Bressler Risk Blog

“Premier League accused of ‘unacceptable conflict of interest’ over use of law firm run by interim chairman” —

• “The Premier League has been accused by the former sports minister Tracey Crouch of an ‘unacceptable conflict of interest’ for using a law firm run by its interim chairman to carry out checks on club takeovers.”
• “Peter McCormick, who was appointed the interim chairman of the Premier League in January, is the senior partner of McCormicks Solicitors in Harrogate, Yorkshire, and is also the long-serving chairman of the Premier League’s Legal Advisory Group and Football Board and an FA board member.”
• “McCormick’s firm has carried out the owners’ and directors’ test checks for the league when clubs are being taken over or new directors appointed, and has previously been paid hundreds of thousands of pounds in legal fees.”
• “Crouch, who headed last year’s fan-led review of football, said the arrangement was another argument for the English game to have an independent regulator, which would carry out such checks on club takeovers.”
• ‘”Sources have told The Times that McCormicks Solicitors was involved in the owners’ and directors’ test checks for the most recent top-flight takeover — the purchase of Newcastle United in October by a consortium led by Saudi Arabia’s Public Investment Fund (PIF). It is understood that the firm could also be used in the process for the new Chelsea owners.”
• “Crouch told The Times: ‘This strikes me as an unacceptable conflict of interest. Any firm or organisation that carries out any checks for the owners’ and directors’ test should not be connected to any senior figure within the Premier League. This is exactly the kind of situation that would be avoided under an independent regulator.'”
• “Other senior figures in football have privately expressed surprise about the arrangement but McCormick defended his and his firm’s roles. He told The Times: ‘Tracey Crouch has commented without checking the facts. I, along with my firm, have been an adviser on the OADT [owners’ and directors’ test] for 12 years. It was agreed before I took the interim chair that the board wished that service to continue and it was agreed that I would not participate in the decision-making process on any club takeover while interim chair. Clubs were informed of this at the shareholders’ meeting which appointed me — at which I was not present, in accordance with good practice.'”
• “The Premier League added that McCormicks had been used to advise on the owners’ and directors’ test for more than a decade, along with other firms, and that McCormick himself would not take part in any vote by the league’s board on a takeover.”

“State Supreme Court considers attorney’s ‘conflicts’ in APS test-cheating appeal” —

• “A public defender representing six former educators convicted in the Atlanta Public Schools test-cheating scandal argued Tuesday he should not be required to represent all six clients in their appeals because to do so would raise conflicts of interest.”
• “If forced to represent them on his own, the educators ‘would proceed with motions for a new trial with counsel divided in his loyalty, his attention, his orientation of the defense,’ Fulton County public defender Stephen Scarborough told the Georgia Supreme Court.”
• “The appeal is occurring almost seven years after the conclusion of the trial, believed to be the longest in state history. Scarborough was appointed to represent six of the defendants on appeal, beginning with their motions for a new trial before trial judge Jerry Baxter.”
• “At least two years after taking the case, Scarborough told Baxter he realized he should not be representing all six because they had competing interests. But Baxter, expressing frustration by the lengthy passage of time, denied Scarborough’s motion to allow his clients to have separate, conflict-free counsel.”
• “Criminal charges were brought against Atlanta educators after The Atlanta Journal-Constitution, in both 2008 and 2009, revealed some schools were posting statistically unbelievable scores on state tests. Of the 35 educators indicted for racketeering and other offenses, 21 pleaded guilty and two died before trial. Of the 12 who stood trial, which lasted almost eight months, 11 were convicted.”
• “During arguments, some justices expressed concern that a ruling in Scarborough’s favor would open a Pandora’s Box that would allow countless future defendants to file appeals asserting their attorneys have conflicts of interest. They also noted that even if Scarborough has an alleged conflict and is required to proceed, his clients could later file appeals seeking to correct the problem.”
• “Even though justices worried about the precedent they might set in Scarborough’s appeal, some expressed concern about requiring Scarborough to proceed if he has divided loyalties to his six clients.”
• “‘If my counsel is representing both of us and in order to best represent my co-defendant is required to implicate me and does so, have I received conflict-free counsel?’ Justice Charles Bethel asked. ‘No.'”

“Baker Donelson Achieves ISO 27001 Certification for Information Security Management” —

• “Baker Donelson has achieved ISO 27001 certification, an internationally recognized certification for information security management.”
• “Earning the ISO 27001 certification shows that Baker Donelson is in compliance with rigorous international standards regarding utilization of best practices, ongoing governance, and management of information systems to ensure the security of client and firm data. Baker Donelson was awarded this certification by BSI, a leading provider of business improvement solutions.”
• “‘As a law firm, it is critically important that we safeguard the security of our clients’ information. Protecting the interests of our clients has always been paramount for us, and earning the ISO 27001 certification demonstrates that Baker Donelson has the necessary controls in place to ensure that all client data is secure and protected,’ said the Firm’s Chief Information Officer Lance N. Rea.”

“Stark & Stark Achieves ISO 27001 IT Certification” —

• “The law firm of Stark & Stark [100+ lawyers] announced its achievement of ISO 27001 certification, one of the most widely recognized and internationally accepted information security standards that defines how an organization should manage and treat information. Lawrenceville’s Stark & Stark is among a select group of law firms to achieve this certification.”
• “‘Providing our clients with great service is the core of what we do at Stark & Stark, and the security of our clients’ information is at the foundation of great service,’ Thomas Kline, Stark & Stark’s Director of Information Technology, stated. ‘Achieving the ISO 27001 certification illustrates our commitment to continuously improve our information security management, and it tests that commitment through annual audits that adhere to an internationally recognized standard.'”
• “The certification means Stark & Stark has adopted a best practices approach to information security management and has established policies and procedures to ensure the security of the firm’s client information will be continuously improving and evolving.”
  “Stark & Stark Managing Shareholder Michael Donahue stated, ‘Our drive to achieve this level of security is client satisfaction. We are committed to continuous improvement to information security. Obtaining this certification for our Firm was truly a team effort.'”

