Defense Counsel Journal

The Changing Geography of Law Practice: Law Firm Risk Management Considerations

Volume 89, No. 4

March 15, 2023

Fucile_Mark_2017_sized Mark J. Fucile

Mark J. Fucile

IADC member Mark Fucile of Fucile & Reising LLP in Portland advises lawyers, law firms, and legal departments throughout the Pacific Northwest on professional responsibility, risk management, and the attorney-client privilege. Before co-founding his current firm in 2005, Mark served as an in-house ethics counsel for a large Northwest regional law firm. Mark also teaches legal ethics as an adjunct for the University of Oregon School of Law at its Portland campus.

“[I]n this day of a global pandemic, the legal profession has learned to adapt to virtual practices[.]”
~T Diamond Bar, LLC v. Empire Pipe & Supply Company, Inc.,
2020 WL 635523 at *3 (D. Or. Aug. 26, 2020) (unpublished)

“VIRTUAL” and “mobile” lawyering existed well before the Covid-19 pandemic. Similarly, multiple or “branch” offices are nothing new for law firms, either. In the wake of the pandemic, however, the “geography” of law practice has changed significantly. “Hybrid” offices and “remote” work models that initially emerged as expedients during the pandemic are increasingly becoming more permanent going forward.11See generally ABA Formal Ops. 498 (2021) (addressing virtual practice) and 495 (2020) (remote work).  This new geography of law practice has important implications for law firm risk management. Law firms that have approved permanent work-from-home arrangements for both lawyers and staff have, in many respects, acquired more “offices” for which they are responsible in both regulatory and civil liability senses. This evolving geography suggests rethinking corresponding risk management considerations for both the technology that enables physically dispersed work forces and the supervision of lawyers and staff who are not all “just down the hall.” 

This article will first briefly survey the general regulatory and liability principles that govern law firm responsibility for their lawyers and staff. It will then address the changing dynamics for managing those risks for both technological and human resources with the “new normal” of more physically dispersed work forces.22As the title suggests, this article focuses on the risk management aspects of hybrid offices and remote work.  Other areas, such as employment law governing physically dispersed workers and commercial landlord-tenant law stemming from possible reduction in traditional space needs, may also come into play.

I.   Law Firm Responsibility for Lawyers and Staff

Both state lawyer regulatory codes and common law generally make law firms responsible for the conduct of firm lawyers and staff—although they approach this concept in distinct ways.

The ABA Model Rules of Professional Conduct, on which all states’ lawyer regulatory codes are now patterned, focus on the conduct of individual lawyer-licensees rather than law firms.33Proposals dating back over thirty years have suggested that law firms themselves be directly liable for professional discipline. See generally Ted Schneyer, Professional Discipline for Law Firms, 77 Cornell L. Rev. 1 (1991) (suggesting law firm discipline); Elizabeth Chambliss and David B. Wilkins, A New Framework for Law Firm Discipline, 16 Georgetown J. Legal Ethics 335 (2003) (same).  Only a few states, however, have law firm discipline.  See, e.g., N. J. R. of Prof’l C. 5.1(a); N. Y. R. of Prof’l C. 5.1(a).  ABA Model Rule 5.1(a), however, addresses the responsibility of law firm management to make “reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.” ABA Model Rule 5.3(a) applies this same principle to supervision of law firm staff.44Model Rules of Prof'l Conduct Rs. 5.1(b) and 5.3(b) address direct supervision of, respectively, other lawyers and law firm staff regardless of whether the lawyer-supervisor is involved in a firm’s overall management.  Although these rules address the knowing failure to personally institute appropriate systems and policies rather than vicarious liability, the practical result in many instances is the same. Most reported decisions under state rules prior to the pandemic involved discipline of law firm partners for management deficiencies occurring in the same physical office.55See, e.g., Kentucky Bar Ass’n v. Weinberg, 198 S.W.3d 595 (Ky. 2006) (finding law firm partners violated Kentucky RPC 5.1 through failure to supervise associate and accompanying lack of “institutional controls”); In re Phillips, 244 P.3d 549 (Ariz. 2010) (law firm partner disciplined under Arizona ER 5.1 for inadequate practice management controls and related deficient supervision).  A few, involved the pre-pandemic version of “remote” supervision: disciplining law firm partners for inadequate supervision of “branch” offices.66See, e.g., Attorney Grievance Com’n of Maryland v. Kimmel, 955 A.2d 269 (Md. 2008) (disciplining Pennsylvania law firm partners for failing to supervise associate running Maryland branch office).

