Bressler Risk Blog

With thanks to Anthony Davis at Clyde & Co for the gracious invitation, I’m looking forward to this ABA webinar on April 20th (at 2pm eastern): “Are Outside Counsel Guidelines a Threat to the Practice?” —

• Have outside counsel guidelines gone a step too far? Are they being used to inappropriately restrict lawyers? Join our terrific ABA members and ethics lawyers Anthony Davis, Bruce Green, and Eric Hirschhorn as they grapple with the issues and discuss whether the ABA Model Rules of Professional Conduct should be amended to address these and similar concerns or whenever these should be left to bargaining between clients and their outside counsel.
• The ABA Model Rules of Professional Conduct strike a balance between allowing clients and lawyers to contract with one another as they see fit and protecting essential elements of the practice of law (including access to legal services, the definition of what constitutes a conflict of interest, confidentiality of client information, loyalty to clients, and the independence of lawyers)
• Some argue that this balance is being upset by a growing profusion of outside counsel guidelines (collectively, “OCGs”) that are generated by institutional clients.
• What’s a lawyer to do when OCGs:
  • Expand the definition of “client” far beyond the organization that will actually receive legal services;
  • Restrict a lawyer from providing services to competitors of the client;
  • Require disclosure of confidential information relating to other clients;
  • Expand the definitions of positional conflicts so as to restrict law firms’ availability to serve other clients; and
  • Restrict the lawyer’s future use of expertise garnered during the course of representing a client?

The event is free for ABA members with a registration fee for non-members. But I’ll aim to take a few notes on anything interest I hear…

ILTA’s upcoming IG webinar caught my eye as relevant on several fronts: “Teams and Other Collaboration Platforms With IG Considerations: An Open Mic Discussion” (if that link doesn’t work, see their general events page) —

• Apr 15, 2020 from 3:00 PM to 4:00 PM (ET)
• This virtual roundtable will be an open forum where members can learn and contribute to the topic of Microsoft Teams and other collaboration platforms with an IG (Information governance) structure. We will have several experts to help give some good suggestions for people to improve communications, and collaboration while proactively taking security into consideration. Other topics to be discussed:
  • Security of data while working remotely
  • Is now a good time to get your IG in order?
  • Time for spring cleaning?
  • Time to introduce and reinforce the culture and process changes needed to effectuate smart use of collaboration tools

Please join us to listen and share your thoughts and experiences in this topsy-turvy time.

Panel

• Rachael Heade – Sr. Program Manager Information Management Policy and Compliance, Microsoft
• Leigh Isaacs – Director, Information Governance & Records Management, Proskauer Rose LLP
• Rick Krzyminski – Client Solutions Officer, Baker Donelson Bearman Caldwell & Berkowitz
• Beau Mersereau – Chief Legal Technology Solutions Officer, Fish & Richardson PC
• Darrell Mervau – President, FileTrail

“How COVID-19 and a Recession Could Impact Malpractice Claims” —

• “During a recession, and for the three years following, there has historically been a huge spike in paid claims, which is a number that typically doesn’t return to a more normalized level until five years post-recession. In addition, and looking back at the events of 2008 specifically, legal malpractice insurers experienced a spike in paid claims above $10,000 that ranged from 35% to 41%. I share this in order to explain why recessions always capture the attention of the insurance industry because given how the markets look of late, another recession appears to be imminent thanks to the COVID-19 pandemic.”
• “Now, based upon what has happened as a result of past recessions coupled with the realities of the response to COVID-19 from the individual level to that of governments, here’s what legal malpractice insurers are currently concerned about.”
• “irst, claim frequency and/or claims severity will change for any number of reasons. We just can’t accurately predict how. At a minimum, clients will look to blame their lawyers when their business dealings go south as a result of the near-certain recession that’s coming. Lawyers and staff will make mistakes that would otherwise not have been made due to the rapid transition to working from home and/or being under excessive stress. And clients, who are also experiencing excessive stress, will question decisions they made in light of the advice their lawyer gave them if their legal matter doesn’t work out the way they expected it to. Regardless, there will be a new normal in terms of claims, at least for a few years.”
• “Second, policy retention may be an issue; but again, we can’t accurately predict how this might evolve. Lawyers facing difficult financial times may choose to leave the practice of law entirely or may decide to allow their policy to lapse and simply go bare as a way to save some money. Of course, there’s the flip side, some who have previously been bare may decide now’s the time to purchase coverage because the value of their assets have dropped, and their level of risk has risen. Only time will tell.”

