Capital Connection is published monthly for members of the Capital Chapter of the Association of Legal Administrators to provide information for the education and benefit of legal administrators, law office managers, managing partners of law firms, and other law related associations. Capital Connection is not engaged in rendering legal, financial, or tax counseling or advice through this publication. The contents of all articles, letters, and advertisements published in Capital Connection should not be considered endorsements by the Capital Chapter of ALA nor the opinion expressed therein of any products advertised. Contributing authors are requested and expected to disclose financial and/or professional interests and affiliations that may influence their writing position. Articles and materials accepted for publication are subject to editing by the editorial team and become property of the Capital Chapter of the Association of Legal Administrators. Links to Capital Connection may not be shared without permission from the Chapter.
Editor: Cindy Conover
Associate Editors: Paula Serratore
Contributing Editors: Jenna Carter; Total Document Solutions; Erin Connors; Hilltop Consultants; Eileen Garczynski; Howie Schaffer
Newsletter Designed By: Jessica Davis
In this issue:
Welcome 2018-2019 Officers!
Hilltop Consultants Spotlight: GDPR Preparation and Compliance
If you are a European Union (EU) based firm or have business interests in the EU, you should be aware of the General Data Privacy Regulation (GDPR) that was approved two years ago.
How do you protect your interests and ensure compliance?
At Hilltop Consultants we support many firms that need to be GDPR compliant. Here are some frequently asked questions, tips and solutions related to GDPR.
General Data Privacy Regulation:
What is it? An EU regulation with the primary objective of strengthening security and privacy protection for individuals. It applies to all personal data that originated in the EU regardless of where it is processed, stored or transmitted. Any organization that has personal data that originated in the EU in its systems will have to comply with the GDPR.
Who does it pertain to? Those who offer goods or services to EU citizens residing in the EU or monitor the behavior of EU citizens residing in the EU. GDPR places obligations on (1) data controllers, the entities that determine the purposes and means of processing personal data, and (2) data processors, who process the data on behalf of the data controllers.
What is the definition of Personal Data? Personal data is categorized as any identifiable information. There are several ways that an individual can be considered “identifiable”, such as an individual’s physical characteristics or name, physical address, photo, personal or work email address, bank information, medical information, posts on social media, biometric data or IP address.
Keep in mind that all organizations having access to individual data that originated from the EU must maintain a plan to detect breaches, regularly evaluate security practices and document evidence of compliance. This is a major component of the GDPR regulation.
We recommend the following steps toward better protection:
Hilltop Consultants helps firms implement practices toward GDPR Compliance by:
There are ways of reducing the risks by taking the steps and actions mentioned above. Although the burden is substantial, mitigation is possible. For more information on how this applies to your firm call or email us!
Ways in which Law Firms Should Look to Manage Potential Exposures as Internet and Cyber-Liability Threats Expand
Senior Vice President and Partner, Ames & Gough
If there was any doubt among law firms about their potential vulnerability to cyber-attacks, recent reports of the so-called “Panama Papers” serve as a sobering reminder that the threat is not only real – but widespread and substantial.
In this case, a law firm was victimized by a series of hacking incidents by a single perpetrator. The hacks occurred without its knowledge, over several years, and involved more than 11 million documents and confidential details of more than 200,000 offshore facilities the firm established on behalf of its clients.
More recently, and closer to home, a specialty law firm in the U.S. Midwest is bringing suit against another Midwest firm alleging it failed to maintain a solid security system and safeguard client data. It’s feared that this action will trigger a wave of similar cases.
As individual hackers and organized criminals look for new ways to steal funds and access confidential corporate and personal financial information, professional services firms have become soft targets for their actions. Indeed, law firms have stores of personal and confidential financial data on employees and clients; they maintain sensitive information about client strategies, trade secrets, and pending business transactions. Firms may also have significant employee and client health data and information protected under the Health Insurance Portability and Accountability Act (HIPAA).
