Wednesday, November 20, 2013

Law Firm Information Security -- UK Edition


Two interesting updates on law firm information security in the UK:

Government surveillance threatens law firms’ cloud data security, regulator warns
  • "Widespread data snooping by the US National Security Agency (NSA), as revealed by whistle-blower Edward Snowden, could threaten the security of cloud computing for law firms acting in confidential merger negotiations, the Solicitors Regulation Authority (SRA) has warned."
  • "In a detailed paper on the risks associated with cloud computing, Silver Linings: cloud computing, law firms and risk, the authority concluded that due diligence over outsourcing data processing, such as cloud computing – the use of the internet to store data remotely – should take into account government surveillance as a risk factor."
  • "The authority highlighted confidential merger negotiations conducted by a law firm as potentially at risk from NSA spying activities, which it said were rumoured to have led to data 'being passed to commercial organisations for business advantage', although that had been officially denied. 'With the heightened need for confidentiality of law firms, this represents a challenge to their ability to use cloud services,' it said."
UK Law Firms Less Prepared Than Other Sectors For Cyber Attacks, But Can Mitigate Risk, Survey Says --
  • "Law firms are in a unique—and perhaps precarious—position when it comes to cyber security. They not only have to protect their own electronically stored information, but they have a responsibility to protect the information of their clients as well. Are law firms doing enough? According to a recent survey of UK law firms, while 68 percent of law firm employees think firms are a likely target, only 35 percent have a response plan in place for an attack."
  • "'Locked down? A Closer Look at the Rise of Cyber Crime and the Impact on Law Firms' was produced by Legal Week in association with digital security firm Stroz Friedberg. Views of more than 370 senior business people were collected for the report, almost half of which worked in the legal profession."
  • "'The failure of UK law firms to tackle online security is leaving clients increasingly vulnerable to attacks,' Seth Berman, executive managing director of Stroz Friedberg, said in the report. 'As custodians of clients’ intellectual property and commercially sensitive information, law firms are particularly attractive to hackers.'"
  • See also: video summary and discussion of the report.

Tuesday, November 19, 2013

Canadian Court on Client Rights and Lawyer's Files

Interesting update and commentary from the University of Calgary Faculty of Law Blog: "Client Rights and Lawyers’ Files." Commenting on a recent decision: Royal Bank of Canada v Kaddoura, 2013 ABQB 630 --
  • "In a recent decision, Master Prowse held that a client who sues a lawyer may obtain production of documents from the files of other clients of the lawyer. The production of specific documents may be resisted on the basis of solicitor-client privilege. Master Prowse did not, however, impose any requirement that those clients be given notice of the production of documents from their files, did not consider whether the documents contain confidential (as opposed to privileged) information, whether the documents are properly considered to be in the 'control' of the lawyer, or assessment of the risk of prejudice to the legal interests of those clients from disclosure."
  • "In short, the judgment appeared to give no weight or consideration to those clients. This result is unfortunate, and inconsistent with the usual respect afforded to the confidentiality of lawyer-client communications."
  • "The key point I am making here is that in any circumstances in which a court or party is producing information from a client’s legal file, and is doing so without representation of that client’s interests, there are reasons to be seriously concerned… At minimum, the client whose information may be producible as a consequence of a ruling such as this ought to be notified, and given the opportunity to object.  More substantially, the default position should be that information in a lawyer-client file is not producible, absent some basis for production of specific information in that file."

Monday, November 18, 2013

Webinar Recording: Complying with HIPAA "Minimum Necessary" Standard

For those who missed the live presentation and discussion, we have a recording of our recent webinar: "Complying with the 'Minimum Necessary' Standard of the HIPAA Privacy Rule," presented in conjunction with the International Legal Technology Association (ILTA) Legal Security Initiative --

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, mandates that protected health information should be used or disclosed only to satisfy a particular purpose or carry out a particular function. Complying with the minimum necessary standard poses particular challenges to law firms, often forcing them to modify practices for collecting client information and securing it throughout the matter life cycle.
  • This presentation explains why the minimum necessary standard is important and how it impacts common law firm operations.
  • Speakers include Kathryn Hume from Intapp, moderator of several recent Risk Roundtable sessions, and Brian Donato, Chief Information Officer at Vorys, Sater, Seymour and Pease LLP
  • Content includes suggested processes, procedures and technologies to satisfy compliance obligations