In contrast, law firm common law civil liability for legal malpractice and similar claims is based on vicarious liability—with a leading national treatise putting it this way: “A law firm, of course, is liable for the conduct of its principals and employees.”77Ronald E. Mallen, Legal Malpractice 572 (Mallen) (2020 rev. ed.).  Restatement (Third) of the Law Governing Lawyers (2000) echoes this unremarkable proposition: “[a] law firm is subject to civil liability for injury legally caused to a person by any wrongful act or omission of any principal or employee of the firm who was acting in the ordinary course of the firm’s business or with actual or apparent authority.”88Restatement (Third) of the Law Governing Lawyers, §58(1) (2020).  See also ABA Formal Op. 08-451 (2008) (discussing responsibility for outsourced legal and support services).  Although claims specifically asserting negligent supervision typically require expert testimony on the standard of care, vicarious liability is based simply on the employment or ownership relationship with the law firm.99Mallen, supra note 7, at 578; accord Restatement (Third) of the Law Governing Lawyers § 58, cmt. a.  Therefore, most reported decisions illustrating vicarious liability involve straightforward application of negligence principles.1010See generally Mallen, supra note 7, at 572-573.  Again, a few involved the pre-pandemic version of inadequate supervision of remote work: finding vicarious liability for legal malpractice for inadequate supervision of branch office personnel.1111See, e.g., Bill Parker & Associates v. Rahr, 456 S.E.2d 221 (Ga. App. 1995) (finding civil liability, in relevant part, for failing to supervise associate in branch office who failed to take timely action on a matter).

Historically, litigated decisions in this area often involved legal questions over whether the lawyer or law firm staff member involved was operating within the course and scope of their work for the firm.1212See, e.g., Wiatt v. Winston & Strawn LLP, 838 F. Supp.2d 296 (D. N.J. 2012) (law firm lawyer); Moser v. Davis, 79 S.W.3d 162 (Tex. App. – Amarillo 2002) (law firm staff).  These traditional cases will no doubt continue to be a staple in this area. With the “institutionalization” of hybrid offices and remote work law firms will more routinely be found liable for negligent conduct that occurred in home offices and remote locations. The changing “geography” of law practice moving forward suggests that law firm risk management also needs to focus on locations beyond the traditional offices that are listed on the home page of the firm’s web site.

II.   Law Firm Technology

The most recent update to the ABA’s Cybersecurity Handbook described in stark terms the threat to law firms from criminals both seeking to steal confidential information1313See, e.g., Leslie Picker, 3 Men Made Millions by Hacking Merger Lawyers, U.S. Says, N.Y. Times, Dec. 27, 2016 (describing insider trading by criminals who had penetrated the networks of several major law firms).  and to hold it hostage:1414In a “ransomware” attack, malware effectively locks a firm out of its own data and the bad actor then demands payment for a digital “key” to unlock the files concerned.  Jill D. Rhodes, Robert S. Litt and Paul Rosenzweig, eds., ABA Cybersecurity Handbook 27-34 (3d ed. 2022) (“ABA Cybersecurity Handbook”).  In other variants, hackers threaten to release confidential data unless ransom is paid.  Id.

As the frequency and sophistication of cyberattacks have increased in recent years, cybercriminals have targeted lawyers and law firms in the United States and abroad due to the vast amount of confidential client and firm information they collect and store. Firms regularly display their lawyers’ work and client lists on their websites, which provides bad actors with the key information they need to orchestrate . . . attacks.1515Id at 13 (citation omitted).

