Sunday, July 27, 2014

More on Security: ISO 27001 and GRC for Law Firms

Previously, we noted that ILTA has posted the recordings of several sessions at their recent Law Firm Information Security Symposium (LegalSEC). Here are more relevant and interesting sessions:

ISO 27001 for Law Firms
ISO 27001 can be a powerful tool for law firms interested in demonstrating information security maturity to both their firm management and clients. Whether you plan to get certified or just leverage ISO 27001 standards, this session will provide information on how the standard can benefit your organization and help you respond to client outside counsel guidelines and security audits.

A 360-Degree Look at eGRC
A paradigm shift is happening in regard to enterprise governance, risk and compliance (eGRC) — we want to be proactive instead of reactive. Legacy and siloed approaches no longer will be successful. Organizations need to plan and implement GRC efforts that are truly "enterprise" and involve all key players and departments in a coordinated organization-wide effort. What does it take to have a successful implementation of a systematic, well-planned, coordinated enterprise approach? What are the overall benefits?

Learn more about the overarching goals of an eGRC program and how it can improve strategic and timely decision-making, enhance the focus and effectiveness of internal audits, and assist in identifying key performance metrics and risk indicators. No angles here...we're giving you a 360-degree look!

What To Do When (Not If) Data Breaches Occur
When security threats emerge, quick response is imperative to contain risk and protect data assets. Often, the expertise and pace with which an event is managed can make as much media buzz as the data breach itself. Come walk through a mock data breach incident and see how well-defended law firms and corporate legal departments are those that prepare for the unexpected.

Thursday, July 24, 2014

There is Only One Lord of the (Risk) Ring?

As first covered in June (poetically), we noted a disqualification motion tied to a matter involving a fight over merchandising rights to the "Lord of the Rings." Now, fresh off the pages of Variety, comes an update: "Judge Refuses to Disqualify Tolkien Attorneys in ‘Lord of the Rings’ Dispute" --

  • "A federal judge is refusing to disqualify Greenberg Glusker as the law firm representing the estate of “The Lord of the Rings” creator J.R.R. Tolkien, which is engaged in a legal tangle with Warner Bros. and the Saul Zaentz Co. over merchandising rights to the lucrative franchise."
  • "Last month, Warner Bros., represented by Dan Petrocelli of O’Melveny & Myers, filed a motion claiming that Greenberg Glusker had “invaded” attorney-client privilege by hiring former MGM studio lawyers as expert witnesses."
  • "Warner Bros.’ claim is that Greenberg Glusker attorneys, led by Bonnie Eskenazi, contacted Alan Benjamin and William Bernstein, who represented UA as in-house lawyers at the time, to serve as expert witnesses, offered to represent them for free as 'percipient witnesses' and 'had direct communications with them.'"
  • "Collins wrote that in making her decision, she considered the Tolkien estate’s right to chosen counsel, Greenberg Glusker’s years of work on the litigation, the length of time that had passed since Bernstein and Benjamin were involved, and the “extremely attenuated relationship” between Warner Bros., the Zaentz Co. and United Artists. UA and MGM had filed a “joinder” to the Warner Bros. motion to disqualify Greenberg Glusker, even though they are not parties in the case."
  • "Collins also denied Warner Bros. and Zaentz’s request for an order of disclosure of Greenberg Glusker’s communications with Benjamin and Bernstein and for a deposition of Eskenazi. She wrote that the discovery is 'likely to be costly and fruitless, and will not advance the litigation.'""

