Law Firm Risk Management Blog

Law Firm Engagement Letters in the News...

noreply@blogger.com (Dan) — Fri, 27 Jan 2012 15:48:00 +0000

“A Clearly Drafted Engagement Letter Can Limit the Scope of Attorney's Duties” – according to the U.S. District Court for the Eastern District of Louisiana, as reported by Hinshaw & Culbertson: "the firm’s clearly drafted engagement letter successfully provided a defense to the client’s allegations that the firm did not provide adequate legal representation."

A bit more colorful analysis is provided by legal news rag Above the Law, which offers specific advice:

“Retainer Agreement, engagement letter, whatever you want to call them. Have one. Just don’t make it a bunch of much-too-long, written “understandings” of too many things that the client isn’t absorbing at the initial consultation. These documents are not tools to attempt to impress the client with your ability to expand on: “You are going to pay me this, and I am going to do this, and I’m not paying for this, and if anything else comes up, we’ll talk about a separate retainer/fee/cost, and I’m not guaranteeing anything or giving you money back, and we have no other agreements, so sign here.”

Law Firm Conflicts and Controversy

noreply@blogger.com (Dan) — Wed, 25 Jan 2012 15:34:00 +0000

Megaupload, Megacontroversy, Megaconflict?
Hogan Lovells partner withdraws from representation of Megaupload in its recent legal troubles. The organization is currently defending itself against accusations that it built an elaborate system designed to encourage online copyright infringement: “Robert Bennett was required to withdraw from the case because of a conflict involving at least one other client of his law firm, Hogan Lovells, this person told Reuters. The other client or clients were not identified.” Interestingly, Bennett represented Megaupload in other matters, so this may be a base both of “business” as well as ethical conflicts. [See American Lawyer story for additional detail.]

When Risk Law Firms and Politicians Mix
An interesting article exploring the relationship between one firm and Wisconsin’s Republican leadership: “In December news broke that Wisconsin Supreme Court Justice Michael Gableman, a well-known conservative, had received about $100,000 worth of free legal services from a Michael Best & Friedrich attorney. The revelation created a controversy because the Supreme Court presides over cases argued by Michael Best & Friedrich. Accepting free services from the firm could be considered a conflict of interest.” [The judge in question denies a conflict of interest and will not recuse himself.]

Data Privacy News and Updates

noreply@blogger.com (Dan) — Wed, 18 Jan 2012 16:08:00 +0000

Firms that store and manage sensitive client information should take heed of recent privacy developments and news:

New California Data Privacy Law Now In Effect -- "SB 24 strengthens and standardizes the notification requirements when someone’s personal information has been hacked into, stolen, or lost. The bill also requires state agencies, businesses and others to notify the Attorney General if more than 500 Californians are affected by a data breach."
Privacy Enforcement Actions Set to Increase in 2012? -- "There's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them."
A pertinent example: UCLA Hospitals Sued Over Patient Data Breach -- "The suit, filed as a proposed class action on Dec. 14, alleges that by not protecting its patients' confidential information, the hospital system violated California's Confidentiality of Medical Information Act. The law allows each patient to recover $1,000 in statutory damages per occurrence." In this case, a former physician had sensitive information on his home computer, which was stolen by burglars. (Could this happen to a lawyer?)

Lateral Movement, Client Poaching and Staff Screening

noreply@blogger.com (Dan) — Mon, 16 Jan 2012 15:41:00 +0000

Laterals Be Careful? -- Lawyer May Be Liable to Former Firm in Tort For Improper Efforts to Recruit Firm's Clients -- "The U.S. District Court for the Eastern District of Pennsylvania Dec. 22 granted a law firm's motion for a preliminary injunction against a lawyer who tried to recruit many of the law firm's clients after she was fired (Feldman & Pinto PC v. Seithel, E.D. Pa., No. 11-5400, 12/22/11)."
Avoiding disqualification on matters due to non-lawyer firm changes -- Bill Freivogel published an excellent article on "what screens law firms should put in place to avoid problems with non-lawyers." The essay compares and contrasts US and Canadian standards, explores when unilateral lateral screening is permitted vs. when waivers are required, and provides a case study example. He also presents a list of the five minimum characteristics of an effective staff screen, including policy construction, notification, information access control and compliance documentation. [Update: h/t to Legal Ethics Forum for suggesting LA County Ethics Opinion 524 as a relevant related read.]

