January/February 2020

Ethics

Are Your Outside Counsel Guidelines Ticking Time Bombs?

Lucian T. Pera

In many law offices, quietly tucked away among the oldest documents in individual client files, are ticking time bombs.

Some are small. Some are large. Many are completely unread.

It’s long past time to send the bomb disposal unit out to find them. It’s also time to get organized by identifying, cataloging and defusing them as they come into your office.

What Are OCGs?

Over the last five years or so, more organizational clients have begun to use outside counsel guidelines (OCGs) or broadened their use of them. More recently, many clients have used these guidelines, and equally onerous cybersecurity questionnaires, as tools for imposing all manner of technology security obligations on lawyers and firms.

OCGs have been used for decades, especially by insurers hiring defense counsel and the largest of business clients. Their traditional subjects have included tedious topics like billing procedures—they won’t pay for research or faxes; “block billing” is forbidden; you cannot bill for time spent on in-office conferences; time entries must include task-based billing codes.

Over time, however, the scope of OCGs and the number and types of clients using them have crept steadily broader. New favorites and dangerous topics for OCGs include broad definitions of client identity, indemnity provisions and cybersecurity requirements.

And to be clear, the size of the lawyer’s office does not matter. The kind of OCGs a lawyer may be subject to, and their onerousness, depends mostly on the kind of organizational clients the lawyer serves and, increasingly, what business the clients are in. Health care, banking and mass consumer-credit clients, for example, have imposed new and burdensome requirements on their lawyers.

What, Me Worry?

Too many lawyers, just happy to have a new client, simply receive a lengthy set of OCGs, sign or agree to them and throw them in the file without reading them. It’s true even in some larger firms. What could possibly go wrong?

Well, for starters, that oblivious lawyer (and all her partners) could have just unknowingly agreed to take on dozens of new clients. Her firm could have agreed to indemnify the new client for missteps that might not otherwise have led to law firm liability. The lawyer could have agreed that her firm would not take on any number of new matters from potential clients that the new client sees as its competitors. The lawyer could have signed up for fee discounts only triggered by lower rates only later given to other clients (e.g., a “most-favored nations” provision).

Oh, and the lawyer might well have given away the benefit of carefully written engagement letter provisions by agreeing to a client’s OCGs stating that its provisions trump any other agreement between lawyer and client.

Old Favorites

Over the years, patterns have emerged in troublesome OCG provisions.

Client identity.

Regular readers of this column know I am a fan of clear agreement between lawyer and client—especially any organizational client—about who the client is and is not. And I love getting that in writing.

But many corporate clients use OCGs to broaden the definition of client to extremes. Years ago, one client sent us OCGs saying that, by taking on this one corporate client, we were agreeing to take on all its affiliates, pointing to an exhibit of more than 30 pages that listed more than 1,000 affiliates worldwide. Some of them were joint ventures in which the parent company had a minority stake.

In recent years, corporate clients have become less extreme in their positions, but just as I urge lawyers to confirm in engagement agreements who is and is not a client, so I urge lawyers to carefully scrutinize every new client’s definition of the lawyer’s client. Further, insist that clients specifically identify whomever they want to identify as a client—not merely “all affiliates.”

Conflicts of interest.

Much mischief lives in some clients’ attempts to redefine conflicts of interest.

It’s bad enough when a client seeks to restate the definition of a conflict of interest. That’s unnecessary. (Courts and ethics nerds have done a darn good job of this without OCGs, and clients should just leave this alone.) But there often appears to be an ulterior motive—broadening the loyalty required of the lawyer, for example. Lawyers should push back on this to identify the true and legitimate client concerns leading to new conflict definitions, so as to meet them directly.

Clients often use this approach to forbid a lawyer from representing the client’s competitors or to bar their new lawyers from taking some position adverse to their economic interests, even in a matter in which the new client has no direct involvement.

It is also true that some better-conceived OCGs provide assistance and clarity to the lawyer by clearly laying out how conflicts of interest must be addressed and stating when, how and under what circumstances waivers of conflicts may be sought or given. Instructions and ground rules on these subjects are welcome.

Indemnity provisions.