“Restatement to the Rescue: 20-Year-Old Treatise May Help Ease Work-at-Home Privilege Problems” —

• “Since so many lawyers and clients are now communicating with each other from their homes, the COVID-19 pandemic presents such a time with respect to the protection of attorney-client privilege.”
• “For lawyers who have long since set themselves up to operate on a “virtual” basis and for clients who have developed sophisticated systems for assuring confidentiality, there may be no change. But what about the rest of us who now find ourselves or our clients communicating while regularly surrounded not only by household pets but also by children, relatives, and spouses or partners – with little or no guarantee of “private” space or time? This is where the 20-year-old §71 of the Restatement of the Law (Third), The Law Governing Lawyers (2000) can provide some helpful advice.”
• “It is known that a reasonable expectation of confidentiality at the time of a communication between attorney and client must exist before a communication can be potentially considered for privilege protection.”
• “Translated to the age of COVID-19, this can fairly be taken to mean that neither lawyers nor their clients can immediately be expected to go as far in protecting the confidentiality of their client communications from home as they used to do from the office.”
• “Nonetheless, two limitations must be noted. One is that steps that can reasonably be taken now… The other is that the duties that lawyers have to protect communications on their end and to advise clients about risks to confidentiality on the client end may well grow if and when it appears that lawyers and clients will remain working from home for a prolonged period of time.”

The Law Society: “Coronavirus (COVID-19) advice and updates” —

• “In response to questions from our members, our latest advice for firms is below.This information will be updated regularly to reflect the most recent guidance.”
• “Are solicitors key workers? Only legal practitioners who work on the types of matters, cases and hearings listed above can be classified as key workers:
  • advocates (including solicitor advocates) required to appear before a court or tribunal (remotely or in person), including prosecutors
    other legal practitioners required to support the administration of justice including duty solicitors (police station and court) and barristers,
  • solicitors, legal executives, paralegals and others who work on imminent or ongoing court or tribunal hearings
  • solicitors acting in connection with the execution of wills
  • solicitors and barristers advising people living in institutions or deprived of their liberty”
• “What are a solicitor’s professional obligations if they are unable to provide the services required, due to coronavirus? You should notify the client as soon as practical that due to coronavirus issues the service cannot be provided, and suggest that they try another solicitor (perhaps giving a list of three alternatives or a link to the Law Society’s Find a Solicitor service).”
• “What should I do if I have court deadlines coming up? A new Practice Direction under the Civil Procedure Rules seeks to address the issue of extensions of time. Practice Direction 51ZA, effective from 2 April 2020, makes provision for parties to agree extensions of time to comply with procedural time limits in the Civil Procedure Rules, Practice Directions and court orders. Parties can agree an extension up to 56 days without formally notifying the court (rather than the previous 28 days) so long as that does not put a hearing date at risk. Any extension of more than 56 days needs to be agreed by the court. It provides guidance to the court when considering applications for extensions of time and adjournments. This Practice Direction ceases to have effect on 30 October 2020.”

A few weeks ago, Zoom seemed to be poised to achieve “Ketchup/Kleenex/Xerox”-like brand status as a verb, offering convenient collaboration in a way that appealed to the remote working world. Now several shoes are dropping as security concerns are driving serious repercussions. While not our standard conflicts fare, this all seemed worth a consolidated review.

