Risk Update

On the Risk Radar — “Ethics and Risk Management in the Time of Pandemic”

My thanks to Charles Lundberg for writing in to note his latest article: “Quandaries and Quagmires: Legal ethics, risk management in pandemic” —

  • “In a span of less than two weeks, the coronavirus outbreak has caused unprecedented disruption in law firms and created a host of new issues for firm general counsel and ethics partners. Here is a sampling of new ethics and risk management issues that have arisen almost overnight.”
  • “A new paradigm for civility and reasonableness? Last week, a statement by the Los Angeles County Bar Association’s Professional Responsibility and Ethics Committee called for a new emphasis on lawyer civility… Now the point is this: A month ago there would have been nothing particularly remarkable about counsel pressing for an expedited hearing as he did. But everything has changed now. The pandemic has suddenly narrowed the Overton Window of reasonableness in litigation.”
  • “New cybersecurity concerns for remote work. A recent ABA panel of experts noted that law firms need to be mindful of how employees working remotely can avoid computer viruses and other cybersecurity risks… Hackers are no doubt aware that they can exploit weakened technology systems because most lawyers and support staff are suddenly working remotely. Law firms must protect their clients’ sensitive personal information whether it is viewed in a lawyer’s home or at the firm.”
  • “Wellness issues. Until about three years ago, “attorney wellness” as a law firm risk management issue wasn’t even a Thing. It is now one of the top 5 concerns of those in the ethics and risk management arena. And without question it has become a much bigger issue in the time of pandemic. The deeper issue here is that this is much more than just a law firm risk management issue. It is rather a part of the firm’s culture. Nothing will ensure loyalty to a firm like an open and transparent attitude of caring for the families of its staff in time of crisis. ‘This is the kind of firm we are’ should be the watchword.”
  • “Competence: Keeping up with changes in the law and standards for practice. How do firms keep up with the changes that are occurring almost daily as governments respond to the pandemic? Every day, general counsel responsible for workers across jurisdictions are trying to get up to speed on new mandates, while seeking advice from outside counsel and other external resources. And the ethical duty of supervisory lawyers to ensure competent practice by subordinate lawyers is not subject to a pandemic exception… Across all practice areas, competence in using any new technology (e.g. Zoom for meetings with a client, etc.) must be confirmed. (Speaking of Zoom, have you checked the privacy policy for that app to see what information is being collected about you?)”

Conflicts Allegations & Rulings — “Hot Potato” Side Switch, A Game of Skill & More

“K&L Gates Loses Dismissal Appeal in Conflict Case” —

  • “K&L Gates has again suffered a loss in its effort to quash a Texas lawsuit alleging it engaged in conflicts of interest, including violations of the Deceptive Trade Practices Act… In the underlying suit, a Texas semiconductor company, Quantum Materials Corp., claimed the law firm represented lenders in a legal action against Quantum while also representing Quantum.”
  • “Quantum retained K&L Gates in 2016 as corporate counsel—yet although they stopped sending work to the firm, the representation never formally ended, the company claims.”
  • “While the panel ruled that claims the firm breached its fiduciary duty and engaged in deceptive trade practices should go forward, the judges took a more restrained view about another Quantum claim, that the firm engaged in legal malpractice… Instead, the panel found that the malpractice claim is ‘in substance’ a claim of breach of fiduciary duty.”
  • “A K&L Gates spokesman declined comment on the opinion and the case.”

“Game Maker Says Eckert Seamans Can’t Represent Rival” —

  • “A Georgia-based game machine maker asked a Pennsylvania federal court Tuesday to block its onetime law firm Eckert Seamans Cherin & Mellott LLC from representing its rival, arguing the legal attacks the firm has leveled since jumping ship to counsel the rival are ‘a clear breach of its fiduciary duty.'”
  • “Pace-O-Matic, which refers to itself as an “amusement machine supplier,” sued the law firm in February, accusing it of breaching its contract and fiduciary duties by dropping the business “like the proverbial ‘hot potato'” to take on Greenwood Gaming, which allegedly has deeper pockets, as a client.”
  • “According to the memo, Eckert Seamans began representing Pace-O-Matic in 2011 and was retained for a second matter in 2016. The firm argued on the company’s behalf up until last summer in a legal dispute in Virginia. In that dispute, the firm contended that its devices are games of skill and not gambling, according to the memo. Also during that time, the firm had access to Pace-O-Matic’s confidential material, Pace-O-Matic alleges.”
  • “Counsel for Eckert Seamans declined to comment Wednesday.”