At the same time, law firms face an increasingly complex legal environment in the event of a data breach involving client confidential information. ABA Model Rule 1.6, which governs lawyers’ confidentiality obligations, now contains a specific section addressing responsibility for protecting client confidential information from unauthorized access.1616Model Rules of Prof'l Conduct R 1.6(c) reads:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. This provision was added by amendment in 2012.  See America n Bar Ass’n, A Legislative History:  The Development of the ABA Model Rules of Professional Conduct, 1982-2013, 143-146 (2013) (describing origins of the amendment).  Data breach laws impose a variety of notification requirements in the event client information is compromised.1717See generally ABA Formal Op. 483 (2018) (addressing obligations following data breach); ABA Cybersecurity Handbook, supra note 14, at 134-137 (2022) (surveying regulations); see also ABA Formal Ops. 477R (2017) (addressing, in relevant part, electronic data storage and transmission), 99-413 (1999) (electronic communications).  The standard  of care also increasingly reflects these duties.1818See, e.g., Guo Wengui v. Clark Hill, PLC, 440 F. Supp.3d 30 (D. D.C. 2020) (allowing claims for breach fiduciary duty and legal malpractice to proceed involving data breach).  Depending on the circumstances, sophisticated clients may have incorporated data safeguard standards or breach notifications into their template engagement agreements with firms or associated corporate counsel guidelines that may be enforced through contractual remedies.1919See, e.g., Hiscox Ins. Co. Inc. v. Warden Grier, LLP, 474 F. Supp.3d 1004 (W.D. Mo. 2020) (allowing breach of contract claim to proceed involving data breach).

The theft, loss, or compromise of mobile devices was a risk for law firms even before the pandemic. With hybrid offices and remote work, firms face a more nuanced challenge; they have authorized firm lawyers and staff to work beyond what is ordinarily the “harder” security perimeter of the firm’s “brick and mortar” offices. A firm’s authorization for permanent off-site work effectively means becoming responsible for reasonable confidentiality safeguards for “offices” that may be a lawyer’s or staff member’s house or apartment.

Broadening the approval of office “locations” demands corresponding attention to the technology lawyers and staff employ when working routinely in their homes or other remote sites. The particular policies and practices used will vary with the number of lawyers and staff involved, overall firm size and practice.  In some instances, firms may choose to use only firm-owned equipment on home networks approved by the firm’s technology staff.2020See generally Model Rules of Prof'l Conduct R.1.6, cmts. 18-19 (these comments, which are titled “Acting Competently to Preserve to Preserve Confidentiality,” note that the measures taken to protect confidentiality vary with the circumstances and the sensitivity of the information involved).  In others, firms may instead set clear policies for the use and security of home-based devices and networks and provide lawyers and staff with appropriate training and support.2121See generally Model Rules of Prof'l Conduct R.1.1, cmt. 8 (including the use of law firm technology among the areas lawyers must remain “current” on if they use the technology involved).  Although the emphasis in most instances will be primarily on “high tech” systems, “low tech” devices like paper shredders can play an equally practical role in protecting client confidentiality off-site as they do within traditional offices. With both “high” and “low” tech, the dividing line for technology between “work” and “home” has largely been erased when firm personnel are using technology for firm business—regardless of location.

III.   Law Firm Human Resources

More dispersed workplaces potentially pose many challenges for law firms in managing their human resources as well. On the risk management side, two areas stand out:  confidentiality and supervision.

Confidentiality. It is critical that firm lawyers and staff receive appropriate training to understand and effectively use the technological tools that are available to reasonably safeguard client confidential information when operating from home offices or other remote locations. Beyond the technical aspects, firms authorizing a permanent blend of hybrid and remote work should also consider appropriate training and policies for the physical space involved.  At the outset of the pandemic, the exigency meant that kitchen tables became desks and closets became telephone booths.  Now that the immediacy has passed and firms are authorizing longer term arrangements, firms need assurance that home office spaces become sufficiently “secure” so that sensitive information—whether in paper, electronic, or audible form—will not inadvertently be seen or overheard.  Although most firms will likely not dictate specifics, it would not be surprising to see some basic design standards incorporated into firm work-at-home policies to make reasonably sure, for example, that a client’s commercially sensitive product designs are not seen by neighbors visiting a firm member’s home or that a privileged telephone conversation with a divorce client will not be overheard by a lawyer’s family.   