A privacy or security incident can cause a firm a great deal of unwanted press and involve substantial costs. If the firm’s system goes down for any amount of time, significant billable time may be lost. Then there’s the cost of any forensic investigation, potential federal and state regulatory fines and notification costs. Not to mention issues with third parties: a flurry of lawsuits, negative publicity, reputational damage and disgruntled clients.
Network security lapses could also give rise to ethical complaints, as inadequate data security or protection of privacy can constitute a failure to abide by the duty of confidentiality. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Unfortunately, law firms generally have lagged behind other industries when it comes to data protection. To make sure your firm gets up to speed, the following are some suggested best practices for firms to follow to anticipate, prevent, and respond to a data breach, including the purchase of a cyber-liability insurance policy:
Anticipate. Catalog all confidential data owned or maintained by the firm and ensure that proper security procedures are in place for keeping it safe. Conduct ongoing risk assessments, invest in state-of-the-art security measures, and consider hiring “ethical hackers” to test data security. It is important to understand that most firms are targeted for intrusion because of exploitable security weaknesses, not because of their high profiles or the value of their confidential information. Testing the integrity of the system on a regular basis is a wise investment.
Train. Inform employees and vendors of proper security procedures and periodically review and update data security policies.
Prevent. Simple steps law firms can take to prevent a breach include:
Organize. Create a response team to implement a plan of action when a breach occurs. The team should be multi-disciplinary, and the plan should include procedures for promptly identifying and repairing the breach, investigating the cause of a breach, analyzing the implications of the breach, and notifying the necessary parties.
Insure. In the wake of so many cyber-breaches, cyber-liability insurance should be considered a critical component of every law firm’s risk management portfolio along with a comprehensive breach response plan. Keep in mind, however, that all cyber-insurance policies are not identical.
In choosing a cyber-liability insurance policy, carefully consider the scope of coverage and exclusions under a data breach policy, including whether the policy covers costs related to lawsuits, regulatory investigations, internal investigations, notifications to affected consumers, public relations management, credit monitoring, and/or statutory penalties.
Stand-alone cyber-liability insurance policies, addressing both first- and third-party perils, offer a full range of cover that is key to mitigating risk. The policies typically provide coverage through numerous insuring clauses that afford coverage for losses arising out of data or privacy breaches. These include expenses related to the management of an incident, such as forensic investigation, remediation, notification and credit checking. They also provide coverage for business interruption losses, extortion, network damage, and regulatory investigation costs arising out of a cyber-event.
Understanding potential coverage restrictions
Law firms purchasing stand-alone cyber-liability insurance policies should thoroughly understand exactly what their insurance covers, the extent of coverage provided, as well as any coverage exclusions or restrictions.
In comparing various cyber-liability policies offered by different insurance companies, be aware that many insurers will attempt to add exclusions either through the policy wording itself or by endorsement.
While it is not always possible to remove these exclusions, law firms should understand their potential impact and attempt to have them modified or removed. There are more than a dozen specific types of coverage exclusions or restrictions that might appear in many or some cyber-liability insurance policies for law firms. Here are a few key examples:
With respect to the last point, the conduct exclusion for fraudulent or criminal acts of senior management should be worded to apply only after final adjudication, or determination, that the excluded conduct did, in fact, occur.
Many policies don’t cover theft of hardware from your premises and limit protection for breaches to those involving only U.S. privacy statutes or regulations. There are also inadequate sub-limits for forensics and crisis management expenses, which can leave law firms without sufficient funds to investigate where their systems were infiltrated or to address the costs of effectively managing a related crisis event.
In addition, there are likely to be restrictions for restoration of intellectual property or proprietary business information. And when related coverage is provided, it typically is limited to the amortized value.
Another area to check involves the policy’s requirements regarding use of vendors to address data breaches and related issues. Many insurers require policyholders to use the insurance company’s preferred vendors; to have this language changed to allow a law firm to choose its own vendors may require additional premium.
Policy waiting periods
Cyber-liability insurance policies offer an aggregate limit of liability (i.e., the total limit of liability for all claims) as well as sub-limits for each first-party coverage and the fines and penalties aspect of the third-party coverage.