Remote Work, Client Confidentiality and Compliance

On the heels of last week’s note on digital assistants, comes increasing focus on and scrutiny of third-party conference providers. Today it seems like Zoom is on everyone’s minds, lips and screens. (For unrelated news on that, see: “SEC pauses Zoom Technologies trading because people think it’s Zoom Video”).

With several stories specifically cautioning firms about confidentiality management as teams move to remote working, this caught my eye and thoughts: “Zoom needs to clean up its privacy act” —

And:  “Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know.” —

  • “Zoom’s privacy policy is similar to many digital platforms’, claiming the right to collect and store personal data, and share it with third parties such as advertisers.”
  • “In Zoom’s case, that extends to what the company calls customer content, or ‘the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.'”
  • “Videos aren’t off-limits, according to the document, and neither are transcripts that can be generated automatically, the documents you share on your screen, or the names of everyone on a call. (The privacy policy posted online was updated over the weekend but backdated to Wednesday, March 18.)”
  • “‘Zoom isn’t necessarily doing anything users would object to’ with the data, says Bill Fitzgerald, a Consumer Reports privacy researcher who analyzed the company’s policies. ‘But their terms of use give them a whole lot of leeway to collect information and share it, both now and in the future.’ (Consumer Reports is a Zoom client, using the service for some company-wide meetings.)”

Clearly, some of these risk concerns and issues are tied to the design of the system itself (including some arguably dark design patterns), while some are more related to how users use the system (which might apply to any technology). Still, worth considering what data is being created, collected and stored as the volume of this type of activity grows and grows…

Digital Assistants and Client Confidentiality — Privacy, Paranoia or Prudent Protection? (Okay Alexa, Call Google)

Some of us in two-party consent states watch the growing adoption of recording devices with interest, to say the least. (Is that Ring doorbell recording folks unknowingly the subject of a future class action? Who can say… But better not be having conversations on anyone’s doorsteps these days…) But what many are increasingly saying is that concerns about in-home assistants are worth a bit of risk review. Here’s the latest law firm perspective on that: “Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls” —

  • “As law firms urge attorneys to work from home during the global pandemic, their employees’ confidential phone calls with clients run the risk of being heard by Amazon.com Inc. and Google.”
  • “Mishcon de Reya LLP, the U.K. law firm that famously advised Princess Diana on her divorce and also does corporate law, issued advice to staff to mute or shut off listening devices like Amazon’s Alexa or Google’s voice assistant when they talk about client matters at home, according to a partner at the firm. It suggested not to have any of the devices near their work space at all.”
  • “Mishcon’s warning covers any kind of visual or voice enabled device, like Amazon and Google’s speakers. But video products such as Ring, which is also owned by Amazon, and even baby monitors and closed-circuit TVs, are also a concern, said Mishcon de Reya partner Joe Hancock, who also heads the firm’s cybersecurity efforts.”
  • “Smart speakers, already notorious for activating in error, making unintended purchases or sending snippets of audio to Amazon or Google, have become a new source of risk for businesses.”
  • “Amazon and Google say their devices are designed to record and store audio only after they detect a word to wake them up. The companies say such instances are rare, but recent testing by Northeastern University and Imperial College London found that the devices can activate inadvertently between 1.5 and 19 times a day.”

Hey Siri, have any Outside Counsel Guidelines had any words about you yet?

More on Covid-19 — Managing Information Risk and Professional Obligations

“How Law Firms Can Harden Their Data Security During COVID-19 Crisis” —

  • “The COVID-19 pandemic has forced law firms into a new work paradigm, switching overnight to a remote workforce. Law firms, already an attractive target for cybercriminals, now face a workforce operating from informal home environments. As a result, law firms must address data security risks as they balance making data available for remote access.”
  • “Sheryl A. Falk, a co-leader of Winston & Strawn’s global privacy and data security task force, answers some of the questions surrounding how a remote workforce can still protect client information. Her answers have been edited for clarity and brevity.”
  • “Law firms should consider and adapt to new data security challenges presented by remote work. Ensure that all connections to the law firm’s information systems are made via a secure connection through a VPN or virtual desktop, with appropriate access controls in place, such as two-factor authentication… Restrict employee access to data needed to do their specific job functions…”
  • “Law firms should arm employees with information to keep data safe. Redistribute any firm data security policies, such as bring your own device policy or written information security program. Counsel employees on remote working best practices.”
  • “Firms should stay alert for potential unauthorized access, including monitoring logs and external connections to the network systems to detect an unauthorized third party from penetrating the law firm’s network. Firms should also ready their response to an incident by quickly reviewing their data security response plan and cyberinsurance.”

