Law Firm Risk Management Blog

Clients Advised to Ask Tougher Questions About Law Firm Information Security

2012-02-22T06:52:00.000-08:00

Law firm information security and information risk management is definitely in the zeitgeist. Corporate Counsel magazine just published an article advising clients to take greater interest in how outside counsel treat their sensitive information. "Securing Corporate Data in a Law Office's Computer Network" --

"It’s an issue that should be getting the attention of in-house counsel, especially as they share sensitive--and potentially valuable--data with outside counsel."
Digital risk consultancy Stroz Friedberg notes: “We’re advising law firms to segregate that data, and put much more security around that data."
"'The disparity in the levels of security we’re seeing is startling.' Some law firms have a very strong culture of security, at or beyond that of their corporate clients. Others continue to prioritize the convenience of a flat, open network over the security of a network with more barriers."
Echoing, similar comments published by the UK's Legal Support Network, Friedberg notes: “The issue ends up being that the lawyers are so oriented to the convenient use of computers. It presents real challenges to pervasively establish a culture of security, because convenience has to be subjugated to secure computer use.”

The article presents an extensive list of "Twelve Security Questions That Corporations Should Ask Their Law Firms," which includes:

Does the firm log access to its clients’ files, so who touched what file can be reconstructed?
Does the firm use secure enclaves, where highly sensitive data receives higher levels of security protection and monitoring?
Does the firm have state-of-the-art intrusion detection, session-recording, log-aggregation, and enterprise forensic tools?

New Federal Information Security Law -- Will It Affect Law Firms?

2012-02-21T07:14:00.000-08:00

The recently-introduced Cybersecurity Act of 2012 calls for the federal government to identify key systems that if attacked would result in severe economic or physical damage. Stated targets include utilities, banks and other critical service providers.

As Law Technology News reports: "Experts say it's possible that large law firms and corporate legal departments could be impacted and find themselves reporting security procedures to the federal government, or face fines and public scrutiny."

Steptoe & Johnson partner Stewart Baker outlines how the rules could affect law firms: "That is to say, there might be 100 or 200 law firms in America whose secrets, if compromised, would in aggregation result in really significant economic harm. At the end of the day, it's not the law firm's secrets that are important, it's their clients."
But he and others, like one security consultant, suggest that law firms are not the intended targets of the measure: "You can imagine hypotheticals, but I think in fairness, law firms are probably outside the zone of what the bill makers are actually contemplating. Probably lawyers are not life-sustaining, notwithstanding how important we think we are."

Law Firm Information Security: News, Opinions & Best Practices

2012-02-20T07:37:00.001-08:00

Law firm information security and confidentiality management continues to make headlines and draw industry attention. Here are recent updates worth reviewing:

Rupert Collins-White from the Legal Support Network starts things off with some bold opinions -- Why information security has now become a costly issue for law firms:

"It's not like lawyers and the business services people who work in law firms don't realise the information they deal in is, usually, sensitive and commercially useful to others - they know this very well... There's another reason things go wrong, though it won't be a popular one for me to say - partners and senior associates. Some partners and senior lawyers, and they're not all older members of the profession, think they are somehow outside the normal rules of behaviour, both in terms of manners and actions."

Next comes a recent article in The Recorder -- 10 Steps to Minimize Cybercrime Exposure at Your Firm:

"Recently, federal law enforcement officials have been quietly visiting major law firms to explain they may be vulnerable, which makes sense given the confidential nature of the data law firms store on their information technology systems... At this point, it's fair to say that firms that fail to implement thoughtful and appropriate cybersecurity measures may well be held to answer in the wake of a serious data breach incident."
"Review and modify access rights. You, your HR department, and IT staff should take a hard look at access rights, and conform access to what's necessary as opposed to what's convenient... Your firm's document and information management system should compartmentalize sensitive data and records so that the number of partners, associates, and other employees with access is minimized to the extent possible. Pay special attention to the access rights granted to temporary and contract employees, as well as remote access rights. Finally, make sure you timely disable and purge old user accounts; experience has shown these can become external and internal threat vectors. User accounts should be disabled at the time of an employee's departure."

