The Importance of Value-Added Billing Based upon the Circumstances Presented

As the cost of legal fees continues to rise, many clients are justifiably concerned about the economic implications of retaining an expensive law firm. According to the legal fee analysis organization NALFA, a not insignificant proportion of the country’s top attorneys have recently begun charging more than one thousand dollars an hour for their services.1 Add to that the ever-increasing cost of junior associate billings,1 and many businesses are facing a conundrum: the price of legal services often exceeds the cost involved with litigating or settling a matter. To fulfill their responsibilities to clients, law firms must move beyond costly price structures and embrace value-added billing – an approach that emphasizes the importance of improving a client’s bottom line by embracing flexible billing rates and alternative fee arrangements.

What value can a law firm legitimately claim to provide when its billings outstrip the cost of a settlement? Despite all the cachet that comes with the retention of a large national firm, common sense dictates that clients are getting a raw deal when law firms cannot add value in the course of their work. If clients do not see their bottom line improve after retaining a certain firm, that firm simply does not deserve their business.

Value-added billing does not just benefit clients, however. In the long run, it may well benefit law firms to make an honest accounting of the cost of legal services – especially because clients may cut and run if they find themselves overpaying for legal fees. Value-added billing may also obviate the newfound preference of many businesses for non-traditional legal services,2 which often prove to be more flexible and economical than the costly billing practices employed by most firms.

To transition from unfair, costly billing practices to value-added billing, firms can make several changes to their fee structures. First, they can adjust their average billing rates in accordance with the estimated cost of litigating or settling a certain matter. If the attorney tasked with handling a certain matter realizes that their usual legal fees will surpass the expected cost of litigation or settlement, he or she should adjust them accordingly. In addition, firms can add value by embracing alternative fee structures. If an attorney determines that taking a matter on a contingency basis is likely to improve their client’s bottom line, he or she should not hesitate to do so. 

Obviously, this sort of common-sense calculation can be thrown into confusion by uncertainty as to the final cost of litigation or settlement. The success or failure of legal procedures like litigation or arbitration (not to mention their length) cannot easily be predicted, especially considering that the introduction of new evidence or an unexpected level of intransigence on the part of the opposing party sometimes scrambles the contours of a certain matter. But legal expertise and experience can help ameliorate this problem. Presumably, senior partners will have handled similar cases in the past and can extrapolate from the cost of litigating or settling those cases to estimate the potential impact on a client’s bottom line. (This assumes, of course, that firms are keeping close track of their total billings for each matter they handle.)

Law is a business like any other, even if many attorneys are loath to admit it. Their primary task should be to add value, not to charge unfair fees. Anything else risks hurting the firms they were hired to represent.


Connecticut’s New Insurance Data Security Law: The Costs and Benefits of Compliance

An important section of the recent budget bill adopted by the state of Connecticut demonstrates that regulatory fever has become contagious, at least as far as data security is concerned. Section 230 of the recently adopted bill sets forth a comprehensive set of cybersecurity regulations for the state’s insurers, requiring them to comport with guidelines modeled after those developed by New York State’s Department of Financial Services (DFS).1 Connecticut insurers will now have to develop a “comprehensive written information security program,” evaluate the efficacy of that program “not less than annually,” and periodically aver to the state’s Insurance Commissioner that the law’s provisions are being followed.2 In addition, the law requires that insurers establish strict cybersecurity regulations for third parties and develop “incident response plan[s]” to recover in the wake of a cyberattack.3

The data security law also establishes a comprehensive enforcement regime to investigate and punish noncompliance. Under the provisions of Section 230, the state’s Insurance Commissioner has a broad investigative power to verify compliance with the new regulations.4 Furthermore, the Commissioner retains the power to punish recalcitrant insurers by revoking business licenses and issuing fines of up to fifty thousand dollars (provided that the offending firms have not shown themselves to be exempt in an evidentiary hearing).5 The law does contain some exceptions, however. For a one-year period between 2020 and 2021, insurers with fewer than twenty employees will be exempt from the law’s requirements, and from 2021 on insurers with fewer than ten employees will be exempt.6 Moreover, those firms already compliant with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (a federal statute)7 are exempted from the Connecticut law if they can certify their compliance to state regulators.8 Nevertheless, compliance figures to be costly for Connecticut insurers.

As discussed on this blog previously, however, the cost of a cyberattack can often far outstrip the cost of compliance with cybersecurity regulations. This goes double for insurance companies, especially because such firms often possess “high-value consumer information, such as sensitive personal information, health information and payment card information.”9 Thanks to the creation of cybersecurity insurance, insurers are often left holding the bill in the wake of a devastating cyberattack elsewhere. Because they have presumably processed numerous such claims, they should know better than anyone else the true cost of a data breach. The aid of knowledgeable legal professionals and a healthy dose of common sense are all that stand in the way of cost-saving compliance with Connecticut’s new cybersecurity regulations.


  3. Ibid
  4. Ibid
  5. Ibid
  6. Ibid
  7. Better known as HIPAA

Data-Centric Security Strategies and Regulatory Compliance

In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.1 Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.1 Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.1

Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.2 As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.3 Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies4 – “maintains data usability in its protected form,” striking a balance between security and accessibility.5 Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.

But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”6 New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”6 Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.6 New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.