Tightrope Walking The Digital Supply Chain (Part II)

Ed. note: This is the second article in a two-part series about a heightened need for vigilance by companies around the cybersecurity of their supply chains in light of recent activity around the False Claims Act (FCA).  Part one addressed the legal landscape of the FCA as related to cyber risk and government supply chains and part two will address proactive steps that companies can take to reduce their FCA threat profile. 

The False Claims Act or FCA (31 U.S.C. §§ 3729 – 3733) was enacted by Congress in 1863 in response to concerns about the sale of fraudulent goods to the Union Army.  Today, the FCA is implicated if a company’s products or services introduce potential cybersecurity risks for requisitioning government agencies and those risks are not properly addressed when raised.

This craggy terrain calls for increased vigilance by companies selling hardware and software to government entities. “Business leaders should think carefully about what it means to manage the security supply chain and to manage your security towards outcomes,” remarked Chris Johnson, Global Compliance Lead for Google Cloud at CyberTalks, presented by CyberScoop in Washington, D.C., on October 24, 2019.

While companies like Nisos (disclosure: I work here) help assess supply chain vulnerabilities by performing attack simulations, vulnerability assessments, and threat investigations, it is imperative that companies adopt internal best practices to stay out of the crosshairs of the FCA.  “Strong, proactive steps are the first lines of defense of your business from the whistleblower claims,” according to Chris Brewster, Administrative Counsel of the House of Representatives.

The Best Defense is a Strong Offense

The following are recommendations from the National Institute of Standards and Technology and other industry experts on how to create a defensible perimeter around a corporate supply chain:

  • Get clear on government requirements: Before entering into a contract, government contractors should scrutinize and document cybersecurity requirements and assess the company’s ability to comply with those requirements, according to DLA Piper. Negotiate the terms of the contract carefully and ensure that language describing compliance activities, employee training, and data protection procedures accurately reflects company practices.
  • Command and control third-party software and components: Be prescriptive about security requirements associated with third-party wares in all contracts. Once a vendor is accepted in the formal supply chain, open up discussions about vulnerabilities and security gaps in software when possible, and unpack, inspect, and x-ray parts before definitively accepting them.
  • Make security inextricable: Establish a secure software development lifecycle process for all software.  Implement training for all engineers and employees in charge of supply chain cybersecurity and bake awareness and compliance into the overall employee experience.  According to the Compliance Resource Center, organizations should educate employees on state law requirements pertaining to civil or criminal FCA penalties, whistleblower rights, and internal requirements for preventing, detecting, and reporting fraud, waste, and abuse.  “By conducting employee training that emphasizes compliance and encouraging early internal reporting of potential issues before they ripen into FCA claims, companies can significantly reduce their threat profile,” advises Brewster.
  • Increase automation: When possible, automate manufacturing and testing regimes to reduce the risk of human error.
  • Document and track risk: Document activities and controls related to cybersecurity, such as operational assessments, analyses regarding whether the company possesses information that requires protection, and any correspondence with the government regarding exceptions, waivers, or applicability of cybersecurity requirements, according to DLA Piper.
  • Open the lines of communication: Establish a transparent culture where potential whistleblowers are taken seriously.  Ensure that managers and HR are prepared to receive and respond to insider concerns before insiders take their concerns to regulators or lawyers.
  • Demonstrate diligence in HR documentation: Executives and managers should be on guard for disgruntled employees who may have incentives to commit fraud in order to make false whistleblower accusations after termination.  While individuals who commit fraud as a whistleblower are barred from recovery for their own fraud, the cost and feat of proving the fraud are often high hurdles for a business.  Mitigate against this potential threat by documenting employee performance, negative reviews, and reasons for termination.  Establishing a protective backdrop in this manner can help refute allegations that the employee was terminated as retaliation for trying to prevent a false claim from being reported to the government.
  • Establish a “security handshake” for software and hardware: Secure booting processes should look for authentication codes and the system should not boot if codes are not recognized. Programs should capture “as built” component identity data for each assembly and automatically link the component identity data to sourcing information.
  • Procure legacy support for products and platforms: Assure a continuous supply of authorized IP and parts to maintain continuity over systems. When legacy systems no longer have adequate support options, consider the vulnerabilities posed by the inability to patch or remediate.
  • Limit access by third-party service vendors: Limit software access to as few vendors as possible. Limit hardware vendors’ physical access to mechanical systems and restrict access to control systems. Implement strong controls around physical access including maintenance of visitor logs and on-site supervision of vendors.