“What Law Firms Should Know About COVID-19” —

  • “According to a recent private survey about COVID-19, 74% of law firm respondents expect that there will be a modest to severe impact on legal services demand over the next two quarters. In addition to the issues facing all businesses during this time, law firms also face unique risks as a result of the spread of COVID-19.”
  • “Law firms face risks based on their role as employers and also based on the duties owed to clients… The onset of COVID-19 does not mean that law firms’ duties to clients go away or that lawyers can treat this period as a “vacation” from their obligations. But, changes from courts and other entities have created uncertainty among practitioners. There will inevitably be some confusion and perhaps even some gridlock once courts reopen and deadlines begin to apply again. Law firms and lawyers can use this time to advise clients of the status of their cases and matters in light of the shutdown and advise on the recommended next steps.”
  • “Law firms may also consider educating their work force about the importance of maintaining client confidentiality while working remotely. This may include reminding attorneys and staff that client confidential matters must remain discreet, even within the home, and that attorneys and staff have an obligation to protect the confidentiality of client matters wherever they are.”

Call for Comments on Covid-19 — What Does Your Risk World Look Like Today?

I’ve been having conversations with colleagues about how the Covid-19 situation is affecting everything, including risk operations and management. One element noted in one of yesterday’s articles — moving from paper-based processes to electronic everything — is something I’ve definitely seen come up in a few areas (internal bill generation processes being a recent example).

So I wanted to invite risk readers to share their experiences and stories:

  • How have you and your risk teams responded to the shift to remote work?
  • What challenges have you faced (expected or unexpected)?
  • And how have you been managing?
  • Have you made changes or adjustments along the way? Why?
  • Beyond your team operations, how have things changed in terms of working internally across functions, particularly in terms of your lawyer stakeholders?
  • Are there interesting stories or advice you would share with your risk peers out there?
  • What am I not asking about that I should be? And what’s your answer?

If you’re reading this in your inbox, you can just reply, answering any or all of the above. (And if you’re reading online, you can use the contact form, after you subscribe.)

When you do, please let me know if I can share your identifying details in any summary I generate. Or if you’d rather be anonymous to the world.

I don’t know what the response we’ll get here will be, if anything. But I like experiments. Feels right for a blog about risk…

Covid-19 and Law Firm Risk Management — Experts Weighing In

With my living room transformed into the Bressler Academy for Precocious and Mischievous Young Ladies (who have been known to suggest clip art while watching over my shoulder during evening risk blogging sessions), I note, more seriously, that today many of you are working remote, managing personal and professional challenges, and waiting to see what the days ahead bring.

On a professional front, I’ve noted an expected and increasing crop of general stories of how organizations are adapting to this new landscape, and advice about the same ranging from the generic to the incredibly astute. Here are some specifically focused on law firm risk:

“Client Service Continuity Strategies for Law Firms Responding to Coronavirus Pandemic” —

  • “During this period of uncertainty, the health and welfare of your lawyers, staff, and clients is a top priority. However, attorneys must also be prepared to continue to provide legal services to clients regardless of measures taken by any government or oversight organization. In addition, the need to potentially self-quarantine has to be taken seriously. The best and only time to prepare for an interruption in practice—whether self-imposed or by a third party—is before it happens.”
  • “One of the primary risks for law firms in a quarantine situation are missed deadlines… Immediately review upcoming deadlines for the next 60 days and consider how you will meet those deadlines should you be quarantined.”
  • “Consider arrangements to have mail delivered to your home or scanned and sent to you if you are out of the office. Again, do not rely strictly on your legal assistant in the event he or she is unavailable for any reason. Identify a backup for that task.”
  • “Review and consider the privacy and security of any client records and documents, as well as your ability to meet the requirements of outside counsel guidelines when working remotely. This typically means client information should not be placed or stored on home computers, personal storage devices, or in the cloud, which violate most—if not the majority of—standard outside client guidelines.”

“COVID-19: How to Maintain Regulatory Obligations While Working Remotely” —

  • “Remote working increases the risk of data breaches and loss of confidential information through hard copy documents being transported and kept at home, rather than in offices with the necessary systems and controls in place. Colleagues should work digitally wherever possible and be advised against working from hard copy documents and minimising the need to make handwritten notes of calls or virtual meetings they attend – typed notes should be encouraged.”
  • “Colleagues should be reminded to work in private environments where conversations of a confidential nature cannot easily be overheard and computer screens cannot be easily seen by third parties. The importance of locking computer screens when unattended (even within one’s home) should be reinforced.”
  • “Being away from the office should not lead to a relaxed attitude to the importance of one’s regulatory obligations. Individuals should be aware that they are responsible for the professional judgement they exercise when working at home and that the various discussions and decisions taken on a particular case, for example around disclosure or potential conflict points, should be carefully recorded. This should include reasoning for why they have chosen to act in a certain way, so that they can justify their decisions, should they need to, in the future. The SRA’s Enforcement Strategy recognises, however, that mistakes do happen; clear record keeping will help the SRA decipher between honest mistakes and those that are less excusable.”

