Category Archives: Law Firm

Law Firm Management of Network Security – Proactive or Reactive?

Several recent articles – one in the March 2010 issue of the ABA Journal and another in the March 9, 2010 issue of The National Law Journal – offer a study in contrast regarding how law firms are dealing with data security exposures.  The ABA Journal takes the position that law firms are proactive in managing this exposure by, for example, barring use of the iPhone.  The National Law Journal article takes the position that although attacks against law firms have been increasing the past several years, “[w]hen it comes to network security, however, law firms in general do not invest as heavily as do other industries.”

A review of law firm procedures and attitudes related to data security reveals a wide gulf on which consensus is hard to find.  Some law firms simply do not treat this as an issue and go about their business as if their network security were an autonomous part of the office that can take care of itself.  On a relative scale, revenue generation for these firms ranks number one or two, while data security ranks somewhere between ten and twenty.  That is not to say there aren’t some small firms who actually do understand how rainmaking can be enhanced with a strong data management system in place.  They are just in the minority.

Given the economic downward spiral that has not let up for the past several years, law firms must obviously be judicious with their resources.  It is clear to some, however, that spending time and money improving the network security and privacy posture of a firm can ultimately help improve its financial position.   As with most things in business (go ask Steve Jobs), it is about the proper marketing of your services.  Running a tight data security ship is no different from being well-versed in environmental law prior to advising clients who may have an environmental exposure.  It should be considered part of the advance work necessary to be a successful attorney.  On the flip side, if you are one of the hundreds of law firms to have sustained a data breach during the past several years, there is no need for further prodding.   The old adage “once bitten, twice shy” will certainly apply and money to improve data security will flow quite easily.

New MA Data Protection Law Impacts Companies Around the Country

As of March 1, 2010, any company, organization, association or entity that holds any sensitive personal information of a Massachusetts resident must comply with a new law – Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).  This new law applies to an entity even if it is not located in, and does not do business in, Massachusetts – all that is necessary to trigger a compliance obligation is that the firm maintains personal information on Massachusetts residents, including information on any customers and employees.

Taking a page from the FTC’s Red Flags regulations, the new law requires that companies implement a written security plan to protect personal information.  An employee needs to oversee this security program, it must be regularly monitored, and the efficiency of the program needs to be reviewed at least annually or at any time when there’s a major change in a company’s business practices.

Going further than the FTC, and not wanting to disappoint given its name, Massachusetts has actually set forth specific data security standards in its new law.  For example, all records containing personal data that are transmitted wirelessly or sent via public networks need to be encrypted.  Likewise, sensitive personal data stored on laptops and other portable devices must be encrypted.  Companies will need to restrict access to records and files that contain personal information to only those employees who need such information to do their jobs.

Third party vendors who contract with businesses after March 1, 2010 are subject to the new law and also need to comply.  Those companies who contracted prior to March 1, 2010 are given two additional years to comply.  It remains to be seen whether other states will follow suit with Massachusetts but given the reach of the statute, it may not even matter.   Between the FTC and MA, good common sense may dictate that your firm implement a written ID theft prevention program sooner rather than later.

Xinhua: China Cyber Attacks Against Google Pure Fabrication

In its sharpest defense to date, the Chinese Government – by way of its state-controlled media outlet, Xinhua News Agency – argues that it does not make sense to blame the recent corporate hacking incidents on the Chinese Government.  According to the February 24, 2010 People’s Daily article, “China’s attitude toward cyber attacks has been unequivocal and has adopted laws against such crimes, as China is one of the countries that bear the brunt of cyber attacks. It is way far-fetched to say that cyber attacks — even if they were to originate from China or were to be carried out by Chinese citizens — would have the support of the Chinese government.”  The authors point out that IP addresses are not necessarily accurate for determining the original location of a hacking incident, given that the traced computers can be hijacked from elsewhere.  The article closes by saying: “Cyber crimes could cause immense losses for individuals, enterprises and nation-states. Effective supervision and closer international cooperation are ways to boost cyber security.  Finger pointing is not.”  Although it remains to be seen whether the Chinese Government was behind this latest round of corporate exploits, keeping an open perspective is never a bad idea.

Is Chinese Government Really to Blame?

