Bressler Risk Blog

“How COVID-19 and a Recession Could Impact Malpractice Claims” —

• “During a recession, and for the three years following, there has historically been a huge spike in paid claims, which is a number that typically doesn’t return to a more normalized level until five years post-recession. In addition, and looking back at the events of 2008 specifically, legal malpractice insurers experienced a spike in paid claims above $10,000 that ranged from 35% to 41%. I share this in order to explain why recessions always capture the attention of the insurance industry because given how the markets look of late, another recession appears to be imminent thanks to the COVID-19 pandemic.”
• “Now, based upon what has happened as a result of past recessions coupled with the realities of the response to COVID-19 from the individual level to that of governments, here’s what legal malpractice insurers are currently concerned about.”
• “irst, claim frequency and/or claims severity will change for any number of reasons. We just can’t accurately predict how. At a minimum, clients will look to blame their lawyers when their business dealings go south as a result of the near-certain recession that’s coming. Lawyers and staff will make mistakes that would otherwise not have been made due to the rapid transition to working from home and/or being under excessive stress. And clients, who are also experiencing excessive stress, will question decisions they made in light of the advice their lawyer gave them if their legal matter doesn’t work out the way they expected it to. Regardless, there will be a new normal in terms of claims, at least for a few years.”
• “Second, policy retention may be an issue; but again, we can’t accurately predict how this might evolve. Lawyers facing difficult financial times may choose to leave the practice of law entirely or may decide to allow their policy to lapse and simply go bare as a way to save some money. Of course, there’s the flip side, some who have previously been bare may decide now’s the time to purchase coverage because the value of their assets have dropped, and their level of risk has risen. Only time will tell.”

“Restatement to the Rescue: 20-Year-Old Treatise May Help Ease Work-at-Home Privilege Problems” —

• “Since so many lawyers and clients are now communicating with each other from their homes, the COVID-19 pandemic presents such a time with respect to the protection of attorney-client privilege.”
• “For lawyers who have long since set themselves up to operate on a “virtual” basis and for clients who have developed sophisticated systems for assuring confidentiality, there may be no change. But what about the rest of us who now find ourselves or our clients communicating while regularly surrounded not only by household pets but also by children, relatives, and spouses or partners – with little or no guarantee of “private” space or time? This is where the 20-year-old §71 of the Restatement of the Law (Third), The Law Governing Lawyers (2000) can provide some helpful advice.”
• “It is known that a reasonable expectation of confidentiality at the time of a communication between attorney and client must exist before a communication can be potentially considered for privilege protection.”
• “Translated to the age of COVID-19, this can fairly be taken to mean that neither lawyers nor their clients can immediately be expected to go as far in protecting the confidentiality of their client communications from home as they used to do from the office.”
• “Nonetheless, two limitations must be noted. One is that steps that can reasonably be taken now… The other is that the duties that lawyers have to protect communications on their end and to advise clients about risks to confidentiality on the client end may well grow if and when it appears that lawyers and clients will remain working from home for a prolonged period of time.”

The Law Society: “Coronavirus (COVID-19) advice and updates” —

• “In response to questions from our members, our latest advice for firms is below.This information will be updated regularly to reflect the most recent guidance.”
• “Are solicitors key workers? Only legal practitioners who work on the types of matters, cases and hearings listed above can be classified as key workers:
  • advocates (including solicitor advocates) required to appear before a court or tribunal (remotely or in person), including prosecutors
    other legal practitioners required to support the administration of justice including duty solicitors (police station and court) and barristers,
  • solicitors, legal executives, paralegals and others who work on imminent or ongoing court or tribunal hearings
  • solicitors acting in connection with the execution of wills
  • solicitors and barristers advising people living in institutions or deprived of their liberty”
• “What are a solicitor’s professional obligations if they are unable to provide the services required, due to coronavirus? You should notify the client as soon as practical that due to coronavirus issues the service cannot be provided, and suggest that they try another solicitor (perhaps giving a list of three alternatives or a link to the Law Society’s Find a Solicitor service).”
• “What should I do if I have court deadlines coming up? A new Practice Direction under the Civil Procedure Rules seeks to address the issue of extensions of time. Practice Direction 51ZA, effective from 2 April 2020, makes provision for parties to agree extensions of time to comply with procedural time limits in the Civil Procedure Rules, Practice Directions and court orders. Parties can agree an extension up to 56 days without formally notifying the court (rather than the previous 28 days) so long as that does not put a hearing date at risk. Any extension of more than 56 days needs to be agreed by the court. It provides guidance to the court when considering applications for extensions of time and adjournments. This Practice Direction ceases to have effect on 30 October 2020.”

