Category Archives: Law Firm

Ponemon Institute: Lost Laptops Cost Billions

The Ponemon Institute’s latest report, “The Billion Dollar Laptop Study,” shows that 329 organizations surveyed lost more than 86,000 laptops over the course of a year.  Based on these findings and an earlier survey that put the average cost of lost laptop data at $49,246, the total cost amounts to more than $2.1 billion or $6.4 million per organization.

Some other key findings of the report:  (1)  while 46 percent of the lost systems contained confidential data, only 30 percent of those systems were encrypted; (2) only 10 percent had any other anti-theft technologies; and (3) 71 percent of laptops lost were not backed up so all work in progress was lost.

At the release media event reported on by InformationWeek, Larry Ponemon explained that most of the cost “is linked to the value of intellectual property on these laptops and the fees associated with data breaches and statutory notification requirements.”   During this same press conference, Ponemon recounted interviewing one woman at a company who had lost 11 laptops in two years:  “She claimed she wasn’t really that careful with laptops because the only way she could get a better one was to lose it.”

It is this disconnect — the value of the information lost vs. the relative interest in the user in protecting such information — that becomes the ultimate challenge faced by most firms.   Employee training remains the front line in addressing this challenge but having employees pay for their lost corporate laptops may actually yield more desirable results.   It would be interesting to have the next Ponemon lost laptop study include the ratio of lost business laptops compared to lost personal laptops, i.e., those actually purchased by an employee.

IW: CIOs See Smartphones As Data Breach Time Bomb

As recently reported by InformationWeek, a study conducted by market researcher Ovum and the European Association for e-Identity and Security found that eight out of 10 CIOs believe using smartphones in the workplace increases their firm’s vulnerability to attack.  Although these CIOs rank data breaches as their top related security concern, half of the organizations acknowledge that they fail to provide some basic security measures for the use of smartphones.

This report should be of major concern to doctors and lawyers — two groups of professionals that rely heavily on the use of smartphones to manage their workloads.    At the very least, an easily applied security precaution for smartphones should be the use of a strong password that is changed every 60 days or sooner.  Two-factor authentication is preferable.   Users should back up data regularly and not have it remain solely on a mobile device – unfortunately, default settings can have the communications emanating from your mobile device remain resident solely on a mobile network.  Make sure your mobile device is equipped with anti-virus protection and if you receive an e-mail from a company or person that you’re not familiar with, do what you do on your work computer – just delete it.   Use your idle timer feature to lock down your smartphone as you would your laptop.  

If you have an IT support team (in-house or outsourced), make sure it keeps your operating system and server patches up to date and strictly enforces what applications can be used and what connections can be accessed.   What OS is even used may impact security.   For example, researchers have recently discovered flaws in the WebOS smartphone platform that could let an attacker build a mobile botnet or execute other remote attacks.  More advanced security features include the use of remote wiping applications, encryption and data loss/leak prevention tools.  

Notwithstanding the fact it can also place a call, the key to improving your security posture is to respect the fact your mobile smartphone is now no different from any other computer you use at work.  Act accordingly.

NLJ: Smaller Law Firms Have Digital Advantage

In a recent National Law Journal article, Adrian Dayton argues that smaller law firms have been much better at jockeying for online positioning and expanding their digital footprint.  Driven by the ultimate goal of search engine optimization (SEO), these firms have been using blogs, FaceBook, Twitter and LinkedIn to get noticed in ways the largest firms are not.

As pointed out by the author, run a Google search for “class action defense”and you will notice that the top listing is a blog produced by the law firm of Jeffer Mangels Butler & Mitchell — a firm with three offices and 138 attorneys.  Given  its blog, the firm dominates in SEO despite being relatively small.  Google’s search algorithms, including its PageRank methodology, place a premium on the sort of fresh content found on blogs.  Search results slanting in favor of smaller law firms pretty much run across the board given “the fact that in the entire AmLaw 100 there are more than 84,000 lawyers and only 130 law blogs.”  Not much in the way of competition.  In other words, if you want to get up in the rankings and get noticed by new clients looking for your perspective on legal matters, having a blog has been the quickest path to achieving that goal.

Why does any of this matter?

Well, according to a Greentarget/ALM survey, 35% of in-house counsel had visited a law blog within the past 24 hours and forty-three percent of in-house counsel cited law blogs among their top “go-to” sources for news and information.  This sort of “drip marketing” may take law firms months or even years to obtain an engagement given the strong  existing relationships that first need to be shaken loose.  On the other hand, it is likely the most cost-effective way to get the ball rolling.

