Category Archives: Risk Management

Accounting Firm, Law Firm, Network Security, Risk Management

Is Chinese Government Really to Blame?

Just wondering.  Is the Chinese Government being set up?  One has to wonder why a year-old report by a British spy agency was only recently leaked to the press.  Among other things, the report claims that free USB memory sticks loaded with trojan software was given to business leaders and lawyers at various Chinese trade events.  Another report  recently in the press indicates that classified documents from government and private organizations “including the computers of the Dalai Lama and Tibetan exiles” were hacked into.  Really?   The Dalai Lama?   Another report indicates that oil drilling data was purloined by servers in China.  

Given none of these attacks have any real direct linkage to the Chinese Government, the only two factors being used to implicate the Chinese Government relates to the sophistication of the attacks and the fact they originated on servers based in China.   This is hardly persuasive evidence that the government was involved.  There are any number of governments and large corporations able to perform these attacks.  Moreover, the fact that servers in China are being used also does not really indicate anything.  According to a report in Information Week, the country that hosted the most phishing sites in the third quarter of 2009 was not China.  It was not even close.  For example, in September 2009, the United States hosted 75.76 percent of all reported phishing sites.  China came in third place with 3.44 percent.  It is likely that of the US-based servers used, many were used by foreign attackers looking to cover their tracks. 

Similarly, it seems like a odd coincidence that oil data theft and so many other intellectual property hacking incidents are only being traced to Chinese servers when the Chinese Government – if culpable – could have easily used US-based servers to cover their tracks.  In other words, let’s not be so quick to blame the Chinese Government for attacks that could very easily have been done by other sophisticated hackers or simply Chinese citizens working on their own initiative.

Law Firm, Litigation Management, Risk Management

Is the Bar Against Non-Lawyer Equity Owners Outdated?

Under Model Rule of Professional Conduct 5.4, “[a] lawyer or law firm shall not share legal fees with a nonlawyer” except under very limited circumstances.  Accordingly, it has long been the rule that only lawyers could manage or have an ownership interest in a law firm.   That is why, for example, no law firm (at least none in this country) has ever gone public.  Ostensibly, this rule prevents direct conflicts of interest in that shareholder interests are never allowed to trump client loyalty.  This rule mimics the rule that bars the corporate practice of medicine.  On the other hand, accounting firms generally only need a majority of their owners to be licensed CPAs.

If non-lawyers held an equity interest in a law firm, the Appearance of Impropriety Rulewould also apply whenever a law firm’s interests appeared to benefit equity owners’ interests over that of a client.  For example, a very conservative defense strategy might prolong a lawsuit and give the appearance that the strategy was enriching shareholders to the detriment of a client.  Aggressive collection strategies might also appear to create a direct conflict between shareholders and delinquent clients.  Although N.J. R. 1.7:210 is focused on barring dual representations, e.g., representing both sides in litigation, it can easily be envisioned that this rule might also apply to bar representations when outside shareholder interests were in direct conflict with a client. 

Are these ethical prohibitions fair or sound? 

Other than via the traditional “bill, manage, or produce” buckets, lawyers have few options when it comes to generating significant wealth.  For example, the potential upside for a successful litigation billed on an hourly basis is only the promise of future business.  Unlike their clients or even their investment banker peers, lawyers are not issued stock options, cannot invest in deals, and never reap the rewards of a seven figure annual bonus based on the upside of a corporate transaction.  This leads to an obvious disadvantage when it comes to law firms competing with hedge funds, investment banks, consulting firms, or high-growth companies.  It is clearly unfair that law firms experiencing double-digit growth are unable to reward those who contribute to such growth with some equity interest that can be sold to non-lawyers.  As for the soundness of such ethical prohibitions, they primarily make sense if one adopts a paternalistic approach – one that  assumes lawyers will not recognize the right ethical course of action unless given a blueprint.  Otherwise, the prohibition makes little sense.

