Wednesday, April 30, 2014

Hodgson Russ Protects Client Confidential Information with Intapp Wall Builder

Hodgson Russ LLP, a full-service law firm with offices across the United States and Canada, has adopted Intapp Wall Builder to enhance its information security model and increase protection of sensitive client information.

Said the Firm's Director of Information Technology, Kathy Krieger:
  • “The combination of new HIPAA regulations, stronger client confidentiality mandates and repeated FBI warnings has dramatically increased the focus on law firm information security. The rising volume of matters requiring heightened access controls makes it impractical for any firm to manage information security on an ad hoc, matter-by-matter basis."
  • "To simplify the process and reduce the potential for error, we wanted to systematize security of matters in practice groups that frequently handle sensitive data, like Trust & Estates and State & Local Tax practices. Intapp Wall Builder enables our firm to set members-only access by practice group, and to layer even tighter security controls based on matter type, such as those subject to HIPAA."
Intapp Wall Builder is a web-based information security and confidentiality management software application that enables organizations to centrally control and report on user access permissions across multiple applications, including document management, accounting, portal, CRM, time entry and records management systems. It also automates notifications to individuals subject to specific policies and tracks acknowledgments for compliance purposes.

Wall Builder is the most-adopted information security management software by law firms with 150 or more lawyers. According to an independent survey by the International Legal Technology Association (ILTA), 72% of large law firms using commercial software to enforce information access controls use Intapp Wall Builder.

Krieger added:
  • “It can be a challenge for firms to strike the right balance between implementing prudent security and enabling efficient information access and sharing. A blanket approach that locks down every folder, for every matter can significantly deter knowledge management and collaboration, which can impact client service."
  • "By allowing us to set access controls at the practice level, Wall Builder gives us the flexibility to strike a better, more nuanced balance between sharing and security. This enables lawyers and staff to maximize productivity and knowledge sharing, while freeing IT resources from having to manually manage complex and changing access controls across multiple matters and repositories."

Said Intapp's Risk Practice Group Leader, Pat Archbold:
  • "Hodgson Russ joins the ever increasing set of firms that are adopting Wall Builder to secure information by practice group, office or jurisdiction. While firms used to leave firm documents open by default to internal lawyers and staff, the new standard of care we see across the industry is to classify data and apply layers of security to keep sensitive client information protected."
Visit for more information on how Intapp enhances law firm information security, to learn more about HIPAA compliance for law firms, or to request more information and a demonstration.

Wednesday, April 23, 2014

New Risk Roundtable Events Announced

We're pleased to announce several new Risk Roundtable events set for Toronto, Tampa and Orlando. (If you missed summaries on upcoming Boston, Houston, Dallas, or Chicago events, please see our previous update.)
The Toronto Risk Roundtable is set for Tuesday, May 13th, at the office of Davies Ward LLP.  Malcolm Mercer (General Counsel, McCarthy T├ętrault) will join Intapp to lead a discussion on new changes proposed by the Law Society, followed by a demonstration of Intapp business intake and conflicts management
The Tampa event is set for Tuesday, May 20th, at the office of Greenberg Traurig LLP. And the Orlando meeting is set for Wednesday, May 21st, at the office of Rissman, Barrett, Hurt, Donahue & McLain, P.A.
Both of these sessions will feature a presentation, moderated discussion and technology demonstration on best practices to address corporate family conflicts. Topics include:
  •     Corporate Conflicts Trends and Challenges
  •     Clearance and Engagement Letter Strategies
  •     Agile New Business Intake Processes
  •     Intapp’s Software for Data Integration and Conflict Analysis and Resolution
Roundtable attendance is by invitation only and is limited to qualified law firms and personnel. Please contact for more details.