Finally, an example of alleged security-related malfeasance -- Pa. Firm Sues Ex-Partner for Allegedly Using Dropbox to Access Client Files:

"Elliott Greenleaf said that prior to Balaban leaving the firm, he and others deleted 5 percent of the firm's backup tapes for Harrisburg client files, took 78,000 files from the firm's computer system, and installed 'Dropbox' software that enabled Balaban continued access to Elliott Greenleaf's computer network through remote access, according to the complaint filed by name partner John M. Elliott."

Risk News: Law Firm Insurance Trends, Ethics and Disqualification Updates

2012-02-15T07:11:00.000-08:00

The Wall Street Journal published an interesting update on law firm insurance and malpractice trends: "The Wrong End of Lawsuits: Firms Say They Increasingly Are Targets of Litigation by Clients, Ex-Partners." The article reviews several high profile malpractice cases making news (such as an $83 million lawsuit against Ropes and Gray) and digs into several identified insurance-related themes and trends:

"Law firms are loading up on insurance against expensive liability claims as they increasingly find themselves on the wrong end of lawsuits."
"Some clients are even using the threat of litigation as a way to negotiate their bills."
"And because big law firms carry more insurance than smaller firms, the big practices are particularly attractive targets for litigation."
"Insurance brokers say many law firms have expanded their coverage to guard against claims from former employees or disgruntled partners and are looking to shield firm leaders from suits over management decisions, such as whether to merge with other practices."

The Wall Street Journal published an interesting update on law firm insurance and malpractice trends: "The Wrong End of Lawsuits: Firms Say They Increasingly Are Targets of Litigation by Clients, Ex-Partners." The article reviews several high profile malpractice cases making news (such as an $83 million lawsuit against Ropes and Gray) and digs into several identified insurance-related themes and trends:

"Am I My Brother's Keeper?" -- BNA writes: "Law Partners and Managers Must Be Active Overseers of Colleagues' Conduct," a recent published updates to the ABA/BNA Lawyers' Manual on Professional Conduct:

"Model Rule 5.1, which covers partners and managers in all types of law practices, requires supervisory lawyers to take affirmative measures to prevent and detect unethical conduct by lawyers in their firm, office, or agency. Those who own and manage law practices are expected to construct and maintain a framework to make sure that other lawyers in the firm toe the ethical line."
"Model Rule 5.2 makes clear that subordinate lawyers who act unethically aren't off the hook merely because they followed a supervisor's instructions. Attorneys working under the supervision of other lawyers are charged with learning the rules and laws that govern their conduct; they cannot blindly rely on instructions from those above them who push the boundaries of professional conduct."
"Law firms must set up and maintain internal policies and procedures to prevent and detect unethical conduct, including measures designed to spot and resolve conflicts of interest, to foreclose and uncover fraudulent billing and improper dealings with client funds, and to identify key deadlines in pending matters and verify they are met. Firms also must have policies and practices ensuring that lawyers receive appropriate training, supervision, and support needed to carry out their work. Model Rule 5.1 cmt. [2]; Restatement §11 cmt. g."

Finally, in keeping with the legal ethics theme, and, arguable from the lighter side, comes an update in developments in the disqualification motion in Wingate v. Celebrity Cruises, Ltd. The complete decision, filed February 8, is available online, but the following transcript snippet summarizes part of the drama involved:

"THE COURT: I am not going to give this man a nickel if I already found, as I have, that in fact he obtained an unfair advantage by bribing an employee on the other side to let him know what the settlement value of the case was."

Information Security, Ethical Walls and Confidentiality Management -- Making the Business Case (Webinar)

2012-02-14T06:46:00.000-08:00

This upcoming webinar will address the question: "How do you effectively make the business case for investing in information security and confidentiality management?"