Alternative Business Structure Applications Live in the UK (ABA Says: "Not So Much")

noreply@blogger.com (Dan) — Fri, 13 Jan 2012 14:53:00 +0000

First ABS wannabes begin SRA application process -- "More than 10 prospective alternative business structures (ABSs) completed the first stage of the Solicitors Regulation Authority’s (SRA) application process on the first day, the authority has revealed." As explored in greater detail in the article, Law Society President John Wotton argues that ABS licensing provides England and Wales with a competitive global advantage for legal services.
ABA Panel Says No to Outside Law Firm Ownership -- "An American Bar Association commission is considering recommending that nonlawyers be allowed to take an equity stake in law firms for which they work while urging that an existing ban be maintained on the kind of outside investment in U.S. firms that is now possible in the United Kingdom and Australia."

Law Firm Rules & Regulations (News & Fighting)

noreply@blogger.com (Dan) — Wed, 11 Jan 2012 15:42:00 +0000

ABA and European Law Societies Fight New Efforts to Regulate Legal Industry -- Stemming from the debt crisis, new attempts at external law firm regulation threaten "...one of the core principles of the legal profession: regulation independent from the executive branch of the state," the industry argues, noting that a "guarantee of independence" is "fundamental to the profession."
Washington DC ethics opinion 361 allows referrals to non-lawyer service providers -- “…such as a financial services firm may accept compensation from the provider for the referral so long as the criteria of Rule 1.7(c) and, if applicable, Rules 1.8(a) and 5.7 are satisfied. Those criteria are exacting, however, and the arrangement may be beyond the lawyer’s malpractice coverage even if permitted by the Rules.”
Utah Bar Says Using Student's Lexis/Westlaw Access for Firm Work is Unethical -- "The Utah Legal Ethics Advisory Committee considered whether an attorney who encouraged a student to breach her agreement by doing firm-related research had committed an ethical violation. The Committee answered in the affirmative finding that an attorney's misuse of a student's educational Wexis access is theft of services, a potential felony."

2012: New Year, New (and Old) Risks

noreply@blogger.com (Dan) — Mon, 09 Jan 2012 15:37:00 +0000

A few interesting updates as we kick off the new year:

The ABA Commission on Ethics 20/20, the body charged with reviewing and recommending changes to the Model Rules, recently issued a Summary of Actions, writing: "For two years, we listened to all elements of the profession as well as clients, consumer groups and businesses that support, sell to, and report on the profession. Our proposals respond to what we have heard and are intended to address the following developments…"
From the frequently linked and hat-tipped Legal Ethics Forum -- John Steele published his "Top Ten Legal Ethics Stories of 2011." It’s excellent reading.

Law Firm Insider Trading Risk Management: Webinar Recording Now Available

noreply@blogger.com (Dan) — Tue, 20 Dec 2011 17:09:00 +0000

Content from our November webinar on managing insider trading risk at law firms is now online, for those who missed the live session:

Managing Insider Trading Risk -- Thanks again to our panelists. We welcomed another large group (100+ attendees) who heard speakers from SNR Denton (Adam Hanson), Baker & McKenzie (Dan Surowiec), and Hogan Lovells (Jeff Lolley).

Those who registered but were not able to attend these events should have received a link to the video recordings via email. Others interested in these sessions can view them online: [Law Firm Risk Management Webinars].

Report from Kansas City Risk Roundtable Session Hosted at Lathrop & Gage

noreply@blogger.com (Dan) — Thu, 15 Dec 2011 16:47:00 +0000

We hosted a Risk Roundtable last week in Kansas City. Thanks again to Lathrop & Gage for hosting. Brian Lynch sent his customary summary of the day:

Dan – I'm pleased to report back from our ISO 27001 Risk Roundtable discussion in Kansas City. Lathrop & Gage hosted our session, where we had a chance to check in with KC-based firms and their respective approaches to implementing ISO-friendly security programs. It was a lively discussion, where we had a chance to evaluate the benefits and costs of pursuing ISO certification.
As one of our attendees put it, creating a standard information security management system - e.g. ISO - is an inevitability. It's a difficult process for clients and law firms to work through the audit process. Managing audits seems to be something clients increasingly want, and firms are getting more comfortable addressing. But many are looking for a shorthand method to show that they meet a certain level of differentiated confidentiality management. This promises a quicker path to providing clients with peace of mind and enabling firms to address their obligations as they work across jurisdictions.
Several attendees commented on the role IntApp Wall Builder plays at their firm in managing confidentiality enforcement as part of their security programs. They're mapping the technology to the requirements and processes ISO 27001 defines to ensure consistent compliance.
Many thanks again to Sean Power @ Lathrop & Gage for providing the forum for an intellectually stimulating discussion.