In addition to questions regarding the soundness or fairness of this ethical framework, a bar against law firm shareholders puts US law firms at a disadvantage with global law firms who do have non-lawyer shareholders.  An article in the Wisconsin Law Review argues exactly that point:  “The very fact that outside equity is now available to lawyers in other jurisdictions, especially the United Kingdom, could create an influx of external competitive pressures on the American legal-services industry.”  It remains to be seen whether global competition from law firms who have non-lawyer equity owners will ever be sufficiently strong to warrant removal of the ethical bar.  More to the point, given the public’s general distrust of lawyers, it is doubtful these ethical barriers will be removed anytime soon.   The most we can hope for is improved creativity when it comes to billing and an increase in hybrid law firm practices.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

SMBs Increase Investment in Data Security

More and more security firms are pushing their products towards the SMB market.  In a recent press release, Blackhat Solutions  looks to sell its services by warning “small to medium businesses of their financial and legal susceptibility in the face of increasingly sophisticated data hacking.”  This is no surprise given Forrester Research projects that about 40 percent of SMBs are planning to increase their IT security budgets for 2010.  In its $1,749 report, Forrester outlines why network security and data security top the IT investment and attention for SMBs.  The goal in increasing funding is to protect data rather than just finding broader operational savings – a past common driver of IT initiatives.

SMBs should also be looking to make a little lemonade with their added expenses.  Why not take this increase in data security expenditure and turn it into a profit-making marketing edge?  Most smaller firms who are able to position themselves as security stalwarts will eventually increase their market share no matter what industry they are in.  It’s that simple.   When building out their enhanced security capabilities, there is no reason SMBs cannot also get this marketing message out to their clients, business partners and employees.

Litigation Management, Middle Market Business, Network Security, Privacy, Risk Management

Data Breach Expenses and BCBS of TN

According to a news report, BlueCross BlueShield of Tennessee admitted on January 25th that it has spent more than $7 million to address an October theft of 57 computer hard drives.   The company said that it may have to spend millions more to assess what was on the missing computer records and to provide identity protection for affected customers.   According to its website, the company has notified 220,000 BCBS customers in Tennessee and other states where persons covered by BCBS of TN plans may work.  Further, determining what was on the stolen hard drives as required by the HITECH Act and state notification requirements has required the hiring of more than 700 contract and BlueCross workers.

If we are to accept the Ponemon Institute’s most recent Cost of Breach report, this breach will ultimately cost BCBS of TN over $44 million.   Given that 67% of the $204 per record cost consists of lost customers and other indirect costs, it looks like BCBS of TN has another $7.8 million to go on its notification, credit monitoring, forensics and other direct expenses.

This breach is a stark reminder that even though the lawsuits are being won by breach defendants, costs incurred prior to the first lawsuit can be very significant.  Having a post-breach gameplan in place to address these costs has certainly become absolutely crucial during the past few years.   After all, nothing hurts a bottom line as quickly as a significant unfunded expense.

Update:  March 14, 2012
BCBS of TN agrees to pay HHS $1.5 million under the HITECH Act’s breach notification settlement.  When coupled with the $17 million in first-party expenses already paid, this incident remains a stark reminder as to the benefits of a network security and privacy insurance policy.

 

Accounting Firm, IT Consultants, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Google Attacks Provide a Valuable Lesson

The facts are starting to surface regarding the recent attacks against Google, Yahoo! and Microsoft – all of which have been linked to Chinese interests.  According to one recent report, the attackers selected employees with access to proprietary data, determined their social networking friends and then hacked into those accounts.  Once in control of the friends’ accounts, the attackers (posing as friends) sent their actual targets instant messages with links to sites that installed spying software on their computers.   

This sort of criminal strategy could be applied to any company – large or small.  In fact, it is much easier to assume that the president of a large middle market firm has more valuable intelligence on his computer than a strategic employee at a larger company.   Having knowledge of this sort of attack is important given the overall number of attacks against business has been increasing.  According to a recent CSO Survey, 37% of businesses polled have seen an increase in attacks during the past 12 months.  