Recent FCA cases mark the increased vigilance required of government contractors, especially around cybersecurity requirements in supply chains.  Implementing front-end measures like strong compliance programs, proper vetting of contract requirements, documenting HR issues, and limiting vendor access can substantially lower your company’s risk profile.  Equally important is the need to adopt a culture of compliance which attends to insider concerns before they evolve into FCA claims and send companies down the slippery slope of litigation.


Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm.  She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years.  You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.

California AG’s Legal Battle With Ashford University Rages On

San Diego Superior Court Judge Eddie C. Sturgeon jokingly boasted at one point during a series of hearings last Friday that even though some Los Angeles courts were setting trials as far out as 2021, he was only scheduling for 2020.

Then the attorneys in the People of the State of California v. Ashford University case came forward for their case management conference.

A lawyer for Ashford said that since there were roughly 40 more depositions to be completed in the case filed in late 2017, a trial date for April 2021 should be set.

A deputy attorney general suggested even that timeline may be ambitious given some of the litigation issues needing to be ironed out.

Sturgeon set a trial date for late April 2021.

The complaint filed by California Attorney General Xavier Becerra’s office alleged for-profit Ashford and its then San Diego-based parent company, Bridgepoint Education, made false promises and provided students with inaccurate information to get them to enroll.

The AG also accused the defendants of illegal debt collection practices against students who were having difficulty paying their bills.

“The People seek an injunction preventing further misconduct, restitution for victims, civil penalties, the Attorney General’s costs of suit, and other relief that the Court deems just, proper and equitable,” the AG’s office wrote in a recent case management statement.

Ashford and its renamed parent company, Zovio Inc., called the AG’s complaint “politically-motivated.”

“The allegations of any pattern or practice of condoned misrepresentations, fraudulent conduct, and misleading advertising are unfounded and false,” the defendants wrote in the recent case management statement. “At all times relevant to this action, Defendants acted in good faith, having implemented a corporate compliance program and other safeguards — which were carefully designed and implemented based on the model for compliance programs established under federal regulations — to prevent, detect, and remedy the type of conduct being challenged by the AG in this case.”

The defendants also highlighted that prior to the AG filing its suit, they entered into settlement agreements with the state of Iowa and the U.S. Consumer Financial Protection Bureau “that addressed virtually the identical issues raised in the complaint.”

In 2014, Ashford and Bridgepoint Education agreed to pay Iowa $7.25 million to settle allegations that they violated the state’s Consumer Fraud Act.

“The company also must comply with minimum standards in its future representations and disclosures to prospective and current students nationwide,” the Iowa Attorney General’s Office said.

Two years later, the company agreed to forgive loans and issue refunds totaling $23.5 million to resolve the Consumer Financial Protection Bureau’s findings that Bridgepoint deceived students into taking out loans that cost more than advertised. Bridgepoint also agreed to pay the bureau an $8 million civil penalty.

The bureau’s release about the consent order noted that the California Attorney General’s Office assisted with the investigation.

The AG acknowledged in the recent case management statement in the San Diego case that it did assist the CFPB with its investigation, including participating in two settlement meetings.

“Defendants ultimately chose to approach the CFPB alone with a settlement proposal which CFPB accepted,” the AG’s office wrote. “The People were not a party to and had no standing to object to Defendants’ settlements with the Iowa Attorney General or the CFPB. Furthermore, this case covers different issues than Defendants’ settlements with the Iowa Attorney General’s Office and CFPB.”