Monday, April 21, 2014

Risk News: Two Stories of Law Firm Malpractice Allegations

"Who Picks Counsel: Firm or Insurer?" --
  • "O'Donnell, Ferebee, Medley & Frazer of Houston wants to select the lawyer who will defend the firm from some malpractice counterclaims instead of using a defense attorney picked by its liability insurer. In a petition filed April 3 in the 269th District Court in Harris County, O'Donnell Ferebee seeks a declaratory judgment that it has a conflict of interest with Travelers Casualty and Surety Co. of America that would prevent Travelers from selecting the defense counsel."
  • "'Therefore, defendant has the duty to defend O'Donnell Ferebee and the law firm can choose the counsel to represent it and that defense will be paid for by defendant,' O'Donnell Ferefee alleges in O'Donnell, Ferebee, Medley & Frazer PC v. Travelers Casualty and Surety Co. of America."
  • "O'Donnell Ferebee alleges that Travelers notified it by letter on Feb. 7 that it would provide the firm with a defense but reserved the right to limit coverage… 'The letter then sought to control the defense of the claim by assigning the defense to a law firm chosen by defendant,' O'Donnell Ferebee alleges in the petition."
  • "O'Donnell Ferebee alleges that a conflict of interest prevents Travelers from 'conducting the defense' in the underlying litigation because it selected defense counsel and because the facts to be adjudicated in the underlying litigation are the same as the facts upon which the defendant will determine coverage."
  • "John Schutza, the Travelers claim counsel handling the O'Donnell Ferebee claim, did not return a telephone message left at his office in Richardson or respond to an emailed request for comment."
  • "Venzke, of the Venzke Law Firm of Houston, said O'Donnell Ferebee filed the declaratory judgment action to get attention from Travelers."
"Englewood bank at center of legal suit" --
  • "A loan made by Englewood-based NVE Bank is at the center of a malpractice lawsuit filed against Wolff & Samson of West Orange by a real estate investor who contends the law firm failed to protect him from legal action taken by the bank."
  • "Richard Berlowe, one of three principals in Ber-Loew Partnership, a real estate investment firm, argues in a suit filed in Superior Court in Newark that the law firm didn't raise key issues in defense of the partnership when the bank sued to recover money owed on a loan."
  • "The lawsuit, which was filed last month, says the two other partners, Harold Berlowe and Barbara Berko, secured a loan with NVE Bank by executing mortgages on the partnership's real estate – unbeknown to Richard Berlowe, who is identified as Harold Berlowe's father."
  • "Wolfe & Samson defended the partnership as well as the individual members in the case, the Essex County suit says. But the law firm failed to take into account the conflict of interest between the partnership and the two partners, who were liable personally and signed the loan documents, Richard Berlowe's suit says."

Thursday, April 17, 2014

Law Technology News on Steps to Protect Client Data

Law Technology News urges clients to take the lead in directing law firm information security practices: "8 Tips for Corporate and Outside Counsel to Protect Client Data"--
  • "Corporate counsel must take the initiative to protect the company's confidential information. In the wake of recent high-profile data breaches, such as November's Target Corp., many corporate legal departments and IT leaders are tightening up network security. And they expect their outside counsel to do the same."
  • "Attorneys have an obligation to protect confidential client information. This duty is not limited to privileged information, but includes all information relating to a client or furnished by the client acquired during the course of representation. To the extent that a client is damaged by a data breach occasioned by a lawyer’s revelation of confidences, the firm may be subject to disciplinary action or malpractice actions. The threat of reputational harm may be the best deterrent. Outside counsel in today’s digital world must make protecting client data an integral part of the overall engagement."
See the full article for a complete list, which includes:
  • "Control access: Make sure that access to your company’s documents is limited to only law firm personnel who are working on the engagement."
  • "Restrict document sharing: Block the use of Dropbox, Skydrive and other document-sharing sites from law firm networks to minimize the risk of sharing client-related documents outside of the firm."
  • "Create and implement a security breach plan, including immediate notification to your company in the event of an actual or suspected breach. All attorneys and support staff should be trained about those procedures."

Wednesday, April 16, 2014

ABA Webinar on HIPAA for Law Firms

Hat tip to Bill Freivogel for noting an upcoming webinar presented by the ABA, set for April 21 (1pm Eastern): "You Mean HIPAA Applies to Lawyers? Keeping Data Safe, Clients Happy and Your License Secure" --
  • Lawyers have long been aware of their ethical legal duties to keep client information confidential and safe— these ethical duties are deeply rooted in state bar driven ethics rules and the common law. HIPAA takes those obligations a step further.
  • Beginning in February 2010, as mandated by 2009’s HITECH Act, many lawyers, with little fanfare or publicity, became directly federally regulated when it comes to using, disclosing, and safeguarding their client’s data. In fact, lawyers are now required to engage in specific types of risk analyses, documentation, and employee training in relation to client health information.
  • As a result of HITECH, lawyers who practice in many areas of law may now fall under the HIPAA definition of a business associate, oftentimes inadvertently.  In turn, many law firms will be directly federally regulated by provisions of the HIPAA Security Rule, Privacy Rule, and Enforcement Rule as a matter of law.
This program provides a foundational background of HIPAA and HITECH and provides an overview of the following:
  •     How law firms become business associates (intentionally or inadvertently)
  •     What HIPAA requires of law firm business associates
  •     How to properly safeguard client data
  •     Unauthorized uses and disclosures
  •     What constitutes a “breach”
  •     Business associate requirements in case of a breach
  •     Penalties, criminal, and civil liability associated with HIPAA
  •     Potential other ethical conflicts caused by HIPAA as you are forced to execute contractual agreements with clients
See the ABA web site for registration details and information on CLE credit. And see also a previous webinar recording presented by Intapp, featuring Vorys: "Complying with the 'Minimum Necessary' Standard of the HIPAA Privacy Rule."

