpenText itself and Crowell & Moring, a law firm that counseled OpenText and allowed one of its attorneys to work as a temporary “outside in-house counsel” for the company despite that attorney’s employment history, which included a stint on a patent litigation team with a firm that represented j2 in several similar disputes."

Thursday, February 21, 2013

Risk Update: Ethical Screens, Professional Rules


Ethical Screen Upheld in Screen-Unfriendly State
Bill Frievogel notes:

  • "Doe v. Regional School Unit, 2013 U.S. Dist. LEXIS 16700 (D. Me. Feb. 7, 2013). Firm A represents the plaintiff, Firm B the defendant. While at Firm B Lawyer worked more than a hundred hours on this case. Lawyer moved to Firm A. Firm A erected a screen although Maine rules do not recognize non-consensual screens. The defendant moved to disqualify Firm A. In this opinion the magistrate judge denied the motion. The court said that the defendant had not shown actual prejudice by Lawyer's move and seemed influenced by Firm A's screen. The court's analysis of the extent and nature of Lawyer's exposure to the defendant was very fact-intensive."
ABA Approves Ethics 20/20 Proposals on Foreign Lawyers, Choice of Conflict Rules
BNA provides this update:
  • "The ABA House of Delegates Feb. 11 put the organization's official stamp of approval on the second and final round of proposals from its Commission on Ethics 20/20 to update model ethics and bar admissions rules."
  • amend Model Rule of Professional Conduct 5.5, which addresses multijurisdictional practice, to permit foreign lawyers to serve as in-house counsel in the United States, so long as they do not give independent advice to their clients about state or U.S. law;
  • change the Model Rule for Registration of In-House Counsel to implement the new authority in amended Rule 5.5; and
  • update the Model Rule on Pro Hac Vice Admission to provide latitude for foreign lawyers to represent their clients in litigation in the United States, subject to numerous safeguards.

Wednesday, February 20, 2013

Holland & Hart Selects IntApp Wall Builder to Manage Information Security and Legal Holds

Holland & Hart LLP, a full-service law firm of more than 400 lawyers in 15 offices, has selected IntApp Wall Builder to enforce ethical screens and manage information security.

Said Holland & Hart Partner Wiley Mayne:
  • “We selected IntApp Wall Builder to help us enhance firm confidentiality practices and operational efficiency. Our firm takes its duty to protect client information rules seriously. Wall Builder’s automated security enforcement and extensive audit trail management will enable us to better comply with professional rules and demonstrate effectiveness of ethical screens without creating additional administrative burdens for our lawyers or staff.”
Pat Archbold, Head of IntApp's Risk Practice Group, added:
  • “We’re proud to add Holland & Hart to our growing customer community. By adopting Wall Builder, the firm is demonstrating its strong commitment to addressing client and professional confidentiality management and compliance requirements.”
For more information, see the official news release.

Tuesday, February 19, 2013

Event Reminder: Sydney Risk Roundtable Next Week


We've seen significant interest in next week's Australian Risk Roundtable meeting, set to take place next Monday, February 25th, in the Sydney offices of K&L Gates (formerly Middletons).

We currently have nearly 30 registrants from several firms. If you are a risk or IT leader at a qualified organisation, you're welcome to join us (space permitting at this point). Please contact info@riskroundtable.com for more details.

Event Details
Sponsored by IntApp and K&L Gates, this upcoming event will provide a forum for local IT and risk professionals to connect in a collaborative environment. The theme for the morning is: “What keeps you up at night?” Presentations will explore international practices for risk management, incident response planning, client information security trends, and confidentiality management.

Attendees will gain insights into:
  • International trends and best practices for law firm risk management, including confidentiality management
  • The pros and cons of “open” vs. “closed” information security models
  • Industry ISO 27001 developments and approaches
  • How law firms are leveraging technology to advance risk management
This group will discuss practical, proactive recommendations that firms can take back and implement to mitigate risk and protect firm assets.