Since the filing of the California AG’s case, Bridgepoint not only changed its name to Zovio, but also moved its headquarters to Arizona earlier this year. In addition, Ashford is working to convert from a for-profit to a nonprofit.

In the meantime, the school and its parent company will continue contending with the California AG’s suit.


Lyle Moran is a freelance writer in San Diego who handles both journalism and content writing projects. He previously reported for the Los Angeles Daily Journal, San Diego Daily Transcript, Associated Press, and Lowell Sun. He can be reached at lmoransun@gmail.com and found on Twitter @lylemoran.

Jay Powell Takes Literal “Same Sh!t, Different Day” Approach To Today’s Congressional Testimony

Big Pow is back on The Hill for a second day of questions, and he is making it clear he has a whole lot of nothing new to say.

How To Get Your Small Firm Financial House In Order

It’s probably true that some people go to law school because — as rumor has it anyway — no math is required. What is indisputable is that nobody goes to law school hoping to spend their time on accounting and bookkeeping matters. Too boring. But as anyone who has ever tried to run a small legal practice (or any business for that matter) knows, the boring stuff matters.

In today’s fiercely competitive legal services market, it is imperative that smaller law firms get their bookkeeping, billing, and financial houses in order.  Proper accounting is not mere beancounting — it’s crucial for tracking the success of your practice.

Join our free webinar on December 13th at 1 p.m. ET and learn how to leverage cutting-edge technology to bring your small or medium-sized practice the “Biglaw” advantage of back-office efficiencies and vital financial insights like the profitability of particular client relationships, practice areas, and matter types.

Learn how to monitor costs and revenues to maximize your profit margins.  Our webinar will be moderated by legal technology maven Bob Ambrogi who will be joined by T.C Whittaker, CPA MBA, of PwC.

Brett Kavanaugh Doing A FedSoc Event Hosted By Facebook Is Kinda Why We Live In Hell

The normalization of alleged attempted rapist Brett Kavanaugh continues in all the ways these bad people get reintegrated into polite society. Kavanaugh enjoys the support of roughly half of the country who either believe that a childhood calendar exonerates the man of serious charges, or just straight up don’t care about how he treats women. His colleagues, who happen to be justices on the United States Supreme Court, say positive things about him in public as they try to forge a working relationship with a man who can, on a whim, take away the rights of vulnerable people. The press that covers him, with a few notable and heroic exceptions, has largely been made to understand that fighting Kavanaugh makes it harder for them to do their jobs, so accepting him is just much easier.

Kavanaugh should be toxic. In addition to the credible attempted rape allegations, there’s the issue of the 83 ethics complaints filed against him and dismissed because nobody can hold a Supreme Court justice accountable, except through impeachment. There’s the record of lying under oath at confirmation hearings; his closeness with disgraced judge Alex Kozinski; and, oh yeah, he sneeringly promised to use his position as Supreme Court justice to exact revenge against his enemies.

Instead of treating him like the drunk uncle who shouldn’t be left alone with the children at Thanksgiving, the Federalist Society is honoring him at an event tonight at their annual National Lawyer’s Convention. This is classic FedSoc: As long as you are committed to taking away the rights of women and minorities, anything you do in your private life that is hurtful to women or minorities is also okay.

In a reasonable world, we would view Supreme Court justices speaking to partisan organizations as incredibly problematic. The Federalist Society is a partisan, agenda-driven organization which has actively promoted legal arguments designed to upend precedent and crush individual rights. Even if one agrees with Federalist Society teachings, a sitting Supreme Court justice should not be giving them aid and succor by appearing at their national events.

Of course, we’re talking about Brett Kavanaugh here. This is a man who does ex-parte photo ops with people who have current business in front of the Supreme Court. Expecting Kavanaugh to not appear at a FedSoc event is like expecting a dog to not root around in the trash when it spends half of the day licking its butt anyway.

The wrinkle with this appearance is that tonight’s FedSoc event is in part sponsored by Facebook. Sorry, “FACEBOOK.”