Just wondering.  Is the Chinese Government being set up?  One has to wonder why a year-old report by a British spy agency was only recently leaked to the press.  Among other things, the report claims that free USB memory sticks loaded with trojan software were given to business leaders and lawyers at various Chinese trade events.  Another report recently in the press indicates that classified documents from government and private organizations “including the computers of the Dalai Lama and Tibetan exiles” were hacked into.  Really?  The Dalai Lama?  Another report indicates that oil drilling data was purloined by servers in China.

Given that none of these attacks have any real direct linkage to the Chinese Government, the only two factors being used to implicate the Chinese Government relate to the sophistication of the attacks and the fact that they originated on servers based in China.  This is hardly persuasive evidence that the government was involved.  There are any number of governments and large corporations able to perform these attacks.  Moreover, the fact that servers in China are being used also does not really indicate anything.  According to a report in Information Week, the country that hosted the most phishing sites in the third quarter of 2009 was not China.  It was not even close.  For example, in September 2009, the United States hosted 75.76 percent of all reported phishing sites.  China came in third place with 3.44 percent.  It is likely that of the US-based servers used, many were used by foreign attackers looking to cover their tracks.

Similarly, it seems an odd coincidence that oil data theft and so many other intellectual property hacking incidents are only being traced to Chinese servers when the Chinese Government – if culpable – could have easily used US-based servers to cover its tracks.  In other words, let’s not be so quick to blame the Chinese Government for attacks that could very easily have been done by other sophisticated hackers or simply by Chinese citizens working on their own initiative.

Is the Bar Against Non-Lawyer Equity Owners Outdated?

Under Model Rule of Professional Conduct 5.4, “[a] lawyer or law firm shall not share legal fees with a nonlawyer” except under very limited circumstances.  Accordingly, it has long been the rule that only lawyers could manage or have an ownership interest in a law firm.   That is why, for example, no law firm (at least none in this country) has ever gone public.  Ostensibly, this rule prevents direct conflicts of interest in that shareholder interests are never allowed to trump client loyalty.  This rule mimics the rule that bars the corporate practice of medicine.  On the other hand, accounting firms generally only need a majority of their owners to be licensed CPAs.

If non-lawyers held an equity interest in a law firm, the Appearance of Impropriety Rule would also apply whenever a law firm’s interests appeared to benefit equity owners’ interests over those of a client.  For example, a very conservative defense strategy might prolong a lawsuit and give the appearance that the strategy was enriching shareholders to the detriment of a client.  Aggressive collection strategies might also appear to create a direct conflict between shareholders and delinquent clients.  Although N.J. R. 1.7:210 is focused on barring dual representations, e.g., representing both sides in litigation, it can easily be envisioned that this rule might also apply to bar representations when outside shareholder interests were in direct conflict with a client.

Are these ethical prohibitions fair or sound? 

Other than via the traditional “bill, manage, or produce” buckets, lawyers have few options when it comes to generating significant wealth.  For example, the potential upside for a successful litigation billed on an hourly basis is only the promise of future business.  Unlike their clients or even their investment banker peers, lawyers are not issued stock options, cannot invest in deals, and never reap the rewards of a seven-figure annual bonus based on the upside of a corporate transaction.  This leads to an obvious disadvantage when it comes to law firms competing with hedge funds, investment banks, consulting firms, or high-growth companies.  It is clearly unfair that law firms experiencing double-digit growth are unable to reward those who contribute to such growth with some equity interest that can be sold to non-lawyers.  As for the soundness of such ethical prohibitions, they primarily make sense if one adopts a paternalistic approach – one that assumes lawyers will not recognize the right ethical course of action unless given a blueprint.  Otherwise, the prohibition makes little sense.

In addition to questions regarding the soundness or fairness of this ethical framework, a bar against law firm shareholders puts US law firms at a disadvantage with global law firms who do have non-lawyer shareholders.  An article in the Wisconsin Law Review argues exactly that point:  “The very fact that outside equity is now available to lawyers in other jurisdictions, especially the United Kingdom, could create an influx of external competitive pressures on the American legal-services industry.”  It remains to be seen whether global competition from law firms who have non-lawyer equity owners will ever be sufficiently strong to warrant removal of the ethical bar.  More to the point, given the public’s general distrust of lawyers, it is doubtful these ethical barriers will be removed anytime soon.   The most we can hope for is improved creativity when it comes to billing and an increase in hybrid law firm practices.

