3.25.2016

What Kind of Effect Does the Structure of a Law Firm Have on a Data Breach Incident at the Firm?



What kind of effect does the structure of a law firm have on a data breach incident at the firm?

Well, by now we know that though the details of such incidents remain cloaked in secrecy, a consensus is emerging that a data breach is a legal event. But how do and should we be thinking about these events when lawyers have carved out legal protections, such as the Red Flag Rules (https://en.wikipedia.org/wiki/Red_Flags_Rule) for ourselves? Okay, let’s forget about the law for a moment, how about ethics? Is it part of our ethical duty to understand and opine upon which legal organizational structures are a better fit for an eventual data breach incident response? Is this less or more important than understanding a firms’ financial disclosures or are they intertwined?

In Grand Illusion (http://www.klgates.com/files/tempFiles/4ee9900d-b476-42b5-9253-2b24a1615834/Am_Law_Swiss_verein.pdf) from May of 2011, Peter Kalis, K& L Gates Chairman, attacks the Swiss verein structure, noting: “When law firms avoid financial integration and common ownership even where permitted by local law, you’re dealing with firms that wish to simulate rather than to combine as a global law firm.”

Yet we recently learned that FTC Commissioner Julie Brill is heading to Hogan & Lovells, another firm using the verein structure (http://www.hoganlovells.com/newsmedia/newspubs/detail.aspx?news=1573), to lead their Privacy and Cybersecurity practice (http://www.hldataprotection.com/2016/03/articles/news-events/ftc-commissioner-julie-brill-to-co-lead-hogan-lovells-privacy-and-cybersecurity-practice-as-of-1-april/).
Surely in the area of data breaches and ensuing legal issues, Ms.Brill is more prepared than most of us.

In the domain of data transfers and cybersecurity generally, precisely at a time when many have called for greater harmonization of the rules, we face what looks like an increasingly balkanized set of laws, globally. It has been noted that though many of these laws look different, some are essentially equivalent (http://www.sidley.com/publications/essentially-equivalent), by thought leaders at Sidley Austin, a limited liability partnership.

As the globalization of law firms continues to wax and wane (http://www.americanlawyer.com/top-stories/id=1202749529592/Skadden-To-Close-Sydney-Office-Amid-Australia-Jitters?mcode=1202615731542&curindex=2&slreturn=20160225131953), and as long as different continents have different customs and regulations about data incidents, it is possible that these questions will continue to intrigue counselors and insurance underwriters alike. Happy Spring to you all.