Wednesday, July 23, 2014

Law Firm CIO Responds to Suggestions Industry Security is Lacking

Industry expert, Judith Flournoy, CIO at Kelley, Drye & Warren and chairwoman of ILTA’s legal security working group, takes to the pages of Law Technology News to address frequent stories suggesting that law firms are a juicy and attractive target for hackers: "Law Firms Respond to Security Risks in Client Data: After being dubbed the "soft underbelly of American cybersecurity," law firms embrace robust security programs." --
  • "So, we may have been characterized as the 'soft underbelly' but we are no softer than any other industry, government or institution.  On behalf of my colleagues around the world in firms large and small, we understand the call to arms and we are engaged."
  • "Law firm clients in the financial services industry heavily scrutinize their outside counsel with vendor security audits. Governed by the Office of the Comptroller of Currency and the Federal Financial Institutions Examination Council in compliance with the Gramm-Leach-Bliley Act, all law firms who have financial institution clients are required to respond to a comprehensive security audit."
  • "The audit process is detailed, and in many cases includes questionnaires with several hundred questions, on-site interviews and or on-site physical security assessments covering everything from hard-copy file security to data center security."
  • "Why does this matter?  For the first time in the history of our industry, we find ourselves in a position where we not only have to provide highly detailed information about our security programs but we are also required to remediate any risks identified in the audit process.  The end result for many firms is to redirect efforts and funds for security based projects and policies, including security education programs, resulting in a battle for resources."
  • "Law firms continue to adjust to the 'new normal' business model based on client demands. Prior to 2008, firms provided services to clients based on the billable hour and what the lawyer believed was the value of the work performed. Since 2008, clients have been demanding alternative fee arrangements, fixed fee projects and have been generally unwilling to pay for the work of junior attorneys.  Combine the new normal with clients requiring outside counsel firms to adhere to a much more stringent security practice.  These are the newer set of demands we find ourselves adjusting to."
  • "The good news is that many firms have already begun the complex process of implementing a more robust security posture.  As previously mentioned, many firms have acquired, or are in the process of obtaining, ISO 27001 certifications."

Tuesday, July 22, 2014

A Couple of Compliance Chronicles: Screens Standing & Waivers Working

Two updates to share today. First, from Canadian Lawyer Magazine comes: "Court approves law firm’s ethical screen: Lawyer from opposing side allowed to stay on case at new firm," which is noteworthy as it involves successful screening by a 14-lawyer firm --
  • "When a lawyer for an opposing party joined its firm, Lloyd Burns McInnis LLP faced a real possibility of removal from a case due to a conflict of interest. But in an exemplary case of a timely ethical screen, the firm was allowed to stay on the case this week despite its small size and close working relationships between its lawyers."
  • "Lloyd Burns McInnis is representing AIG Insurance Co. in a class action coverage dispute with the Ontario government. The firm’s new lawyer, Michael Foulds, represented Ontario in the same matter while he worked at Theall Group LLP. Foulds now spends 50 to 60 per cent of his time working with his colleague Douglas McInnis, who is representing AIG in the Ontario-AIG matter. In fact, McInnis and Foulds work together on other files involving AIG."
  • "Despite the province’s argument there’s a high risk of an inadvertent leak of confidential information from Foulds to McInnis, Justice Alfred O’Marra found Lloyd Burns McInnis put up a sufficient ethical screen at the right time to significantly reduce this risk."
  • "'In considering the timely and comprehensive compliance by LBM with the institutional measures set out in the guidelines, in addition to appointment of a supervising senior partner, and isolating Mr. Foulds from any Ontario-AIG matters, I find that a reasonably informed person would be satisfied that the use of confidential information had not occurred or would likely occur, and it is in the interests of justice to allow Mr. McInnis to remain as AIG’s counsel of choice.'"
  • "Davis LLP lawyer Gavin MacKenzie, who represented Lloyd Burns McInnis, says even large law firms can take notes from the steps the firm took in this case. 'I think it’s a good example for small firms and large,' he says, adding if large firms follow the same approach, 'it’s highly likely' that the courts will be satisfied."
Next comes our waiver story: "Attorneys from same firm represent Wilmette, park district in negotiations" --
  • "Sometimes being one happy family comes with a few complications, as Wilmette Park Board members learned when they heard the attorney who represents them in negotiations with the Village of Wilmette belongs to the same law firm as the attorney who represents the village."
  • "That won’t be a problem, district Director Steve Wilson assured board members at their July 14 meeting, before recommending they let him sign a so-called conflict of interest waiver so the negotiations could go forward."
  • "Wilson explained the situation originally occurred because the law firm of Tressler LLC acquired the separate practices of attorneys who had been working as outside counsel for the village and park district: Raysa and Zimmerman, in which village attorney Michael Zimmerman was a partner, and the practice of park district outside counsel Charlene Holtz. Tressler merged with Raysa and Zimmerman in 2012; Holtz joined Tressler in 2009."
  • "Negotiations between Wilmette and the park district are friendly, Frenzer said, so it makes sense to waive any suggestion of conflicts of interest. Otherwise, both governments would have to hire new attorneys to handle the issues, which could prove expensive for everyone."