This session concludes the 2011 Fall/Winter Risk Roundtable series (we promise this time). Plans are underway for future events in 2012. Watch this space for more details. (And if you'd like to host a Risk Roundtable in your neck of the woods, please get in touch: dan@riskroundtable.com.)

With Swift Ethical Screen, Quinn Emanuel Survives Disqualification from $10 Billion Lawsuit

noreply@blogger.com (Dan) — Tue, 13 Dec 2011 15:11:00 +0000

We first highlighted this case in October, when a Bank of America moved to disqualify Quinn Emanuel, counsel for AIG in a $10 billion lawsuit because of alleged conflicts stemming from the move of lateral partner. [h/t to Bill Frievogel for noting the recent update.]

The lawyer worked 5.8 hours on the matter at Quinn, starting in July, 2011, before Quinn became aware of the potential conflict after opposing counsel wrote them in September. Quinn argued that the matters were unrelated, that no sharing of confidential information had taken place and that the firm erected an ethical screen immediately upon discovering the situation.

Given the stakes, in order to avoid the impression or potential of future disclosure, the lawyer voluntarily left the firm in October, 2011.

When the motion was first filed, a legal ethics expert agreed the situation would likely not warrant disqualification, but opined that “…it could prove 'problematic' if presiding judge Barbara Jones decided Becker was not screened fast enough, but that an effective screen could address this issue.”

Last week, the judge agreed that disqualification was unwarranted [see: American Int'l Group, Inc. v. Bank of Am. Corp., 11 Civ. 6212 (BSJ) (S.D.N.Y. Dec. 6, 2011)]

The decision noted that: “…screens erected immediately upon discovery of the conflict weigh against disqualification.”
However: “Quinn’s screening procedure was imperfect, without question.”
But she ruled that the firm successfully rebutted the presumption that confidences were shared. For one, the lawyer brought no client files to the new firm. Furthermore, three years had passed since the lawyer worked on the original matter. Quinn also conducted extensive interviews of all significantly involved members of the matter team, securing affidavits that no confidences were sought or received.
Physical separation (the lawyer was based in London), the size of the firm (500+ lawyers) and the firm’s long client relationship also influenced the judge’s ruling.

This is yet another recent example where IT plays a critical role in disqualification defense. In this case, IT conducted an electronic audit of firm’s document system to support the firm’s arguments. (In this case, the audit showed the lawyer accessed two documents related to the matter. But that was insufficient to warrant disqualification, given the facts and factors in play in this case.)

Counsel for Bank of America in Multi-Billion Dollar Lawsuit Disqualified; Judge Cites “Porous and Ineffective” Ethical Wall

noreply@blogger.com (Dan) — Wed, 07 Dec 2011 16:51:00 +0000

Today comes a significant update in Line Trust Corp. Ltd, et al. v. David Lichtenstein, et al, heard before the Supreme Court of the State of New York.

It appears that a lawyer who represented Bank of America while a partner at Kaye Scholer LLP made a lateral move to Willkie Farr & Gallagher LLP. The client moved with her.

But Willkie was representing allegedly adverse parties in the same matter. And shortly thereafter, the existing client moved to disqualify the firm from representing BofA, asking for discovery to see if matters had been tainted. In the process, the firm shared important information:

In May of 2011, the firm’s IT department audited its electronic document management system and discovered that an associate had opened and printed a document they should not have in October, 2010. That associate was then removed from the matter at hand. (The court says: “perhaps negligently so.”)
Expanded to include time recording data, the IT audit also showed that a legal assistant cite-checked a memo and viewed five documents related to the matter in 2009.

This case highlights the critical importance of effective confidentiality, screening notification and information security controls. In his order the judge called out that:

“… Wilkie Farr has submitted insufficient proof that they erected adequate screening measures to prevent attorneys advising Bank of America from having access to (i) other Wilki Farr attorneys who worked for the Lichtenstein Defendants… If an ethical wall exists here at all, and it may not, it is porous and ineffective.”