Today a growing number of firms are using software to automate the enforcement of information barriers and access restrictions on confidential matters. Yet many firm risk and IT professionals find it challenging to educate others in the firm about the need for enhancing internal practices and controls.

At this event, speakers from three firms will explain the different approaches they took and offer advice you can put into practice at your firm:

Mia Jiganti, Director of Risk Management, Dykema Gossett
Gavin Gray, CIO, Perkins Coie
Eric Carpenter, Information Systems Director, Rothgerber Johnson & Lyons

Date: Thursday, February 23
Time: 9 am Pacific / 12 pm Eastern / 5 pm GMT

The session, moderated by Pat Archbold, head of IntApp's risk practice group, and will include time for live Q&A. Attendance is by invitation only. For more information, please contact: webinars@intapp.com.

Law Firm Conflict Allegation Rejected: Google Not "Feeling Lucky"

2012-02-13T15:03:00.000-08:00

This update for a story we noted earlier today about Google's attempt to disqualify former counsel: "Google Loses Bid to Disqualify Lawyers Suing Android Partners."

The ITC ruled that “Google offers no evidence regarding how Google’s business interests will be harmed through this litigation... I find that the actions taken by Pepper Hamilton serve as a reasonable precaution to keep the confidential information of Google and Digitude separate."
"Pepper Hamilton has pledged not to question any Google witnesses and it’s set up an 'ethical screen' to keep lawyers who are working on behalf of Digitude in Washington and Boston from accessing confidential information related to Google’s patents."

Conflicts Management for Law Firms

2012-02-13T07:11:00.000-08:00

Conflicts Checks, A Necessary Pain
Two partners from McKenna Long & Aldridge just published an excellent article about the necessary pain that is law firm conflicts management. They start with full and honest disclosure -- noting that conflicts ranks at the top of the least favorite lawyer pursuits, but remains an important nevertheless:

"Other than billing, there is virtually nothing that lawyers dread more than checking, responding to, and resolving potential conflicts of interest…Legal newspapers are replete with articles about motions to disqualify, bar complaints, and legal malpractice claims based on an unidentified or unresolved conflict of interest."

They go on the review different types of conflicts and key considerations for prudent processes to identify, analyze and resolve potential conflicts. Importantly, they note that conflicts management software can help the process, but isn’t a substitute for human intervention and wisdom:

"Computers make conflicts screening much easier. But, computers are no substitute in the final conflicts analysis for involving lawyers in the process. Effective conflicts procedures involve both. The key is to make sure that both are looking for the right things."

Googling a Potential Conflict -- Can You Hear Me Now?
“Google is sparring with a law firm it's been using since 2008 after discovering that lawyers there began representing a patent-licensing business that sued the company's Android partners last month.”

Google submits that the firm in question represented it 50 patent applications, including 12 specifically related to Android and argues in a filing with the ITC that: "…Pepper Hamilton is accusing its own client of infringement… Pepper Hamilton should not be allowed to continue alleging infringement against the products and interests of its current client."

Another Law Firm Hacked – Gigabytes of Email Capture & Published

2012-02-09T07:17:00.000-08:00

More news in keeping with this week’s theme of the importance of law firm information security management – Yesterday we focused on the FBI’s warning concerning the very real threat of law firm hacking.

Now comes another example: "The announcement states that Anonymous stole 2.6 gigabytes of e-mail belonging to Puckett Faraj, a law firm that represents Staff Sgt. Frank Wuterich, who is accused of leading the group of Marines in Haditha." (As reported by Time and other news sources, this 2005 raid resulted in the deaths of 24 unarmed Iraqi civilians.)

The Haditha incident was recently in the news as Wuterich was convicted of negligent dereliction of duty on January 24. The cases against six other defendants were dropped, and the seventh was found not guilty.

The emails are said to contain: "…detailed records, transcripts, testimony, trial evidence and legal defence donation records pertaining to not only Frank Wuterich but also many other marines they have represented."

Equally troubling for the law firm, the emails included personal lawyer correspondence relating to other matters. Finally, the hackers and supporters are reported to be publishing the email trove online in a searchable form.