“How Law Firms Can Avoid Data Breaches Using the Cloud” —

• “Reports of increased cyberattacks significantly impacted the legal industry during the pandemic, with widely publicized ransomware attacks striking several prominent firms, resulting in serious reputational damage and significant liability. There’s little doubt that other attacks occurred but did not become public.”
• “Although firms may think they have appropriate protocols for cyberattack prevention and breach-response plans in place, data has shown that less than half of law firms participating in the ABA survey use even basic security tools like encryption, two-factor authentication, intrusion detection and prevention, or remote-device management protocols.”
• “As the ethical and practical imperatives for data security become clearer, some firms have adopted a stop-gap approach—purchasing insurance to mitigate financial exposure—while others are taking a wait-and-see approach, and the ABA survey reports only about a third of firms hold cyber liability insurance policies.”
• “Although it’s wise to purchase insurance policies, they don’t prevent data breaches, nor do they protect a company from contractual or regulatory consequences.”
• “Compounding poorly mitigated data-breach risk, many Big Law lawyers remain in the dark regarding security incidents at their firms. Whereas about three-quarters of survey respondents from firms with 50 lawyers or fewer report they are in the loop, nearly two-thirds of lawyers working in firms with 100 lawyers or more say they have no visibility into their firms’ data breaches.”
• “Firms rightfully worry about cybersecurity in the cloud generally and client contractual obligations specifically. Because outside counsel guidelines usually stipulate that client data must be stored in a specific fashion—which often entails keeping sensitive information in a firm-managed environment—firms are obligated to audit and update these contracts transparently before migrating client records to the cloud. For a large firm staring down thousands of contracts, it’s an onerous and expensive exercise”
• “Although advanced cloud models for risk and compliance incorporate key elements of secure computing by meeting or exceeding common regulatory requirements—and often provide a higher level of safety than on-premises deployment—the EU General Data Protection Regulation (GDPR) has generated renewed concerns about cloud storage for the legal industry.”
• “Because cloud service providers’ reputations and business models rely on state-of-the-art data security, these vendors invest heavily in robust security teams and rapid platform updates. It’s a simple matter of scale: It’s impossible for a single firm to develop and execute the same breadth and depth of security and innovation protocols as a cloud service provider.”
• “Most cloud service providers have a wide range of clients. As a result, they may be subject to stringent regulatory requirements; many voluntarily adhere to industry best practices and guidelines, such as ISO27001, which entail strict standards for building and maintaining data centers, as well as regular independent audit cycles to ensure compliance.”
• “In the past, law-firm data breaches often went unreported—and possibly undetected. Now, all 50 states plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted security breach notification laws requiring businesses to inform affected parties when their personal information is breached.”
• “Today, lawmakers continue to expand existing laws; 22 states strengthened security breach regulations in 2021, including shortening the window for firms to report breaches and requiring private sector entities to report breaches to the attorney general or other state entity.”
• “Survey data shows that cybersecurity remains a key challenge for law firms, and the sector finds itself increasingly targeted due to its wealth of sensitive data—and deep pockets. With representatives of nearly two-thirds of the 100 leading Big Law firms identifying cybersecurity threats as a key concern, it’s eye-opening that less than one-quarter of these firms employ a cybersecurity committee that reports into the party charged with governance.”
• “Although many persist in the belief that in-house servers are more reliable and secure than cloud-based solutions, cloud storage offers strategic redundancies that both protect data durability and availability and prevent file loss due to equipment error, damage, or data breach. As threats become increasingly relentless and sophisticated, firms focused on long-term data security are embracing the protections afforded by the cloud.”

“Kennedys-led consortium receives £783k from Innovate UK to develop reputational risk software” —

• “A consortium led by UK top 50 law firm Kennedys has been awarded £783,000 in funding from Innovate UK to develop software that is able to identify and assess reputational risk, as part of a £1.2m project. The difference will be covered by Kennedys and four fellow consortium members: The University of Manchester and University College London; public relations group Cicero/amo; and risk management company RiskCovered Limited.”
• “Reputation Advisor will be developed to analyse content – from corporate documents to publicly available information – to create a reputational index of risk relating to an organisation’s corporate citizenship via ESG (environmental, social and governance) practices that impact on a company’s bottom line.”
• “Reputation risk is considered as an intangible asset that is rising in company value. Karim Derrick, product and innovation director for Kennedys’ tech arm Kennedys IQ said: ‘In a world where companies are often accused of greenwashing, Reputation Advisor will also provide robust and transparent evidence of a firm’s genuine green credentials. From an insurance perspective, the product will help insurers in their conversations with their own clients to quantify ESG related risk.'”