The firm argued that these breaches were accidental, minor and taken out of context. But the damage was done. The judge took evidence of smoke to suggest a fire:

“Willkie Farr submits time records to show that breaches of the wall were minimal. The time records are inadequate, as they cannot be expected to reflect the totality of breaches of the ethical wall.”

Recent Law Firm Conflicts, Disqualifications and Penalties

noreply@blogger.com (Dan) — Mon, 05 Dec 2011 15:12:00 +0000

In Washington, D.C., Butzel Long Tighe Patton PLLC recently found itself facing harsh words from a judge, who stripped the firm of $72,000 in fees for failing to disclose a conflict. "...the judge slammed a partner, saying it was "inexcusable" he didn't show up for a fee application hearing." [via BLT. See the written decision.]

In Washington State, a firm was disqualified for giving legal advice to both sides in the same dispute. "Grant PUD law firm disqualified in Crescent Bar case" --

"At the time, Aylward told Trautmann that there could be a conflict of interest, since his partner, David Sonn, occasionally did legal work for the PUD, but he added that he thought he could get a waiver."
"But with the waiver issue still unresolved, Aylward proceeded to correspond with Trautmann over the following month, including giving what she believed was 'specific advice regarding strategy' that the condo owners could use in their argument against the PUD."

Partner Event: Ark Group Risk Management for Law Firms (December 6-7, London)

noreply@blogger.com (Dan) — Fri, 02 Dec 2011 19:38:00 +0000

The Ark Group is hosting its annual "Risk Management for Law Firms" conference in London next week. Organizers have assembled a rich agenda and impressive roster of speakers who will address topics including:

A first-hand account of how firms including Taylor Wessing, Freshfields, and Allen & Overy have tackled the challenges in operating under the new outcomes-focused regulation
Clarity from the SRA, Law Society and Legal Ombudsman as they share their expectations for OFR, ABS and the claim trends for the coming year
Tools to benchmark your firm against leading law firms' risk management strategies and ensure you stay out of trouble
An understanding of the key changes and trends in claims over the past year and how these will affect your professional indemnity insurance renewal
Learning opportunities to avoid the pointed end of regulation, with an overview of high-profile disciplinary matters and rogue partners
A forum to consider all risks relating to outsourcing

Kaye Sycamore, IntApp Managing Director, will also be presenting a briefing on risk news and trends relating to confidentiality management, information barriers and information security issues affecting law firms, including a summary of recent Risk Roundtable events. She has invited UK-based firms interested in exploring these issues in greater detail to contact her directly.

Ethics Opinions: Little Fluffy Clouds, Lost Little Thumb Drives...

noreply@blogger.com (Dan) — Thu, 01 Dec 2011 15:04:00 +0000

Today, several stories about technology-driven law firm risk issues. (And a reminder to take our five minute, reader survey.)

Cloud Computing:

The Pennsylvania Bar joins several jurisdictions in publishing new ethics opinions on cloud computing: "Formal Opinion 2011-200, Ethical Obligations For Attorneys Using Cloud Computing/Software As A Service While Fulfilling The Duties Of Confidentiality And Preservation Of Client Property." In keeping with conventional wisdom, they support cloud storage of client information so long as information is kept confidential and reasonable safeguards are employed.
Iowa has issued a similar opinion on lawyer use of cloud services: "Iowa lawyers may store client information and other data on a third-party vendor's servers rather than their own computers, so long as the lawyer has unfettered access to the data and can reasonably verify that sound methods are being used to protect the information..."
The Daily Record has posted an interesting opinion piece on current industry thinking on the topic: "Legal Currents: Is a cloud backlash on the horizon?" The article is written by a lawyer currently writing a book on the topic for the ABA: "My hope is that I’m wrong, and that if the ABA Committee on Ethics and Responsibility does address the issue of consent when using any form of electronic communication, it concludes that the standard applicable to unencrypted email communications should likewise apply to the use of cloud computing platforms, which are inherently more secure than email."

Managing Ever-Shrinking Physical Data Storage:

"Discarded laptops, flash drives create ethical obligations for lawyers" – "A recent Florida Bar opinion advising that lawyers have an ethical duty to sanitize their storage devices has put a spotlight on how attorneys handle their discarded equipment...While some had expressed concern that the opinion would set unrealistic requirements, Tarbert [Florida Bar Ethics Counsel] said the committee didn't receive any feedback at all from the state's lawyers when the opinion was made available for public comment."