The US Naval Instituted called out and commented on this incident as another reminder to treat sensitive electronic information carefully.

Information Risk Threats: Law Firms Increasingly Targeted by Hackers

2012-02-08T08:03:00.000-08:00

Following yesterday's update about the growing adoption of ISO 27001 information security standard by law firms comes renewed news about external attacks on firms: "China-Based Hackers Target Law Firms to Grab Secret Deal Data."

The issue is serious, the FBI convened a meeting of the top 200 firms a few months ago. As the head of the FBI’s New York cyber division summed up the threat: "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry."

She noted that of the firms in attendance: "Some were really well prepared; others didn’t know what we were talking about," and that firm culture and related factors make law firms a "soft" target for attackers.

The article mentions several law firm hacking incidents:

"...the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board..."
"In one recent case, a corporation was negotiating to open a major plant in China when the law firm helping with the deal was hacked…"
"Similarities between the Canadian attack and other recent intrusions at U.S. law firms suggest that cyberattacks on attorneys are now part of the hacking playbook for gathering sensitive information on corporate clients…"

Given these threats, it’s no reason why many firms are seeing more stringent client mandates about how sensitive information is stored, accesses and protected:

"'If clients start thinking they can’t give private information to their lawyers because it might get out, it’s a huge problem for the profession,' said Richard Goldberg, a former software programmer and lawyer in Washington involved in the data security issue. 'The whole system will start to fail.'"

Risk and Compliance as Competitive Advantage: A&O Highlights New ISO 27001 Certification

2012-02-07T10:05:00.000-08:00

Last week, Allen & Overy made a very public announcement that it has received ISO 27001 certification in the US for its confidentiality management practices. What’s fascinating is the firm’s aggressive use of certification as a competitive differentiator:

"[Our] firm stays ahead of competitors on information security with prestigious certification…"
CIO Gareth Ash adds: "We are leading the pack on information security. This certification provides real business benefits when working with our clients and future clients, especially within the financial industry."

With clients issuing stricter guidelines, asking tougher questions on RFPs, and even commissioning audits of their law firms, it’s easy to understand why a firm would emphasize its capabilities and advantage.

Allen & Overy selected IntApp Wall Builder in 2010 to support its internal confidentiality efforts. Speaking at the time, the firm’s head of risk and compliance noted:

"We made a strategic decision to adopt technology controls to help us manage information barrier and wider client confidentiality issues and in particular to enhance our ability to monitor and audit compliance. We selected Wall Builder because it's a mature product that has been widely adopted by law firms, and because IntApp possesses the necessary expertise and could demonstrate success working with large, global firms to address information barrier and client confidentiality requirements."

Commenting on the recent ISO announcement, Pat Archbold, head of IntApp’s risk practice group, writes: "We’re seeing continuing law firm interest in ISO 27001 and have developed solutions that enable law firms to accelerate their compliance certification efforts. I happy to share more detail with readers who’d like to get in touch directly at: Pat.Archbold@intapp.com."

Terminated Lawyers Level Law Firm Conflicts and Ethics Accusations

2012-02-02T07:57:00.000-08:00

Careful Calling “Conflicts”
The U.S. District Court for the Western District of Kentucky just ruled that a lawyer cannot sue for being terminated after failing to take part in a referral arrangement he believed created a conflict of interest under state ethics rules: “He contended that a quid-pro-quo referral arrangement existed between the law firm and Kentucky Spine and Rehab, creating a conflict of interest under Kentucky ethics rules. The firm terminated his employment because he refused to participate in the referral scheme, the plaintiff asserted. For purposes of the law firm's motion to dismiss, the court took the facts alleged in the complaint at face value. Even so, Heyburn concluded that the complaint did not state a viable claim against the firm under Kentucky law.”