Just “Smartphones”? Or are cloud/server/desktop-enacted LinkedIn/Outlook/Microsoft Teams integrations also in scope (among other data flows)?: “New York Bar Issues Ethics Opinion on Protecting ‘Confidential’ Client Identity Information on Smartphones” —

• “On April 8, 2022, the New York Bar issued an opinion to protect “confidential” client identity information stored on an attorney’s smartphone. In particular, the opinion prohibits an attorney who stores ‘confidential’ (as defined under Rule 1.6 of the New York Rules of Professional Conduct) client identity information in the attorney’s “contacts” folder on the attorney’s smartphone from consenting to share their “contacts’ with a smartphone app, unless certain criteria are met.”
• “The opinion is based on Rule 1.6(c), which provides that an attorney is required to ‘make reasonable efforts’ to prevent the disclosure of “confidential’ client information. The opinion explains that, before an attorney grants access to his or her smartphone’s contacts folder, the attorney must first determine whether any contact information is ‘confidential’ client information within the meaning of Rule 1.6. If clients’ names constitute ‘confidential’ information, the opinion states that an attorney must ‘make reasonable efforts to prevent the unauthorized access of others to those names, whether stored as a paper copy in a filing cabinet, on a smartphone, or in any other electronic or paper form.'”
• “If the attorney’s smartphone ‘contacts’ folder contains ‘confidential’ client information, the attorney may not consent to share the contacts folder with a smartphone app, unless the attorney determines that (1) no person will view the information and (2) the information will not be sold or transferred to additional third parties, without the client’s consent.”

“Former Alberta justice minister, ex-law partner accused of conflict of interest in Kamikaze campaign probe” —

• “Former Alberta justice minister Jonathan Denis and his ex-law partner Dale Fedorchuk have been accused of conflict of interest in connection with the Kamikaze campaign investigation — and of making one client ‘the scapegoat’ for another: United Conservative Party heavyweight Jeff Callaway.”
• “The allegation came out in an interview Cameron Davies, Callaway’s former communications director, gave to the Office of the Election Commissioners (OEC) as part of its probe into Callaway’s 2017 UCP leadership campaign. He also accused the two lawyers of breaching solicitor-client privilege, details of which are contained in the OEC investigator’s interview transcript and summary obtained by CBC News.”
• “Davies was Callaway’s co-campaign manager and ran communications. He told investigators he’d convinced a number of people to go along with putting their names on donations they didn’t make — and received two $7,500 fines in February 2019 for obstructing the investigation into the campaign by Alberta’s election commissioner. Davies was also fined $12,000 for facilitating irregular donations for the Callaway campaign.”
• “But the transcripts from the first in-person interview Davies gave to election commissioner investigators in March 2019 — a month after his obstruction fine — include allegations that his lawyer, Fedorchuk, wasn’t acting in his best interest.”
• “Instead, he alleges that the lawyer gave privileged information to his law partner, Denis, in order to help another client under investigation by the OEC: Callaway”
• “When contacted by CBC News, Fedorchuk and Denis said through Guardian Law that solicitor-client privilege prevents them from responding to these allegations — or even confirm their involvement in the case. Davies subsequently sent Guardian Law an email waiving his privilege for this story, but Guardian Law and Fedorchuk reiterated they’d be violating privilege were they to answer any of the inquiries.”
• “The interview and investigator’s summary include specific claims made by Davies, which would violate Law Society of Alberta rules if proven accurate.”
• “Running a dark horse campaign like Callaway’s isn’t against electoral law in itself. But much of its funding was, according to a months-long investigation by the election commissioner’s office.”
• “In the OEC interview, Davies said when he learned he could be targeted by the commission’s investigation, he was initially referred to Denis, who served as Alberta’s attorney general and justice minister from 2012 to 2015. But Davies said the former Progressive Conservative cabinet minister assigned the case to Fedorchuk, his then-partner at Guardian Law Group.”
• “What he didn’t know then, he said, is that Denis was representing Callaway. If a law firm is representing two clients who may have different interests, it’s essential to at least build an ethical wall between the two, University of Calgary assistant professor of law Gideon Christian says.”
• “‘You cannot be a slave to two masters,’ he said. ‘The law firm should have put in place a structure to prevent confidential information to be exchanged between the two lawyers acting on behalf of different individuals in this case.'”
• “Davies told investigators that no such wall existed. In fact, he said Denis was often present on privileged phone calls between himself and Fedorchuk.”

“Lawyers have an obligation to ensure employees don’t solicit clients, new ABA ethics opinion says” —

• “Attorneys not only must refrain from engaging in improper direct solicitation of potential clients, but there is also an ethical responsibility to ensure that employees or others hired by the lawyers do not engage in such misconduct, according to a new ethics opinion from the ABA’s Standing Committee on Ethics and Professional Responsibility.”
• “Formal Opinion 501, released Wednesday, identifies that a solicitation under ABA Model Rule of Professional Conduct 7.3(a) is a communication initiated on or behalf of a lawyer or a law firm directed to a specific person that the lawyer knows or reasonably should know needs legal services. The rule permits such direct, face-to-face solicitation if the contacted person is a lawyer, a family member or a close friend or a person who routinely uses the types of services offered by the lawyer.”
• “The opinion focuses on a lawyer’s ethical responsibilities regarding third parties who solicit on behalf of the lawyer. Model Rule 8.4(a) provides that it is professional misconduct for a lawyer to knowingly assist or induce another to violate the rules—including engage in impermissible solicitation. The lawyer is subject to discipline under 8.4(a) if the lawyer knows of the third party’s conduct or requests or authorizes it.”
• More via ABA at: “ABA issues guidance on ‘live person’ lawyer solicitation to clarify existing model rules“