Wednesday, February 13, 2013

Recent Ethics Opinions of Note -- Law Firm "Beauty Contests" and Cloud Services

New York Opinion: Formal Opinion 2013-1: Duties to Prospective Clients After Beauty Contests and Other Preliminary Meetings --
  • "Rule 1.18 codifies the established principle that New York lawyers owe duties to prospective clients even when no lawyer-client relationship ensues. Under the Rule, a lawyer who learns confidential information in a consultation with a prospective client may not use or reveal the information except to the extent permitted with confidential information of a former client, and the lawyer may not take on a materially adverse representation in the same or a substantially related matter when the information, if used in the matter, could be significantly harmful to the prospective client. These duties are less restrictive than the comparable duties owed to former and current clients in several respects, and ethical screens may be used to take on otherwise adverse representations."
  • "In this section we discuss the application of Rule 1.18 to three beauty contest scenarios, two in a litigation setting and the third in a transactional setting. Our analysis, however, is not limited to beauty contests and would apply in any situation where the prospective client communicates with a law firm about a possible representation (e.g., after making a request for proposal (RFP)), whether or not other law firms are approached."
  • "With regard to ethical screens, we stated in No. 2006-2 and continue to believe that such screens 'are an appropriate means to rebut a presumption of shared confidences or secrets' within a law firm. Thus, we believe that, if a law firm implements an ethical screen as contemplated in Rule 1.18(d), it may rely on the screen to comply with paragraph (b) as well as paragraph (c)."
The Florida Bar’s Professional Ethics Committee approves Advisory Opinion 12-3 approving cloud computing with caveats on confidentiality and other issues --
  • "The proposed advisory opinion concludes: 'In summary, lawyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained. The lawyer should research the service provider to be used, should ensure that the service provider maintains adequate security, should ensure that the lawyer has adequate access to the information stored remotely, and should consider backing up the data elsewhere as a precaution.'"
  • "Bottom line: this Proposed Advisory Opinion 12-3 on cloud computing should be finalized by the PEC at its meeting in June and will then be reviewed by the Bar’s Board of Governors. If it is approved by the BOG, the Advisory Opinion will become final."

Tuesday, February 12, 2013

Insider Trading & Confidentiality Management – Law Firm Data Privacy & Information Security Management

Law firm ‘wine and dine’ event with client led to insider-trading case against partner’s husband --
  • "The husband of a partner at a well-known law firm is facing an insider-trading case, after allegedly using information he obtained in connection with a planned 'wine and dine' event with a Silicon Valley client… The GC told one Baker partner, who told Baker partner Tonya Jacobs, who told her husband, Balchan, the complaint alleges. Jacobs, who worked at Baker & Hostetler from 1994 to 2012, is not accused of any wrongdoing, nor is the law firm, the Recorder reports."
  • "Such scenarios, partner Raymond Marshall of Bingham McCutchen told the legal publication are 'all too common' and emphasize the need to exercise care about what lawyers discuss in public. 'All firms, including ours, have a very vigorous standard of not discussing client business outside the firm,' said Marshall, who co-chairs his firm's white-collar investigations and enforcement practice group. 'That means no elevator speak. No conversations to be overheard at lunch. No Super Bowl party chat about what you're working on.'"

Illinois Disciplinary Commission Hearing Board reprimands lawyer for e-file confidentiality breach and failing to supervise non-lawyer staff --
  • "In July and August 2011, one of the lawyer’s several non-lawyer assistants prepared complaints and corresponding exhibits... The non-lawyer assistant was required to check a box in the CM/ECF system which stated that the filings were in compliance with Rule 5.2(a) of the Federal Rules of Civil Procedure, which requires that personal identifying information be redacted from all filings."
  • "The box was checked; however, the exhibits included loan documents that had personal identifying information, such as social security number, date of birth, and account numbers. In numerous complaints and exhibits, defendants’ personal identifying information was not redacted; therefore, the confidential information became available to the public and viewable on the court’s website."
  • "The lawyer stipulated that he failed to make reasonable efforts to supervise the non-lawyer and the process of redacting the confidential information."