Monday, April 14, 2014

A New Era of Risk Management – Intapp Acquires the Frayman Group

Today, Intapp announced the acquisition of the Frayman Group (TFG), a company offering risk management software for law firms. With this move, Intapp further extends its position as the leading provider of risk management software for the legal industry, offering broadly adopted products that streamline new business intake, conflicts management, information security and professional compliance.

Said Intapp CEO John Hall:
  • "We are very excited about this acquisition, which is a major milestone for law firm risk management software. Intapp customers will benefit from an even stronger risk management offering as we integrate TFG technology and staff and continue to make significant investments to advance our products."
  • "At Intapp, our mission is to cultivate a position of trusted partner and advisor to our more than 500 customers, offering innovative software and services that enable them to thrive in an increasingly competitive business environment."

Said TFG Founder, President and CEO Yuri Frayman:
  • "With these two organizations coming together, there’s now no other vendor in the market today with a more skilled team, greater insight into legal risk management, a more ambitious product roadmap, or ability to execute."
  • "As I turn to pursue opportunities outside of the legal industry, I see a bright future ahead, both for my customers and the industry as a whole, under Intapp’s leadership."
TFG – An Intapp Company
TFG will continue to operate as a subsidiary of Intapp. In that capacity, it will deliver support to organizations that have licensed TFG products for managing new business intake and workflow (Compliguard Flow), client conflicts (Compliguard Analyze), and ethical walls (Compliguard Protect).

An OpenText Development and Services Partner, TFG will also continue to support organizations with valid support contracts for LegalKEY, an OpenText software product launched in 1994, used for conflicts and records management.

As part of the transaction, Intapp takes ownership of all TFG intellectual property, including patents and software assets, and will incorporate elements of this technology into Intapp business intake, workflow, conflicts management and other products.

The Intapp Risk Management Vision
Today, mounting market forces are putting new demands on law firms to transform the way they operate in order to prosper in an extremely competitive environment. These include clients with escalating service expectations, increasing economic pressure, and a risk landscape marked by evolving regulatory rules, compliance requirements and professional standards.

Controlling risk is just one of several ways Intapp enables firms to thrive in response. Offering unique software products, Intapp lets firms align business operations with firm strategy, while bridging the gap between compliance and efficiency:
  • Intapp Open provides a fresh and innovative approach business intake, client due diligence and conflicts management.
  • Intapp Wall Builder centralizes enforcement of information security and internal access rights across electronic information repositories in response to professional rules, client mandates and regulatory requirements.  
  • Intapp Activity Tracker delivers sophisticated, intelligent monitoring and reporting to flag abnormal access or use of sensitive firm or client information, to satisfy a variety of compliance requirements.
  • Intapp Time integrates the industry’s most adopted time entry, automated activity capture and mobile time recording software, delivering a single, unified experience that delivers real-time e-billing validation and compliance at the point of entry. 

Wednesday, April 9, 2014

2014 Law Firm Risk Surveys Underway (US, UK, Canada & Australia)

We're pleased to kick off the 2014 Law Firm Risk Survey program.

We're running four separate exercises, inviting risk and IT stakeholders at participating mid-sized and large firms in each of four geographies – US, UK, Canada and Australia.

The surveys explore several topics including risk priorities, risk policies and education, intake and conflicts management practices, lateral hiring and departures, confidentiality/information security management, and compliance tracking.

As with past surveys, all who participate will receive a copy of the final published report.

Invitations are going out this week. Please watch your inbox.

Thursday, April 3, 2014

The New Standard for Law Firm Information Governance : Policy-Based Security

Intapp's Kathryn Hume writes in with another update, relating to her collaboration with Iron Mountain's Information Governance working group: "Policy-Based Security: the new standard for law firm information governance and access management" --

I wouldn’t be the first to make the bold statement that "the perimeter is dead," as articles praising the value of an information security model founded upon the idea of a "secure breach" have been circulating throughout the information security community for the past couple of years. This information governance strategy, which Forrester Research refers to as a "Zero Trust Model," takes a fundamentally different conceptual approach to risk management than the traditional “perimeter” security model it is meant to replace.

The traditional, "perimeter" approach uses tools like firewalls, password policies and anti-virus software to keep bad guys out. These defensive bulwarks were developed in an age where businesses housed all of their information on local, private servers. In those days, the IT or security manager followed absolute dogmas: do what it takes to keep intruders out at all costs and make sure that business users within our environment benefit from maximum sharing, flexibility and productivity.