“Fox Rothschild Faces DQ Bid In Athlete Shares Fraud Case” —

• “A startup that aimed to ‘tokenize’ and sell shares of professional athletes says the firm representing investors in a $1 million fraud suit in New York federal court, Fox Rothschild LLP, once represented a co-defendant and should be tossed from the case.”
• “New York-based SportBLX seeks to ‘tokenize’ professional athletes ‘by dividing them into tradeable, fungible units that fans and investors could buy and trade,’ according to the lawsuit. This would be done through a blockchain platform that SportBLX would create.”
• “Cypress Holdings III LP sued startup SportBLX, parent company GlassBridge Enterprises and the startup’s founders, George Hall and Joseph DePerio, in February alleging investors were duped into pouring $1 million into the venture in 2019 based on misrepresentations of a business plan that didn’t materialize.”
• “GlassBridge said in a letter Thursday that Fox Rothchild represented it ‘before and during the time period at-issue in this litigation on substantially related matters,’ including the company’s directors and officers liability insurance policy.”
• “GlassBridge paid Fox Rothschild $847,285 in legal fees before the firm ended the representation in early November 2021, two months before Cypress filed its lawsuit, according to the letter filed in Manhattan federal court.”
• “‘Through the prior representations, and at a time when GlassBridge first purchased and owned SportBLX assets, Fox Rothschild obtained sensitive and confidential information having to do with GlassBridge’s business,’ information that is ‘essential to Cypress’s allegations and GlassBridge’s defense,” the letter said.”

Hat tip to a kind reader for sending word of this fascinating update [see previously]: “McKinsey Opened a Door in Its Firewall Between Pharma Clients and Regulators” —

• “The firm let consultants advise both drugmakers and their government overseers, internal records show. ‘Who we know and what we know’ was part of their pitch.”
• “Jeff Smith, a partner with the influential consulting firm McKinsey & Company, accepted a highly sensitive assignment in December 2017. The opioid manufacturer Purdue Pharma, beleaguered and in financial trouble, wanted to revamp its business, and an executive there sought out Dr. Smith….But the corporate reorganization was not Dr. Smith’s only assignment at the time. He was also helping the Food and Drug Administration overhaul its office that approves new drugs — the same office that would determine the regulatory fate of Purdue’s new line of proposed products.”
• “The story of Dr. Smith’s simultaneous work for Purdue and its federal regulator is told through previously undisclosed internal McKinsey records. More broadly, they contain evidence of a porous firewall between the consulting firm’s work for private companies and for the authorities that oversee them.”
• “A review by The New York Times of thousands of internal McKinsey documents found that the firm repeatedly allowed employees who served pharmaceutical companies, including opioid makers, to also consult for the F.D.A., the drug industry’s primary government regulator.”
• “And, the documents show, McKinsey touted that inside access in pitches to private clients. In an email in 2014 to Purdue’s chief executive, a McKinsey consultant highlighted the firm’s work for the F.D.A. and stressed ‘who we know and what we know.'”
• “Since 2010, at least 22 McKinsey consultants have worked for both Purdue and the F.D.A., some at the same time, according to the committee’s 53-page report drafted by its Democratic majority. The firm provided no evidence to the committee that it had disclosed the potential conflicts of interest as required under federal contracting rules — an ‘apparent violation,’ the report said.”
• “McKinsey also allowed employees advising Purdue to help shape materials that were intended for government officials and agencies, including a memo in 2018 prepared for Alex M. Azar II, then the incoming secretary of health and human services under President Donald J. Trump.”
• “McKinsey says that its consultants are forbidden to share confidential information or discuss their work with clients that have competing interests, and in a statement a spokesman disputed that there was a disclosure requirement related to the work it did for the F.D.A.: ‘Since McKinsey has not advised the F.D.A. on specific regulatory decisions or on specific pharmaceutical products, our consulting engagements with pharmaceutical companies did not create a conflict of interest with McKinsey’s consulting work for the F.D.A.,’ the spokesman said. ‘Because there was not a conflict of interest, there was not a requirement for a disclosure.'”
• “For nearly a century, McKinsey has taken on clients in the same industries, with internal rules meant to prevent trade secrets from leaking to competitors. As McKinsey expanded to 67 countries, serving many of the world’s biggest companies, it also began to mine a new source of revenue: governments, including in the United States, Europe and Asia. It wasn’t until McKinsey began to work extensively with federal agencies that potential conflicts of interest drew the attention of Congress.”
• “McKinsey’s own guidelines on dealing with conflicts of interest for government work, which are based on federal rules, state that ‘even the appearance’ of a conflict compels its consultants to make a report to the government client’s contracting officer.”
• “In one F.D.A. proposal, McKinsey did note that Dr. Smith had previously served an unnamed opioid manufacturer, and in its statement to The Times, the firm’s spokesman said it had ‘repeatedly made the agency aware of our industry experience and our colleagues’ expertise in the pharmaceutical industry.’ But the committee’s report criticized McKinsey’s disclosures as ‘isolated and vague’ and not in accordance with the firm’s own policy. The F.D.A. has previously said it was unaware of McKinsey’s work for Purdue until 2021.”
• “In 2016, while Dr. Smith advised the F.D.A. on its use of data for tracking drug safety, colleagues sought his counsel on how the firm might draw on that work with the agency to help Purdue. The documents indicate multiple occasions when McKinsey promoted its connections with federal regulators when pitching its services to pharmaceutical clients.”
• “Earlier, in a 2009 presentation offering its services to a pharmaceutical industry group, McKinsey wrote that it directly supported regulatory bodies ‘and as such have developed insights into the perspectives of the regulators themselves.'”