Today’s latest: “Elon Musk’s SpaceX bans Zoom over privacy concerns – memo” —

• “Elon Musk’s rocket company SpaceX has banned its employees from using video conferencing app Zoom, citing “significant privacy and security concerns,” according to a memo seen by Reuters, days after U.S. law enforcement warned users about the security of the popular app.”
• “SpaceX’s ban on Zoom Video Communications Inc illustrates the mounting challenges facing aerospace manufacturers as they develop technology deemed vital to national security while also trying to keep employees safe from the fast-spreading respiratory illness.”
  “NASA, one of SpaceX’s biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.”
  “Investigative news site The Intercept on Tuesday reported that Zoom video is not end-to-end encrypted between meeting participants, and that the company could view sessions.”

(Having performed a cursory search to identify firms who have recently represented SpaceX, I note several familiar names. Curious if SpaceX or others are extending guidelines to address conference tools.)

In related Zoom news, see:

• “Attackers can use Zoom to steal users’ Windows credentials with no warning“
• “Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing“
• “Ex-NSA hacker drops new zero-day doom for Zoom“
• “A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles“
• “Zoom’s security and privacy problems are snowballing“
• “Zoom hit with class-action lawsuit for sharing user data with Facebook“

(Of course, some of us are curious when client and firm attention will be turned to Microsoft Windows Telemetry and data gathering on that front… But that’s a post and discussion for another day…)

My thanks to Charles Lundberg for writing in to note his latest article: “Quandaries and Quagmires: Legal ethics, risk management in pandemic” —

• “In a span of less than two weeks, the coronavirus outbreak has caused unprecedented disruption in law firms and created a host of new issues for firm general counsel and ethics partners. Here is a sampling of new ethics and risk management issues that have arisen almost overnight.”
• “A new paradigm for civility and reasonableness? Last week, a statement by the Los Angeles County Bar Association’s Professional Responsibility and Ethics Committee called for a new emphasis on lawyer civility… Now the point is this: A month ago there would have been nothing particularly remarkable about counsel pressing for an expedited hearing as he did. But everything has changed now. The pandemic has suddenly narrowed the Overton Window of reasonableness in litigation.”
• “New cybersecurity concerns for remote work. A recent ABA panel of experts noted that law firms need to be mindful of how employees working remotely can avoid computer viruses and other cybersecurity risks… Hackers are no doubt aware that they can exploit weakened technology systems because most lawyers and support staff are suddenly working remotely. Law firms must protect their clients’ sensitive personal information whether it is viewed in a lawyer’s home or at the firm.”
• “Wellness issues. Until about three years ago, “attorney wellness” as a law firm risk management issue wasn’t even a Thing. It is now one of the top 5 concerns of those in the ethics and risk management arena. And without question it has become a much bigger issue in the time of pandemic. The deeper issue here is that this is much more than just a law firm risk management issue. It is rather a part of the firm’s culture. Nothing will ensure loyalty to a firm like an open and transparent attitude of caring for the families of its staff in time of crisis. ‘This is the kind of firm we are’ should be the watchword.”
• “Competence: Keeping up with changes in the law and standards for practice. How do firms keep up with the changes that are occurring almost daily as governments respond to the pandemic? Every day, general counsel responsible for workers across jurisdictions are trying to get up to speed on new mandates, while seeking advice from outside counsel and other external resources. And the ethical duty of supervisory lawyers to ensure competent practice by subordinate lawyers is not subject to a pandemic exception… Across all practice areas, competence in using any new technology (e.g. Zoom for meetings with a client, etc.) must be confirmed. (Speaking of Zoom, have you checked the privacy policy for that app to see what information is being collected about you?)”