Monday, February 11, 2013

Law Firm HIPAA / HITECH -- More Details, Developments and Advice

Following last week's post on law firm HIPAA implications with recent rule changes, come additional stories worth noting:

Law Technology News digs into greater detail on breach notifications: "The HIPAA Final Rule Is a Game-Changer for Breach Notification" --
  • "Your email inboxes have likely been flooded with updates regarding the U.S. Department of Health and Human Services' final rule to strengthen the privacy and security protections of health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."
  • "The Final Rule, among other things, enhances a patient's privacy protections, provides individuals new rights to access their health information, and strengthens the government's ability to enforce the law... The biggest change for everyone is probably the definition of a breach. Prior to the final rule, and up until March 26, a HIPAA/HITECH breach was defined as a use or disclosure that caused a 'significant risk of financial, reputational, or other harm.'"
  • "The final rule has changed the definition of a breach. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI or ePHI has been compromised."
Looking at steps organizations should take to mitigate new risks, business and technology analysis site GigaOM writes: "Are health care companies prepared for the new HIPAA privacy and security rules?" The article includes commentary from Kirk Nahra, partner and co-chair of Wiley Rein's healthcare practice group:

  • "Even though the ruling has been expected for some time, companies in the industry are all over the map when it comes to being prepared. Some have the security infrastructure, policies and documentation in place, he said, but others have a ways to go before being in compliance. Although the act goes into effect in March, companies don’t need to be compliant until September."
  • "To meet the new standards of the law, Nahra said, companies may need to evaluate the extent to which they encrypt data, train all employees on privacy and security, develop appropriate procedures for the disposal of information, designate a security official and implement appropriate contracts with subcontractors, among other tasks."
  • "'It’s a big deal,' said Nahra. 'The government hasn’t been incredibly aggressive about enforcing it, but they’re getting more aggressive.'"

Thursday, February 7, 2013

Playbook Knowledge and Law Firm Disqualification

Last year we highlighted an interesting debate on the extent to which “Playbook” knowledge can and should influence disqualification decisions.

We’re nothing if not consistently grateful for the good work Bill Frievogel does keeping on top of case law relevant to our community. Here are some interesting developments of note on this topic:

SHFL Entm't, Inc. v. Digideal Corp., 2013 U.S. Dist. LEXIS 6635 (D. Nev. Jan. 16, 2013).
  • "Plaintiff is suing Defendant for infringing Plaintiff's patent on a playing-card shuffling machine. Lawyer worked in-house at Plaintiff for two years, leaving in 2007. Lawyer is now counsel of record for Defendant. Plaintiff moved to disqualify Lawyer and his firm. In this opinion the magistrate judge granted the motion. The opinion is very fact-specific on the substantial relationship test… The court also gave substantial weight to the playbook nature of what Lawyer learned while at Plaintiff."
Childress v. Trans Union, LLC, 2012 U.S. Dist. LEXIS 182585 (S.D. Ind. Dec. 28, 2012).
  • "Class action under the Fair Credit Reporting Act ("FCRA"). Lawyer represents the class representative. From 2001 to 2005 Lawyer worked for two different law firms and worked on 250 of defendant's FCRA cases, billing some 4,000 hours. The defendant moved to disqualify Lawyer in this case."
  • "In this opinion the magistrate judge granted the motion. The judge compared the work done on those earlier cases with the work required in this case and, essentially applying the playbook test, found just too much overlap."

Wednesday, February 6, 2013

Canadian Conflicts News

Supreme Court of Canada to examine boundaries of ‘conflict of interest’ --
  • "The case, Canadian National Railway v. McKercher LLP, affects a wide range of clients — from large companies who must rely on the limited number of major firms in Canada’s legal market for representation in significant transactions and litigation, to consumers from rural and remote areas that are served by only a few lawyers."
  • "The case before the Supreme Court originated in 2008, when McKercher LLP, one of Saskatchewan’s top law firms, took on a proposed class action brought on behalf of a group of prairie farmers. The claim alleged that the Canadian National Railway and others overcharged the class for grain transportation for over 25 years. At the time, McKercher was acting for the railway in other matters, but subsequently withdrew from these cases. CN sought to disqualify McKercher from acting on the class action law suit."
  • "'It boils down to whether there is a categorical prohibition preventing lawyers from acting against clients in unrelated matters even where there is no risk of prejudice to the former clients, or whether the prohibition is merely a presumption that requires the lawyers to establish that no substantial risk of prejudice exists,' says Scott Joliffe, the Toronto-based chair and chief executive of Gowling Lafleur Henderson LLP."