A few weeks ago, Zoom seemed to be poised to achieve “Ketchup/Kleenex/Xerox”-like brand status as a verb, offering convenient collaboration in a way that appealed to the remote working world. Now several shoes are dropping as security concerns are driving serious repercussions. While not our standard conflicts fare, this all seemed worth a consolidated review.

Today’s latest: “Elon Musk’s SpaceX bans Zoom over privacy concerns – memo” —

• “Elon Musk’s rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing “significant privacy and security concerns,” according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app.”
• “SpaceX’s ban on Zoom Video Communications Inc illustrates the mounting challenges facing aerospace manufacturers as they develop technology deemed vital to national security while also trying to keep employees safe from the fast-spreading respiratory illness.”
  “NASA, one of SpaceX’s biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.”
  “Investigative news site The Intercept on Tuesday reported that Zoom video is not end-to-end encrypted between meeting participants, and that the company could view sessions.”

(Having performed a cursory search to identify firms who have recently represented SpaceX, I note several familiar names. Curious if SpaceX or others are extending guidelines to address conference tools.)

In related Zoom news, see:

• “Attackers can use Zoom to steal users’ Windows credentials with no warning“
• “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing“
• “Ex-NSA hacker drops new zero-day doom for Zoom“
• “A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles“
• “Zoom’s security and privacy problems are snowballing“
• “Zoom hit with class-action lawsuit for sharing user data with Facebook“

(Of course, some of us are curious when client and firm attention will be turned to Microsoft Windows Telemetry and data gathering on that front… But that’s a post and discussion for another day…)

My thanks to Charles Lundberg for writing in to note his latest article: “Quandaries and Quagmires: Legal ethics, risk management in pandemic” —

• “In a span of less than two weeks, the coronavirus outbreak has caused unprecedented disruption in law firms and created a host of new issues for firm general counsel and ethics partners. Here is a sampling of new ethics and risk management issues that have arisen almost overnight.”
• “A new paradigm for civility and reasonableness? Last week, a statement by the Los Angeles County Bar Association’s Professional Responsibility and Ethics Committee called for a new emphasis on lawyer civility… Now the point is this: A month ago there would have been nothing particularly remarkable about counsel pressing for an expedited hearing as he did. But everything has changed now. The pandemic has suddenly narrowed the Overton Window of reasonableness in litigation.”
• “New cybersecurity concerns for remote work. A recent ABA panel of experts noted that law firms need to be mindful of how employees working remotely can avoid computer viruses and other cybersecurity risks… Hackers are no doubt aware that they can exploit weakened technology systems because most lawyers and support staff are suddenly working remotely. Law firms must protect their clients’ sensitive personal information whether it is viewed in a lawyer’s home or at the firm.”
• “Wellness issues. Until about three years ago, “attorney wellness” as a law firm risk management issue wasn’t even a Thing. It is now one of the top 5 concerns of those in the ethics and risk management arena. And without question it has become a much bigger issue in the time of pandemic. The deeper issue here is that this is much more than just a law firm risk management issue. It is rather a part of the firm’s culture. Nothing will ensure loyalty to a firm like an open and transparent attitude of caring for the families of its staff in time of crisis. ‘This is the kind of firm we are’ should be the watchword.”
• “Competence: Keeping up with changes in the law and standards for practice. How do firms keep up with the changes that are occurring almost daily as governments respond to the pandemic? Every day, general counsel responsible for workers across jurisdictions are trying to get up to speed on new mandates, while seeking advice from outside counsel and other external resources. And the ethical duty of supervisory lawyers to ensure competent practice by subordinate lawyers is not subject to a pandemic exception… Across all practice areas, competence in using any new technology (e.g. Zoom for meetings with a client, etc.) must be confirmed. (Speaking of Zoom, have you checked the privacy policy for that app to see what information is being collected about you?)”

