Editor’s note: This feature originally appeared in the October issue of DS News
Richard Nielson manages compliance, information technology, and the Kentucky operations for Reimer Law Co. Nielson received his B.A. from Northern Kentucky University in 1989, and his J.D. from the Salmon P. Chase College of Law at NKU in 1993. He is licensed to practice law in Kentucky and Ohio. He is admitted to practice before the U.S. Court of Appeals for the Sixth Circuit, and the U.S. District and Bankruptcy Courts for the Eastern and Western Districts of Kentucky, and the Southern District of Ohio.
Upon graduating from law school, Nielson founded the law firm of Nielson & Sherry, PSC. From 1993 to 2017, the firm grew to become one of the leading creditor’s rights firms in Kentucky. In early 2017, the firm made the strategic decision to merge with Reimer Law Co. based in Solon, Ohio.
Nielson spoke to DS News about the challenges that servicers face, how technology is impacting the industry, and best practices for compliance.
WHAT ARE SOME OF THE BIGGEST CHALLENGES THAT ARE FACING SERVICERS AND LAW FIRMS SO FAR THROUGH 2019?
For the most part, default referral volumes have been down across the board for law firms. We're seeing some rebound on that, but it has caused default firms across the country to re-examine business operations to see how they can gain more efficiencies in the process and deal with other issues related to a lower referral market. Lower volumes have caused many firms, including ours, to begin offering services in additional states. For example, Reimer Law recently expanded into West Virginia.
As a firm, we also continue to expand into other practice areas related to real estate and lending. We have seen growth of our litigation, general collections, and auto and other chattel bankruptcy and replevin matters. It has been critical for us to go into new markets and diversify the firm overall to make sure that we don't have all our eggs in one basket.
HOW DO YOU APPROACH THE EXAMINATION, OR THE COST BENEFIT ANALYSIS, OF EXPANDING INTO ANOTHER STATE?
There are two approaches to that. There's the opportunity-based approach, where a firm might get approached by another firm to merge with them. A lot of the times, those mergers aren't geographically contiguous.
We have not taken that approach. Instead we have chosen to look at geographically contiguous states for expansion possibilities. We will only expand into markets that make sense for us within our regional footprint. We're not interested in opening in Puerto Rico, for example. So, West Virginia was a perfect fit for us. It is contiguous to both Ohio and Kentucky, and in general, the laws and customs are somewhat similar. We continue to look for other regional opportunities that might make sense for the firm long term.
Much of the expansion decision is client driven. As volumes have gone down, the clients are also looking to economize on their compliance departments, their audit departments, and their attorney-management issues in general. As a result, many are looking to reduce the number of law firms they retain nationwide. For us, the decision to expand into West Virginia was driven mostly by client requests, because West Virginia volumes are small, relative to what other states see. We had multiple clients asking us to get in there simply because it alleviates some of their audit issues. They only stop once to audit a firm handling multiple states. This reduces their costs and administrative burden.
WHAT ARE SOME OF THE WAYS THAT ADVANCING TECHNOLOGY IS CHANGING HOW LEGAL PROFESSIONALS INTERACT WITH SERVICERS ABOUT THEIR PARTIES THAT ARE INVOLVED IN DEFAULT SPACE?
There's a lot of change going on in the IT world and how compliance interacts with that—disaster recovery, business continuity issues, data breach, cybersecurity issues. They are all huge issues and their impact is growing every day. The fraudsters get better and better at everything they do, and so we must be vigilant on those issues.
AI is something that law firms are finally starting to explore, and I think the technology is finally catching up with a lot of AI possibilities. Many of us are looking at artificial intelligence projects wrapped around military and bankruptcy searches—how the name searches are structured, and what kind of intelligence we can use to do those searches. We can also use AI to automate processing of new referrals. In a lot of ways, many of these more mundane processes in our industry, and law practice in general, are going to be replaced by artificial intelligence in the coming years.
WHAT ARE SOME OF THE WAYS THAT A LAW FIRM HAS TO TRY TO STAY AHEAD OF FRAUD?
The most dangerous element in cybersecurity and fraud is the human interaction. Your weakest link is your weakest employee. The actual technology piece of cybersecurity is now widely available and is good, by and large, within most organizations. It comes down to the training of your people. If you look at the big frauds that are being committed, that's where they're coming from. They're doing targeted fishing to get at your weakest link, and most often that is a company’s staff.
It is a constant struggle to train your staff and keep them one step ahead of the fraudsters. It is not always easy, that's for sure.
The other critical piece is data-retention on cybersecurity and data breach issues. Lawyers, traditionally, have been of the theory that they’re going to retain all records forever. There's obviously a direct business storage cost involved, although it's less so now because you don't have as much paper, but there is a cost, often tens or hundreds of thousands of dollars, for long-term server storage space. However, the biggest issue you're going to see come about in the next couple years is a push by the major servicers to encourage or mandate data destruction. What they're looking for is a way to limit the overall quantity of data that is compromised in the event of a breach.
The way the world works now, everybody is going to be breached at some point in time. It's not a matter of if, it's a matter of when. A
critical review of how you control those issues, reduce your costs, and reduce your liability risk is so important to all of us. I would suggest that one of the primary ways to limit risk and thereby reduce potential liability is by eliminating PII as soon as it is not needed.
My prediction is that, over the coming years, you will see more clients adopt a required destruction period. You will also see the cyberinsurance underwriters make the same type of recommendations. Because, as companies renew their cyber-insurance, they will start to see questions about how many data elements they actually have in their possession that are subject to potential breach. They will want to know how long the company retains them. The more private data elements the company has, the greater the risk. That will become super critical to the premium the company is going to pay.
People in the credit card collections area have seen more of these data security issues because their PII tends to be more sensitive in nature because it's comprised of credit card numbers and other more recent and actionable data for a fraudster. You get ahold of those elements, and you can use them much more effectively than mortgage related data. Of course, you could still use a social security number, but it's not quite as easy as it is to use a credit card number to commit fraud. If the fraudster gets a loan number on a first mortgage, they can use it, but again, it's not as risky. Our firm also runs a collections practice, and on that piece, we're seeing compliance and audit review ramp up to make sure that we consolidate that data and keep it in as secure a vault as possible.
FROM A COMPLIANCE STANDPOINT, WHAT DATA DO YOU NEED TO KEEP? AND WHAT DATA CAN YOU DESTROY?
Every client has different contractual requirements, and you must go and read in detail what their specific requirements are. You are obligated to follow their rules by contract. Also, some clients may be on a specific litigation hold. Then you obviously have tax requirements—the IRS, for example, generally requires you to keep certain things for seven years. Employment records might be required to be retained for a year or two. It depends what state you're in, how big of an employer you are; all those items factor into what kind of data you have to retain. Finally, as attorneys we all have record retention requirements placed upon us by the various state bar associations.
The real question is, what do you do when all those periods pass? Are you, as a law firm, properly categorizing your data? The day after the need to retain it expires, what are you doing with it? We're focusing heavily on how we deal with it.