Risk Update

Risk Round Up — Law Firm Document Disposition, Cyber Insurance & Liability, Russian Client Concerns

A bit of everything from my reading list to share today, starting with an article from Leigh Isaacs (DLA Piper) and Andrew Corridore (Akin Gump): “Defensible Disposition Program: Article One—Let’s get down to Basics” —

  • “This ‘keep everything forever’ mentality has led to an informational environment with severe financial and risk-related implications, and wading through volumes of data—often unclassified—can be a real hindrance to efficiency. The cost of storage has exponentially increased, and it is becoming more and more difficult to properly index the massive amounts of information. Failure to manage information can lead to over-retention of personal information or other sensitive materials that could cause serious financial or reputational damage in the event of a breach. It could also result in a violation of the ever-growing number of privacy regulations emerging around the globe.”
  • “Further, there’s the implicit cost of finding a particular piece of information and how that cost increases when the information you are looking for is held amongst a tremendous volume of data—think: trying to find a needle in a haystack when the person searching for the needle could otherwise be billing at $995 an hour.”
  • “So, what does defensible disposition actually mean? Disposition can include several actions, including destroying documents with no legal hold requirements or business value, moving data to less expensive storage (also known as archiving), or transferring custody of the information to another party (such as returning the data to the client to whom it belongs or transferring it to a third party such as another firm).”
  • “You should be able to demonstrate to the client or to a judge, if it came to it, that you took all reasonable efforts to get the required input regarding the disposition of a client’s data. Also, depending on any agreed-upon terms in outside counsel guidelines or other documented agreements with the client about file disposition, you may need to get input from partners, clients, general counsel, or other internal people/groups.”
  • “It is easy to get stuck in ‘analysis paralysis’ when attempting to start and maintain a disposition program. To avoid this, it helps to approach your efforts with a two-pronged approach. These two prongs are: legacy and go-forward retention and disposition.”
  • “Legacy disposition refers to the actions taken on data that precede any formal retention policy implemented by the firm. All organizations have pockets of data that may not have been well organized or governed. Typically, legacy information has little to no business value because of its age. However, because there isn’t a distinct policy covering it—and, more importantly, telling you what to do with it—destroying legacy information isn’t as simple as just throwing it away. In order to mitigate the risk of the data being related to an existing legal hold or being needed down the line, analyze the information, and consult the owners and other involved parties (e.g., attorneys, outside counsel, etc.). This can be especially challenging to navigate when those with relevant institutional knowledge are no longer available to provide guidance and advice.”
  • “On the other hand, while still having its complexities, a go-forward retention and disposition policy is a bit more straightforward from a defensible disposition standpoint. This policy will explicitly detail the length of time a company will retain certain data and what happens to the data at the conclusion of the retention period. That said, it is important to invest in training and awareness along with monitoring and auditing lest the piles of unstructured and unclassified information continue to proliferate.”

Next, via Eileen Garczynski (Ames & Gough), a note from Cyber Special Ops, LLC: “How can a law firm’s Lawyer’s Professional Liability get triggered from a cyber attack, potentially eroding a firm’s entire E&O?” —

  • “In its third day of trial, a Missouri federal jury heard how the collaboration between a hacked law firm, Warden Grier, and Hiscox, broke down into days and weeks in intense efforts to co-manage technical experts and inform stakeholders.”
  • “As early as 2002, Hiscox retained Warden Grier to render professional legal services on behalf of Hiscox insureds for Non-Marine First Party Business and Non-Marine Casualty Business. According to the complaint, hackers obtained personally identifiable information of clients of Hiscox’s corporate policyholders through a cyberattack on Warden Grier.”
  • “A group known as The Dark Overlord first hacked Warden Grier in February 2017 and threatened to publicize its data unless the law firm paid a ransom. Warden Grier paid the ransom but did not notify Hiscox of the breach. A year later, the hackers made an additional ransom demand and told Hiscox of the breach. Two days later, Hiscox contacted Warden Grier about the breach and the law firm confirmed it had been hacked, court papers say.”
  • “Hiscox then hired various experts to help it manage its potential exposures arising from the breach. Costs the insurer incurred included $1.1 million paid to a firm that analyzed the breached data, $276,859 paid to another law firm, $107,456 paid to a public relations consultant and $6,189 paid to a call center.”
  • “Hiscox wants $1.37 million in compensatory damages for bills paid to Cooley, LLP and Charles River Associates for the forensic work.”

On the Russian client front: “Legal firms ‘must raise defences against dirty cash’” —

  • “Solicitors across Scotland are under pressure to increase defences against dirty money after a Kremlin-linked oligarch claimed his business was based at the HQ of a blue-chip Edinburgh law firm.”
  • “Anti-corruption experts have already warned lawyers against offering mailbox or other services for anonymously or opaquely owned corporate entities, such as widely abused Scottish limited partnerships, or SLPs.”
  • “Last night Alison Thewliss, the SNP’s Treasury spokeswoman, said she is deeply concerned about legal firms being exploited as she warned against ‘flows of dirty money’ being assisted ‘by professionals right here in the UK’.”

And: “Regulator probes law firms accused in Parliament over oligarch work” —

  • “The Solicitors Regulation Authority (SRA) has started visiting law firms named in Parliament amid concerns about their work for Russian oligarchs, it has emerged. It forms part of a series of actions the regulator is taking in the wake of Russia’s invasion of Ukraine.”
  • “In his update for the recent meeting of the SRA board, chief executive Paul Philip noted that there have been a number of comments made in Parliament, both in general and about specific firms, ‘that lawyers are helping individuals included on the sanctions list to seek a defence, are not conducting proper checks on clients, or are threatening litigation in a way designed to stifle public debate and discourage public criticism, known as strategic litigation against public participation (SLAPPs)’.”
  • “He said the SRA was writing to the MPs and peers making allegations to ask for further information, ‘in order to investigate any misconduct’. Further, it was ‘commencing visits to those firms named in the Parliamentary debate, and engaging in further visits as part of our ongoing rolling programme of inspections to ensure compliance with the money laundering regulations’.”
  • “Mr Philip said the regulator has also been ‘in touch’ with the firms that fall within its regulatory management regime – magic and silver circle firms conducting high-profile corporate, commercial and finance work, other large City and international firms, national firms, US firms with offices in England and Wales, and multi-disciplinary practices – to make sure they understood their obligations and the importance of compliance in this area.”
  • “Mr Philip added: ‘There will be unidentified costs for some of this work that we will need to cover both in this and next year’s budget…The main costs will be a system to check firms’ clients against the financial sanctions lists, which is necessary because of the number of clients and entries on the list involved and to eliminate false positives.’”