Monday, July 21, 2014

On Managing Client Terms of Business, OCGs and Rules of Engagement

Our colleagues at Paragon have written in to note that Gilda Russell (who served as partner and Ethics & Conflicts Counsel to Holland & Knight LLP for fifteen years), has joined their Panel of Preferred Service Providers and authored an excellent white paper: "Dealing with Client Outside Counsel Guidelines and Other Non-Standard Client Engagement Terms" --
  • "Such OCG and client terms are now utilized by a wide range of clients, including business and financial institutions, federal, state and local governments and agencies, health care organizations, defense contractors, and even non-profit groups. OCG and client terms cover a large number of subjects and demonstrate attempts by organizational clients and their in-house law departments to maintain control over and loyalty from outside counsel through various restrictions and obligations."
  • "Yet, OCG and client terms can cause enormous problems for law firms -- however large or small the firms -- given the obligations they create, many of which may be adverse to law firm policies, more restrictive than professional ethics rules, designed for other types of businesses than law firms, in conflict with professional liability policies, and/or unduly burdensome."
  • "Accepting OCG and client terms without a clear understanding and assessment of the many obligations they impose can result in subsequent breach of contract and malpractice claims, disqualification motions based on conflicts of interest, exposure to potential civil and criminal penalties at least in the government representation context, and loss of client business."
  • "Consequently, firms should develop effective processes for dealing with OCG and client terms. These processes should focus on monitoring the avenues by which OCG and client terms come into firms as well as requiring review and approval of OCG and client terms by designated persons well versed in the subject matter of the provisions and related compliance issues."
Note: Longtime readers will recognize Gilda as a participant in several Roundtable programs, including a webinar on this very topic. (And, similarly, readers are also likely aware that OCGs can be more effectively reviewed, evaluated and implemented at the point of client engagement through the use of modern approaches to new business intake and acceptance…)

Wednesday, July 16, 2014

Upcoming Webinar : Conflicts Management — Focus on IP Matters

At a recent Risk Roundtable, we asked participants which conflicts were most challenging to manage. The response was unanimous: subject matter conflicts associated with IP prosecution and litigation matters.
IP matters often involve subject matter conflicts which are notoriously hard to manage, requiring a different approach than ethical or commercial conflicts. The bring with them unique, complex challenges and questions, such as:
  • Who is the client, an individual inventor or the corporation where he or she works? 
  • When can a firm file similar patents for two different clients and when is the subject matter too close for comfort? 
  • Can a firm litigate against a patent that it previously achieved for a former client?
This webinar features four speakers who will explore current trends and approach for tackling these issues.

IP Matters, Intellectual Challenges
In this webinar, an expert panel will explore strategies and approaches firms are taking to address these issues and provide insights relevant to lawyers, general counsels, conflicts analysts, practice managers and IT leaders.
Intapp Open for IP Conflicts Management
This session will also include an overview of how Intapp Open, a modern business acceptance and conflicts management system, provides firms with data management and reporting to identify and resolve conflicts related to IP matters.
Intellectual Discussion
  • Bill Freivogel, Independent Consultant and author of Freivogel on Conflicts, will review recent case law pertaining to IP conflicts, highlighting applicable lessons
  • Chris Kave, Principal, Aurora North Software, will provide advice on how firms can develop workflows and data integrations to manage IP conflicts effectively
  • Gillian Power, CIO, Lathrop & Gage, will describe how her firm is leveraging Intapp Open together with data from IP Manager to identify and analyze IP conflicts
  • Kathryn Hume, Risk Practice, Intapp, will show how Intapp Open integrates information and business rules to deliver a fresh, effective approach to IP conflicts management.