Tuesday, February 5, 2013

Law Firm Information Risk and Security -- FBI + Financial Services Clients Raising the Red Flag

Several presentations at LegalTech New York last week focused on information security and risk management issues facing law firms. This coincides with two major stories about hacking as the New York Times, Wall Street Journal, Bloomberg and Washington Post admit to being hacked (allegedly by Chinese hackers).

Law firms manage some of their clients' more sensitive information. We've posted several stories and updates on firm hacking/security breach examples and warnings (here, here and here). Evan Koblentz published several updates from LegalTech, connecting the dots:

LegalTech Day Three: FBI Security Expert Urges Law Firm Caution:

  • "A computer security expert from the Federal Bureau of Investigation pulled no punches at LegalTech New York on Thursday." 
  • Said Mary Galligan, FBI Special Agent in charge of cyber and special operations: "We have hundreds of law firms that we see increasingly being targeted by hackers. The FBI puts great importance on this issue."
  • Adding: "The more mobility you have, the more documents you're sending through the internet, the more likely you are to be the victim of a cyberattack, and that's what we're seeing at law firms... The cyberthreat is too big for any of us to fight alone."
Law Firm Security Awareness
Next comes commentary from Carlos Rodriguez at Lathrop and Gage, and Mark Brophy at Rogers Townsend & Thomas, who describe how clients are driving their firms to respond to these threats:
  • Rodriguez notes: "It's important that all information technology employees at a firm deliver the same message, he added. 'We're trying to move from just having a compliance checkmark into transforming our organization,'"
  • "Brophy noted that his firm's clients, many of whom are in the financial industry, demand security audits. 'They are holding our feet to the fire. You have to have an awareness program and you have to provide materials about what you are teaching...You may have a partner who's a rainmaker and generates $1 million for the firm, but if he causes a breach, that's a $7.2 million liability.'"
  • "Behind the scenes, law firms are learning from the financial industry's best practices, he added. Several major New York firms met with Goldman Sachs earlier this month to learn additional security techniques, he said. Such meetings will probably recur on a regular basis, he said."

Monday, February 4, 2013

HIPAA for Law Firms – In 2013, Hipper Than Ever

Last December, the folks at Carlson and Wolf noted that impending new rules from the Department of Health and Human Services promised to heighten the profile of HIPAA/HITECH for law firms in 2013. See the excellent series they've published for background and latest news:
Now, as predicted, the rules have been refined and tightened, with significant implications for law firms that store, manage or come in contact with personal health information. As the Hogan Lovells privacy blog summarizes:
  • "In the most significant change to HIPAA since the law was enacted, the Department of Health and Human Services issued an omnibus HIPAA regulation, which will require substantial operational changes for HIPAA covered entities and their business associates."
  • [These include]: "Changes to the data breach rule will make more incidents reportable. Business associates are directly liable for HIPAA violations and business associate agreements must be modified."
In part 3 of their series, Carlson and Wolf go into greater detail -- The Coming Storm of Regulatory Oversight:
  • "...the HITECH Act changed the game for Business Associates (BAs), including the many law firms acting in that capacity. BAs now have a legal obligation to comply with provisions of HIPAA and are subject to direct regulatory oversight... Lawyers acting as BAs face the added challenge of having to reconcile their obligations under the applicable Rules of Professional Conduct with potentially conflicting obligations under HIPAA/HITECH."
  • "As a result of the HITECH Act, the maximum civil monetary penalty for a single HIPAA violation rose from $100 to a much more serious $50,000. Monetary penalties and settlements for HIPAA violations now go directly to fund future enforcement efforts, which gives regulators an incentive for vigorous enforcement."
  • "Some firms have already done as [Office of Civil Rights] Director Rodriguez advises. We encourage other firms to take this opportunity to evaluate their compliance posture and develop plans to address any gaps. The alternative--remaining unaware--could be quite costly. (As you may recall from our last post, the HITECH Act established a tiered penalty scheme with greater penalties for higher levels of culpability. Violations made with willful neglect are subject to the highest penalty tier.) When asked why an organization wouldn't be better off remaining ignorant about its security problems, Rodriguez offered the following:
    • 'I think that's why I'm here…We're looking for that high level of sensitivity [to security issues]... Another one of the big audit findings was activity monitoring, and failure to conduct activity monitoring was a consistent issue. . . So we are looking at that issue, and that is an issue that could easily turn into an enforcement issue.'"