The oxymoronic character of the "secure breach" model to security indexes a vastly different approach to security. Here, IT and Security managers use outcomes-focused logic and work backgrounds to design their information governance strategy. They start by assuming that, in a world where employees lose mobile devices, share information outside their organizations and click on links in spear-phishing emails, a breach is bound to occur. They then assign access control rights and implement technologies inside the perimeter to mitigate the impact of a breach when it WILL eventually occur. Acceptance of risk is embedded into the very fabric of this new strategy.

As law firms, pushed by client requirements and regulations like HIPAA, pay increasing attention to information security, they are also increasingly adopting this secure breach approach. At last month’s LMRM conference, Tom Browne (General Counsel, Hinshaw) and Donald Campbell (Attorney, Collins Einhorn Farrell) highlighted the importance of developing a classification program to assign access control rights to data of varying sensitive. And Iron Mountain now advises information governance professionals on methods to adopt what they call "policy-based" security, where "firms identify which items must be classified as private, confidential or otherwise protected with ethical walls and security polic[ies] travel with the data asset no matter where a file goes."

Over the past year, we’ve seen our law firm customers drastically change the way they configure Wall Builder to support a policy-based security strategy. Multiple firms have developed data classification programs, assigning access control rights to data as it enters the firm at intake whose strictness varies with the data’s sensitivity. This approach generates layers of information security that requires a new approach to managing access controls.

That’s why firms now leverage our unique security capabilities to lock down practice groups with high densities of sensitive data (like Trust & Estates, Business Law and Litigation or M&A), while respecting more granular need-to-know access controls and ethical walls within these larger groups. The standard of care has shifted away from an open-by-default information access model to a policy-based security strategy that will clip the carte blanche to client data in the event of a breach.

We also see firms complementing policy-based security with policy-based monitoring. Many firms aren’t quite ready to lock down every practice groups, and instead seek a compensating control to have visibility into unauthorized behavior that may signal a problem. To address, firms set information access policies without enabling security, monitoring activity on information flagged by the policy and receiving alerts of unsanctioned behavior (e.g. an associate from the real estate practice looking at materials in the medical malpractice defense practice). Firms also monitor activity on very sensitive information like PHI or PII to identify traffic to personal email addresses or spikes in activity that may signify a problem.

As a member of Iron Mountain’s Law Firm Information Governance Symposium HIPAA Task Force, I look forward to the upcoming symposium discussions on policy-based security in Washington, D.C.

And our upcoming information security presentation hosted by the Australasian Legal Practice Management Association in Melbourne will explores how firms can execute a policy-based security model successfully.

To discuss policy-based security in your law firm, please feel free to contact me at

Wednesday, April 2, 2014

Risk Bulletin: Beyond Adversity — On Business, Positional and Subject Matter Conflicts

Recently returned from the Legal Malpractice and Risk Management conference in Chicago, Intapp's Kathryn Hume has published a risk bulletin summarizing and commenting on some of the lively conflicts discussions at the event: "Intapp Risk Bulletin: Beyond Adversity — On Business, Positional and Subject Matter Conflicts" --
  • Managing conflicts is integral to the new business intake and lateral onboarding processes at every law firm. Over the years, firms have honed procedures and adopted software to search and identify potential adversity to avoid malpractice risks by resolving conflicts or turning down matters or lateral hires. Increasingly, however, clearing conflicts requires much more than simply identifying legal conflicts.
  • To manage these business, positional, subject matter and playbook conflicts successfully requires firms to keep abreast of industry trends, update procedures, collect and manage new information and leverage new technology to streamline compliance.
  • Increasingly, firms face "business conflicts" involving simultaneous representation — in unrelated matters — of clients whose interests are only economically adverse.
  • Another conflict type discussed  at the LMRM event is known as "issue" or "positional" conflicts... this type of conflict "occurs when a law firm adopts a legal position for one client seeking a particular legal result that is directly contrary to the position taken on behalf of another present or former client seeking an opposite legal result, in a completely unrelated matter."
  • Firms with active intellectual property practices are likely familiar with the challenges of identifying and resolving "subject matter" conflicts, which occur when firms represent multiple clients trying to protect closely related inventions.
  • Perhaps the trickiest conflicts today’s firms must consider are "playbook" conflicts, which occur when a lawyer’s former representation provides inside knowledge into a client’s litigation strategies or internal decision-making practices that may be used to its disadvantage in subsequent representation.
See the complete bulletin for additional detail, analysis and links to further resources. (And visit Intapp's white paper library for additional risk resources, and information about software designed to enable prudent response to these sorts of trends...)