“[Judge] Alsup Calls Amazon In-House Atty’s LinkedIn Gap ‘Suspicious’” —

• “Mulling a motion to disqualify Amazon’s counsel from litigation accusing the e-commerce giant of infringing MasterObjects Inc.’s search engine patents, U.S. District Judge William Alsup said Wednesday it ‘looks suspicious’ that an Amazon in-house lawyer omitted from his LinkedIn profile a two-year stint at a law firm that represented MasterObjects.”
• “U.S. District Judge William Alsup didn’t issue a ruling Wednesday on MasterObjects’ bid to boot from the case both Amazon’s in-house lawyer and outside counsel at Hueston Hennigan LLP, taking the matter under submission. He did, however, deny Amazon’s request for sanctions against MasterObjects and its Hosie Rice LLP counsel for bringing the motion, saying he didn’t find it to be frivolous.”
• “Wednesday’s arguments focused on Scott Sanford, a senior in-house patent lawyer at Amazon.com Inc. who is leading the company’s defense case. He worked from 2000 to 2002 for Fliesler Meyer LLP, a San Francisco firm that handled MasterObjects’ patent prosecution. Sanford was not present for Wednesday’s court proceedings.”
• “In a declaration, Sanford said he doesn’t pay close attention to his LinkedIn resume and inadvertently left that off. However, his positions before and after his employment at Fliesler Meyer were on his LinkedIn resume, and that’s a red flag, said Diane Rice of Hosie Rice, a lawyer for MasterObjects.”
• “MasterObjects also submitted a declaration from a lawyer, Karl Kenna, who worked with Sanford at Fliesler Meyer. Kenna said it was a very small law firm, with attorneys working in a small San Francisco office. ‘They were cheek to jowl,’ Rice said, ‘and courts understand that people who work in close quarters talk to each other about their work.'”
• “While Sanford claims he didn’t do work for MasterObjects during his time at Fliesler Meyer, the lawyer had access to information about the client, Rice argued.”

“Judge’s Blind Trust Didn’t Resolve Financial Conflict of Interest, Federal Circuit Strongly Hints” —

• “The $1.9 billion bench verdict Centripetal Systems won against Cisco Systems Inc. in 2020 is going to be sent back for a do-over. That much was clear following arguments at the U.S. Court of Appeals for the Federal Circuit on Monday.”
• “The question now will be how much needs to be redone due to U.S. District Judge Henry Morgan’s failure to divest or to recuse himself after finding out midtrial that his wife held $4,688 worth of Cisco stock. Monday’s argument provides a judicial test of an issue highlighted last fall by a series of Wall Street Journal articles about judges or their family members holding stock in companies that appear in the judges’ court.”
• “Kramer Levin Naftalis & Frankel partner Paul Andre argued that the verdict should stand because Morgan hired a lawyer who immediately devised a blind trust once the judge learned about the holding. But Federal Circuit Judges Timothy Dyk, Richard Taranto and Tiffany Cunningham sounded convinced that the judicial disqualification laws require actual divestment of the financial interest.”
• “Cisco argued that the judge’s financial interest in Cisco, however minor, mandated his recusal under 28 U.S.C. 455(b). Morgan ruled that Section 455(b) requires recusal only if a judge has actual knowledge of the financial interest.”

“Congressional Democrats propose new rules on recusal, secrecy for U.S. judges” —

• “Democrats in the U.S. Congress proposed a raft of new rules for the federal judiciary on Wednesday including a formal mechanism to remove judges from hearing cases in the event of a conflict of interest and another intended to reduce secret court filings.”
• “The bill comes as U.S. Supreme Court Justice Clarence Thomas has faced calls by some Democrats to recuse himself from any cases involving the Jan. 6, 2021, attack on the U.S. Capitol by former President Donald Trump’s supporters, citing the activities of the justice’s wife Virginia Thomas, a conservative political activist. read more.”
• “Under current practice, the nine Supreme Court justices individually decide whether to recuse themselves from a case because of a conflict of interest. Under the proposed legislation, the full Supreme Court would be required to review requests for recusal.”
• “In addition, the legislation would require the Supreme Court to provide live video of its oral arguments on the internet as well as other ethics guidelines for judges. The Supreme Court has not allowed video of its arguments but began allowing live audio in 2020 at the outset of the COVID-19 pandemic and has continued that practice.”

“SRA Guidance: Confidentiality of client information (Updated 5 April 2022)” —

• “You need to have appropriate arrangements in place to help you to meet your obligations in relation to confidentiality. This will mean that any information supplied to you by clients is kept confidential in accordance with, as well as data protection law, any terms of engagement between you and the client. For example:
  • Information should not be passed to third parties without the client’s consent. This includes via marketing materials (including contributions to law firm directories or league tables) or passing client details by way of referral.
  • Confidential information regarding one client should not be passed to another.
  • Consider limiting the confidential information that you obtain from the client before a conflict check has been carried out and it has been established that you can act. This minimises the risk of such information being inadvertently disclosed, within the firm.”
• “Disclosure may be permitted by law. For example, you may be permitted or even required by law to disclose the potential commission of a criminal offence by your client, such as money laundering.”
• “Some firms may have overseas or connected offices or be part of a group structure where they are separate legal entities (such structures are often known as a “Verein” after a type of association of separate legal entities allowed under Swiss law).”
• “Such a firm may wish to share information about their clients with other parts of the group for conflict of interest checks or other due diligence. For example, a UK firm may be part of an international group that has set up a business acceptance unit within one overseas jurisdiction to carry out conflict and anti- money laundering checks for all the group’s prospective clients.”
• “Firms should provide current and prospective clients with an explanation of the group structure and of any data sharing and confidentiality arrangements within the group before seeking their consent to the disclosure of confidential information to separate legal entities in the group or their individual members or directors. As well as obtaining consent firms should consider whether it is in their client’s best interests to share the information across other members of the group and should restrict access in terms of the data supplied, and those who see it, to that necessary for the purpose.”
• “In the example given of the international group structure above, there may well be advantages to having all conflict and other checks carried out by a specific unit which puts in place information barriers to reduce the spread of information around the group. This could help prevent, for example, information about potential competing bids being shared between offices within the group and perhaps inadvertently released to clients (see case studies on reporting duties in the Overseas Rules).”
• “We recognise that, where firms are proposing to merge, or one firm is proposing to acquire another or part of another practice, that they will need to understand key information in relation to the other’s business. This can present challenges in terms of sharing information about your client base.”
• “You will wish to consider carefully what information you actually need and what is available in the public domain (for example where the firm is on the public record as acting for a key client) or without recourse to client specific information (for example, financial data about billing in respect of the business generally and specific practice areas or aggregated into bands).”
• “Any disclosure of confidential information should only be with consent and should be limited to that necessary for the purpose.”
• “In order to enable conflict checks to be carried out you may wish to disclose the identity of key clients, and in general terms the type of work done for the client. Including a provision in the client’s terms of business permitting disclosure expressly limited to this information for the purposes of merger discussions may be sufficient if it amounts to informed consent on the part of the client. More detailed information about work done or client billings is likely to require specific consent to be taken.”
• “It should be borne in mind for example, that the merger or acquisition may not proceed and that the proposed acquiring firm may act for those with interests adverse to the other firm’s clients. Therefore, there should be express requirements limiting the data to be disclosed and who sees it, their obligations to protect it and its return or destruction if the transaction does not proceed.”
• “In 2018, an SRA regulated firm received a large fine after it disclosed unredacted and in some cases sensitive and privileged confidential information and documents from over 7,000 client matter files to another firm that was proposing to acquire it. This disclosure was made without the knowledge or consent of the relevant clients. The purchasing firm which inspected that confidential material was also fined on the basis that it had failed to act with independence and behave in a way that maintains public trust in legal services by inspecting the unredacted confidential information and documents provided by the other firm without the knowledge or consent of the relevant clients and also by disclosing unredacted confidential information and documents from the acquisition targets’ client matter files to two other firms without the relevant clients’ knowledge or consent.”