“K&L Gates Loses Dismissal Appeal in Conflict Case” —

• “K&L Gates has again suffered a loss in its effort to quash a Texas lawsuit alleging it engaged in conflicts of interest, including violations of the Deceptive Trade Practices Act… In the underlying suit, a Texas semiconductor company, Quantum Materials Corp., claimed the law firm represented lenders in a legal action against Quantum while also representing Quantum.”
• “Quantum retained K&L Gates in 2016 as corporate counsel—yet although they stopped sending work to the firm, the representation never formally ended, the company claims.”
• “While the panel ruled that claims the firm breached its fiduciary duty and engaged in deceptive trade practices should go forward, the judges took a more restrained view about another Quantum claim, that the firm engaged in legal malpractice… Instead, the panel found that the malpractice claim is ‘in substance’ a claim of breach of fiduciary duty.”
• “A K&L Gates spokesman declined comment on the opinion and the case.”

“Game Maker Says Eckert Seamans Can’t Represent Rival” —

• “A Georgia-based game machine maker asked a Pennsylvania federal court Tuesday to block its onetime law firm Eckert Seamans Cherin & Mellott LLC from representing its rival, arguing the legal attacks the firm has leveled since jumping ship to counsel the rival are ‘a clear breach of its fiduciary duty.'”
• “Pace-O-Matic, which refers to itself as an “amusement machine supplier,” sued the law firm in February, accusing it of breaching its contract and fiduciary duties by dropping the business “like the proverbial ‘hot potato'” to take on Greenwood Gaming, which allegedly has deeper pockets, as a client.”
• “According to the memo, Eckert Seamans began representing Pace-O-Matic in 2011 and was retained for a second matter in 2016. The firm argued on the company’s behalf up until last summer in a legal dispute in Virginia. In that dispute, the firm contended that its devices are games of skill and not gambling, according to the memo. Also during that time, the firm had access to Pace-O-Matic’s confidential material, Pace-O-Matic alleges.”
• “Counsel for Eckert Seamans declined to comment Wednesday.”

On the heels of last week’s note on digital assistants, comes increasing focus on and scrutiny of third-party conference providers. Today it seems like Zoom is on everyone’s minds, lips and screens. (For unrelated news on that, see: “SEC pauses Zoom Technologies trading because people think it’s Zoom Video“).

With several stories specifically cautioning firms about confidentiality management as team move to remote working, this caught my eye and thoughts: “Zoom needs to clean up its privacy act” —

• “Two days ago, Consumer Reports, the greatest moral conscience in the history of business, published Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know: Videos and notes can be used by companies and hosts. Here are some tips to protect yourself. And there was already lots of bad PR. A few samples:
  • Zoom is a work-from-home privacy disaster waiting to happen (Mashable, March 13)
  • Zoom Privacy Policy is a Risk (Cumulus Global, March 24)
  • Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk (Forbes, March 25)
  • Zoom and Houseparty: Video Calling at Your Own (Privacy) Risk (VPN Overview, March 25)
• “What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it.”

And:  “Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know.” —

• “Zoom’s privacy policy is similar to many digital platforms’, claiming the right to collect and store personal data, and share it with third parties such as advertisers.”
• “In Zoom’s case, that extends to what the company calls customer content, or ‘the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.'”
• “Videos aren’t off-limits, according to the document, and neither are transcripts that can be generated automatically, the documents you share on your screen, or the names of everyone on a call. (The privacy policy posted online was updated over the weekend but backdated to Wednesday, March 18.)”
• “‘Zoom isn’t necessarily doing anything users would object to’ with the data, says Bill Fitzgerald, a Consumer Reports privacy researcher who analyzed the company’s policies. ‘But their terms of use give them a whole lot of leeway to collect information and share it, both now and in the future.’ (Consumer Reports is a Zoom client, using the service for some company-wide meetings.)”

