Risk Update

Risk Reading — Law Firm’s “Worst HIPAA Nightmare,” Court Clerk Recruitment Face Palm, SEC v Covington Client ID Fight News, Another Consulting Conflict of Interest

“Biglaw Attorney Learns Hard Lesson About When *Not* To Recruit New Lawyers” —

  • “Maybe Perkins Coie attorneys think they *always* need to be recruiting potential lateral lawyer talent, but they’re learning there is a time and a place for everything.”
  • “An unnamed Perkins Coie attorney was benchslapped by Northern District of California Judge Yvonne Gonzalez Rogers for trying to recruit one of her clerks mid-trial.”
  • “Yeah, even if you’re uniquely impressed by the legal acumen of a law clerk, it seems like discretion would warrant at least waiting until the end of trial to try to recruit them to your firm.”
  • “And Judge Gonzalez Rogers made it abundantly clear that nonsense would not fly in her courtroom or in her district:
    • ‘No lawyer should ever reach out to a law clerk of a judge during trial and suggest that at some point [the clerk] should contact him if he wants a job. It is so inappropriate that it’s shocking to me that I have to say anything about this.’
    • ‘In the Northern District of California, it is inappropriate, and it should never happen,’ she said. ‘So I don’t know what people think is okay, but it is not.’”

“Law Firm Hack Affects Victims of an Earlier Breach Again” —

  • “Orrick, Herrington & Sutcliffe on July 20 reported the data breach to several state regulators, including the attorneys general of Maine and California, as well as a HIPAA breach to the U.S. Department of Health and Human Services.”
  • “Among the affected individuals was an Orrick client tied to a vision benefits plan that had suffered its own health data breach several years ago. Orrick said it had provided legal counsel for a 2020 security event involving the manager of the vision benefits plan.”
  • “Law firms, such as Orrick, that receive PHI from clients to provide legal services, including to assist in health data breach response, are clearly business associates subject to compliance with HIPAA rules, said regulatory attorney Paul Hales.”
  • “‘This is every law firm’s worst HIPAA nightmare, even more so for one with the well-regarded reputation like Orrick, Herrington & Sutcliffe,’ Hales said. ‘Government investigations and private lawsuit discovery will examine Orrick’s HIPAA compliance program in minute detail. Those proceedings will be painful and unpleasant for Orrick and its client. And likely will pit legal counsel against its client,’ he said.”
  • “The San Francisco-based law firm, which has 25 offices worldwide, told regulators that information contained in the compromised file of the vision benefits plan included individuals’ name, address, date of birth and Social Security number. Social Security and financial information were not among the member information contained in the compromised Delta Dental of California file, Orrick told regulators.”

“SEC Wins Access to Some Covington & Burling Clients’ Names” —

  • “Covington & Burling LLP must turn over the names of seven clients whose data was compromised in a cyberattack to the US Securities and Exchange Commission, despite objections by the firm and others that to do so would weaken attorney-client privilege.”
  • “The SEC had asked in March for the names of almost 300 ‘public company ‘ of the law firm, saying it needed them to determine if the hackers had used the information they stole to engage in illicit trading.”
  • “US District Court Judge Amit Mehta in Washington ruled that request was ‘too broad’ and he ordered the law firm to reveal the names only of clients whose material, nonpublic information may have been accessed by hackers during the 2020 breach of the law firm’s computer files.”
  • “Such a request by the SEC ‘does not exceed its statutory authority or cross any constitutional lines,’ the judge wrote.”

“PwC admits to another conflict of interest breach” —

  • “Embattled consultancy firm PwC has admitted to another serious conflict of interest breach, but has clarified that it did not involve the misuse of government information.”
  • “The breach occurred in 2018 and is separate to the misuse of confidential tax policy information that has triggered a reputation crisis for the firm and seen the divestment of its government services division for just $1.”
  • “This breach involved a PwC staff member entering into an exclusivity agreement with a client without proper authorisation from the firm’s conflict of interests team.”
  • “Details about the 2018 matter were not addressed during previous parliamentary inquiries and are likely to prompt more scrutiny and criticism of the firm, which initially sought to downplay the seriousness of the scandal.”