Thursday, August 28, 2014

Another Law Firm Trumpets ISO 27001 Security Certification

We've covered law firm adoption of the ISO 27001 information security standard over the years. Many firms see this as a quick path to addressing client concerns about managing sensitive data, and several view it as a competitive differentiator, including: "Aberdein Considine achieves ISO 27001:2013 certification"--
multiple times
  • "Aberdein Considine (18 offices and 400 staff), has had its commitment to high standards of information security across all of its practice areas and locations recognised with a national accreditation."
  • "The firm has achieved the prestigious ISO 27001:2013 certification which acknowledges the implementation of robust procedures and processes relating to information security management after it recently underwent a comprehensive independent audit of its systems."
  • "The certification standards set out a strict framework for managing the security of assets, including financial information, intellectual property, employee details and information entrusted to an organisation by third parties."
  • "Jacqueline Law, a corporate partner at Aberdein Considine, has welcomed the certification and believes it is reward to the high importance placed by the firm on the security of its own and its clients’ information: 'To achieve ISO 27001:2013 certification – one of only a handful of law firms in Scotland to do so – is incredibly pleasing and recognises our commitment to high standards of information asset security.'"

Wednesday, August 27, 2014

Law Firm Conflicts Allegations in the News

A few interesting stories making news. First: "The mysterious case of Hewlett-Packard’s Autonomy deal"--
  • " of the law firms that represented the shareholders in their case against H-P directors, Cotchett, Pitre & McCarthy LLP, now working with H-P, is being accused of a conflict of interest. Cotchett was previously the lead counsel in another class action against H-P. That suit, which also recently settled, alleged that the company’s inkjet printers falsely warned consumers when they were out of printer ink."
  • "Theodore Frank, of the non-profit Center for Class Action Fairness, has filed a motion contesting the ink jet settlement, seeking to disqualify the Cotchett firm... 'It’s just a black letter ethical violation,' Frank said... 'The inkjet litigation has no bearing on the Autonomy settlement,' an H-P spokeswoman said in an email."
  • "Rodney Cook... has his own separate derivative action against H-P regarding the Autonomy deal, also seeks to remove the Cotchett law firm as the lead plaintiff’s counsel, citing conflict of interest."
  • "One challenge has been filed by Autonomy’s former chief financial officer, Sushovan Hussain, who contends that the proposed settlement H-P poses a threat to his own legal rights... Hussain’s motion brings up a bigger question about the Autonomy acquisition. He states in his motion that with the settlement, 'H-P seeks to forever bury from disclosure the real reason for its 2012 write-down of Autonomy: H-P’s own destruction of Autonomy’s success after the acquisition.'"
  • "How this became a multi-billion-dollar write-down is a big question among investors. Perhaps these legal maneuvers will shine some light on the mystery. But it probably will be a long time before investors know what really happened."

Next: "DOJ: Hacking suspect's lawyers may face conflict"--
  • "Two attorneys representing the son of a prominent Russian lawmaker may face a conflict of interest because their firm represented victims of a hacking scheme he's accused of running, the U.S. Justice Department said Wednesday."
  • "Ray and Goldin are attorneys with Fox Rothschild, a national firm with 600 attorneys and 19 offices, according to its website. Ray succeeded Kenneth Starr in 1999 as the independent counsel on the Whitewater investigation. Seleznev is also represented by Seattle defense attorney Larry Finegold."
  • "'We feel strongly that our representation comports with all applicable rules of ethics and that Mr. Seleznev is legally entitled to vigorous defense - which we intend to provide,' Goldin wrote in an email Wednesday."
  • "Assistant U.S. attorney Norman Barbosa said the government was not implying any wrongdoing by the defense attorneys, only raising the question of whether they should continue to represent the defendant when at least one other attorney in their firm represented the pizza chain Z Pizza in connection with a breach in late 2010 and early 2011 that resulted in the theft of thousands of its customers' credit card numbers. Seleznev was responsible for the hack, prosecutors say."
  • "The government noted that if Seleznev is ultimately ordered to pay restitution in the case, Fox Rothschild could wind up representing both the defendant and the people he is required to pay. And if anyone from Z Pizza is called as a witness in the case, the firm could wind up cross-examining its own client.'
For more detail (and intrigue) on the case of an alleged hacker the US Secret Service calls "one of the most prolific in the world," see: "Accused Russian hacker must stay in custody, judge says," which covers details such as an arrest at the Maldives airport, a seized laptop containing over 2 million stolen credit-card numbers, and Russian allegations that the suspect was kidnapped...