A bit of everything from my reading list to share today, starting with an article from Leigh Isaacs (DLA Piper) and Andrew Corridore (Akin Gump): “Defensible Disposition Program: Article One—Let’s get down to Basics” —

• “This ‘keep everything forever’ mentality has led to an informational environment with severe financial and risk-related implications, and wading through volumes of data—often unclassified—can be a real hindrance to efficiency. The cost of storage has exponentially increased, and it is becoming more and more difficult to properly index the massive amounts of information. Failure to manage information can lead to over-retention of personal information or other sensitive materials that could cause serious financial or reputational damage in the event of a breach. It could also result in a violation of the ever-growing number of privacy regulations emerging around the globe.”
• “Further, there’s the implicit cost of finding a particular piece of information and how that cost increases when the information you are looking for is held amongst a tremendous volume of data—think: trying to find a needle in a haystack when the person searching for the needle could otherwise be billing at $995 an hour.”
• “So, what does defensible disposition actually mean? Disposition can include several actions, including destroying documents with no legal hold requirements or business value, moving data to less expensive storage (also known as archiving), or transferring custody of the information to another party (such as returning the data to the client to whom it belongs or transferring it to a third party such as another firm).”
• “You should be able to demonstrate to the client or to a judge, if it came to it, that you took all reasonable efforts to get the required input regarding the disposition of a client’s data. Also, depending on any agreed-upon terms in outside counsel guidelines or other documented agreements with the client about file disposition, you may need to get input from partners, clients, general counsel, or other internal people/groups.”
• “It is easy to get stuck in “analysis paralysis” when attempting to start and maintain a disposition program. To avoid this, it helps to approach your efforts with a two-pronged approach. These two prongs are: legacy and go-forward retention and disposition.”
• “Legacy disposition refers to the actions taken on data that precede any formal retention policy implemented by the firm. All organizations have pockets of data that may not have been well organized or governed. Typically, legacy information has little to no business value because of its age. However, because there isn’t a distinct policy covering it—and, more importantly, telling you what to do with it—destroying legacy information isn’t as simple as just throwing it away. In order to mitigate the risk of the data being related to an existing legal hold or being needed down the line, analyze the information, and consult the owners and other involved parties (e.g., attorneys, outside counsel, etc.). This can be especially challenging to navigate when those with relevant institutional knowledge are no longer available to provide guidance and advice.”
• “On the other hand, while still having its complexities, a go-forward retention and disposition policy is a bit more straightforward from a defensible disposition standpoint. This policy will explicitly detail the length of time a company will retain certain data and what happens to the data at the conclusion of the retention period. That said, it is important to invest in training and awareness along with monitoring and auditing lest the piles of unstructured and unclassified information continue to proliferate.”

via Eileen Garczynski (Ames & Gough), Cyber Special Ops, LLC notes: “How can a law firm’s Lawyer’s Professional Liability get triggered from a cyber attack, potentially eroding a firm’s entire E&O?” —

• “In its third day of trial, a Missouri federal jury heard how the collaboration between a hacked law firm, Warden Grier, and Hiscox, broke down into days and weeks in intense efforts to co-manage technical experts and inform stakeholders.”
• “As early as 2002, Hiscox retained Warden Grier to render professional legal services on behalf of Hiscox insureds for Non-Marine First Party Business and Non-Marine Casualty Business. According to the complaint, hackers obtained personally identifiable information of clients of Hiscox’s corporate policyholders through a cyberattack on Warden Grier.”
• “A group known as The Dark Overlord first hacked Warden Grier in February 2017 and threatened to publicize its data unless the law firm paid a ransom. Warden Grier paid the ransom but did not notify Hiscox of the breach. A year later, the hackers made an additional ransom demand and told Hiscox of the breach. Two days later, Hiscox contacted Warden Grier about the breach and the law firm confirmed it had been hacked, court papers say.”
• “Hiscox then hired various experts to help it manage its potential exposures arising from the breach. Costs the insurer incurred included $1.1 million paid to a firm that analyzed the breached data, $276,859 paid to another law firm, $107,456 paid to a public relations consultant and $6,189 paid to a call center.”
• “Hiscox wants $1.37 million in compensatory damages for bills paid to Cooley, LLP and Charles River Associates for the forensic work.”