One sure way to reduce the risk of a corporate attack is to limit social networking access to those individuals in marketing or sales who have a corporate reason to go to those sites.   Even those individuals should have proper training so that they would know, for example, not to click on links that have strange URLs or link to content that does not serve a distinct corporate purpose.  Also, try hard to avoid clicking on an image.  It may be hard to do.  Our propensity to click on whatever online content we see is a habit not easily kicked.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Ponemon Cost of Breach Report Released

According to the latest Ponemon COB report, data breach attacks have doubled this past year while the average cost of a data breach has increased to $204 per compromised record.  The Ponemon Institute looked at several variables when determining this $204 number, including:  lost business; legal fees; disclosure expenses; consulting help, including forensics; and remediation expenses such as improved technology and training.  Page 16 of the report indicates that lost business is the most significant component of this number – representing $135 of the $204 amount.   In other words, those firms disclosing to the Ponemon Institute information regarding their breach have had a signficant documented loss of business.  In addition to providing this valuable insight regarding brand damage caused by a breach, the report is also instructive given it offers information regarding the causes of 2009 breaches. 

According to this Ponemon Insitute report, data breaches generally have three primary causes:   third party negligence; malicious attacks such as coordinated botnet attacks; and negligent insider behavior.  In fact, the Ponemon Institute points out that 42 percent of all cases in the study involved third-party negligence.  Although this overall number (as well information in the report) is based on information provided by only 45 businesses  willing to speak in detail with the Ponemon Institute, the number should not be taken lightly – especially since it is not that far off from numerous other studies and surveys done over the years. 

The two lessons here – breaches lead to lost business and third-party negligence is a signficant cause of breaches – actually have more to do with marketing then with risk management.  In a prolonged down economy, small and middle market companies need to differentiate by showcasing their network security and privacy strengths.  Instead of shying away from the efforts needed to improve your network risk profile, embrace the endeavor by realizing it will only be a matter of time before you are required to do what you are voluntarily doing now.  As with most corporate best practices, being one step ahead of your competition when it comes to network security and privacy can turn into a significant marketing advantage.  Depending on your business goals and what you do to generate revenue, this advantage can easily turn into a sustained  competitive edge.

Law Firm, Risk Management, Small Business

Is the Billable Hour Really Dead?

Law firms generally bill by charging an hourly rate for their “timekeeper” services.  Billing rates can slide up or down based on the litigation matter or transaction – for example, the pre-packaged rates provided to an insurer for defense work – or by the seniority of the timekeeper – with partners potentially charging hundreds more an hour than associates.  Even paralegals and some non-lawyer staff are charged at an hourly rate.

There are obviously a few other factors tied to the standard billable hour system:  (1) How many hours are logged; (2) How many hours actually get billed to a client; (3) How many hours actually get paid by the client; and (4) How much in expense is paid by the client.  At its core, however, it’s the annual ritual of increasing billable hourly rates that has caused law firm double-digit growth for so many years.  Our economic troubles these past few years, however, have put a damper on that yearly ritual.

To that end, the press has generously covered any example of a law firm providing an alternative to the billable hour regime – with an eye towards claiming these sorts of arrangements are becoming more and more commonplace.  For example, it is reported that over 10% of Reed Smith’s new engagements involve some form of alternative fee structure while Saul Ewing offers clients flat fees in some insurance, due diligence and employment matters as well as with will preparation and patent filings. According to a March and April 2009 Altman Weil survey of Managing Partners and Chairs at 687 law firms with 50 or more lawyers, 27.9% felt that “more non-hourly billing” was a permanent change in their firm’s strategy.

High profile lawyers such as Scott Turow have taken the “Kill the Billable” banner – even using his famous writing skills to pen an ABA Journal articleon the topic.  As Mr. Turow puts it, his “greatest concern is not merely that dollars times hours is bad for the lives of lawyers – even though it demonstrably is – but  that it’s worse for clients, bad for the attorney-client relationship, and bad for the image of our profession. Simply put, I have never been at ease with the ethical dilemmas that the dollars-times-hours regime poses, especially for litigators.”