Thursday, November 14, 2013

AmLaw Survey: Firms Rank Data Security as Key Concern

"2013 Am Law Tech Survey: Data Security Fears Rise"
  • "To be sure, security has always been a top-of-mind issue for law firms. But as The American Lawyer's 18th annual survey of law technology reveals, the worries, and the stakes, have never been greater. Eighty-six percent of respondents—technology directors and CTOs from 87 Am Law 200 firms—say they are more concerned about security threats now than they were two years ago. An array of factors, the chiefs say, are driving the heightened focus: tougher regulatory requirements, more security-conscious clients, and the more sophisticated techniques used by cyber-criminals, who are increasingly targeting law firms."
  • "'Law firms are often targeted [since] they store information on clients' pending deals and litigation,' Austin Berglas, assistant special agent in charge of the cyber branch in the FBI's New York office, told The American Lawyer earlier this year. 'Organizations who do not protect their 'crown jewels,' or proprietary information, and segregate it from any external facing network, run the risk of having this important information stolen during a cyber attack.'"
  • "Indeed, firms have been busy ramping up their defensive posture—and according to the survey, plan to continue that focus in the coming year. At some firms, this has involved creating new positions focused exclusively on security. Blank Rome hired its first director of information security this year. Ballard Spahr now has an IT security expert on staff. 'It's not like we weren't concerned about security before, but we see the need for a more targeted focus,' says Lisa Mayo, Ballard Spahr's director of data management."
  • "'The short, glib answer is, clients are driving the heightened focus,' says one CIO who asked not to be identified. 'There is a lot of noise, especially out of the banking industry, about looking specifically at your law firms.' Tougher regulatory frameworks, not just in finance but in sectors like health care, are causing clients to ask more questions about the security their firms do, and don't, have in place. 'We're seeing a significant increase in client security questionnaires and on-site reviews,' says another CIO, who asked not to be identified. 'Many firms are [secured] pretty well, but clients may require certain things and firms may have to add systems.'"
  • "Increasingly, these conversations are happening before engagements are won. 'Now as part of the RFP process, you'll need to provide very detailed specifications on what you have in place,' says Mayo. 'It's becoming a factor in whether you will get the business.'"
According to the interactive survey results, two of the top reported security concerns are:
  • "Insiders taking intellectual property out of the data network"
  • and "Not knowing if data has been compromised"
See Intapp for information on technology approaches to addressing these law firm information security management concerns, and a white paper highlighting several published corporate outside counsel guidelines, including examples of these more stringent confidentiality standards / audit requirements.

Wednesday, November 13, 2013

New Ethics Opinions: Email Edition

  • "On October 25, 2013, the North Carolina State Bar Council adopted a formal ethics opinion that impacts how North Carolina lawyers respond to emails with the 'Reply All' option."
  • "The formal opinion, titled “Copying Represented Persons on Electronic Communications,” addresses two specific inquiries regarding electronic communications with persons represented by opposing counsel."
  • "The first inquiry, and its answer, have not been controversial: a lawyer cannot respond to an email from opposing counsel by adding and thereby, copying the opposing counsel’s client on the email communication unless the lawyer receiving the email has consented to the communication to the client. Most lawyers would agree that this opinion is an appropriate application of Rule 4.2(a) of the Rules of Professional Conduct..."
  • "The second inquiry, which does not evoke the same consensus among lawyers and addresses the “Reply All” feature, is: Would the answer change if Lawyer A is replying to an electronic communication from Lawyer B in which Lawyer B copied her own client? Does the fact that Lawyer B copied her own client on the electronic communication constitute implied consent to a 'reply to all' responsive electronic communication from Lawyer A?"
  • "The short answer from the Ethics Opinion is that it depends on a good faith analysis of the facts and circumstances whether consent to the communication can be implied."
  • "Ethics rules permit a law firm to look through incoming e-mails addressed to a former partner to see what should be done with them, the Philadelphia bar's ethics committee said. [full opinion]"
  • "A departed lawyer may not insist that the law firm set his e-mail account to automatically bounce back incoming e-mails to the sender, the panel said. On the other hand, it added, any e-mails the firm reads that are clearly meant for the lawyer must be forwarded to him."
  • "The managing partner of a law firm contacted the ethics committee after disputes arose between the firm and a partner who left to start his own practice, taking some clients with him. One area of disagreement centered on the firm's handling of the former partner's e-mail."
  • "Some degree of interaction with the substance of the messages is necessary as a practical matter so that the firm can sort out its responsibilities to current clients, former clients, clients who have elected to follow the ex-partner, and third parties, it explained."