“Legal firms ‘must raise defences against dirty cash’” —

• “Solicitors across Scotland are under pressure to increase defences against dirty money after a Kremlin-linked oligarch claimed his business was based at the HQ of a blue-chip Edinburgh law firm.”
• “Anti-corruption experts have already warned lawyers against offering mailbox or other services for anonymously or opaquely owned corporate entities, such as widely abused Scottish limited partnerships, or SLPs.”
• “Last night Alison Thewliss, the SNP’s Treasury spokeswoman, said she is deeply concerned about legal firms being exploited as she warned against ‘flows of dirty money’ being assisted ‘by professionals right here in the UK’.”

“Regulator probes law firms accused in Parliament over oligarch work” —

• “The Solicitors Regulation Authority (SRA) has started visiting law firms named in Parliament amid concerns about their work for Russian oligarchs, it has emerged. It forms part of a series of actions the regulator is taking in the wake of Russia’s invasion of Ukraine.”
• “In his update for the recent meeting of the SRA board, chief executive Paul Philip noted that there have been a number of comments made in Parliament, both in general and about specific firms, ‘that lawyers are helping individuals included on the sanctions list to seek a defence, are not conducting proper checks on clients, or are threatening litigation in a way designed to stifle public debate and discourage public criticism, known as strategic litigation against public participation (SLAPPs)’.”
• “He said the SRA was writing to the MPs and peers making allegations to ask for further information, ‘in order to investigate any misconduct’. Further, it was ‘commencing visits to those firms named in the Parliamentary debate, and engaging in further visits as part of our ongoing rolling programme of inspections to ensure compliance with the money laundering regulations’.”
• “Mr Philip said the regulator has also been ‘in touch’ with the firms that fall within its regulatory management regime – magic and silver circle firms conducting high-profile corporate, commercial and finance work, other large City and international firms, national firms, US firms with offices in England and Wales, and multi-disciplinary practices – to make sure they understood their obligations and the importance of compliance in this area.”
• “Mr Philip added: ‘There will be unidentified costs for some of this work that we will need to cover both in this and next year’s budget…The main costs will be a system to check firms’ clients against the financial sanctions lists, which is necessary because of the number of clients and entries on the list involved and to eliminate false positives.'”

(From time to time I find myself spelunking down various risk rabbit holes. Sometimes nothing comes of that. Sometimes there’s treasure. Sometimes it’s in between.)

Looking at some statistics, I observed that audit letter response (past posts) has actually been an area of healthy reader interest over the years. So I took a drive along the information highway to see if there were any fresh materials of note. Found some fresh and some older but still interesting examples I thought I’d share today.

I also found a job posting from a 1000+ law firm looking to hire for an audit letter analyst position specifically, so that was another interesting data point for my risk radar. According to the always completely scientific LinkedIn search, there are at least 20 individuals (on LinkedIn) working at law firms comprising at least 200 individuals with “audit letter” in their actual job titles. Though ~90% of those are at firms comprising 1000+ individuals. Make of all of this what you will. I think it’s all fascinating. (Hence the rabbit hole.)

For those interested other materials on the topic, see:

2021 Presentation: “Audit Response Letters and Disclosures: Counsel’s Role in Balancing Auditor Demands and Company Privileges” —

• “This CLE course will guide counsel for responding to external auditor inquiries concerning their client’s litigation, claims and assessments, and related financial reporting and disclosures. The panel will explain best practices for providing information regarding ‘pending or overtly threatened’ legal claims in audit response letters and updates without compromising the client’s privileges and confidentiality.”
• “Accountants conducting external audits of a company’s financial statements and related disclosures must ask the company for information about “pending or overtly threatened” legal matters, including litigation and government investigations. However, the longstanding ABA Treaty between the legal and accounting professions contemplates that attorneys providing this information will limit their discussion of these matters to protect attorney-client privilege and the company’s litigation position.”
• “In recent years, auditors have pushed for information from attorneys beyond the ABA Treaty, and counsel must deal with more difficult issues in their responses to audit letters. When responding to auditors, counsel must act carefully and strategically. This includes an internal inquiry to determine what to disclose in the response, setting a mutually agreed-upon dollar amount threshold for materiality, including a confidentiality clause in the audit engagement letter.”
• “Listen as our authoritative panel discusses recent trends in audit response letters and the complicated legal issues counsel must navigate in determining what to disclose in their responses.”
• “Outline:
  • Latest trends in audit response letters
  • External audits: duties of auditors and attorneys
  • Attorney-client privilege issues with audit response letters
  • Best practices for responding to auditor inquiries”
• Thankfully, for those who just want the PDF of materials, those are linked on the summary page above, and available here.

2019 Presentation: “Audit Response Letters and Disclosures: In-House Counsel’s Role in Balancing Auditor Demands and Company Privileges.” While the title and outline are the same as above, the actual course materials include: “In-House Counsel: Considerations for Interacting with Auditors,” which goes into greater detail.