Facebook has a long history of supporting Kavanaugh because one of its bigwigs — Joel Kaplan, vice president of global affairs — is reportedly close friends with Kavanaugh. That’s really all it takes. Credible allegations of sexual misconduct, documented history of being untruthful under oath, partisan hackery, and revenge threats against his enemies aside, Kavanaugh has a “buddy” inside Facebook, so of course the company will support Kavanaugh and an organization that thinks the original intent of slavers is the most sacred foundation of Constitutional law.

I’m sure it doesn’t hurt that, should Facebook fail in its efforts to hand another election to Donald Trump, the company will be facing a legal reckoning under a Democratic administration. Facebook will likely challenge any new regulations in court. And nearly any court challenge could wind up on the desk of Brett Kavanaugh, speaking for a conservative super-majority.

Demand Justice is trying to launch a protest campaign against Facebook’s support of Kavanaugh, led by employees of Facebook.

“Facebook should not be sponsoring the rehabbing of Brett Kavanaugh’s reputation when Dr. Blasey Ford remains unable to resume a normal life after bravely coming forward last year,” said Katie O’Connor, senior counsel for Demand Justice. “You can claim to respect survivors of sexual assault or you can pay for a celebration of Brett Kavanaugh, but you can’t do both.”

People are trying.

The Federalist Society is the nexus point of a little bubble where the legal vanguard of white supremacist logic gets to mingle and swap notes with fellow culture warriors. These are the people who bring you ethno-nationalist Steven Menashi (who is being confirmed today, by the way). These are the people who bring you the zealotry of Amy Coney Barrett. These are the people who bring you torture defenders like James Ho.

Brett Kavanaugh is the perfect symbol for the entire organization: A white man of unexamined privilege who gets dangerously angry when anybody tries to hold him to account for his past actions. He is the embodiment of everything that is wrong. Of course they are honoring him. His mere existence as a Supreme Court justice is a triumph for every white man who ever thought he could drown out the cries of his victims merely by turning up the music a little louder.

It should be a great night for these people. They’ve won.

But we don’t have to treat their victory, their supremacy, and their smugness as “normal.” It is not normal. I will never treat them as normal. I will never stop fighting these people, even to the point where I’m regarded as the weird one.


Elie Mystal is the Executive Editor of Above the Law and a contributor at The Nation. He can be reached @ElieNYC on Twitter, or at elie@abovethelaw.com. He will resist.

It’s Not Your Imagination — Women Are Leaving Biglaw In Droves

A new report by the American Bar Association and ALM Intelligence, called “Walking Out the Door: The Facts, Figures and Future of Experienced Women Lawyers in Private Practice,” surveyed more than 1,200 Biglaw attorneys to find out why women are leaving the Biglaw life. Because while law schools are pretty regularly hitting between 45 and 52 percent women enrolled, it drops off in practice — only 20 percent of law firm equity partners are women in 2018. What they found was wild differences in perceptions about what firms are doing to promote gender diversity.

For example, they asked managing partners if their firms were “active advocates of gender diversity,” and 82 percent said yes. Ninety-one percent of men surveyed agreed as well, but only 62 percent of women were on board. Similarly, 84 percent of managing partners agreed that their firms promote women into leadership. And while 75 percent of men also thought so, a dismal 55 percent of women agreed. When asked if their firms have success retaining experienced women, 74 percent of managing partners said yes, compared with 64 percent of men, and a mere 47 percent of women who agreed.

And as study co-author Stephanie Scharf told Law.com, this is a problem:

“The data suggests that firms may not understand how their own people are viewing the policy and practices that they are implementing with respect to advancing women,” said study co-author Stephanie Scharf, a partner with the women-owned firm Scharf Banks Marmor and chair of the ABA’s commission on women in the profession.