One More Thing: Bonus Risk Roundtable Meeting on ISO 27001 (Kansas City @ Lathrop & Gage)

noreply@blogger.com (Dan) — Wed, 30 Nov 2011 15:42:00 +0000

We have a late entry into our Winter Risk Roundtable series. Based on member demand, we'll be hosting another session focused on ISO 27001 certification for law firms. Hosted in Kansas City by Lathrop & Cage, the presentation is scheduled for Wednesday December 14th.

Over the past 18 months, corporations have increasingly mandated more stringent information security requirements for outside counsel. This often means more time spent responding to client requests and RFPs. Today several firms are leveraging the ISO 27001 standard as a strategic response.

Session Agenda:

Business Drivers - Why are law firms investing in ISO27001?
Value - What is the true value and is it worth the effort?
Accreditation Process - What strategies are firms pursuing, is accreditation needed?
Lessons and Best Practices - What technical, business and other considerations can peer firms benefit from in their own thinking?
Information Risk Management Options - What tools are being deployed to respond to the new challenges?

Event attendance is by invitation only and is limited to qualified law firms and personnel. Please contact dan@riskroundtable.com for more details.

Report from Canadian Risk Roundtable Session Hosted at Fasken Martineau

noreply@blogger.com (Dan) — Tue, 22 Nov 2011 16:08:00 +0000

We hosted a Risk Roundtable last week in Toronto, Ontario. Many thanks to Fasken Martineau
for hosting. Brian Lynch delivered a presentation updating attendees on current risk issues and trends, and moderated group discussion. He sent his customary summary of the day:

Dan – I'm happy to report that we finished up our Winter Risk Roundtable series with an excellent session in Toronto. Fasken Martineau was gracious to host a large group of attendees, including General Counsels from leading Canadian firms.
First we walked through some of the risk trends that IntApp is observing in the US and the UK, especially trend-setting markets like New York and London. We covered familiar ground with the rise of Outside Counsel Guidelines, recent initiatives within the ABA, and Alternative Business Structures in the UK. Client audits continue to capture group attention -- one of the attendees shared his experiences with on-site auditors.
Next, Mary Trudell, Director, Conflicts and Records Management at Fasken, shared success stories about her firm’s work to harmonize information governance processes. They’re using IntApp Wall Builder as a foundational technology, supplemented by efforts of her team working across Canadian provinces and in Paris, London and Johannesburg to provide timely and consistent service to the firm's lawyers.
Finally, Simon Chester of Heenan Blaikie walked us through the recent decisions of Wallace and Nova. There are certainly interesting implications for both cases, and the assembled group had plenty of questions and commentary. Many thanks to Simon for summarizing the facts and history, and helping us understand the broader context.

This session concludes the 2011 Fall/Winter Risk Roundtable series. Plans are underway for future events in 2012. Watch this space for more details. (And if you'd like to host a Risk Roundtable in your neck of the woods, please get in touch: dan@riskroundtable.com.)

Webinar: Managing Insider Risk at Law Firms (CLE Eligible)

noreply@blogger.com (Dan) — Thu, 17 Nov 2011 14:15:00 +0000

We've had tremendous interest in our risk webinar series and are pleased to announce our latest session: Managing Insider Risk at Law Firms

Date: Tuesday, November 29
Time: 9 am Pacific / 12 pm Eastern / 5 pm BST

Description: In the past 18 months, surprising stories of lawyer and staff misuse of sensitive client information have dramatically raised the profile of this issue among law firms, clients, regulators and the media. [See previous blog updates: here, here, here and here.] In response, many firms are re-evaluating the policies and protections they have in place to mitigate insider risk.

This session is presented as part of the Risk Roundtable initiative and includes panelists from the Risk Roundtable Compliance Consortium, a working group focused on developing firm risk response guidelines:

Most firms have programs to educate lawyers and staff about their obligations not to act on inside or price-sensitive information. Yet in an environment where individuals generally have broad access to electronic repositories where sensitive information is stored, such as document management libraries, temptation may lurk. This is particularly true as new search tools make it even easier to locate sensitive materials (either accidentally or intentionally).