Given free publishing tools such as WordPress coupled with inexpensive professional themes and low-cost hosting options, the only real cost is the time it takes to write the blog post.  If you are a competent brief writer, it should take you no more than 30 minutes of your time every few days.   And, as correctly pointed out by Adrian Dayton, this small time commitment is well worth it.  Try it.  You may even enjoy the experience.  Just make sure what you write is not something that will impact a client relationship — after all, that is likely the reason larger firms have generally stayed away from the blogosphere.

ABA: Law firms are Likely Targets for Attacks Seeking to Steal Information off Computer Systems

According to a recent ABA Journal article, the global digital infrastructure is under siege and law firms are to some extent on the front lines given the vast amounts of sensitive data they process and maintain.  Bradford A. Bleier, unit chief to the Cyber National Security Section in the FBI’s Cyber Division, is quoted in the article:  “Law firms have tremendous concentrations of really critical private information” and breaking into a firm’s computer system “is a really optimal way to obtain economic and personal security information.”  Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, believes this threat is increasing for two different reasons.   First, he said, “the skill level of attackers is growing across the board.” And, secondly, the nation’s networks of computer systems are becoming more connected and complex all the time, “and complexity is the enemy of security.”  Marc Zwillinger, a founding partner of Zwillinger Genetski, recognized another obvious problem for law firms:   “Lawyers haven’t been as diligent with security as some of the institutions that gave them information.”

After sufficiently spreading the FUD (fear, uncertainty, and doubt) throughout, what does the ABA author suggest as a solution.  Well, not much of note.  It is suggested that firms change their culture to be more in tune to security – which will likely need to be done from the top down given most managing partners, according to the author, have little time with sophisticated passwords and things that might otherwise slow them down.   It is also suggested that data be segregated and that encryption be deployed. 

The most relevant bit of information from the article actually was added in the sidebar and builds on Marc Zwillinger’s suggestion that a client’s security is usually more evolved than that of its law firm.    The author’s sidebar comment points out that clients may soon be auditing their law firm’s security.  Given that lawyers have been helping clients with technology due diligence for years now and have also been advising  on the use of audits, it is not much of a stretch to expect one law firm to recommend auditing another firm.  Those law firms in front of this issue will not only keep existing clients – they will also be in great shape to potentially win new ones.   Afterall, what law firm would suggest such an audit if it did not already deploy a sophisticated security infrastructure of its own?

Law Firms Feel Pressure From New Breed of Competitors

In a recent article, author Gina Passarella argues that the law firm industry “is moving away from a monolithic provider of legal services – the law firm – to a fragmented service platform where the competition isn’t just a broadening array of law firms, but legal process outsourcers [LPOs] and other non-law firm legal service providers as well.”

In essence, Ms. Passarella argues that the industry is “unbundling” into various constituent parts — from the client (who is keeping more and more work in-house) to the legal LPO vendor (who is doing more and more specialized work ).  And, according to experts quoted in the article, the trend is towards global firms that can do everything and boutique firms that can do certain things very well — with little room in between for other types of firms.  These legal consultants argue that law firms can no longer be “bet the farm” firms and commodity firms at the same time. 

What the article posits as future fact may actually be the a short-term trend towards cost-cutting.  For example, a good portion of LPO competition may actually be driven now by those lawyers who could not otherwise get a job with a traditional firm.   Once the market picks up again, those lawyers may find a more traditional home.    As recognized by K&L Gates chairman Peter Kalis, who is quoted in the article,  LPOs do not provide the same attorney-client privilege guarantees as law firms; and therefore, can never really be a threat to most of the business his firm does.  As he puts it, “they are a gnat in an elephant’s ear when it comes to K&L Gates.” 

Not sure if LPOs are ultimately law firm gnats or very large bed bugs.  What is clear, however, is that a law firm needs to continually reassess its business model – with a constant eye towards improving efficiencies – before it can ever hope to improve its bottom line.  A good starting point is to hone in on core competencies.   There are good reasons boutiques have taken a chunk out of BigLaw books over the past decade or so — all of which boils down to self-awareness on core competencies tied to a focused business plan that is well executed.

Study: Electronic Theft Costs More Than Physical Theft

In a recently published study conducted by security firm Kroll, findings showed electronic and information theft are at 27.3 percent of total fraud losses while physical theft at 27.2 percent.  Although this is statistically a dead heat, the fact that it is even close is significant for all companies looking to curtail fraud costs.  Interestingly, China had the highest level of fraud, with 98 percent of businesses affected, and Colombia and Brazil came in next, with 94 percent and 90 percent respectively.  