Is the Billable Hour Really Dead?

Law firms generally bill by charging an hourly rate for their “timekeeper” services.  Billing rates can slide up or down based on the litigation matter or transaction – for example, the pre-packaged rates provided to an insurer for defense work – or by the seniority of the timekeeper – with partners potentially charging hundreds more an hour than associates.  Even paralegals and some non-lawyer staff are charged at an hourly rate.

There are obviously a few other factors tied to the standard billable hour system:  (1) how many hours are logged; (2) how many hours actually get billed to a client; (3) how many hours actually get paid by the client; and (4) how much in expenses is paid by the client.  At its core, however, it’s the annual ritual of increasing billable hourly rates that has driven law firm double-digit growth for so many years.  Our economic troubles these past few years, however, have put a damper on that yearly ritual.

To that end, the press has generously covered any example of a law firm providing an alternative to the billable hour regime – with an eye towards claiming these sorts of arrangements are becoming more and more commonplace.  For example, it is reported that over 10% of Reed Smith’s new engagements involve some form of alternative fee structure while Saul Ewing offers clients flat fees in some insurance, due diligence and employment matters as well as with will preparation and patent filings. According to a March and April 2009 Altman Weil survey of Managing Partners and Chairs at 687 law firms with 50 or more lawyers, 27.9% felt that “more non-hourly billing” was a permanent change in their firm’s strategy.

High-profile lawyers such as Scott Turow have taken up the “Kill the Billable” banner – even using his famous writing skills to pen an ABA Journal article on the topic.  As Mr. Turow puts it, his “greatest concern is not merely that dollars times hours is bad for the lives of lawyers – even though it demonstrably is – but that it’s worse for clients, bad for the attorney-client relationship, and bad for the image of our profession. Simply put, I have never been at ease with the ethical dilemmas that the dollars-times-hours regime poses, especially for litigators.”

Evan Chesler, head of Cravath, Swaine & Moore, has also very publicly called for the death of the billable hour.   According to Chesler, “[t]he system rewards inefficiency, frustrates clients and has little economic logic.”  Bill Lee, co-managing partner of Wilmer Cutler Pickering Hale and Dorr, offers his opinion in an article published by Corporate Counsel:  “For in-house counsel facing tremendous budgetary pressures, the fixed fee addresses the problems caused by the hourly rate, such as unpredictability, high costs divorced from actual value and, most importantly, the maddening law firm definition of ‘productivity’ — defined as more lawyers and more hours per matter.”

According to a BTI Consulting survey of 1,700 corporate counsel there is a high correlation between how high a law firm scores on positive brand awareness and its revenues – not too surprising here to find law firms are not that different from other companies when it comes to branding.  In fact, the survey revealed that a “10 percent incremental increase in positive differentiation translates into a 28.5 percent increase in revenue for a typical law firm.”

The survey reportedly uncovered that market differentiation was tied to a law firm’s innovation in technology, service and billing.  There is nothing too startling in listing “technology and service,” given that most non-law firm businesses are measured by the same yardsticks.  What is more interesting is the fact that “billing” was considered by legal services buyers to be a marketing attribute that had a direct impact on differentiation and ultimately on a law firm’s revenues.  BTI suggested that “[m]aking aggressive use of alternative billing arrangements (sharing risk, being accountable, etc.)” would assist in such differentiation.  Despite the marketing potential of innovative billing structures, it remains to be seen whether the billable hour’s days are really numbered.

Law Firm Suing Chinese Developers Suffers Attack

Although law firms have been hit with network security attacks over the years and have sustained significant losses in the process, it has never been the case that they were targeted simply because they chose the wrong side in a litigation.  That is, until now.  According to this report, an exploit took place weeks after “filtering software firm CYBERsitter announced that it had retained Gipson Hoffman & Pancione to sue the Chinese government, two Chinese software developers and seven PC makers for allegedly distributing its software code as part of the Chinese state-sponsored filtering and monitoring program known as Green Dam Youth Escort.”

There are reports of other attacks that were recently launched against Google and Yahoo! in order to retrieve account information regarding Chinese dissidents.  According to a report in The Economic Times, McAfee has stated that the Google attack exploited an Explorer flaw.  It will be interesting to see how these “China” exploits pan out in the coming weeks.