Lawyer Claims Firm Encouraged Fraud with 3000-Hour Billable Quota, as reported in the ABA Journal. Commenting on the article, one contribute suggests that: “Billing 3,000 hours should trigger an ethics investigation. More than 3,500 hours should trigger an ethics investigation with a rebuttable presumption of guilt. Trouble is, you’re billing multiple clients, so no individual client knows to complain. The only person who sees the high numbers is the boss…” [Clearly, there’s an opportunity for added controls to mitigate this risk, either triggered by manual review or automated technology.]

UK Risk News and Updates

2012-01-31T07:50:00.000-08:00

UK-based Legal Risk LLP has published its latest newsletter, which contains updates on Alternative Business Structures, Outcomes-focused regulation, Anti-money laundering compliance, and Professional indemnity insurance.
International firms offered global entity regulation – “The Solicitors Regulation Authority (SRA) is proposing to sweep away the old system of registering foreign offices of global firms and to replace it with a single international ‘passport to practice’… Under the proposals, international law firms will have greater flexibility to operate in any form that is allowed in other countries. They will also be able to bring into their partnerships lawyers from key emerging markets.” [via MP Magazine]

Law Firm Engagement Letters in the News...

2012-01-27T07:48:00.000-08:00

“A Clearly Drafted Engagement Letter Can Limit the Scope of Attorney's Duties” – according to the U.S. District Court for the Eastern District of Louisiana, as reported by Hinshaw & Culbertson: "the firm’s clearly drafted engagement letter successfully provided a defense to the client’s allegations that the firm did not provide adequate legal representation."

A bit more colorful analysis is provided by legal news rag Above the Law, which offers specific advice:

“Retainer Agreement, engagement letter, whatever you want to call them. Have one. Just don’t make it a bunch of much-too-long, written “understandings” of too many things that the client isn’t absorbing at the initial consultation. These documents are not tools to attempt to impress the client with your ability to expand on: “You are going to pay me this, and I am going to do this, and I’m not paying for this, and if anything else comes up, we’ll talk about a separate retainer/fee/cost, and I’m not guaranteeing anything or giving you money back, and we have no other agreements, so sign here.”

Law Firm Conflicts and Controversy

2012-01-25T07:34:00.000-08:00

Megaupload, Megacontroversy, Megaconflict?
Hogan Lovells partner withdraws from representation of Megaupload in its recent legal troubles. The organization is currently defending itself against accusations that it built an elaborate system designed to encourage online copyright infringement: “Robert Bennett was required to withdraw from the case because of a conflict involving at least one other client of his law firm, Hogan Lovells, this person told Reuters. The other client or clients were not identified.” Interestingly, Bennett represented Megaupload in other matters, so this may be a base both of “business” as well as ethical conflicts. [See American Lawyer story for additional detail.]

Risk When Law Firms and Politicians Mix
An interesting article exploring the relationship between one firm and Wisconsin’s Republican leadership: “In December news broke that Wisconsin Supreme Court Justice Michael Gableman, a well-known conservative, had received about $100,000 worth of free legal services from a Michael Best & Friedrich attorney. The revelation created a controversy because the Supreme Court presides over cases argued by Michael Best & Friedrich. Accepting free services from the firm could be considered a conflict of interest.” [The judge in question denies a conflict of interest and will not recuse himself.]

Data Privacy News and Updates

2012-01-18T08:08:00.000-08:00

Firms that store and manage sensitive client information should take heed of recent privacy developments and news:

New California Data Privacy Law Now In Effect -- "SB 24 strengthens and standardizes the notification requirements when someone’s personal information has been hacked into, stolen, or lost. The bill also requires state agencies, businesses and others to notify the Attorney General if more than 500 Californians are affected by a data breach."
Privacy Enforcement Actions Set to Increase in 2012? -- "There's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them."
A pertinent example: UCLA Hospitals Sued Over Patient Data Breach -- "The suit, filed as a proposed class action on Dec. 14, alleges that by not protecting its patients' confidential information, the hospital system violated California's Confidentiality of Medical Information Act. The law allows each patient to recover $1,000 in statutory damages per occurrence." In this case, a former physician had sensitive information on his home computer, which was stolen by burglars. (Could this happen to a lawyer?)