Clearly, some of these risk concerns and issues are tied to the design of the system itself (including some arguably dark design patterns), while some are more related to how users use the system (which might apply to any technology). Still, worth considering what data is being created, collected and stored as the volume of this type of activity grows and grows…

Some of us in two-party consent states watch the growing adoption of recording devices with interest, to say the least. (Is that Ring doorbell recording folks unknowingly the subject of a future class action? Who can say… But better not be having conversations on anyone’s doorsteps these days…) But what many are increasingly saying is that concerns about in-home assistants are worth a bit of risk review. Here’s the latest law firm perspective on that: “Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls” —

• “As law firms urge attorneys to work from home during the global pandemic, their employees’ confidential phone calls with clients run the risk of being heard by Amazon.com Inc. and Google.”
• “Mishcon de Reya LLP, the U.K. law firm that famously advised Princess Diana on her divorce and also does corporate law, issued advice to staff to mute or shut off listening devices like Amazon’s Alexa or Google’s voice assistant when they talk about client matters at home, according to a partner at the firm. It suggested not to have any of the devices near their work space at all.”
• “Mishcon’s warning covers any kind of visual or voice enabled device, like Amazon and Google’s speakers. But video products such as Ring, which is also owned by Amazon, and even baby monitors and closed-circuit TVs, are also a concern, said Mishcon de Reya partner Joe Hancock, who also heads the firm’s cybersecurity efforts.”
• “Smart speakers, already notorious for activating in error, making unintended purchases or sending snippets of audio to Amazon or Google, have become a new source of risk for businesses.”
• “Amazon and Google say their devices are designed to record and store audio only after they detect a word to wake them up. The companies say such instances are rare, but recent testing by Northeastern University and Imperial College London found that the devices can activate inadvertently between 1.5 and 19 times a day.”

Hey Siri, have any Outside Counsel Guidelines had any words about you yet?

“How Law Firms Can Harden Their Data Security During COVID-19 Crisis” —

• “The COVID-19 pandemic has forced law firms into a new work paradigm, switching overnight to a remote workforce. Law firms, already an attractive target for cybercriminals, now face a workforce operating from informal home environments. As a result, law firms must address data security risks as they balance making data available for remote access.”
• “Sheryl A. Falk, a co-leader of Winston & Strawn’s global privacy and data security task force, answers some of the questions surrounding how a remote workforce can still protect client information. Her answers have been edited for clarity and brevity.”
• “Law firms should consider and adapt to new data security challenges presented by remote work. Ensure that all connections to the law firm’s information systems are made via a secure connection through a VPN or virtual desktop, with appropriate access controls in place, such as two-factor authentication… Restrict employee access to data needed to do their specific job functions…”
• “Law firms should arm employees with information to keep data safe. Redistribute any firm data security policies, such as bring your own device policy or written information security program. Counsel employees on remote working best practices.”
• “Firms should stay alert for potential unauthorized access, including monitoring logs and external connections to the network systems to detect an unauthorized third party from penetrating the law firm’s network. Firms should also ready their response to an incident by quickly reviewing their data security response plan and cyberinsurance.”

“What Law Firms Should Know About COVID-19” —

• “According to a recent private survey about COVID-19, 74% of law firm respondents expect that there will be a modest to severe impact on legal services demand over the next two quarters. In addition to the issues facing all businesses during this time, law firms also face unique risks as a result of the spread of COVID-19.”
• “Law firms face risks based on their role as employers and also based on the duties owed to clients… The onset of COVID-19 does not mean that law firms’ duties to clients go away or that lawyers can treat this period as a “vacation” from their obligations. But, changes from courts and other entities have created uncertainty among practitioners. There will inevitably be some confusion and perhaps even some gridlock once courts reopen and deadlines begin to apply again. Law firms and lawyers can use this time to advise clients of the status of their cases and matters in light of the shutdown and advise on the recommended next steps.”
• “Law firms may also consider educating their work force about the importance of maintaining client confidentiality while working remotely. This may include reminding attorneys and staff that client confidential matters must remain discrete, even within the home, and that attorneys and staff have an obligation to protect the confidentiality of client matters wherever they are.”