Sunday, August 17, 2014

Information Security Policies & Practices -- Protecting Client Information

via Law Technology News "Law Firm Data Breaches: Protecting Clients --  Maintaining diligent protocols and educating personnel are crucial tools to protect client data" --
  • "Data threats against law firms can be generated from internal or external sources... Imagine a disgruntled employee who wants to get even with the employer and has unrestricted rights to  client data kept on the firm’s network folder."
  • "Some ways a firm can safeguard against internal data theft include:
  • Be careful about which users are given access to data systems.
  • Monitor user access control to each data source on a regular basis.
  • As users within the firm change positions and/or departments, ensure that system access is verified so that users only have access to the systems they need.
  • Promptly disable all system access (both internal and external) for terminated employees."

For those attending the ILTA conference this week, see also: "Security Policies and Procedures: Why You Need Them and How To Decide Which Ones Matter Most" --

8/21/2014 2:00 p.m. (Event Code:SOSPG6,  Presidential Ballroom B)
  • In response to client guidelines and regulatory requirements such as HIPAA, law firms are increasingly developing and documenting central policies and procedures for managing information security. But policies are only effective if they are living documents accepted by firm stakeholders and honed to match the business issues of greatest risk to the firm. This interactive session will include an overview of the drivers behind security policies as we teach participants how to use a risk-based methodology to develop security policies aligned with firm business goals and encourage buy-in from lawyers, management and staff.

Karen Campbell - Orrick, Herrington & Sutcliffe LLP
Michael Johnson - Security Grc2
Kathryn Hume - Intapp

Tuesday, August 12, 2014

Conflicts Story Update: $270k in Sanctions

Law360 (subscription required for full article) reports that: "Boies Schiller Fined For Conflict In $350M Antitrust Suit" --
  • "Boies Schiller & Flexner LLP was ordered by a New York federal judge Friday to pay Host Hotels & Resorts Inc. about $270,000 in sanctions for failing to bow out of a $350 million antitrust suit over a scheme to keep Marriott International Inc.'s flagship New York hotels union-free."
  • "U.S. District Judge Colleen McMahon, who initially ordered the law firm sanctioned in October for ignoring a conflict of interest that "could not have been clearer," awarded Host a sanction of $271,063 in legal fees for work..."
For non-paywalled history and detail on this matter, see also this article from 2013 for additional background, as the facts and accusations in this matter are complex and worth attention:
  • "On March 8 [2013], Boies Schiller filed a motion to withdraw from the case after Host Hotels threatened to file a motion to disqualify the firm from the litigation. Host Hotels hired the firm in 2000 to examine the company's business relationship with Marriott, which manages some of its hotel properties."
  • "Boies Schiller's outside ethics counsel informed Host Hotels that it would not reimburse it for any portion of its costs associated with drafting the motion because it made attempts to withdraw after the company presented the firm with documents solidifying the conflict, Host Hotels said."
  • "Host Hotels seeks reimbursement for its attorneys' fees and expenses associated with investigating Boies Schiller's conflict-of-interest. The company denies that it participated in any unlawful conduct in its dealings with Marriott."
At the time this matter first made news, we pointed out additional detail, commentary and analysis worth reviewing as well. (Including interesting details on the specific timing, scope and suitability of the searching performed by the firm.)

Monday, August 11, 2014

BB&K Improves Business Intake, Conflicts Management and Matter Evaluation

Best Best & Krieger LLP, a full-service law firm with nearly 200 lawyers in nine offices across California and in Washington, D.C., has selected Intapp Open to automate processes related to new business intake. BB&K, which represents many recognized public agencies and businesses, is using Intapp Open to enhance conflicts checks and accelerate new client matter inception.

Said the Firm's IT Director,  Tim Haynes:
  • "BB&K’s public agency, business and individual clients rely on us to quickly and efficiently help them solve their legal issues. Intapp Open allows us to identify, manage and clear any conflicts of interest that arise, and also provides our attorneys with a holistic view of the client, enabling us to be more strategic and responsive in our representation."
BB&K selected Intapp Open following a thorough evaluation by a panel that included firm management and lawyers, as well as representatives of the firm’s finance, conflicts and IT teams. Of all the products evaluated, Intapp Open was the most comprehensive and the most user-friendly – offering role-specific views and to-do lists for key stakeholders involved in new business intake, and eliminating duplication of effort. Intapp Open also allows designated users to create and modify processes to support firm- and practice-specific matter evaluation procedures.

Said the Intapp Managing Director,  Kerry Stivaletti:
  • "Having worked with Best Best & Krieger as an Intapp customer for more than nine years, we know that making the most of the data available throughout the firm has been a long-standing priority for executive management, finance and IT. Intapp Open supports this by providing firms with visibility into the strategic implications of new business acceptance."
  • "By introducing Intapp Open for new matter inception, as well as conflicts management, BB&K is bringing a new level of agility, efficiency and governance to its business intake processes."
Visit for more information on Intapp Open new business intake and conflicts management software, or to request a demonstration.