Lateral Movement, Client Poaching and Staff Screening

2012-01-16T07:41:00.000-08:00

Laterals Be Careful? -- Lawyer May Be Liable to Former Firm in Tort For Improper Efforts to Recruit Firm's Clients -- "The U.S. District Court for the Eastern District of Pennsylvania Dec. 22 granted a law firm's motion for a preliminary injunction against a lawyer who tried to recruit many of the law firm's clients after she was fired (Feldman & Pinto PC v. Seithel, E.D. Pa., No. 11-5400, 12/22/11)."
Avoiding disqualification on matters due to non-lawyer firm changes -- Bill Freivogel published an excellent article on "what screens law firms should put in place to avoid problems with non-lawyers." The essay compares and contrasts US and Canadian standards, explores when unilateral lateral screening is permitted vs. when waivers are required, and provides a case study example. He also presents a list of the five minimum characteristics of an effective staff screen, including policy construction, notification, information access control and compliance documentation. [Update: h/t to Legal Ethics Forum for suggesting LA County Ethics Opinion 524 as a relevant related read.]

Alternative Business Structure Applications Live in the UK (ABA Says: "Not So Much")

2012-01-13T06:53:00.000-08:00

First ABS wannabes begin SRA application process -- "More than 10 prospective alternative business structures (ABSs) completed the first stage of the Solicitors Regulation Authority’s (SRA) application process on the first day, the authority has revealed." As explored in greater detail in the article, Law Society President John Wotton argues that ABS licensing provides England and Wales with a competitive global advantage for legal services.
ABA Panel Says No to Outside Law Firm Ownership -- "An American Bar Association commission is considering recommending that nonlawyers be allowed to take an equity stake in law firms for which they work while urging that an existing ban be maintained on the kind of outside investment in U.S. firms that is now possible in the United Kingdom and Australia."

Law Firm Rules & Regulations (News & Fighting)

2012-01-11T07:42:00.000-08:00

ABA and European Law Societies Fight New Efforts to Regulate Legal Industry -- Stemming from the debt crisis, new attempts at external law firm regulation threaten "...one of the core principles of the legal profession: regulation independent from the executive branch of the state," the industry argues, noting that a "guarantee of independence" is "fundamental to the profession."
Washington DC ethics opinion 361 allows referrals to non-lawyer service providers -- “…such as a financial services firm may accept compensation from the provider for the referral so long as the criteria of Rule 1.7(c) and, if applicable, Rules 1.8(a) and 5.7 are satisfied. Those criteria are exacting, however, and the arrangement may be beyond the lawyer’s malpractice coverage even if permitted by the Rules.”
Utah Bar Says Using Student's Lexis/Westlaw Access for Firm Work is Unethical -- "The Utah Legal Ethics Advisory Committee considered whether an attorney who encouraged a student to breach her agreement by doing firm-related research had committed an ethical violation. The Committee answered in the affirmative finding that an attorney's misuse of a student's educational Wexis access is theft of services, a potential felony."

2012: New Year, New (and Old) Risks

2012-01-09T07:37:00.000-08:00

A few interesting updates as we kick off the new year:

The ABA Commission on Ethics 20/20, the body charged with reviewing and recommending changes to the Model Rules, recently issued a Summary of Actions, writing: "For two years, we listened to all elements of the profession as well as clients, consumer groups and businesses that support, sell to, and report on the profession. Our proposals respond to what we have heard and are intended to address the following developments…"
From the frequently linked and hat-tipped Legal Ethics Forum -- John Steele published his "Top Ten Legal Ethics Stories of 2011." It’s excellent reading.

Law Firm Insider Trading Risk Management: Webinar Recording Now Available

2011-12-20T09:09:00.000-08:00

Content from our November webinar on managing insider trading risk at law firms is now online, for those who missed the live session:

Managing Insider Trading Risk -- Thanks again to our panelists. We welcomed another large group (100+ attendees) who heard speakers from SNR Denton (Adam Hanson), Baker & McKenzie (Dan Surowiec), and Hogan Lovells (Jeff Lolley).