Risk “Issue” Week (Part 5) — Data Privacy, CCPA and Law Firm Compliance Responsibilities

“3 Big Pitfalls To Avoid Regarding The California Consumer Privacy Act Compliance” —

  • “More specifically, the CCPA gives California residents the right to (i) know what personal information is being collected, used, shared, or sold about them, (ii) know whether and to whom their personal information is sold or otherwise disclosed, (iii) access and review their personal information, (iv) opt-out of the sale of their personal information, and (v) non-discrimination in the level of service and pricing despite exercising any of their privacy rights.”
  • “Such responsibilities under the CCPA, however, only apply to those businesses that meet one or more of the following criteria: (a) gross annual revenues in excess of $25 million; (b) buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices; and/or (c) derive 50 percent or more of annual revenues from selling consumers’ personal information.”
  • “The reach of the CCPA cannot be underestimated — businesses outside of California are not necessarily outside the scope of the CCPA… Given the scope and reach of the CCPA, it comes as no surprise that most companies in the United States that do business with California residents and meet any of the qualification criteria are scrambling to comply.”
  • “Being GDPR Compliant Does NOT Mean Your Company Is CCPA Compliant. It may come as a surprise to some, but GDPR compliance does not guarantee CCPA compliance. In fact, your company (or client) may have additional obligations under the CCPA.”
  • “Once the policies implemented by your company (or client) have been updated to address CCPA requirements, those policies must not be set in stone. The CCPA may give the consumer the right to delete personal information held by businesses (or their service providers), but this “right to be forgotten” does not extend to the privacy policies of your company (or client). Revisit these policies on a regular basis to update them based upon guidance from enforcement actions, newly promulgated regulations or potential modifications to the statute.”

A law firm focused exploration of response strategies: “4 Ways Firms Can Keep Compliant With the CCPA” —

  • “A law firm’s website should describe California residents’ rights including their right to authorize personal data deletion, or allow disclosure of information and notice of collection. What’s more, a firm must also provide opt-outs for the selling of consumer information.”
  • “Law firms leveraging outside vendors, such as e-discovery providers, to store or process data that includes Californians’ personal information should update their vendor contracts to ensure that such information is not used for anything outside of specified services, said Jackson Lewis principal Joseph Lazzarotti.”
  • “Law firms need to prepare for data requests, which includes having a system to process such requests and protocols to find data and verify a requester’s identity. Law firms may face more difficulties in this regard compared to other businesses because of the large data sets corporate clients send them.”
  • “Implement ‘Reasonable Security Procedures.’ Lazzarotti noted the CCPA provides statutory damages for anyone whose “nonencrypted or nonredacted public information” was breached because a company lacked “reasonable security procedures and practices.” Plaintiffs could be awarded $100 to $750 per consumer per incident or actual damages, whichever is greater, and injunctive or declaratory relief.”

For those wondering, here’s: “A Comparison of GDPR and CCPA.”

And, worth noting: “States Are Proposing Their Own CCPA-Like Privacy Laws” —

  • “The Washington Privacy Act (Senate Bill 6281), which failed to pass last year, was reintroduced in the state senate for the 2020 legislative session.”
  • “A bill that is strikingly similar to the CCPA has been introduced in Nebraska.”
  • “House Bill No. 473 (Virginia bill) would amend Virginia law to add the Virginia Privacy Act. The bill applies to any company doing business in Virginia or that produces products or services “intentionally targeted to residents” of Virginia…”
  • “Companion bills have been introduced in the Florida Senate (Senate Bill 1670) and the Florida House of Representatives (House Bill 963)…”
  • “New York has recently seen its own share of privacy laws and regulations proposed. Most notably, the New York Privacy Act (NYPA), which some refer to as “groundbreaking,” was reintroduced in the state senate at the beginning of the year…”

 

Risk “Issue” Week (Part 4) — Outside Counsel Guidelines: Strategies for Firm Response