Thursday, August 7, 2014

Risk News & Updates (Screening, Conflicts & Security)


First, from Bill Frievogel comes another Canadian pro-ethical screening/information barrier decision: Province of Ontario v. Chartis Ins. Co. of Canada, 2014 ONSC 4221 (Ont. Super. Ct. July 16, 2014) --
  • "We are simplifying the history somewhat, but the essentials for this audience are this: Lawyer worked at Firm A to some considerable extent on cases for the Province against InsCo. Lawyer wound up at Firm B, which is representing InsCo against the Province in those same cases. Firm B erected in advance a screen essentially in compliance with ethics rules of the Law Society of Upper Canada. Nevertheless, the Province moved to disqualify Firm B. In this opinion the court denied the motion, finding that the screen was satisfactory. Excellent discussion of the judicial history of screening in Canada."

Next, from James Tallon, litigation partner at Shearman & Sterling, comes an interesting article: "Ethics Corner: When Conflicts Rules Conflict" --
  • "Consider the following hypothetical: Lawyer A is admitted to practice in New York and resident in his firm's New York office. Currently, A represents Del Corp., a Delaware corporation headquartered in New York City, as borrower negotiating a significant credit facility from a bank syndicate. Lawyer B is A's partner; B is admitted as a solicitor of the Senior Courts of England and Wales and is resident in the London office of the firm in which A and B are partners. Euro Corp., a long-time client of B, has asked her to represent it in connection with the purchase of Del Corp.'s wholly-owned English subsidiary. B would like C, who also is admitted in New York, but resident in the firm's London office, to work on the transaction. Can B take on the engagement for Euro Corp.? If so, can C work on the deal?"

Finally, from Bill Caraher, CIO at von Briesen & Roper, comes: "Different Data, Different Security" --
  • "'Privacy' and 'security' are two terms taken very seriously in law firms. When it comes to e-discovery and client-matter data, privacy and security are paramount. But, in practice, these two types of data are often treated differently."
  • "Let’s ask this again: Why is the cloud acceptable for one type of law firm data but not the other? It comes down to control and the agreement between parties. When a firm’s DMS data are outside the control and watch of senior management and IT, people get nervous. You also have cloud providers that run shared infrastructure and shared storage between multiple clients."

Wednesday, August 6, 2014

Information Governance Report Focuses on Law Firm HIPAA Compliance

The folks at Iron Mountain have published the results of their 2014 Law Firm Information Governance Symposium. These events brought together industry thinkers and leaders to discuss and develop best practices.

Industry experts Brian McCauley and Ann Killilea (McDermott), Rudy Moliere (Morgan Lewis), Charlene Wacenske (MoFo), Scott Christensen (Edwards Wildeman), Grant James (Troutman Sanders), Sharon Keck (Polsinelli) and Intapp's Kathryn Hume collaborated on: "HIPAA Omnibus Task Force Report" --
  • "The following report summarizes and analyzes key components of the HIPAA Omnibus Rules that affect law firms as HIPAA business associates, i.e., in their role as custodians of HIPAA protected health information on behalf of their clients."
  • "After presenting the elements of the HIPAA Omnibus Rule for which law firm business associates are liable, the report outlines the framework for a law firm enterprise data protection program comprehensive enough to satisfy the multiple data privacy and security requirements imposed by HIPAA. The report concludes by recommending a set of industry best practices for achieving HIPAA compliance in a law firm environment."
  • "Especially when considered alongside emerging state data privacy and security laws and transitive requirements imposed on firms from clients in regulated industries like financial services, the Omnibus Rule is significantly impacting the way law firms develop and implement a culture focused on regulatory compliance, client data privacy, and client confidentiality. To achieve compliance with the new HIPAA rules, many firms have little choice but to enhance their confidentiality controls and to adopt more stringent security measures to prevent unauthorized disclosure of any information protected under HIPAA’s rules."

Tuesday, August 5, 2014

UK Risk Roundtables Set: London & Jersey

We're pleased to announce two more Risk Roundtables.  Our London event is set for September 9th:
  • Guest speaker Heather McCallum, former Head of Risk & Compliance at Allen & Overy, will overview the challenges firms face in managing terms of business in client RFPs, outside counsel guidelines & questionnaires, and suggested best practices to negotiate terms and achieve firm-wide compliance.
  • A panel of experts from leading firms will debate staffing models for new business inception and conflicts management, weighing up the benefits and setbacks of managing conflicts centrally, and complying with requirements across jurisdictions.
  • Intapp experts will then showcase Intapp Open & Intapp Wall Builder, fresh approaches to simplifying and streamlining new business acceptance, and securing client information.

Set for September 10th, the Jersey session will cover moderate a general forum on topics of interest, enabling risk, IT and related professionals to connect in a collaborative environment and gain insights on:
  • Strategies for negotiating terms of business in client Request For Proposals 
  • Increasing expectations around achieving, managing, and positively demonstrating appropriate controls around client confidentiality and information security
  • Achieving firm-wide compliance
  • Demonstration of Intapp business acceptance and information barriers software

Attendance is by invitation only and is limited to qualified law firms and personnel. Please contact for more details.