Tuesday, November 12, 2013

More Law Firm Conflicts in the Public Eye

"City officials dismiss outside legal counsel in LP&L investigation, citing conflict of interest" --
  • "After only a week and a half of investigation, a perceived conflict of interest prompted city officials to dismiss Andrews Kurth, the law firm Lubbock Power & Light’s governing body hired to conduct an investigation of LP&L’s 2019 power supply search."
  • "'...due to the fact that the firm currently serves as bond counsel to the city of Lubbock,' reads a statement LP&L released Friday afternoon, Nov. 1."
  • "However, Mayor Glen Robertson said he had reservations about hiring the firm from the beginning, and the potential conflict of interest was pointed out to LP&L’s general counsel, Todd Kimbrough, before the board voted on the issue."
"Outgoing chairman vows to steer clear of law firm's business, but others fear conflicts of interest" --
  • "The outgoing chairman of the Federal Energy Regulatory Commission today said that despite having already announced he will join a law firm, he can avoid conflicts of interest until the White House nominates his replacement -- something sources say could take a long time."
  • "Jon Wellinghoff said he has for months recused himself from all cases involving clients of Portland, Ore.-based law firm Stoel Rives LLP, where he plans to work after stepping down from leading the agency."
  • "The chairman also said he will continue to recuse himself from such cases until he leaves the agency, and that all of his actions have been cleared by FERC's Ethics Office."
  • "But agency watchers said the situation raises ethical issues... Some observers said the situation is 'somewhat uncomfortable' because Wellinghoff could work on policies that could affect the firm's clients."

Monday, November 11, 2013

When Conflicts Cost (Firm Sanctioned)