Evan Chesler, head of Cravath, Swaine & Moore, has also very publicly called for the death of the billable hour.   According to Chesler, “[t]he system rewards inefficiency, frustrates clients and has little economic logic.”  Bill Lee, co-managing partner of Wilmer Cutler Pickering Hale and Dorr, offers his opinion in an article published by Corporate Counsel:  “For in-house counsel facing tremendous budgetary pressures, the fixed fee addresses the problems caused by the hourly rate, such as unpredictability, high costs divorced from actual value and, most importantly, the maddening law firm definition of ‘productivity’ — defined as more lawyers and more hours per matter.”

According to a BTI Consulting survey of 1,700 corporate counsel there is a high correlation between how high a law firm scores on positive brand awareness and its revenues – not too surprising here to find law firms are not that different from other companies when it comes to branding.  In fact, the survey revealed that a “10 percent incremental increase in positive differentiation translates into a 28.5 percent increase in revenue for a typical law firm.”

The survey reportedly uncovered that market differentiation was tied to a law firm’s innovation in technology, service and billing.  There is nothing too startling in listing “technology and service” given that most non-law firm businesses are measured by the same yardsticks.   What is more interesting is the fact that “billing” was considered by legal services buyers to be a marketing attribute that had a direct impact on differentiation and ultimately on a law firm’s revenues.  BTI suggested that “[m[aking aggressive use of alternative billing arrangements (sharing risk, being accountable, etc.)” would assist in such differentiation.   Despite the marketing potential of innovative billing structures, it remains to be seen whether the billable hour’s days are really numbered.

Network Security, Risk Management, Small Business

Security MSP Option for Small Business Owners

As pointed out by this article, when it comes to network security, small business owners are often “hampered by a lack of resources, fewer qualified security personnel, less money to buy necessary products, and more difficulties complying with regulations that often were written without companies of their size in mind.”  And, as pointed out in this article, a small business can be more of an attractive target for “spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.”  In fact, as reported by Business Week, some small businesses can even become victims of identity theft.

Unfortunately, given the increase in sophisticated attacks made against small business owners, it is becoming more and more difficult for these owners to deploy suitable resources.   One available option today to smaller companies is the “outsourcing” of security to a managed service provider.  MSPs who are focused on security and IT management for small business owners have network security resources and expertise built as their core competency.   Although it may seem to be the last thing a company would want to do, i.e., have another company take ownership over its network security, so long as the MSP is properly vetted and has clear staying power, there is little difference between using a MSP for data security or using a bank for financial security.

Privacy, Risk Management, Small Business

Is Privacy Really Dead?

According to this article, Facebook founder Mark Zuckerberg recently said that “privacy was no longer a ‘social norm”’.   This convenient point of view comes less than a month after Facebook changed the way it organizes user information.  Under the old system, people had the option of being  placed into regional networks like “North Jersey”, while the new system removes this distinction so that your information can be visible to any Facebook user and not just those in your network.   

As well, the new “Everyone” setting doesn’t just limit your page to Facebook users – it allows access to everyone on the Internet, including Google , Yahoo! and any other search engine spiders.  In other words, if you use the Facebook default settings – which many new users do – you will end up posting to anyone with online access and you may now also end up on a search engine results page.  LinkedIn has been doing this for years now.  This increase in exposure is obviously the goal behind the recent Facebook changes.  In other words, Facebook will be able to grow it’s user base beyond its already staggering 350 million users.

There is obviously a simple solution:  Limit your visability to those who are friends and curtail what you post on your page that is made visible to non-friends.  Go to this site for detailed information on how to set your Facebook privacy settings.  Privacy is not dead – unless you choose to let it die.

Risk Management, Small Business

Planning for Disaster

Today is the one year anniversary of the “Miracle on the Hudson” – the day a plane landed in the Hudson River after its engines ate too many geese and shut down.  All of this took place literally shouting distance from New York City’s skyscrapers.  The captain of the plane as well as a group of passengers each wrote a book detailing this amazing story.  

The key takeaway from this event is that planning for disaster – whatever that might be for your business – is not a waste of time.  According to an account reported in his book, Captain “Sully” actually studied beforehand an ocean ditching similar to the one he performed in the Hudson River.