Risk Update

Time for Time Entry, Phishing, Cloud & Malpractice Risk

Hat tip to Simon Chester at Gowling WLG for pointing out: “Email fraudsters impersonate Clifford Chance UK managing partner” — 

  • “The Solicitors Regulation Authority (SRA) confirmed that a number of emails have been sent misusing the name of Clifford Chance and Michael Bates, the magic circle player’s UK managing partner. The phishing-style emails invite recipients to review an attachment, which isn’t attached, regarding a client matter, according to the regulator’s alert.”

These security topics are timely. Last week, watching a webinar on integrating client OCG compliance into time entry software, jogged my memory on the topic of time and technology risk, and I thought I would share a few items of note.

First, on the topic of billing compliance see also: “Block Billing Gets Attorney Suspended” — 

  • “Ronald D. Hassan is a lawyer who admittedly engaged in “value billing” and “block billing” to calculate the amounts owed to him by the Public Defender Services (PDS) for his court-appointed representation of criminal defendants. Mr. Hassan’s billing practices resulted in impractical absurdities such as billing thirty or more hours on multiple days. He was charged with violating two separate provisions of the West Virginia Rules of Professional Conduct.”

Another interesting story about law firm time software risk caught my eye a few months ago, and I found myself exploring a chain of articles and reading a malpractice complaint.

As is widely reported, targeted spear phishing attacks are a known and growing problem for the entire industry. And according to an ABA survey published last year, one in five law firms experience a “cyber incident.” It’s actually noted that 20% of firms reported being the object of a cyber attack. The actual number may be higher.

And, as reported this week in the Texas Lawbook: “Four out of five corporate law firms operating in Texas have experienced a “cyber incident” or an actual data breach during the past two years, according to an exclusive new Texas Lawbook survey.”

The ABA also noted this fascinating incident: “Law Firm Cybersecurity Breach Opens Door to Lawsuit,” which notes this case Shore et al v. Johnson & Bell, Ltd (described here, but you have to scroll):

  • “The class action against Chicago firm Johnson & Bell is understood to be the first in which a law firm has been accused of exposing client information and failing to protect client data through inadequate security.”

  • “In the former, the claim states that the defendant operates a Webtime service developed by Rippe & Kingston, which the claimants say has not been properly configured and is running out of date software.”

  • “The claim, which Johnson & Bell has publicly called ‘baseless’ and ‘specious’ and says it will fully defend, seeks to compel Johnson & Bell to ‘implement industry standard protocols; to allow an independent third party firm to conduct a security audit; to inform Johnson & Bell’s clients that their confidential information has been exposed; and damages.'”

The complete complaint makes an interesting read.

To be fair to the vendor, it looks like the 100 lawyer firm’s IT standards were allegedly lacking… they hadn’t updated their self-managed, internet-facing system in several years.

But merits of this particular matter aside, no firm or vendor wants to see itself subject to this type of public attention and scrutiny. Like any category of serious risk, it’s always prudent to ensure your firm has its internal processes defined and up to date. And equally important that vendors are working carefully to ensure issues like these are addressed —  and updates are actually being implemented by clients. (I type as my Windows system informs me a mandatory shutdown is imminent…)