Adoption of E-billing Tools – US versus Europe

Monday, February 6, 2017


Guest Blog by Bryan King, Independent E-Billing Consultant

Although e-billing is playing a role in the commercial relationship between a growing number of UK/European in-house legal departments and their law firms, there are still many organisations that aren’t yet reaping the benefits of e-billing. It’s often said that numerous non-US organisations don’t “get” the value of e-billing. I believe it’s not that they don’t “get it”; rather, the e-billing solutions, until recently, didn’t necessarily deliver against the needs of European organisations.

E-billing is a norm in the US

It is estimated that 90% of all litigation work is now e-billed in the US; and a recent study shows that in many mid-sized US firms, around 70% of annual revenue is collected via e-bills.

One of the key reasons why e-billing has been a success in the US is its single currency, the US Dollar. The e-bill format (LEDES 1998) is based on a single currency; and law firms and in-house legal departments don’t have to comply with a complex tax and regulatory environment, like in Europe. This facilitated standardisation of e-billing, and established it as a norm, becoming acceptable to lawyers and clients alike.

Europe sees the business value of e-billing

On the other hand, law firms and corporate legal departments in Europe faced significant barriers to the adoption of traditional e-billing solutions from financial, cultural and regulatory perspectives – and so, US market driven solutions proved inadequate to business requirements.

Are e-bills compliant with the various tax rules, regulatory bodies and legislations in Europe? Is the e-bill a VAT invoice as well as a note of legal costs? Does the e-bill comply with the requirements of the Solicitors Accounts Rules, HM Revenue & Customs, Data Protection laws, the Business Names Act and EU billing regulations? Law firms have to ensure that the e-billing intermediary system handles these issues correctly and that the e-bill as seen by the client complies with all the appropriate regulations. Therefore, on a technical level, organisations needed to accommodate several LEDES file formats, VAT and compliance issues, as well as a multi-currency, multi-jurisdictional billing environment.

Interest in e-billing started in earnest in 2003, when UK branches of US insurance and finance organisations started demanding such functionality from their regional law firms, which led to US e-billing solution vendors setting up offices in the UK. Over the past decade, many e-billing projects have been undertaken, with a number of law firms successfully e-billing their largest clients to the value of many millions of pounds per year.

On the corporate side, legal departments have used e-billing to make cost and fee cuts of course, but also tapped into it to develop a wider strategic relationship with their external law firms. The legal operations manager at a major retail bank that recently completed a high-profile e-billing project outside of the US, has been quoted as saying: “We believe it (e-billing) will make our in-house lawyers think more commercially. Are we putting the right resources on matters? What’s the selection process? We hope over time it will have a positive behavioural change.”

Similarly, a major transport insurance specialist has been motivated to adopt e-billing with an objective to reduce its law firm panel down from around 60 to between 5 and 12 firms.

Legal spend management – the most current incarnation of e-billing

Today, in-house legal departments and law firms are looking for legal spend management solutions that go beyond traditional e-billing in their functionality – such as ability to track billing information before the invoice is sent, monitoring compliance with client-agreed billing rules, ability to query disputed charges before billing, and so on. These latest requirements have led to the rise of new solution providers in not just the European markets, but in the US too.

In addition to e-billing, these web-based solutions incorporate a legal procurement module, which automates the issuance and evaluation of requests for proposals, demands for cost estimates and legal matter staffing plans. They offer sophisticated reporting and management information with easy to understand metrics and KPIs for corporate legal departments and the law firms. As these solutions integrate with other applications such as document, knowledge and legal project management and calendaring and such, often via standard e-mail interfaces, corporate lawyers and law firms have a connected business environment that also facilitates collaboration.

It is a matter of time before legal spend management solutions become a norm in the legal sector across regions and markets. The e-billing concept has evolved.

About Bryan King

Bryan King is an independent consultant, advising law firms and in-house legal departments on e-billing issues; and assisting with the successful implementation of legal spend management projects. Prior to this, he held senior IT management positions at Linklaters, Lovells and Clifford Chance. At Clifford Chance, he also held global responsibility for the firm’s electronic invoicing (e-billing) projects.

Monday, January 30, 2017

Lawyers Must Recognise the Value of their Data and Take Security Precautions


Guest Blog by Richard De Vere, Principal Consultant, The AntiSocial Engineer Limited

Whilst content in our 9 – 5 employment, slightly resentful that our personal activities aren’t getting the attention they deserve, it’s easy to forget about the true value of things around us – especially their inherent value to other walks of life. Similar to a life of slavery in ‘The Matrix’, we start to just see the ones and zeros, contracts, PDFs, ledgers and scribbled notes.

It’s hard to imagine a criminal world where there are no regular pay cheques, no need to wear a suit, people making up the rules as they go along, no Christmas parties, no AGMs and so forth. It’s all just so alien to our mindset in business that we feel we have no reason to focus on these carefree, parasitic lifestyles. But we should, or else, our ignorance could be our downfall.

Hackers, cyber-criminals, fraudsters or whatever they get labelled, are just people in search of a slightly better-off life. Based on all the crooks I’ve met, the thing nearly all of them have in common is a blunt ‘laziness’.