Recent times have seen an increase in attempts by clients to impose obligations to indemnify the client, or even to indemnify others associated with the client. These can be exceptionally dangerous, potentially even removing or voiding some malpractice insurance coverage. Consult your carrier before agreeing to any such provision. This is another subject where intelligent client-lawyer discussion might lead a client to reconsider. After all, wouldn’t most clients prefer insurance coverage?

Heightened standard of care.

Some OCG provisions attempt to define—and in the process raise—the standard of care to which the lawyer must perform or be liable to the client. Lawyers should be vigilant for such provisions.

Confidentiality.

One would think that a lawyer’s traditional obligations of confidentiality under the ethics rules, attorney-client privilege and fiduciary duty would be sufficient. But not for some clients. These provisions may result from some clients using the same approach (and terms) to hire lawyers and other vendors. But that’s not much excuse. And lawyers should be wary of taking on additional, ill-defined confidentiality obligations.

Client ownership of work product.

Perhaps also stemming from some clients’ treatment of lawyers as just another species of vendor, some clients claim sole and exclusive ownership of all work product generated by the lawyer. These provisions can, in theory, restrict the lawyer’s traditional ability to repurpose work product for the benefit of other clients.

New Favorites

Cybersecurity is the latest playground for onerous, or sometimes simply wrongheaded, OCG provisions.

For example, I have seen OCG provisions that require not only notice of law firm data breaches that affect that client’s data but also require the client to be notified of breaches that only affect other clients.

The former is perfectly understandable: ABA Model Rule 1.4 on client communications and the lawyer’s fiduciary duty of candor probably mandate that result. But is it really any of Client A’s business that a hack of their law firm somehow affected Client B’s data? In fact, it’s virtually certain that telling Client A about a breach affecting only Client B would violate the lawyer’s ethical and fiduciary duties to Client B. Do you really want to agree to violate the ethics rules? And does Client A really want to agree that their lawyer should tell Client B about a breach only affecting Client A?

What to Do

Vigilant lawyers and law firms do have good options to cope with OCGs.

First, identify any OCGs as soon as they come in. If at all possible, review them individually before agreeing to an attorney-client relationship. But be aware that some clients only send them after signing the lawyer’s own engagement terms. That can lead to confusion on both sides. Take steps to unravel any such confusion.

Second, review them carefully. Where the OCGs are innocuous, this is easy. Still, someone with an awareness of the issues sketched above must review them.

Third, for firms of almost any size, centralize this review in one person—maybe one partner in a three-partner firm or the same staff lawyers who review conflicts in a 500-lawyer firm. A central understanding of what the firm does—and does not—find acceptable is crucial to this review.

Significantly, cybersecurity or IT provisions (or separate requirements or questionnaires) almost always require closer review by IT professionals. Centralizing review of IT and cybersecurity requirements for this purpose is essential.

Defusing the Bombs

Fourth, engage and negotiate with the client on any problematic requirements. Some provisions in today’s OCGs are simply unacceptable, and lawyers should not accept them. Most, however, are subject to improvement after dialogue with the client. Many provisions—notably, on conflicts and confidentiality—can be massaged into acceptable forms after intelligent discussion with the client. That’s especially true with cybersecurity and IT requirements, many of which are today still not fully thought-through, even by thoughtful clients. Clarity and candor by both lawyer and client can often resolve these issues. And one critical thing: If you agree to amend an OCG provision, document it in writing.

Fifth, collect and maintain OCGs separately from the client file. For any lawyer or law firm that regularly represents organizational clients, OCGs are a fact of life and will continue to be. Thoughtful clients need to continue to amend and develop their requirements of outside counsel, and lawyers and law firms must continue to think through what they can and should accept from clients. For this reason, they must maintain and develop over time an internal view about what is and is not acceptable, and then implement it with new clients over time. That requires awareness of the firm’s history on these issues and easy access to the “historical record.”

Today’s the day. Deputize your office’s bomb disposal unit, search out those ticking OCGs in your files, and be sure you’re checking for incoming threats.

Lucian T. Pera

Lucian T. Pera is a partner in the Memphis, Tennessee, office of Adams and Reese LLP. He counsels lawyers, law firms, clients and those who do business with lawyers and law firms on ethics and professional responsibility issues. He is a past president of the Tennessee Bar Association and a past ABA treasurer. Lucian.Pera@arlaw.com