While most firms take steps to control risk by using matter "code words" and emphasizing the need to control document distribution, organizations are increasingly pursuing greater confidentiality protections and the ability to better demonstrate compliance if required to do so by clients or regulators.

In this session, panelists will review several methods for dealing with insider risk, including ways to:

Encourage professional responsibility
Prevent inadvertent access
Prevent unauthorized use
Track suspicious behavior

CLE Credit: Certificates will be provided to attendees upon request. (Attendees outside of California are responsible for confirming CLE reciprocity in their particular jurisdiction.)

Attendance: Attendance is by invitation only. Risk Roundtable members and qualified parties are invited to request more information by emailing: dan@riskroundtable.com.

Risk News & Updates: Lateral Hire Intake Checklist, Canadian and UK Lawyer Regulation

noreply@blogger.com (Dan) — Wed, 16 Nov 2011 15:38:00 +0000

Authors at McKenna Long & Aldridge recently published "Ensure lateral moves are win-win," which reviews "questionnaires, conflicts checks and proper documentation [that] will help boost profitability, lower risk":

"Like all risk management issues, the most effective strategies involve systems. This means adopting practices, protocols and procedures that the law firm and its attorneys follow every time. Murphy's law applies in full force in lateral hiring. Inevitably, it is the one time that the law firm fails to follow the established rules that comes back to create the most difficult problems... Of course, it all sounds intimidating. But, it does not have to be so. The solution is an effective system with questionnaires, supplemental questionnaires, conflicts checks and a documented mutual understanding, which combine to do most of the work. Safer and more profitable—it is a winning combination."

University of Calgary law professor Alice Woolley opines on larger issues stemming from a recent disciplinary decision by the Law Society of British Columbia in "Lawyers Regulatory Lawyers?" --

"The decision warrants comment, however, because the threat it creates to the legitimacy of lawyer self-regulation applies to all Canadian law societies. Specifically, the misdirection in regulatory energy reflected by the decision of the Law Society of British Columbia in this case is something to which all Canadian law societies have shown themselves to be susceptible. This comment is a plea to the law societies to think more carefully about the cases they pursue; to take more seriously conduct by lawyers that undermines the rule of law; and, to allow lawyers to hold each other to account in circumstances where there is a reasonable basis to allege misconduct, even if lawyers sometimes do so with 'incivility.'"

Interesting developments in the UK:

Law Society and SRA unveil deal to resolve longstanding governance wrangling -- "The Law Society and Solicitors Regulation Authority (SRA) have hammered out 'a permanent resolution' of their long-running internal governance issues, the pair announced yesterday."
SRA eyes expanded international reach by offering to regulate foreign firms -- " In addition, it may seek to regulate firms that are English and Welsh law firm partnerships but part of a larger Verein structure – where it would be expected to designate the SRA as the lead/home regulator of the English and Welsh part of the Verein... For foreign firms with subsidiary operations in England and Wales which contains solicitor partners and have the majority of their turnover and activity outside of England and Wales, they would either be subject to the SRA Handbook regime only in England and Wales, or be able to have the SRA as its lead/home regulator worldwide."

Finally, a thank you to readers who have taken our reader survey, and a friendly reminder for those with feedback to share to take a few minutes to participate: 2011 Risk Blog Reader Survey.

ISO 27001 for Law Firms: Report from Houston Risk Roundtable Hosted at Baker Botts

noreply@blogger.com (Dan) — Tue, 15 Nov 2011 16:03:00 +0000

Last Friday we held a Risk Roundtable session in Houston, Texas. Many thanks to Baker Botts for hosting. The event focused on ISO 27001 for law firms. Brian Lynch moderated and sends his customary summary:

Dan – Greetings from the Great State of Texas! We had a very informative Risk Roundtable today at Baker Botts in Houston with our special guest, Andrew Rose, Principal Analyst, Security and Risk, from Forrester Research.
Andrew walked us through the ISO 27001 standard and how it applies to law firms. In response to growing client demands and increased regulatory obligations, law firms are finding themselves developing all sorts of security measures to accommodate a variety of requests. ISO 27001 certification has provided a reliable framework for a number of firms to respond effectively and provide security that clients have come to expect.
Bobby Tindel of Andrews & Kurth spoke to us about the robust processes and technologies that his firm has put in place over the past year and a half. One of the "sleeper risks" is a disgruntled employee turning whistle-blower over a minor violation.
The best approach is to close the loopholes and apply comprehensive and defensible security. Another participant pointed out the high standard established by the HIPAA/HITECH Act, and it's increasingly frequent appearance. Clients are pushing firms to provide security levels comparable to their own, not to other law firms.
As always, it was a great opportunity for an engaged group of participants to connect and share risk management perspectives.