The always excellent Legal Ethics Forum highlights a recent conflicts decision "Boies Schiller's Conflict According to Judge McMahon" which concerns a $350 million antitrust suit --
  • "Judge Colleen McMahon (SDNY) has ordered Boies Schiller (“BSF”) to pay the legal fees of a former client (“Host”) that it sued. She held that the law firm had failed to detect a disqualifying conflict, causing Host to incur fees to prepare a disqualification motion. The firm withdrew before the motion was filed, following a meeting with Host’s current counsel, but not until two months after Host asserted the conflict."
  • "The opinion is a painstaking (and for some painful) walk through the conflicts that Judge McMahon says the firm failed to discover or for a time even acknowledge. And it is quite critical not only of the firm but also of the outside ethics lawyer, Michael Ross, whom the firm hired to advise it after Host asserted the conflict. McMahon's characterizations of Ross's work should be instructive for lawyers asked to advise law firms."
  • "'A clearer conflict of interest cannot be imagined,' McMahon concluded. 'A first year law student on day one of an ethics course should be able to spot it.' Of course, first year law students don’t take ethics classes most places."
Read the complete decision for details. For its part, Boies Schiller disagrees. See additional details and analysis via Reuters: "Scathing conflicts decision v. Boies Schiller: What’s enough checking?" --
  • "According to McMahon, ethics advisers from inside and outside Boies Schiller should have needed 'but a moment' to realize that its position in the Madison suit was untenable. It was attempting to assert on Madison’s behalf that an agreement Boies Schiller actually advised upon in 2002 was a sham, McMahon said, which meant that Host might call Boies lawyers who advised on the Marriott agreement as witnesses to defend against Madison’s claims."
  • "As McMahon’s opinion recounts, Boies Schiller acknowledged its conflict and withdrew from the case in February. She said Boies’s realization came more than two months too late and ordered the firm to reimburse all of Host’s fees and costs for investigating and litigating the conflicts question."
  • "Clearly, the investigation was insufficient or it would have revealed the irreconcilable conflict that ultimately led Boies to withdraw. But Boies contended in its brief opposing sanctions that part of the responsibility lies with its former client Host, which did not provide Boies Schiller with a precise explanation of the firm’s conflict and left Boies’s outside counsel and deputy GC to review 40 boxes of 10-year-old files without focus. Boies Schiller argued that it 'continuously made good faith efforts to understand and evaluate Host’s conflict.'"
  • "Boies Schiller put out a statement after the ruling: 'We are disappointed in the court’s ruling, which was made without an evidentiary hearing and ignored crucial, undisputed facts,' it said. 'We believe the ruling is wrong and its intemperate language, and the amount of sanctions awarded, wholly unjustified. We are confident that once the facts are fairly and properly evaluated on appeal, the ruling will be reversed.' The statement reiterated that Host refused to tell Boies Schiller why it believed the firm was conflicted and that Boies Schiller withdrew as soon as it understood the basis for Host’s demand."
With regard to conflicts review, Legal Ethics Blog contributor Milan Markovic, associate law professor at Texas A&M, notes: "If the opinion is accurate, BSF and its expert not only overlooked a rather obvious conflict but misrepresented the nature of its investigation of the conflict to its former client. For example, BSF claimed to do a keyword search through its electronic files and yet missed documents that contained the keywords and would have shed light on the conflict."

With the stakes high, the landscape becoming increasingly complex, and information and process challenges growing, it's clear why many firms are pursuing more advanced conflicts management software approaches in response.

Thursday, November 7, 2013

Risk Roundtable Meetings set for Dublin & Bristol


We're pleased to announce two more Risk Roundtables.  
 
This session will explore how firms around the world are setting internal information security and access models to comply with professional rules, client demands and regulatory requirements, while supporting internal collaboration, lawyer productivity and firm culture.

Attendees will learn strategies to classify sensitive information at new business intake and maintain proper security throughout the matter lifecycle.
  • Dublin: Thursday, 21 November (11am – 2pm, lunch provided)
  • Bristol: Monday, 25 November (11am – 2pm, lunch provided)
These events always provide a forum for IT, risk and management professionals to connect in a collaborative environment.

Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact info@riskroundtable.com for more details.

Wednesday, November 6, 2013

Conflicts Allegation – Firm Facing Probe

"Legal firm facing probe over sale of lottery licence" --
  • "One of the State's biggest and most successful legal firms could face the prospect of being investigated by the Law Society after admitting to a conflict of interest arising from its involvement in the Government's sale of the National Lottery operating licence."
  • "The Sunday Independent understands that A & L Goodbody has been informed by the Rehab Group that it is considering making a formal complaint to the Law Society."
  • "The move comes after it was revealed that the blue-chip law firm had been advising the successful bidding consortium of UK lottery giant Camelot and An Post while simultaneously providing advice to Rehab in relation to a €1.5bn claim it intends to bring against the State in relation to the National Lottery."
  • "While A & L Goodbody informed Rehab at a recent meeting that they had discussed the 'merits' of their case for compensation with a 'third party client,' it emerged subsequently that the client in question was the Camelot and An Post consortium."
  • "And while the law firm is understood to have assured Rehab at their meeting that they had not disclosed 'full documents or information' in relation to Rehab's case with the representatives of Camelot and An Post, whom they described as their 'third party client,' the charitable group has been taking legal advice on the matter and, according to well-placed sources, is treating it with the 'utmost seriousness.'"
 

Tuesday, November 5, 2013

Conflict in the Court of Public Opinion – A “Congruence of Interests”?