The other co-author, Roberta Liebenberg, senior partner at Fine Kaplan and Black, pointed to an overall culture of bias in Biglaw, calling it “death by a thousand cuts. It’s not one thing, but an accumulation of experiences they believe are different because of their gender.” For example, 50 percent of women surveyed said they’re satisfied with the recognition of their work compared with 70 percent of men. Only 45 percent of women reported satisfaction with their opportunities for advancement, yet 69 percent of men said they were satisfied with their opportunities. Plus a whopping 82 percent of women surveyed said they’ve been mistaken for a low-level employee. Ugh.

It’s pretty clear that firms have to do more than want a gender diverse work environment — they have to take real steps to make it happen.


Kathryn Rubino is a Senior Editor at Above the Law, and host of The Jabot podcast. AtL tipsters are the best, so please connect with her. Feel free to email her with any tips, questions, or comments and follow her on Twitter (@Kathryn1).

Do We Still Need OCI?

With the “Fall” Recruiting Cycle having come to an almost complete close, the legal recruiting world has hit a bit of a lull in the schedule.  Those of us in Career Services have likely shifted to working with 1Ls, and even that is not particularly intense at this moment as that cohort gears up for their first taste of law school final exams — the notable exception being my peers who work with international LL.M.s, who are likely awash in résumés as the deadlines for LL.M. job fairs are either rapidly approaching or have just passed, depending on which job fair is at issue and how long it takes me to write this column.  On the legal employer side, with much of the Biglaw 2020 2L summer associate class locked in, one might be hard-pressed to find a Caribbean beach without at least one legal recruiting professional having drinks with little umbrellas brought to them.

Without the same sort of day-to-day stressors prevalent in the late summer and early fall, this quieter period allows those of us in legal recruiting to be a bit more contemplative about bigger issues and more fundamental matters in this little slice of the legal profession.  Such big-picture thinking has only been amplified this year as we all live through the first iteration of the post-NALP Guidelines era.  One such macro question I have heard bandied about recently is whether On-Campus Interviews (OCI) still serve a purpose in 2019.

On its face, such an inquiry is borderline sacrilegious.  It is quite likely that many of those reading this column obtained their current position through OCI, or at the very least got their first job out of law school via the structured interview process.  Indeed, for many law students, especially those at the nation’s top law schools, going through OCI is an exhausting rite of passage.

From a historical perspective — strangely, actual histories of OCI and how it came to be an integral part of the legal recruitment process are seemingly nonexistent online, so if anyone is looking for a remarkably niche law journal/NALP Bulletin topic, be my guest — OCI makes sense.  Several decades ago, a law student in Boston who wanted to work in Minneapolis, or a Chicago firm looking for students in Texas, would have had a difficult time connecting.  The lone option very well could have been sending out résumés/firm solicitations by mail in the hopes they would be seen by the corresponding parties.

By having firms come to campus, it ensured that employers could meet with at least a subset of the population while students could have access to employers from across the country.

Of course, communication technology has significantly evolved over the last several decades.  An oft-used, but accurate, example is that the average cellphone that nearly everyone currently has in their pocket/purse has more computing power than the entirety of NASA during the Apollo program.  That same device allows a law student to contact all, or nearly all, employers for which s/he might want to work while similarly allowing legal employers to keep in near touch with certain targeted students.  Indeed, through email, text, social media, and more, legal employers can recruit law students at a level typically reserved for five-star high school athletes — hopefully, we can skip the recruiting diaries.

On top of the technological advancements, the last several years have seen an increasingly aggressive push by legal employers to try and snatch up the “top” law student talent earlier and earlier.  OCI calendars around the country have moved further into the summer, but even that has not been enough with firms seeking to collect résumés from students before the summer even starts and schools developing/taking part in off-campus job fairs that have cannibalized OCI.  Not to mention that the entire idea of using initial interviews to cull down the list of job applicants might soon be on its way out.