Those who registered but were not able to attend these events should have received a link to the video recordings via email. Others interested in these sessions can view them online: [Law Firm Risk Management Webinars].

Report from Kansas City Risk Roundtable Session Hosted at Lathrop & Gage

2011-12-15T08:47:00.000-08:00

We hosted a Risk Roundtable last week in Kansas City. Thanks again to Lathrop & Gage for hosting. Brian Lynch sent his customary summary of the day:

Dan – I'm pleased to report back from our ISO 27001 Risk Roundtable discussion in Kansas City. Lathrop & Gage hosted our session, where we had a chance to check in with KC-based firms and their respective approaches to implementing ISO-friendly security programs. It was a lively discussion, where we had a chance to evaluate the benefits and costs of pursuing ISO certification.
As one of our attendees put it, creating a standard information security management system - e.g. ISO - is an inevitability. It's a difficult process for clients and law firms to work through the audit process. Managing audits seems to be something clients increasingly want, and firms are getting more comfortable addressing. But many are looking for a shorthand method to show that they meet a certain level of differentiated confidentiality management. This promises a quicker path to providing clients with peace of mind and enabling firms to address their obligations as they work across jurisdictions.
Several attendees commented on the role IntApp Wall Builder plays at their firm in managing confidentiality enforcement as part of their security programs. They're mapping the technology to the requirements and processes ISO 27001 defines to ensure consistent compliance.
Many thanks again to Sean Power @ Lathrop & Gage for providing the forum for an intellectually stimulating discussion.

This session concludes the 2011 Fall/Winter Risk Roundtable series (we promise this time). Plans are underway for future events in 2012. Watch this space for more details. (And if you'd like to host a Risk Roundtable in your neck of the woods, please get in touch: dan@riskroundtable.com.)

With Swift Ethical Screen, Quinn Emanuel Survives Disqualification from $10 Billion Lawsuit

2011-12-13T07:11:00.000-08:00

We first highlighted this case in October, when a Bank of America moved to disqualify Quinn Emanuel, counsel for AIG in a $10 billion lawsuit because of alleged conflicts stemming from the move of lateral partner. [h/t to Bill Frievogel for noting the recent update.]

The lawyer worked 5.8 hours on the matter at Quinn, starting in July, 2011, before Quinn became aware of the potential conflict after opposing counsel wrote them in September. Quinn argued that the matters were unrelated, that no sharing of confidential information had taken place and that the firm erected an ethical screen immediately upon discovering the situation.

Given the stakes, in order to avoid the impression or potential of future disclosure, the lawyer voluntarily left the firm in October, 2011.

When the motion was first filed, a legal ethics expert agreed the situation would likely not warrant disqualification, but opined that “…it could prove 'problematic' if presiding judge Barbara Jones decided Becker was not screened fast enough, but that an effective screen could address this issue.”

Last week, the judge agreed that disqualification was unwarranted [see: American Int'l Group, Inc. v. Bank of Am. Corp., 11 Civ. 6212 (BSJ) (S.D.N.Y. Dec. 6, 2011)]

The decision noted that: “…screens erected immediately upon discovery of the conflict weigh against disqualification.”
However: “Quinn’s screening procedure was imperfect, without question.”
But she ruled that the firm successfully rebutted the presumption that confidences were shared. For one, the lawyer brought no client files to the new firm. Furthermore, three years had passed since the lawyer worked on the original matter. Quinn also conducted extensive interviews of all significantly involved members of the matter team, securing affidavits that no confidences were sought or received.
Physical separation (the lawyer was based in London), the size of the firm (500+ lawyers) and the firm’s long client relationship also influenced the judge’s ruling.

This is yet another recent example where IT plays a critical role in disqualification defense. In this case, IT conducted an electronic audit of firm’s document system to support the firm’s arguments. (In this case, the audit showed the lawyer accessed two documents related to the matter. But that was insufficient to warrant disqualification, given the facts and factors in play in this case.)