And it’s in the 2017 version of that resource from the even earlier version of that session (available here, with standard caveats that often updates, edits and removals are done for a reason) includes a specific story of law firm audit letters playing a role in a DOJ matter: SEC v. RPM International Inc., Case 1:16-cv-01803 (D.D.C. Sept. 9, 2016):

• “In this case, the SEC alleges that RPM, as a result of conduct by Mr. Moore, failed to timely accrue for and disclose a loss contingency related to a government investigation arising from a sealed qui tam complaint. Although the SEC’s complaint does not assert any scienter­based claims, it nonetheless seeks to leave the misleading impression that Mr. Moore committed “fraud.” It does so by taking statements out of context; understating the complexity, nuance and ambiguity of the accounting standards at the heart of this case; and omitting inconvenient, yet relevant, facts from documents on which it otherwise relies, including the following:
  • An independent investigation by RPM’s audit committee, relied upon and cited in the SEC’s Complaint, found no evidence of intentional wrongdoing, fraud, or indeed any unlawful conduct, by Mr. Moore or anyone else at the Company;
  • Mayer Brown, the law firm handling the investigation for RPM, did not believe that the matter constituted a disclosable loss contingency during the period in question, a view conveyed in its quarterly audit response letters to RPM’s auditor, Ernst & Young (“EY”);
  • In a communication described only in part in the Complaint, the U.S. Attorney’s Office asked RPM and Mr. Moore not to disclose the existence of the sealed qui tam complaint or the related government investigation allegedly giving rise to the loss contingency;
  • There was no material impact on RPM’s share price after the contingency was accrued for and disclosed; and
  • Mr. Moore did not obtain any benefit, monetary or otherwise, from the alleged delay.”

In my journey, I also spotted that a year ago WilmerHale won another award (complimenting its earlier ILTA finalist honor) from The American Lawyer: “The American Lawyer Recognizes WilmerHale With Best Use of Technology Award.” So, belated congrats to that team —

• “WilmerHale was named the winner of the Best Use of Technology Award at The American Lawyer Industry Awards in recognition of the firm’s work to create an almost fully automated workflow to respond to client audit letters. The annual award recognizes the firm that has implemented technology to either improve the delivery of legal services, improve efficiency in internal or client-facing operations, or improve work-life balance.”

“Lawyer Witness Rule, Other Concerns, Justify Disqualification” —

• “The North Carolina Court of Appeals affirmed the grant of a motion to disqualify as counsel an attorney sued for malpractice by his former client under the lawyer-as-witness rule.”
• “The court held that the attorney could not represent either himself or a law firm co-defendant. The defendant attorney had contended that the motion was “premature” at the pretrial stage. The court disagreed.”
  • “‘A lawyer’s right to be self-represented even when the lawyer is likely to be a necessary witness notwithstanding, the question remains whether circumstances may arise permitting a court to disqualify a lawyer from appearing pro se in a particular case. North Carolina courts do not appear to have addressed this question. At least one court has suggested, however, that while the witness-advocate rule codified in Rule 3.7 does not apply to lawyers appearing pro se, the pro se lawyer may still be subject to discipline or sanctions including disqualification for abusing the role of lawyer-litigant'”
  • “‘Here, while it is apparent that the trial court did rely on Rule 3.7 in part for the basis of disqualifying Fine from representing both himself and Marshall Grant, it is also clear this was not the sole basis for disqualifying Fine. In fact, the trial court’s Findings reflect the trial court’s concern was not merely that Fine may likely be a necessary witness, but rather that Fine would likely be the key witness with unique knowledge upon which both his and Marshall Grant’s liability may hinge. Further, the trial court’s Findings reflect concern about Fine’s ability to operate and advocate objectively in this tripartite role of litigant, lawyer, and key witness as illustrated by Fine’s behavior and demeanor in this case including Fine’s own acknowledgment: ‘he was angry about being sued by Plaintiff and therefore his filed motions may reflect his emotional feelings…'”

“Eckert Seamans Gets Fraud Charges Cut from Conflict Suit” —

• “A federal court trimmed fraud claims from a gaming company’s lawsuit accusing its former lawyers at Eckert Seamans Cherin & Mellott LLC of hiding a conflict of interest, but it gave the plaintiff an opportunity to revise the suit.”
• “U.S. District Judge Jennifer Wilson partly granted Eckert Seamans’ motion to dismiss parts of the lawsuit that Pace-O-Matic had filed over the firm simultaneously representing POM in Virginia and gaming rival Parx Casino in Pennsylvania, reasoning that even if the firm had denied any involvement with litigation adverse to POM’s interests, POM hadn’t shown that it took the firm at its word and suffered because of it.”
• “‘The court finds the allegation of reliance lacking in this case. There is no averment that POM altered its intended course of action because of Eckert’s representations, and POM does not explain how it relied on these representations,’ Judge Wilson wrote in her opinion Thursday.”
• “The court dismissed without prejudice POM’s claim of fraud, as well as its request for a declaratory judgment that the firm had violated ethical rules and its fiduciary duty. She denied motions to dismiss a request for punitive damages, or a declaration that the firm should be barred from representing POM’s rivals in the future.”
• “Georgia-based POM had hired Eckert Seamans to represent it in a lawsuit in Virginia in 2016, where the firm argued that POM’s game machines required the use of skill and therefore weren’t illegal gambling. At the same time, Eckert Seamans was also representing Greenwood Gaming & Entertainment, which operates as Parx, in Pennsylvania. But in 2018, when POM filed two lawsuits in Pennsylvania over the removal of its games, Eckert Seamans — allegedly working with another firm — took the opposite position and argued in an amicus brief for the casino operator that POM’s devices were gambling machines and should be barred.”
• “The court had initially refused to let Eckert Seamans duck the request for a preliminary injunction, deriding the firm’s claim it was no longer representing Parx as “pinky promises,” but the two sides eventually reached an agreement to resolve the injunction in January 2022, Judge Wilson noted.”