“K&L Gates Loses Dismissal Appeal in Conflict Case” —

• “K&L Gates has again suffered a loss in its effort to quash a Texas lawsuit alleging it engaged in conflicts of interest, including violations of the Deceptive Trade Practices Act… In the underlying suit, a Texas semiconductor company, Quantum Materials Corp., claimed the law firm represented lenders in a legal action against Quantum while also representing Quantum.”
• “Quantum retained K&L Gates in 2016 as corporate counsel—yet although they stopped sending work to the firm, the representation never formally ended, the company claims.”
• “While the panel ruled that claims the firm breached its fiduciary duty and engaged in deceptive trade practices should go forward, the judges took a more restrained view about another Quantum claim, that the firm engaged in legal malpractice… Instead, the panel found that the malpractice claim is ‘in substance’ a claim of breach of fiduciary duty.”
• “A K&L Gates spokesman declined comment on the opinion and the case.”

“Game Maker Says Eckert Seamans Can’t Represent Rival” —

• “A Georgia-based game machine maker asked a Pennsylvania federal court Tuesday to block its onetime law firm Eckert Seamans Cherin & Mellott LLC from representing its rival, arguing the legal attacks the firm has leveled since jumping ship to counsel the rival are ‘a clear breach of its fiduciary duty.'”
• “Pace-O-Matic, which refers to itself as an “amusement machine supplier,” sued the law firm in February, accusing it of breaching its contract and fiduciary duties by dropping the business “like the proverbial ‘hot potato'” to take on Greenwood Gaming, which allegedly has deeper pockets, as a client.”
• “According to the memo, Eckert Seamans began representing Pace-O-Matic in 2011 and was retained for a second matter in 2016. The firm argued on the company’s behalf up until last summer in a legal dispute in Virginia. In that dispute, the firm contended that its devices are games of skill and not gambling, according to the memo. Also during that time, the firm had access to Pace-O-Matic’s confidential material, Pace-O-Matic alleges.”
• “Counsel for Eckert Seamans declined to comment Wednesday.”

On the heels of last week’s note on digital assistants, comes increasing focus on and scrutiny of third-party conference providers. Today it seems like Zoom is on everyone’s minds, lips and screens. (For unrelated news on that, see: “SEC pauses Zoom Technologies trading because people think it’s Zoom Video“).

With several stories specifically cautioning firms about confidentiality management as team move to remote working, this caught my eye and thoughts: “Zoom needs to clean up its privacy act” —

• “Two days ago, Consumer Reports, the greatest moral conscience in the history of business, published Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know: Videos and notes can be used by companies and hosts. Here are some tips to protect yourself. And there was already lots of bad PR. A few samples:
  • Zoom is a work-from-home privacy disaster waiting to happen (Mashable, March 13)
  • Zoom Privacy Policy is a Risk (Cumulus Global, March 24)
  • Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk (Forbes, March 25)
  • Zoom and Houseparty: Video Calling at Your Own (Privacy) Risk (VPN Overview, March 25)
• “What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate (for example with a shrink talking to a patient) without anyone in the conversation knowing about it.”

And:  “Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know.” —

• “Zoom’s privacy policy is similar to many digital platforms’, claiming the right to collect and store personal data, and share it with third parties such as advertisers.”
• “In Zoom’s case, that extends to what the company calls customer content, or ‘the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.'”
• “Videos aren’t off-limits, according to the document, and neither are transcripts that can be generated automatically, the documents you share on your screen, or the names of everyone on a call. (The privacy policy posted online was updated over the weekend but backdated to Wednesday, March 18.)”
• “‘Zoom isn’t necessarily doing anything users would object to’ with the data, says Bill Fitzgerald, a Consumer Reports privacy researcher who analyzed the company’s policies. ‘But their terms of use give them a whole lot of leeway to collect information and share it, both now and in the future.’ (Consumer Reports is a Zoom client, using the service for some company-wide meetings.)”