Event Details
  • Date: Thursday, July 24th
  • Time: 10:00 am PDT / 1:00 pm EDT / 5:00 pm GMT
  • Registration: Limited to select firms and partners. Please email Jason Yu for more information.

Tuesday, July 15, 2014

Help Support the Law Firm Risk Blog!

The ABA Journal is working on its annual "Blawg 100" list. If you're a regular reader of this blog and like to show your support by giving us a vote or nomination, we'd certainly be delighted (and grateful).

Over the past five years, we've published over 500 updates. The growth of our readership over the years has been very rewarding to see... but there's something nice about making the list. Nominations are due August 8th and can be submitted at the ABA's Blawg Site. Thank you!

Monday, July 14, 2014

Law Firm Risk News & Updates

Several interesting updates and resources to start the week off with. First, two more talks from the recent ILTA legal security summit:
  • "Practical Approaches to Business-Aligned Security" -- Join us for an interactive discussion on bridging the gap between the business side of your organization and those responsible for security and risk management. We will identify common challenges encountered, ways to deal with them and a practical approach to building strong business cases for security initiatives, such as technical controls, user awareness, risk management and IT governance. Make sure you're doing all you can to have business-aligned security practices in place!
  • "Don't Believe the Hype! What Data Leak Prevention Solutions Can and CAN'T Do" -- Can you identify and restrict unwarranted attempts to copy or transmit sensitive information, deliberately or inadvertently (and generally by personnel who are authorized to access the sensitive information)? Take an in-depth look at best practices for implementing enterprise and point solutions for data leak prevention (DLP) as we cover the Web, email gateways, networks and mobile devices, and the mechanisms used to secure them. There's a lot of talk about what DLP solutions protect's time the hype be laid to rest.
And from the Kansas Bar Association comes "Legal Ethics Opinion No. 14-01: Duty to report attorney memory lapses" --
  • "Law firm had a partner with 'possible cognitive degeneration,' evidenced by memory lapses… The subject lawyer has now left the law firm, but continues to practice. The law firm questions whether – now that the lawyer has left the firm -- it has a duty to report the subject lawyer to the Kansas Disciplinary Administrator under Rule 8.3."
  • "A lawyer is not required to report another lawyer to the Disciplinary Administrator unless the lawyer has knowledge of an action, inaction or conduct of the other lawyer which constitutes misconduct under the Kansas Rules of Professional Conduct. Rather, in the event there are memory lapses, cognitive deteriorations, or other potentially disabling conditions, the subject lawyer should be referred to the Kansas Lawyers Assistance Program or other suitable service."

Sunday, July 13, 2014

How McCullough Robertson Protects Client Confidentiality

McCullough Robertson, a leading Australian law firm, uses Intapp Wall Builder to secure client data across firm information repositories and support its risk management protocol. The firm is leveraging Intapp software to limit access to confidential information and prevent accidental contravention of defined information governance policies.

Said the Firm's Director of Governance and Knowledge, Kim Trajer:
  • "Because risk management is core to our firm's culture, we made a significant investment in technology that would enhance our existing client data privacy and confidentiality management practices, without disrupting lawyer productivity or client service.
  • "With clients increasingly mandating matter-team-only internal access policies, the automated enforcement, auditing and alerting capabilities provided by Intapp’s risk management software provide vital compliance capabilities."
Intapp Wall Builder is a web-based information security and confidentiality management software application that enables organizations to centrally control and report on user access permissions across multiple applications, including document management, accounting, portal, CRM, time entry and records management systems. It also automates notifications to individuals subject to specific policies and tracks acknowledgments for compliance purposes.

Wall Builder is the most-adopted information security management software by law firms with 150 or more lawyers. According to an independent survey by the International Legal Technology Association (ILTA), 72% of large law firms using commercial software to enforce information access controls use Intapp Wall Builder.