For more information about ISO 27001 for law firms, see our recent New York Roundtable summary.

Report from Atlanta Risk Roundtable Session Hosted at Ogletree Deakins

noreply@blogger.com (Dan) — Mon, 14 Nov 2011 15:27:00 +0000

Last Thursday we held a Risk Roundtable session in Atlanta, Georgia. Many thanks to Ogletree Deakins for hosting. Brian Lynch delivered an update on current risk trends and issues, and moderated group discussion. Here's his summary:

Dan – Reporting from our latest Risk Roundtable in Atlanta. The group discussed legal trends, but also spent a good amount time talking about the reality of client audits.
One firm reported that a banking client recently completed a security audit of their security processes. The client is spending time with multiple law firms to establish a baseline that they can all follow.
Dan Drake of Ogletree shared with the group some of their current challenges with consumerization of law firm technology. iPads, iPhones, Android-based technologies, and other non-standard alternatives have found their way into many law firms, and they have brought security risks with them.
Many firms have "solved the hacker problem" with standardized firewall software, they have effectively locked down access internally with products like Wall Builder, and they have taken on preventative measures to reduce the risk of data breaches. These firms start by ensuring their " house is in order" and restricting internal access to sensitive documents.
One of our attendees spoke about the benefits of tracking indicative behaviors to identify potential bad situations before they happen. He identified the example that we’ve seen cited frequently: dark-of-night downloads. If a lawyer is downloading an unexpectedly high volume of documents to his local drive, it is a possible indicator of imminent departure. Securing and tracking have become essential and complementary functions that firm are looking for in their confidentiality management toolkit.
It was a productive forum for risk professionals to ask their peers how they approach different issues, like preparing for client audits.

Be Heard -- 2011 Risk Blog Reader Survey

noreply@blogger.com (Dan) — Thu, 10 Nov 2011 14:27:00 +0000

Last week, legal ethics maven Bill Freivogel was kind enough to submit a public endorsement of the blog. (I won’t produce it verbatim as it now resides on the right side of the web view of the blog.)

This bit of encouragement led to additional reflection – Over the past two years, the Law Firm Risk Management Blog has grown significantly. Today our diverse and significant readership reflects the importance law firms and related stakeholders (insurers, technologists, consultants) place on risk issues.

We'd like to know more about you, our readers. So please join your peers and take a few moments to participate in the 2011 Risk Blog Reader Survey.

Plans are already in the works for 2012 blog and Risk Roundtable programs, including surveys. Your input can help shape our direction.

Law Firm Risk Management Software : 2011 Product Adoption Survey Data

noreply@blogger.com (Dan) — Wed, 09 Nov 2011 15:42:00 +0000

The International Legal Technology Association (ILTA) published its annual technology survey. The report provides key data about decisions law firms are making when adopting software related to risk management. The complete report, with detailed breakouts across several categories, is available via ILTA.

Here's a slice of that, summarizing large law firm (700 or more lawyers) use of commercially-available software that supports risk management functions:

Electronic Records Management

Autonomy / iManage -- 25%
CA Records -- 10%
DM / DOCS (Open Text) -- 5%
LegalKEY (Open Text) -- 5%

Ethical Screens / Information Barriers / Confidentiality

Wall Builder (IntApp) -- 72%
CompliGuard Protect (The Frayman Group) -- 20%
iMPrivate (DocAuto) -- 4%
SecurityGuard (Olson Consulting) -- 4%
WincWall (Wertheim Global Solutions) -- 0%
MasterEthics (RBRO Solutions) -- 0%
The Wall (Younts Consulting) -- 0%

(For additional data on confidentiality software adoption by firms with 150-349 and 350-699 lawyers, see the Legal Technology Insider.)