So with all of this in mind, does OCI still make sense in 2019?  I say yes for a few reasons.  First and foremost, at schools where OCI includes at least a partial lottery process, it provides an opportunity for all parties to go beyond their preconceived notions and what is found on a piece of paper.  By that, I mean that when employers are reviewing candidates, oftentimes they rely on a fixed list of traits in their quest for a “good” attorney.  High grades, top-ranked law school, law journal participation, etc.  Oftentimes, there is a strong correlation between those traits and someone who will go on to become a valuable member of a law firm or other employer.  But the correlation is not 100 percent.  At each and every law school in this country, there are at least a handful of students who might not stand out when looking at their application materials, but once you sit down across from them in a room, they absolutely shine.  Without an at least partial lottery-based OCI, these future attorney gems will likely go undiscovered.  In fact, that is why I think ALL law schools who have an OCI program should make at least part of the interviews lottery-based.  Granted, this will lead to some awkward interviews between students and employers who are not well matched (see, e.g., my OCI interview with Cravath), but the benefits far outweigh the downsides.

OCI also provides an invaluable opportunity for legal recruiting professionals to actually interact in person with one another.  A lot of my job is done via email or, if absolutely necessary, via the phone.  While such basic levels of communication are valuable and can allow a CSO to function, truly strong relationships are developed when CSO staff and legal recruiters are in the same room and can have actual face-to-face conversations.  While there are non-OCI avenues for such interactions — on-campus professional development events, NALP gatherings — OCI provides a rare opportunity to have a large number of legal recruiters come to campus in a relatively short amount of time.  Conversely, it allows recruiters to visit an array of schools and strengthen those relationships.  It is not just legal recruiting professionals either; OCI allows attorneys, often alumni, to come back to campus.  This can strengthen their bond with the law school, a fact that will definitely please those in a law school’s Development Office.  The drawback is that OCI is an expensive endeavor for both law schools and legal employers, not only financially but also in the attorney time and staff resources that have to be invested.  However, it is clear to me that the investment is one that will reap a significant yield.

The legal recruiting world is currently undergoing some significant changes and the Class of 2022 is encountering a much different recruiting ecosystem than that of my colleagues in the Class of 2008.  OCI has long been a tentpole of legal recruiting and while changes and updates are valuable, I do not think we need to abandon the process entirely.  Legal employers, law schools, and most importantly law students would lose far more than they would gain in a world without OCI.


Nicholas Alexiou is the Director of LL.M. and Alumni Advising as well as the Associate Director of Career Services at Vanderbilt University Law School. He will, hopefully, respond to your emails at abovethelawcso@gmail.com.

Biglaw Bonus Announcement Comes With Lack Of Clarity For Mid-Level And Senior Associates

It’s nice, if somewhat boring, to report when a Biglaw firm offers a straight match of the market standard set by Milbank earlier this month. There’s clarity for associates — current and prospective. Unfortunately, that’s just not how every firm rolls. Ropes & Gray announced their bonus schedule today, and while junior associates are clear on what they’ll take home (subject to some conditions, as described below), mid-level and senior associates are not afforded that clarity.

Here’s the bonus grid the firm circulated:

Class of 2019 – $15,000 (pro-rated)
Class of 2018 – $15,000
Class of 2017 – $25,000

Anyone more senior than the class of 2017 is off the grid. The world of individualized compensation could be good, could be bad, or could be average for associates, putting them largely at the mercy of how busy their practice group was this year.

Additionally, Ropes & Gray is the first Biglaw firm to announce bonuses this year that have significant stipulations on them (there will be more before bonus season is over). The target for the bonuses is 1,900 billable and pro bono hours, and the firm may adjust the bonuses up if associates bill “substantially” more than that, or down if they fail to meet the target. Plus, the firm’s policy will automatically deduct from the bonus amount if the associate fails to diary their hours in a timely manner.

Bonuses will be paid by the firm on December 24th.


Kathryn Rubino is a Senior Editor at Above the Law, and host of The Jabot podcast. AtL tipsters are the best, so please connect with her. Feel free to email her with any tips, questions, or comments and follow her on Twitter (@Kathryn1).

If You Can Survive 22 Years Without Getting Fired By Ken Griffin, You Get To Be Citadel President, Co-CIO

For a little while, anyway, before, you know….