I’ve been having conversations with colleagues about how the Covid-19 situation is affecting everything, including risk operations and management. One element noted in one of yesterday’s articles — moving from paper-based processes to electronic everything — is something I’ve definitely seen come up in a few areas (internal bill generation processes being a recent example).

So I wanted to invite risk readers to share their experiences and stories:

• How have you and your risk teams responded to the shift to remote work?
• What challenges have you faced (expected or unexpected)?
• And how have you been managing?
• Have you made changes or adjustments along the way? Why?
• Beyond your team operations, how have things changed in terms of working internally across functions, particularly in terms of your lawyer stakeholders?
• Are there interesting stories or advice would you share with your risk peers out there?
• What am I not asking about that I should be? And what’s your answer?

If you’re reading this in your inbox, you can just reply, answering any or all of the above. (And if you’re reading online, you can use the contact form, after you subscribe.)

When you do, please let me know if I can share your identifying details in any summary I generate. Or if you’d rather be anonymous to the world.

I don’t know what the response we’ll get here will be, if anything. But I like experiments. Feels right for a blog about risk…

With my living room transformed into the Bressler Academy for Precocious and Mischievous Young Ladies (who have been known to suggest clip art while watching over my shoulder during evening risk blogging sessions), I note, more seriously, that today many of you are working remote, managing personal and professional challenges, and waiting to see what the days ahead bring.

On a professional front, I’ve noted an expected and increasing crop of general stories of how organizations are adapting to this new landscape, and advice about the same ranging from the generic to the incredibly astute. Here are some specifically focused on law firm risk:

“Client Service Continuity Strategies for Law Firms Responding to Coronavirus Pandemic” —

• “During this period of uncertainty, the health and welfare of your lawyers, staff, and clients is a top priority. However, attorneys must also be prepared to continue to provide legal services to clients regardless of measures taken by any government or oversight organization. In addition, the need to potentially self-quarantine has to be taken seriously. The best and only time to prepare for an interruption in practice—whether self-imposed or by a third party—is before it happens.”
• “One of the primary risks for law firms in a quarantine situation are missed deadlines… Immediately review upcoming deadlines for the next 60 days and consider how you will meet those deadlines should you be quarantined.”
• “Consider arrangements to have mail delivered to your home or scanned and sent to you if you are out of the office. Again, do not rely strictly on your legal assistant in the event he or she is unavailable for any reason. Identify a backup for that task.”
• “Review and consider the privacy and security of any client records and documents, as well as your ability to meet the requirements of outside counsel guidelines when working remotely. This typically means client information should not be placed or stored on home computers, personal storage devices, or in the cloud, which violate most—if not the majority of—standard outside client guidelines.”

“COVID-19: How to Maintain Regulatory Obligations While Working Remotely” —

• “Remote working increases the risk of data breaches and loss of confidential information through hard copy documents being transported and kept at home, rather than in offices with the necessary systems and controls in place. Colleagues should work digitally wherever possible and be advised against working from hard copy documents and minimising the need to make handwritten notes of calls or virtual meetings they attend – typed notes should be encouraged.”
• “Colleagues should be reminded to work in private environments where conversations of a confidential nature cannot easily be overheard and computer screens cannot be easily seen by third parties. The importance of locking computer screens when unattended (even within one’s home) should be reinforced.”
• “Being away from the office should not lead to a relaxed attitude to the importance of one’s regulatory obligations. Individuals should be aware that they are responsible for the professional judgement they exercise when working at home and that the various discussions and decisions taken on a particular case, for example around disclosure or potential conflict points, should be carefully recorded. This should include reasoning for why they have chosen to act in a certain way, so that they can justify their decisions, should they need to, in the future. The SRA’s Enforcement Strategy recognises, however, that mistakes do happen; clear record keeping will help the SRA decipher between honest mistakes and those that are less excusable.”