According to Kroll, “information-based industries reported the highest incidence of theft of information and electronic data over the past 12 months. These include financial services (42% in 2010 versus 24% in 2009), professional services (40% in 2010 versus 27% in 2009) and technology, media and telecoms (37% in 2010 versus 29% in 2009).”

There are two common sense takeaways from this recent study — devote the right resources (including training) to avoid electronic theft and fraud and ensure the right security and vetting processes are in place when doing business in emerging markets, especially if your firm holds a good deal of sensitive data.  Although both suggestions may seem obvious it often takes the cumulative impact of these surveys and anecdotal evidence to really push the risk management needle.

UK Law Firms Face a Sea Change that May Impact US Firms

As reported in this recent article in American Lawyer, in less than a year, “the UK’s legal landscape will change forever.”   This sea change is taking place given the third and final stage of the UK’s Legal Services Act comes into effect in October 2011 — allowing for UK law firms to accept outside equity investments for the first time.   Specifically,  Alternative Business Structure (ABS) will be allowed to have both lawyer and non-lawyer ownership and management.   These entities will be able to solely provide legal services or provide legal services in combination with non-legal services such as financial services. 

Not surprisingly, UK law firms are busy preparing for this change — a change that will likely reshape the legal profession in the UK and beyond.   Unlike law firms in most parts of the world — including the United States — UK law firms will no longer have an ethical bar prohibiting them from taking on non-lawyer equity owners or managers.  The ethical prohibitions barring non-lawyer equity ownership of US law firms were discussed earlier this year in a post that challenged the status quo.

Come next October, the UK legal community will no longer have several significant barriers to growth and in so doing will reap an immediate advantage compared to US peers.  UK firms will see an influx of capital that mimics what happened after financial services firms first went public years ago.  Coupled with this new capital infusion and partner equity bonanza will be demands from investors for improved processes tied to a reduction in expense.   That’s where the new managers will come in to improve the bottom line.  These changes will likely lead to competitive advantages and a rapid increase in revenue.   US firms will be at a marked disadvantage for years to come on those legal services that can more easily be commoditized and outsourced.   ABS entities may find that success higher up the legal food chain will be more difficult to achieve and will take more time to address.  That is where traditonal firms may be able to obtain an advantage.

In other words, in the short-term, there may actually be some good news for US-based firms competing with ABS entities.  Complex corporate and litigation work may eventually increase — not only will firms be wary of using a hybrid law firm that may sometimes have a perceived conflict of interest, these process/outsource driven firms may not be perceived sophisticated enough to handle high-end business.  Moreover, the “professional touch” found in a traditional firm may also be perceived to be missing from these new UK hybrid firms.  This is obviously all speculation at this point given ABS entities may be part of a yet-unknown corporate structure that takes into account the above potential weaknesses.

All in all, the change that will take place next year in the UK will likely eventually lead to greater billing transparency and stronger competition.   Maybe having such competition will cease $60 empty emails and law firms charging for  nice window views.  It may also prod US state bars to recognize there can be no expanding “business of law” until law firms are allowed to conduct business more like other businesses — which may or may not entail the seismic changes taking place in the UK.   It would be nice, however, if those changes were at least discussed.

Location, Firm Size Key to Legal Billing Rates

Released on September 1, 2010, CT TyMetrix’s Real Rate Report, which is based on empirical data “gathered from $4.1 billion in invoicing generated by over 3,500 law firm and 90,000 individual billers over three years (2007-2009),” provides unique insight on the billing practices of law firms around the country.   This report demonstrates  that it may not necessarily be the skills set or experience of an attorney that drives his or her billable rate.  Given that the 92-page report costs $4,500, a cost-effective way to learn what’s in the report is to review the September issue of The American Lawyer

As detailed in the article, “legal bills increased at rates that exceeded inflation, in-house lawyers who spent more at a particular law firm were not getting any discounts, and partner status added nearly $100 on average to a lawyer’s rate regardless of experience.”  What was even more interesting was the report’s finding that 85% of lawyers charge clients different rates for the same work and the “location of the biller and the size of the biller’s firm – not the biller’s experience – are the variables that most influence how much a client will pay.” 