Docketing

CompuLaw -- 35%
CPI -- 23%
MA3000 -- 18%
PATTSY -- 18%
Microsoft Outlook -- 9%
Aderant -- 13%
ProLaw -- 10%
Law Bulletin -- 8%
LegalKEY -- 5%
Amicus -- 3%
CourtAlert -- 3%
IPMaster -- 3%

Conflicts Management

LegalKEY (Open Text) -- 40%
Elite (Thomson) -- 28%
Aderant -- 13%
Accutrac -- 3%

Law Firm Ethical Walls and Confidentiality Screens: Not Just for Conflicts

noreply@blogger.com (Dan) — Tue, 08 Nov 2011 16:14:00 +0000

Nancy Beauchemin, president of law firm client intake and record management consultancy InOutsource, recently published an excellent article on law firm confidentiality management: "Ethical Walls and Confidentiality Screens: Not Just for Conflicts."

The piece provides a concise summary of the expanding confidentiality drivers facing law firms, from traditional scenarios like waiver-driven ethical screens, to expanding regulatory rules and increasingly stringent client outside counsel guidelines:

"Today, law firms are applying confidentiality screens for a variety of reasons, including an increasingly complicated legal and regulatory environment that demands compliance with record-keeping requirements defined by their clients. Law firms are realizing that they must know where their information resides and how it is accessed and stored before they can protect it from inadvertent disclosure. Clients will sometimes exercise their right to audit a firm’s internal record-keeping processes to ensure compliance with their guidelines. In a legal proceeding, courts will require evidence that policies were consistently followed."

She cautions firms about the need to understand and update their current practices:

Law firm confidentiality policies are often disconnected from requirements mandated by clients and regulatory bodies. Firms need to understand where they have gaps and commit to correcting deficiencies in policies and use of technology to ensure that their clients’ confidential information is protected.
Ideally, repositories and applications that store confidential client matter information should be centrally maintained and managed by a firm’s IT department, and all client matter information should be readily identifiable by the applicable client matter.
The screening function should be centralized within the office that is primarily concerned with risk management and loss prevention issues. This is sometimes the responsibility of the firm’s general counsel.
There must be immediate and direct communication with affected users, records and IT staff. Screening processes should be documented and require affected individuals to acknowledge and comply with the screen.
Screens should be regularly reviewed and removed when no longer needed. There should also be policies to notify appropriate governing bodies and clients of data breaches.

Law Firm Outside Counsel Guidelines: Webinar Recording Now Available

noreply@blogger.com (Dan) — Tue, 08 Nov 2011 15:51:00 +0000

Content from our October webinar on managing risk and response to outside counsel guidelines is now online, for those who missed the live session:

Responding to Outside Counsel Guidelines -- Thanks again to our panelists. We welcomed another large group (100+ attendees) who heard speakers from Holland & Knight (Gilda Russel), Orrick, Herrington & Sutcliffe (Mike Guernon), and McKenna Long & Aldridge (Paul Hurdle).

Update: Imputation Risk and Joint Defense Agreements

noreply@blogger.com (Dan) — Mon, 07 Nov 2011 15:54:00 +0000

Eighteen months ago we noted Nintendo's move to disqualify plaintiff's counsel in a patent suit, arguing that a lawyer at the firm was exposed Nintendo's confidential information through participation in a previous, unrelated joint-defense matter.

At the time, the plaintiff's firm's managing partner noted that if Nintendo prevails it would be: "extremely risky for a company entering into an joint defense agreement in that all knowledge is imputed to everyone in your organization. Companies often enter into joint defense agreements with their own competitors."

Now comes an update from a few turns later:

World 2-1: The district court did indeed disqualify the firm, agreeing that the joint defense agreement provision in which the parties agreed not to seek future disqualifications did not apply once the lawyer in question moved from AMD to another organization. (A second judge dissented.)
World 3-1: The U.S. Court of Appeals for the Federal Circuit overturned. No Disqualification Where Disclosure of Confidential Information Controlled by Joint Defense Agreement: "Considering the joint defense agreement as a whole and its use of the term “respective counsel” throughout, the Court rejected Nintendo’s argument, reasoning that Nintendo should have had the expectation that Cooper was a “respective counsel” who would be bound by the agreement’s confidentiality provisions. By analogy, the Court ruled that Cooper was also a “respective counsel” for purposes of the agreement’s waiver provision. Having so ruled, the Court granted the petition for writ and vacated the district court’s decision disqualifying F&B." (A second judge also dissented in this instance.)

[8/11: See also good discussion on this at the Legal Ethics Forum.]