The sub-limits have generally increased in recent years so that law firms can typically get up to 50 percent of the total limit to apply to first-party costs. A dollar deductible, which varies depending on the size of the policy and the firm insured, also applies to each coverage part. In addition to a dollar deductible, most policies include a “time element” or waiting period deductible to trigger the first-party business interruption coverage.
For example, a cyber-policy might require that your network be impaired for more than 12 – 24 hours before the business interruption coverage would apply or be triggered. Law firms should be aware of these policy features and requirements for reporting incidents and related business loss.
Determining how much coverage you need
While there’s no simple formula for determining how much cyber-liability insurance any law firm should purchase, there are three key considerations when choosing insurance policy limits and deductibles:
As internet and cyber-related risks become increasingly widespread and complex, law firms and other professional services firms have become targets of a growing number of attacks. Managing these exposures requires a comprehensive approach that includes sound risk management practices and a careful evaluation of available insurance. Although insurance coverage and pricing have been improving, law firms need to evaluate their coverage options carefully, note potential coverage restrictions and work with insurance companies to address them.
Diversity Corner: Inclusion is Forged in Unlearning
Chief Inclusion Officer, Bonanza Communications
Strangers might be dangerous. Fat people are lazy. Older people are less capable. Women are more caring than men. Men are more confrontational than women. Our heads are full of generalizations, beliefs and ideas planted in our brains, and reinforced by others. Our minds are populated with lessons we have learned from our families, our schools, our friends, our workplaces, our religions or cultures, and yes, from society and the media.
Some of these lessons we have inherited uncritically from others without examining them deeply. Who can we trust? Who can we feel safe with? Who is helpful? Who won’t be offended by feedback? Who will work hardest? These are evaluations we are making all the time in our lives. And these decisions are often unconscious and without our control or clear intention. To be effective in the workplace, every day we need to fight some aspect of our socialization that has taught us a lesson or belief that doesn’t serve us well.
To learn something new we have to forget or ignore something we have previously learned. The patterns of our thinking are so deeply ingrained that we may never lose our snap judgments or the reactive voice inside our head that speaks before examining the evidence. Almost every decision we make daily in business settings requires us to make intentional efforts to challenge our prior knowledge. Unlearning is like stripping the existing paint off a wall so that new paint sticks. If you’ve ever done this work, you know that paint removal is 70% of the job and repainting is 30%.
What do you need to unlearn? How will you go about it? Your career trajectory might depend in part upon the answers you provide.
3 Unlearning Tips
Communications and Media Relations
As members of the Newsletter and Media Relations Committee, Chapter members participate in producing the award-winning Capital Connection. Members gather to brainstorm new ideas for editorial themes for upcoming editions. The newsletter reports Chapter business activities such as Section and Committee news and provides information about upcoming educational and other events. It also includes articles of interest to members and other legal management personnel, collected, authored and/or edited by members of the committee. This committee also works with other legal associations and the media to ensure that ALA and the Capital Chapter are represented in the legal industry. The Newsletter Committee welcomes new members.
Contact: Cindy Conover, Cindy.Conover@Shearman.com; Paula Serratore, email@example.com
Diversity & Inclusion
The Capital Chapter of the Association of Legal Administrators is a professional organization comprised of administrative managers from private, corporate and government legal organizations in the Washington DC, Northern Virginia and suburban Maryland areas. ALACC embraces and encourages diversity within the legal profession. We value diversity and those initiatives that promote it and look to partner with affiliated professional legal organizations to advance diversity. We not only strive to raise awareness, but to increase our sensitivity in the area of diversity and more closely reflect the diversity of our community at large. Having a more inclusive and diverse legal community will improve the quality of our organizations’ workforce and respond to our clients’ requirements for diversity. As a committee we are very interested in your thoughts, comments, and suggestions about achieving greater diversity in our Chapter, our profession, and in our firms.