We've covered several stories about general public attention on alleged conflicts (which may or may not, in practice, pose any ethical or professional responsibility issues) [Example]. Here's another interesting one in the news: "One Law Firm On Both Sides of Controversy Over Alexandria Waterfront: McGuireWoods defends city in zoning change as well as developers who seek to benefit from it." --
  • "Lawyers at McGuireWoods are on both sides of the controversy over the waterfront, defending Alexandria taxpayers in court while seeking approval from city officials on behalf of three separate developers at the same time. Legal experts say that's not a conflict of interest, but neighborhood residents say it leaves the impression that city officials are in bed with developers. Critics say the city should have considered hiring a firm that does not regularly appear before city leaders seeking zoning approvals."
  • "In May 2012, Alexandria City Attorney James Banks signed a conflict waiver from McGuireWoods. Banks, who is a former partner at the firm, declined to be interviewed for this story although he issued a written response to questions. City officials have denied a Freedom of Information Act request for a copy of the conflict waiver."
  • "Critics of the waterfront plan say they are concerned about the appearance of impropriety. They say it looks bad for Banks to hire the firm where he was once employed, especially because that firm is now representing a trio of developers who seek to benefit financially from the zoning change that allows for increased density and overturns the longstanding ban on hotels. Some say the city should not have signed the conflict waivers. Others say they are concerned about how city officials will respond to permit applications from a firm on the city's payroll."
  • "Legal experts say a conflict of interest would exist if the developers and the city government had different interests. But because the City Council members adopted the zoning change allowing hotels and increasing the density, the city's corporate interest is in developing the waterfront. 'There is a congruence of interests right now,' said Michael Kraus, law professor at George Mason University. 'That is to say the city believes that it is in its interests to do what the developer wants to do.'"
  • "That conflict waiver remains a mystery, one that has been denied to the public because city officials have declined to make it available. Legal experts say it might be a document waiving a potential conflict that could arise in the future. Or it could draw attention to an existing conflict of interest between the law firm and city officials. A spokesman for McGuireWoods declined to comment on the issue. Banks said that these kinds of waivers are routine, although critics say the document should raise a red flag."

Monday, November 4, 2013

Shelter from the Storm: Risks & Rewards of Updating New Business Intake

The cover story in the latest white paper focuses on new business acceptance. James Edwards and Kathryn Hume from Intapp take us on a Bob Dylan-inspired journey in: "Shelter from the Storm: Risks & Rewards of Updating New Business Intake." They cover critical areas of consideration, including:
  • Here Comes the Story of the Hurricane: Business and legal risks addressed by NBI
  • A Hard Rain’s A-Gonna Fall: Common risks of updating NBI technology
  • The Answer, My Friend, Is Blowin’ in the Wind: The rewards of doing it right
And they counsel that "You Don't Need a Weatherman to Know Which Way the Wind Blows" --
  • "In today’s digital world, IT works increasingly close with firm risk leaders to manage risks related to compliance, client confidentiality, lateral departures and information security. The more serious the risk the firm is trying to manage, the more important it becomes that IT execute projects to manage them quickly and successfully."
  • "Client selection is the fundamental starting point for firm business, and identifying the right clients (while avoiding the wrong ones) is critical for a firm’s success. Managing client data with an eye on longterm strategy, however, is a complex balancing act that must reconcile competing interests from multiple departments. Lawyers want to take on as much new business as fast as possible, marketing wants to collect information to fuel analysis and risk wants the time required to vet clients thoroughly. Therefore, an intake project challenges IT to institute technology that is fast, thorough and sophisticated enough to manage multiple risk management requirements."
  • "In today’s increasingly competitive marketplace, IT is pressured more than ever to make investments that significantly improve firm performance, process efficiency and data quality. NBI supports all these goals because it unites efforts across systems and departments and provides firms with the core client data they need to improve strategy and compliance. The key to success is to find an approach that has the flexibility and foresight to accommodate all the unforeseen information flows, technologies and risk requirements that’ll come a’ramblin down on Highway 61."
(Because something is happening here, and we do know what it is...) Read the article here, and access the complete ILTA update, which includes essays on enterprise search, security awareness and outsourcing practice support services.