Said Intapp's APAC Managing Director, Bruce Heaney:
  • "We’re proud to highlight McCullough Robertson’s adoption of our information security products to improve their risk management programme. By auditing for compliance with central policies, the firm is taking strong steps to guard client information and protect the organisation’s reputation."
Visit for more information on how Intapp enhances law firm information security, or to request more information and a demonstration.

Thursday, July 10, 2014

Risk Updates: Information & Records Ownership + the Value of Firm Cyberinsurance?

First, another audio recording (and slide deck PDF) of a recent ILTA talk now available online: "To Purchase Cyber Insurance or Not: That Is the Question" --
  • "We've heard of car insurance, life insurance and even pet insurance ... why not cyber insurance? It's available, but why should your organization consider purchasing cyber insurance? What is and is not covered by a typical policy? What are some contractual terms and other items to consider when seeking or negotiating a cyber insurance policy for a law firm? Learn the answers to these questions and more from an expert panel offering various perspectives."
For those focused on information security, Law Technology News recommends: "Get Cozy With the FBI and Secret Service to Ameliorate Data Breaches Woes" --
  • "The first step to avoiding a data breach is to create a security framework, Georgetown panelists advise. It's no secret that law firms are magnets for sensitive corporate information. So, said Ayiotis, companies should vet outside counsel the same way they hire other third-party vendors, holding law firms to the same level of due diligence and security checks."
  • "Forming proactive relationships with the government, namely the FBI and the Secret Service agents who handle cybercrimes, can help organizations avoid complications associated with a breach, he said. During a data breach investigation, there is a “high probability” that a company can go from being the victim to the defendant because of a lack of proper data security measures."
On the records management and information ownership front, BNA reports: "Firm Doesn’t Have to Give Ex-Client Originals Unless They’re Needed or Came From Client " --
  • "A client cannot force its former counsel to turn over original papers or documents in the client's files because the client did not show that he gave the firm any original papers or that any originals in its possession are necessary for the client's representation, the Ohio Court of Appeals, Second District, ruled June 20."
  • "A client has the right to any original paper that he gave the lawyer because these are the client's personal property, the court said. There were no such documents in the case files here, it noted.
  • "It could be inferred from a comment to the rule, the court said, that it is the originals of the reasonably necessary items that must be returned. But here, there is no original paper or document that is demonstrated to be necessary to Sacksteder's representation, the court said."
  • "With regard to documents that were created and stored electronically, the court noted that such materials have no single original. Under an Ohio evidence rule, the “original” of an electronic document is any printed copy, it pointed out."

Wednesday, July 9, 2014

On Information Security -- Law Firms - the "Soft Underbelly of Corporate America"?

The folks at ILTA have graciously posted the recordings of several sessions at their recent Law Firm Information Security Symposium (LegalSEC). We’ll be highlighting several worth reviewing in the posts to come. Here's a recording from their keynote presentation: "The Soft Underbelly of Corporate America? Law Firms and the Cybersecurity Threat Matrix"--

  • Each day we hear about another data breach in the news. More personally identifiable information (PII) and account information is being siphoned out of respected companies. What about our intellectual property, our trade secrets and other business capital?
  • Oftentimes, the easiest place to attack is when the data is outside the walls of the owner — in many cases at their law firm.
  • During our keynote, we will walk through the cybersecurity threat matrix and its evolution, discuss how various state and federal laws drive forward controls that may or may not help protect our data, and the role of active defense and intelligence.
  • Attendees will learn what programs and controls will position their firms for success in assurance reviews, certifications and competing for business.
  • Together we will explore this topic — as you hear from someone who has worn the hats of law firm counsel, chief privacy officer, chief security officer and chief compliance officer — so we can operationalize against this threat.
See ILTA's web site for the audio recording and downloadable mp3.