I’m reminded of the following quote by Bill Gates: “I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.”

This quote sums up perfectly why a criminal would rather target your law firm. Criminals after credit card data target hotels – i.e. the aggregators of these details. Criminals after sensitive data for extortion, or after victims who regularly transfer large sums of money, target law firms. These hubs of commerce are fast becoming centres of illegal industry and are big targets.

It’s about time that law firms analysed the security risks and firmly instituted preventions. By this I don’t mean a new device or an extra padlock on the filing cupboard! It’s time to embed a real security culture and put into motion implementations.

This said, it’s not all doom and gloom. The best defence is knowing where the security risks in the organisation are, and being aware of the tricks of the ‘criminal’ trade and the variety of ways in which they will target you, ‘the individual’, so that the necessary measures can be taken. Let’s take a look:

Phishing Attacks

  • Phishing - This is the number one attack vector. It poses little risk to criminals and is relatively easy. Be wary of all attachments and never allow them to enable macros - ever!

  • Spear phishing - If the phishing doesn’t go too well for the criminals, next in line will be ‘spear phishing’ – i.e. targeted emails that are tailored to your typical areas of interest. They might guide you to login pages designed to harvest your credentials or might simply deliver malware, ransomware or a whole host of other nasty attacks on your computer.

  • Whaling - These emails target the ‘whales’ – i.e. the CEOs, the finance heads, CFOs and such. They are designed to blend straight in and are sophisticated attempts to go for the big wins. Often impersonating a company head, criminals will ask for payments to be made to bank accounts. Watch out for emails from your children’s school, rushed requests for money, emails from people who are on holiday and so on.

  • These emails are hard to spot, so as a rule, NEVER make a bank transfer based on an email request.

Physical Access

  • Physical breaches are often disguised as robberies, but some criminals break in to steal computers containing data. Be sure all your law firm’s devices have full disk encryption.

  • Social engineering attacks come in many forms – the individual might appear as a potential client booking a meeting, but in reality, may be more interested in knowing the company WiFi password and location of cabinets in the firm, rather than contracting the organisation.

Phone Attacks

  • We all like to be helpful on the phone, but be on guard always! You are better off making your client jump through a few hoops to validate their identity as opposed to discussing their case with anyone who cares to call and enquire.

  • Be aware of text messages, especially the ones claiming to be from your bank or client. Text messages can easily be spoofed and should not be trusted. Instead agree a safe method of communication such as a messenger that validates the recipient and sender share ‘keys’ which can confirm it is indeed the correct device. Wickr Messenger, Signal or even WhatsApp have many security benefits over SMS.

Documents, data and processes that are considered routine by lawyers are often extremely valuable to cyber criminals. Firms must be acutely mindful of this and indeed the fact that criminals are adept at deception and manipulation to successfully gain the data for their own financial gain. A well-rounded awareness of breach methods and approach to security is essential.

About Richard De Vere

Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’, ‘phishing’ and ‘smishing’ exercises, and information gathering assessments for financial institutions and some of the UK’s largest companies.

Thursday, February 9, 2017

The ‘Perfect Storm’ - How Organisational Culture, Coincidence and Con Artists Create the Perfect Conditions to Breach Your Firm


Guest Blog by Jenny Radcliffe, Social Engineering Expert

Recently, I was commissioned by an organisation of significant size and in a high-risk industry to demonstrate to the Board the vulnerability of its employees to criminal hackers using non-technical means. Using Open Source Intelligence to gather information on a selection of the most senior individuals in the organisation, I was able to reveal how easily and legitimately I was able to engage with them, physically access their office building and, had I intended to do so, use the insight to hack into the business. It was an ‘eye-opener’ for the Board!

This is what malicious social engineers do – they leverage the ‘Perfect Storm’ – created by the organisation’s culture, the employees’ frame of mind and lack of security awareness and the ready availability of detailed personal information, to use social engineering and the “human factor” to gain business sensitive information for their own financial gains.

As the technology becomes more complex, many hackers see employees of organisations as “the weakest link”, but to what extent this is the case relies on many factors other than the mere fact of human beings working for an organisation. Several factors in organisations make firms more or less vulnerable to hackers, and it is possible to defend, mitigate and ‘patch’ your own human vulnerabilities.

I’m talking about this issue at the upcoming Cyber Threat Landscape for Law Firms on 23 February 2017:

  • How an organisation can be “profiled” by a malicious criminal, who then uses the information to design a hack that is suited to the culture of the target company

  • Explain why “culture” is an important element in the shape and nature of an attack, communicating the threat to employees and ultimately in the defence against attacks

  • Highlight my own “experiences” as an ethical Social Engineer and share some tricks, tactics and methods that I use to attack organisations via their people

  • Offer tips and guidance on how to “wake up the workforce” to the threat of Social Engineering, and how to maintain engagement of staff to prevent cyber threats

My presentation will be fast paced, humorous and revealing! Hope to see you there!

About Jenny Radcliffe

Jenny Radcliffe is an ethical expert in Social Engineering, negotiation, persuasion and influence, non-verbal communication and deception. She uses her skills to help clients – from global corporations and law enforcement to poker players, politicians and the security industry – to protect themselves from cyber criminals.