Counsel for Bank of America in Multi-Billion Dollar Lawsuit Disqualified; Judge Cites “Porous and Ineffective” Ethical Wall

2011-12-07T08:51:00.000-08:00

Today comes a significant update in Line Trust Corp. Ltd, et al. v. David Lichtenstein, et al, heard before the Supreme Court of the State of New York.

It appears that a lawyer who represented Bank of America while a partner at Kaye Scholer LLP made a lateral move to Willkie Farr & Gallagher LLP. The client moved with her.

But Willkie was representing allegedly adverse parties in the same matter. And shortly thereafter, the existing client moved to disqualify the firm from representing BofA, asking for discovery to see if matters had been tainted. In the process, the firm shared important information:

In May of 2011, the firm’s IT department audited its electronic document management system and discovered that an associate had opened and printed a document they should not have in October, 2010. That associate was then removed from the matter at hand. (The court says: “perhaps negligently so.”)
Expanded to include time recording data, the IT audit also showed that a legal assistant cite-checked a memo and viewed five documents related to the matter in 2009.

This case highlights the critical importance of effective confidentiality, screening notification and information security controls. In his order the judge called out that:

“… Wilkie Farr has submitted insufficient proof that they erected adequate screening measures to prevent attorneys advising Bank of America from having access to (i) other Wilki Farr attorneys who worked for the Lichtenstein Defendants… If an ethical wall exists here at all, and it may not, it is porous and ineffective.”

The firm argued that these breaches were accidental, minor and taken out of context. But the damage was done. The judge took evidence of smoke to suggest a fire:

“Willkie Farr submits time records to show that breaches of the wall were minimal. The time records are inadequate, as they cannot be expected to reflect the totality of breaches of the ethical wall.”

Recent Law Firm Conflicts, Disqualifications and Penalties

2011-12-05T07:12:00.000-08:00

In Washington, D.C., Butzel Long Tighe Patton PLLC recently found itself facing harsh words from a judge, who stripped the firm of $72,000 in fees for failing to disclose a conflict. "...the judge slammed a partner, saying it was "inexcusable" he didn't show up for a fee application hearing." [via BLT. See the written decision.]

In Washington State, a firm was disqualified for giving legal advice to both sides in the same dispute. "Grant PUD law firm disqualified in Crescent Bar case" --

"At the time, Aylward told Trautmann that there could be a conflict of interest, since his partner, David Sonn, occasionally did legal work for the PUD, but he added that he thought he could get a waiver."
"But with the waiver issue still unresolved, Aylward proceeded to correspond with Trautmann over the following month, including giving what she believed was 'specific advice regarding strategy' that the condo owners could use in their argument against the PUD."

Partner Event: Ark Group Risk Management for Law Firms (December 6-7, London)

2011-12-02T11:38:00.000-08:00

The Ark Group is hosting its annual "Risk Management for Law Firms" conference in London next week. Organizers have assembled a rich agenda and impressive roster of speakers who will address topics including:

A first-hand account of how firms including Taylor Wessing, Freshfields, and Allen & Overy have tackled the challenges in operating under the new outcomes-focused regulation
Clarity from the SRA, Law Society and Legal Ombudsman as they share their expectations for OFR, ABS and the claim trends for the coming year
Tools to benchmark your firm against leading law firms' risk management strategies and ensure you stay out of trouble
An understanding of the key changes and trends in claims over the past year and how these will affect your professional indemnity insurance renewal
Learning opportunities to avoid the pointed end of regulation, with an overview of high-profile disciplinary matters and rogue partners
A forum to consider all risks relating to outsourcing

Kaye Sycamore, IntApp Managing Director, will also be presenting a briefing on risk news and trends relating to confidentiality management, information barriers and information security issues affecting law firms, including a summary of recent Risk Roundtable events. She has invited UK-based firms interested in exploring these issues in greater detail to contact her directly.