Although geographic location obviously impacts law firm and employee living expenses, clients may perceive no real justification for paying more qualified lawyers in mid-sized suburban firms less pay simply because of their firm size and location.   It also does not appear to make sense to charge $100 more an hour simply because of a change in ownership rights.   What if the associate was made partner largely on the basis of being a great rainmaker?   How does that justify being a higher-priced M&A lawyer?

When it comes to the business of law, if law firms are going to continue to tie their collective hitches to the billable hour, they need to do a better job of meshing their actual expenses with their hourly fees and communicating their results to clients.   If there is an expense associated with tapping into a large New York City law firm, i.e., higher rents, increased costs of hiring, etc., firms need to communicate those additional costs.   Although doing that might make it more difficult to later reduce fees by 30% when in-house counsel balks on a given bill, it will end up leading to more consistency and a better relationship with those who actually pay the bills. 

By blanketly adding additional dollars to a billable rate without spelling out exactly why the rates are at that level, law firms are missing a great marketing opportunity.    The more successful manufacturers routinely lay bare their component expenses in order to close large orders.   In other words, widgets should be no different from legal briefs when it comes to transparency of expense.    

Here are some other interesting findings from the report (as listed in the American Lawyer article):

BigLaw Warning: Law Firms Face Increasing Risks When Handling Personal Information

In a pair of articles sent out by CNA to its law firm insureds, two large law firms showcase (by way of their privacy and risk management departments) the rising data loss exposures faced by all law firms.  An article written by seasoned privacy attorneys from Hunton & Williams provides “an overview of key privacy and information security issues impacting the practice of law.”   And, in an article written by Ann Ostrander, the Senior Director of Loss Prevention at Kirkland & Ellis, we learn of how Kirkland addresses part of its data confidentiality problem by deploying a sophisticated web-based solution. 

Ms. Ostrander provides some good common sense advice when she writes:

With new rules, new precedents and new information technologies continuing to complicate and inflate the ways in which information is created and communicated, the risk of unexpected incidents, breaches or gaps is increasing. Thankfully, educational resources, technology and services exist which can enable organizations to enhance their capabilities and reduce risk. As more firms adopt more rigorous approaches to managing confidentiality and compliance, they’re creating stricter de-facto standards and expectations for the legal industry as a whole.  In this context, every firm should carefully consider the state of confidentiality management in their environment, as this is an issue whose profile will only continue to grow.

Because the Hunton attorneys are very process driven in their approach, they advocate law firms build out new security processes such as those found in a vendor management program.  As with Ms. Ostrander, Hunton’s privacy group, however, ends by providing a baseline of what every law firm should be doing:

For law firms, it is difficult to overemphasize the importance of (i) understanding how the firm collects, uses and otherwise processes personal information, (ii) thoroughly analyzing the firm’s relevant legal obligations, and (iii) implementing a comprehensive privacy and information management strategy to address these obligations. 

Although diminishing billable hours may tear into a firm’s ability to implement the firm-wide technology initiatives found at BigLaw firms such as Kirkland, the rewards found in adequately addressing data loss exposures will pay long-term dividends for any sized law firm.   As chronicled in the Hunton article, there are many regulatory landmines on the horizon.  It may be hard for a client to justify staying with its law firm after the firm is hit with a public rebuke regarding its data security – especially when there are so many other competitors in the water.  

Moreover, all law firms can, and should, be known as stalwarts of data privacy “future” best practices – and not just what is considered a current best practice.   In fact, it can be argued that the smaller the law firm, the easier it is to run such an office.  Although  attorney-client privileged material is already sacrosanct within all law firms, as counsel to banks, retailers, healthcare providers, and other users of sensitive data, law firms should live and breathe data protection on behalf of their clients.  There is a financial silver lining to any upgrade expense given that  new  implementations immediately become marketing fodder for rainmakers.  In other words, as some clients point to their use of sophisticated data management procedures when marketing their services, so should law firms when marketing their own services.

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is  a win for a large corporation.   In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection.  According to the court, resolution of these questions:  centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting.   The court, however, limited this right of inspection to only those portions of the board minutes that address their “proper purpose.”  In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a  “proper purpose.”  According to a Merck spokesman, “we’re evaluating our next steps.” 

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey.   As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation.  It gives litigants a new tool and may cause directors to be more restrained when providing advice given their decision-making process may now be opened up to a much greater extent.  Moreover, this obviously potentially increases the liability of directors and officers so there may be a potential increase in claims – with a resulting increase in D&O insurance premiums.   Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free reign to decide what is deemed “a proper purpose” or privileged material.   In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.