“As Clients Demand More Than Ever, How Can Lawyers and Firms Respond?” —

  • “As the legal industry continues to disaggregate and is increasingly flooded with technology, clients and in-house counsel report that they want a more personalized legal relationship. As hyperpersonalization permeates the legal industry, clients will continue to push for more tailored service.”
  • “These circumstances suggest that a key step in bridging the gap between client expectations and law firm efforts is for both sides to open a dialogue about needs and obstacles and how to develop collaborative ways to address them. Below, we discuss a few specific areas to consider as a starting place for those initial conversations, and for making the investment in better understanding clients’ specific business and legal needs.”
  • “The Value of Data. Leveraging data and analytics is one way in which firms can accede to client requests for more predictable pricing, staffing and results. Metrics about prior matters and their variables can also provide clients with more information about anticipated turnaround time, settlement value, jury verdicts and other considerations, which, in turn, clients can use at the outset of an engagement to make decisions that align with their broader business goals and directives. Essentially, data allows for a more informed decision-making process… Outside counsel are well-positioned to help clients navigate their in-house use of legal technology. In turn, this effort may result in clients being able to provide more and better data to firms, which firms can then use to augment their services—including data and analytics on particular matters and broader trends.”
  • “A New Staffing Model. One way for firms to address these issues is to establish dedicated teams for particular clients and encourage those attorneys and staff to invest in a deeper understanding of the clients’ business and requirements… Instead of having a partner or associate manage all tasks, the team, with collaborative input from the client, may be better positioned to assess which tasks can be managed by paralegals, passed off to a consulting arm, or even outsourced to alternative (and more cost-effective) service providers… A benefit of any secondment program is that it gives the firm insight into the client’s day-to-day business needs and culture; seconded lawyers gain experience that serves them, the firm and the client long after the secondment period ends.”
  • “Incentives to Add Value. Rather than relying solely on client pressure to create attorney buy-in, firms should also consider internal policies and incentives to help their lawyers meet client demands for greater understanding of their business and proactive advice… It is all too easy for both clients and outside counsel to sit back and expect the other party to present ideas for innovation and improved services. For law firms, waiting to change until a client asks for something new runs the risk of not seeing a problem until it is too late: the client never asks and instead moves the work elsewhere.”

Risk “Issue” Week (Part 3) — Litigation Financing and Discovery Disclosure Rules & Trends

From Stephanie Spangler, an associate at Norris McLaughlin PA, and Dai Wai Chin Feman, a director and corporate counsel at Parabellum Capital LLC, comes an overview of the latest news and views on litigation finance: “What Courts Are Saying About Litigation Finance Disclosure” —

  • “That debate continues, with defendants persisting in propounding document requests, interrogatories and deposition questions regarding the identity, terms and other aspects of financing arrangements. As defendants continue to seek discovery, courts continue to weigh in.”
  • “In Pipkin v. Acumen,[3] the U.S. District Court for the District of Utah prohibited any discovery regarding litigation funding on the basis of relevance… In granting the plaintiff’s motion for a protective order, the Pipkin court held that ‘information related to funding of the litigation is irrelevant to the claims and defenses of the case and, therefore, Plaintiffs’ funding of the lawsuit is not discoverable.’ With respect to credibility, the court found the defendant’s argument to be ‘entirely speculative and insufficient to demonstrate the relevance of the sought-after fee agreements.'”
  • “In Fulton v. Foley, the U.S. District Court for the Northern District of Illinois quashed a subpoena to a litigation funder on the grounds of relevance and attorney work product. However, the Fulton court ordered the plaintiff to produce ‘all non-mental impressions, fact-based information and documents including any statements provided by Plaintiff directly, if any, that was provided to [the litigation funder].'”
  • “In looking at the specific discovery issues at hand, the court held that the funding agreement documents are irrelevant to the mitigation of damages because in the event of a successful outcome, the plaintiff will be obligated to repay the funder and, therefore, the funds are not income.”
  • “However, the Fulton court took the rare step of ordering production of nonprivileged fact-based communications between the plaintiff and litigation funder. This may be of limited ultimate utility for the defendant, as the common interest privilege will likely apply to most, or all, of the materials shared.”
  • “In Continental Circuits LLC v. Intel Corp., the U.S. District Court for the District of Arizona denied the defendants’ motion to compel the production of litigation funding agreements on the basis of work product.”
  • “However, the court ordered the plaintiffs to identify “all persons or entities (other than counsel) with a fiscal interest in the outcome of the litigation,” and held that ‘the fact of the funding agreements’ existence’ does not, in and of itself, constitute work product.”
  • “In support of their motion to compel, the defendants argued the discovery is relevant ‘to refute any David vs. Goliath narrative at trial, to evaluate the value of the patents at issue and any damages claimed by Plaintiff, to address bias and prejudice of witnesses who may appear at trial, and to identify any jurors who may have a relationship with a litigation funder.’ The plaintiff asserted that the requests were not relevant and disclosure was barred by the work product doctrine.”