Contact: Ellen Clinton (Chair), firstname.lastname@example.org; Cameron Gowan (Co-Chair), email@example.com
The Salary Survey Committee is responsible for maintaining, updating and running the local survey each year. They review the positions listed, the job descriptions, and the benefits questions to ensure that the survey remains relevant to the end users. The members of the committee also promote the survey within the Chapter to stimulate participation.
Contact: Julie Tomey (Chair), firstname.lastname@example.org; Sheri Shifflett (Co-Chair), Cheryl.Shifflett@saul.com
The Member Experience Committee will establish a welcoming environment for new members to be integrated into the Chapter through a formal Ambassador Program. Ambassadors will provide support and guidance to new members through their first 12 months of membership, ensuring new members realize benefits of membership and become ambassadors of the Chapter.
Contact: Sarahi Estrella (Chair), email@example.com; Dot Mooney (Co-Chair), firstname.lastname@example.org
Branch Office Administrators
The Branch Office Administrators Section focuses on a broad range of topics of interest to local administrators who must coordinate with other offices of their firms. The Section's monthly luncheon meetings, held on the second Tuesday of the month, provide a venue for members to discuss issues of common interest, share ideas, and network. Members are encouraged to raise topics and to recommend speakers.
Contact: Jackie Thomas (Chair), email@example.com; Anjanette Milladge (Co-Chair), firstname.lastname@example.org
Office Operations Management
The members of the Office Operations Management Section represent a cross section of legal expertise from functional administrators to branch office managers. The Office Operations Management Section (OOMS) meets on the fourth Wednesday of every month to discuss operations related hot topics. We welcome all members to join the section, especially if you are an administrator in a small law office and you have to wear multiple hats. We can provide you with many best practices to run your operation smoothly.
Contact: Linda Padron (Chair), email@example.com; Janice Byrum-Jackson (Co-Chair), firstname.lastname@example.org
Intellectual Property (IP)
The Intellectual Property (IP) Section focuses on all aspects of legal management as it pertains to the IP Administrator. The group discusses the complexity of the ever-changing IP environment and how to effectively create and apply IP specific, non-legal procedures in both boutique and general practice firms.
Contact: Astrid Emond (Chair), email@example.com; Matthew Cichocki (Co-Chair), firstname.lastname@example.org
Small Firm Administrators
The purpose of the Small Firm Administrators Section is to provide Administrators of law firms with 35 or fewer attorneys educational opportunities through vendor presentations, idea sharing and open forums specifically designed for those who work in smaller firms. The Small Firm Management Section meets the fourth Tuesday of the month at host law firms.
Contact: Wilmara Guido-Chizhik (Chair), email@example.com; Jo Jo Ruby (Co-Chair), firstname.lastname@example.org
Next Generation Leaders
The mission of the Next Generation Leaders section is to support our next generation of leaders and close the gap faced by our association and the legal industry as a whole by providing a community for Millennial legal managers and new managers in the legal field with a focus on mentoring, education, and networking. To accomplish this goal, the section hosts monthly section meetings, pop-up events, and educational sessions, and provides 2-way mentoring opportunities.
Contact: Danielle Smith (Chair), email@example.com; Tania Jose (Co-Chair), firstname.lastname@example.org
The Human Resources Section operates as a venue for educational information on global human resources issues. While the Section is mostly comprised of HR professionals, any member is invited to participate in the meetings which typically take place on the second or third Wednesday of each month. The meetings feature industry speakers or roundtable discussions on topics such as recruiting, benefits, strategic planning, performance management, career pathing, retention and other matters of interest.
Contact: Jasmine Stribling (Chair), email@example.com; Tiffany Montgomery (Co-Chair), firstname.lastname@example.org
The Technology Section is looking for members to join the group for lively discussions about practical situations we all face daily in the information technology world. With ever-changing IT needs and issues, we will look at our firms' policies and procedures and help develop best practices and speak of the many concerns we all have. Even if you are not in the IT field, your experiences and opinions will help us in bringing all departments of a law firm together and working on the same page.
Contact: Kenny Mitchell (Chair), email@example.com