Supervision. Two risk management aspects of supervision that were problems for law firms before the pandemic will become even more challenging with more dispersed workforces in the aftermath of the pandemic: “administrative” errors, and “lone wolf” partners. 

The ABA’s periodic “Profile of Legal Malpractice Claims” series was last published in 2020 and reflects pre-pandemic data compiled from carriers nationally from 2016 through 2019.2222American Bar Ass’n, Profile of Legal Malpractice Claims 2016-2019 (2020).  Administrative errors, such as failure to either calendar deadlines accurately or to take appropriate action on calendared events, comprised nearly 20 percent of all malpractice claims.2323Id. at 22-23.  The most recent snapshot was not an anomaly. This category has persisted stubbornly since the ABA Profile series was first released in 1985.2424Id.  If these kinds of errors occurred routinely when everyone was in the same physical office, how do firms manage this risk when they are not? The answer is not easy. By the latest data set, many firms had already deployed case management software to track, among other items, key deadlines. This suggests that software alone is only part of the solution.  

Firms also need to actively encourage human interaction appropriate to firm size and practice by, for example, having more than one person both input and monitor docketed dates and related filings. This was already sound risk management practice when lawyers and staff were together in the same physical office. In a more geographically dispersed environment, the need to communicate is even more critical precisely because the working dynamic has changed. An email reminder is easier to overlook than a trusted assistant standing in a lawyer’s office doorway. Calendaring is a ready—but not exclusive—example of the administrative errors cataloged in the ABA Profile series. In hybrid and remote work settings, firms need to adjust their internal communication and not assume that what worked when everyone was in the same office will necessarily work when lawyers and staff are not always in their offices at the same time and place.

On the latter, there are no precise statistics reflecting the number of claims arising from the “lone wolf” scenario where a partner, often at a large firm, acts without oversight and creates potential liability for the lawyer’s firm. Some cases in this genre involve lawyers who engage in fraudulent or other improper conduct that may involve significant potential exposure for the firm.2525See, e.g., Wiatt, 838 F. Supp.2d 296 (claim against law firm for alleged improper conduct by former partner operating largely on his own).  For other examples in this unhappy area, a Google or similar Internet search for “law firm partner sentenced in Ponzi scheme” will unfortunately yield a number of illustrations of the “lone wolf” phenomenon.  Ponzi schemes are not the only “bad thing” that can ensnare law firms through “lone wolf” partners or shareholders.  Due to their potentially catastrophic exposure when they unravel, however, Ponzi schemes and similar investment frauds are especially fraught for law firms.   Others simply involve relatively senior lawyers operating without effective peer review who commit errors—often in areas that are not within their areas of expertise.2626LRY, LLC v. Lake County, 2021 WL 4993480 (D. Or. Oct. 27, 2021) (unpublished) (claim against law firm for alleged malpractice by former partner operating largely on his own).  See also Viner v. Sweet, 70 P.3d 1046 (Cal. 2003) (malpractice claim arising when law firm partner enlisted firm corporate lawyer to assist partner’s friend in complex California transaction even though corporate lawyer was not familiar with California law).  As lawyers become more physically dispersed, a corresponding risk is that they become “siloed” without much, if any, peer supervision, support, or review. Although those situations will not inevitably result in claims, firms moving to more dispersed work arrangements may also need to re-examine their internal mechanisms for supporting and reviewing the work of their partners and shareholders.2727Lack of supervision can create issues for associates and other non-owner lawyers, as well, but employee-lawyers typically work with more senior lawyers who supply oversight.  Undoubtedly, “one size does not fit all,” and practical solutions will need to be tailored to firm size, practices and culture. Keeping the idea of “firm” in the forefront of practice management, however, will lessen the risk that a physically dispersed work force will unravel into something more closely resembling a loosely connected collection of solo practitioners.  

IV.   Summing Up

Given the disruption and the duration of the Covid-19 pandemic and the corresponding changes to both individual and institutional approaches to work, hybrid offices and remote work appear likely to become a permanent part of a “new normal” for law firms moving forward. As expediency transitions into routine, law firm risk management must also evolve to take into account this changing “geography” of law practice.

View Article