Clearly, some of these risk concerns and issues are tied to the design of the system itself (including some arguably dark design patterns), while some are more related to how users use the system (which might apply to any technology). Still, worth considering what data is being created, collected and stored as the volume of this type of activity grows and grows…

Some of us in two-party consent states watch the growing adoption of recording devices with interest, to say the least. (Is that Ring doorbell recording folks unknowingly the subject of a future class action? Who can say… But better not be having conversations on anyone’s doorsteps these days…) But what many are increasingly saying is that concerns about in-home assistants are worth a bit of risk review. Here’s the latest law firm perspective on that: “Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls” —

• “As law firms urge attorneys to work from home during the global pandemic, their employees’ confidential phone calls with clients run the risk of being heard by Amazon.com Inc. and Google.”
• “Mishcon de Reya LLP, the U.K. law firm that famously advised Princess Diana on her divorce and also does corporate law, issued advice to staff to mute or shut off listening devices like Amazon’s Alexa or Google’s voice assistant when they talk about client matters at home, according to a partner at the firm. It suggested not to have any of the devices near their work space at all.”
• “Mishcon’s warning covers any kind of visual or voice enabled device, like Amazon and Google’s speakers. But video products such as Ring, which is also owned by Amazon, and even baby monitors and closed-circuit TVs, are also a concern, said Mishcon de Reya partner Joe Hancock, who also heads the firm’s cybersecurity efforts.”
• “Smart speakers, already notorious for activating in error, making unintended purchases or sending snippets of audio to Amazon or Google, have become a new source of risk for businesses.”
• “Amazon and Google say their devices are designed to record and store audio only after they detect a word to wake them up. The companies say such instances are rare, but recent testing by Northeastern University and Imperial College London found that the devices can activate inadvertently between 1.5 and 19 times a day.”

Hey Siri, have any Outside Counsel Guidelines had any words about you yet?

“How Law Firms Can Harden Their Data Security During COVID-19 Crisis” —

• “The COVID-19 pandemic has forced law firms into a new work paradigm, switching overnight to a remote workforce. Law firms, already an attractive target for cybercriminals, now face a workforce operating from informal home environments. As a result, law firms must address data security risks as they balance making data available for remote access.”
• “Sheryl A. Falk, a co-leader of Winston & Strawn’s global privacy and data security task force, answers some of the questions surrounding how a remote workforce can still protect client information. Her answers have been edited for clarity and brevity.”
• “Law firms should consider and adapt to new data security challenges presented by remote work. Ensure that all connections to the law firm’s information systems are made via a secure connection through a VPN or virtual desktop, with appropriate access controls in place, such as two-factor authentication… Restrict employee access to data needed to do their specific job functions…”
• “Law firms should arm employees with information to keep data safe. Redistribute any firm data security policies, such as bring your own device policy or written information security program. Counsel employees on remote working best practices.”
• “Firms should stay alert for potential unauthorized access, including monitoring logs and external connections to the network systems to detect an unauthorized third party from penetrating the law firm’s network. Firms should also ready their response to an incident by quickly reviewing their data security response plan and cyberinsurance.”

“What Law Firms Should Know About COVID-19” —

• “According to a recent private survey about COVID-19, 74% of law firm respondents expect that there will be a modest to severe impact on legal services demand over the next two quarters. In addition to the issues facing all businesses during this time, law firms also face unique risks as a result of the spread of COVID-19.”
• “Law firms face risks based on their role as employers and also based on the duties owed to clients… The onset of COVID-19 does not mean that law firms’ duties to clients go away or that lawyers can treat this period as a “vacation” from their obligations. But, changes from courts and other entities have created uncertainty among practitioners. There will inevitably be some confusion and perhaps even some gridlock once courts reopen and deadlines begin to apply again. Law firms and lawyers can use this time to advise clients of the status of their cases and matters in light of the shutdown and advise on the recommended next steps.”
• “Law firms may also consider educating their work force about the importance of maintaining client confidentiality while working remotely. This may include reminding attorneys and staff that client confidential matters must remain discrete, even within the home, and that attorneys and staff have an obligation to protect the confidentiality of client matters wherever they are.”