Tuesday, July 8, 2014

Law Firm Conflicts Allegations Making News

It's always fascinating to see coverage of conflicts allegations and related news cross over into general media channels. Here are two stories that caught our eye. First, a situation which highlights challenges of finding representation when the conflicts landscape is more complex: "DVDFab files motion in lawsuit – shows it’s David vs. Goliath case" --
  • "Recently filed documents on the AACS-LA vs. DVDFab case show similarities of the battle between David and Goliath. It shows how little time DVDFab had to prepare itself and how hard it was to find a law firm to represent the company in the United States. Because the AACS-LA is a consortium of many companies (e.g. movie studios, Microsoft, Toshiba, Panasonic, IBM and more), many well known law firms were unable to defend DVDFab due to conflict of interest."
  • "Between February 26th and the 4th of March, DVDFab tried to find a law firm to represent them. Due to conflict of interest several law firms rejected DVDFab and referred DVDFab to other law firms, some of those didn’t want to handle the case or didn’t have time. It wasn’t until the 17th of March before DVDFab signed an agreement with a law firm to represent them."
  • "Between February 26th and the 4th of March, DVDFab tried to find a law firm to represent them. Due to conflict of interest several law firms rejected DVDFab and referred DVDFab to other law firms, some of those didn’t want to handle the case or didn’t have time. It wasn’t until the 17th of March before DVDFab signed an agreement with a law firm to represent them."
For our second, we turn, oddly enough, to twitter, where we often post risk stories (and track those of you retweeting or reposting our updates -- thank you!): "Gibson Dunn defends GFH role after jailed ex-GC claims conflict" --
  • "Gibson Dunn & Crutcher has defended its representation of Dubai-based private equity firm GFH Capital, after the client's former general counsel accused the firm of having a conflict of interest."
  • "David Haigh, the former managing director of Leeds United and one-time GC of GFH, has taken to Twitter to make the accusation against his former employer's lawyers.
    Haigh is currently in jail in Dubai, having been arrested on 18 May after GFH accused him of committing fraud, embezzlement and money laundering while he was employed at the bank."
  • "Gibson Dunn's litigation team is being led by partner Peter Gray, described by Haigh's spokesperson as "for many years a friend, legal adviser and business partner of [Haigh's]". In an email to Legal Week, Gray called the conflict allegations 'untrue and defamatory'."
For those without access beyond the linked paywall, a summary of the general story unfolding is available via the guardian and the accuser/accussed's twitter stream in question is located here.

Monday, July 7, 2014

Risk News & Updates: Legal Ethics, Regulations and Matters of Firm Business

From the always linkable Legal Ethics Forum comes an interesting post from NY professor of Law Stephen Gillers: "When and How Does Change in Lawyer Regulation Happen?" in which he reviews a bit history behind the Model Rules, touching on Ethics 2000 and the ABA 20/20 Commission. And he lays down the gauntlet:
  • "…the current bar leadership will not be bold. In this, it is like the leaders of the 50s through the early 80s. It will be the next generations that approach the issues with  appetite for change."
  • "I suggest that legal scholars have been and will continue to be the antennae of the profession. The momentum for change, which is different, will come from elsewhere -- from economic forces (rules change when it is in the economic interest of lawyers to change them, witness the adoption of lateral screening after 20 years of rejection), and to beat back external threats (witness the 2003 amendments to Rules 1.6 and 1.13, after repeated rejections, in order to dissuade the SEC from invoking its full Sarbanes-Oxley powers; it worked)."
That blog also notes a recent New York decision: "New York joins California federal court in rejecting unfinished business claims" --
  • "We hold that pending hourly fee matters are not partnership "property" or "unfinished business" within the meaning of New York's Partnership Law. A law firm does not own a client or an engagement, and is only entitled to be paid for services actually rendered."
  • "Treating a dissolved firm's pending hourly fee matters as partnership property, as the trustees urge, would have numerous perverse effects, and conflicts with basic principles that govern the attorney-client relationship under New York law and the Rules of Professional Conduct. By allowing former partners of a dissolved firm to profit from work they do not perform, all at the expense of a former partner and his new firm, the trustees' approach creates an "unjust windfall," as remarked upon by the District Court Judge in Geron (476 BR at 740)..."