Talking Risk: How Can the Lawyer & CIO Speak the Same Language? Fusion 2007 February 28, 2006
Overview
• Background & Introductory Questions
• Some Samples in Two Hot Button Areas
  • Electronic Discovery
  • Data Privacy
• And then, briefly …
  • Other General Compliance Matters
  • A Few Words About Employees
IT Impact On Risk Issues Is Ever-increasing
• Technology permeates most organizations
• Can you identify a business that does not touch any personal information?
• Can you name a business that is immune from litigation?
• Can you name a business that does NOT have an IT-related risk factor at or near the top of the list?
• When business relies on technology, business risk becomes technology dependent as well
The Background in Numbers
• More than 100 Million records containing sensitive personal information involved in security breaches that have been publicly announced
• Federal Rules of Civil Procedure revised to account for “electronically stored information” in litigation
• 34+ states with data breach notification laws, federal legislation pending
• VISA is increasing penalties for non-compliance with the handling of card information; others will follow
• Lawsuits of all types continue to proliferate
The Background in Numbers
• 62% of CIOs surveyed indicated that “Ensuring Data Security and Integrity” was one of the top 5 technology priorities for 2007
• 71% of CIOs listed “the ability to communicate effectively” as a personal skill necessary for them to be effective.
But how do you communicate with a LAWYER?
E-Discovery Issue
Your in-house lawyer walks into your office and says: “We’ve been sued for patent infringement and trade secret theft by our #1 competitor; we are going to be countersuing them and we need to begin thinking about discovery related issues, so I will need your help. As you know, under the new Federal Rules, we have a meet and confer in about a month and I’ll need to be equipped for that meeting.”
Where do we go from here?
Practical Result of the Changes to FRCP:
• Lawyer’s Concern: Anticipate the type, volume, location and accessibility of potentially relevant data to obtain a discovery schedule allowing sufficient time to process and possibly review electronically stored information prior to production.
• CIO’s Concern: Know what you have, where you have it, how much of it you have, what format(s) it is in, how quickly you can get it together, and how business-disruptive this will be … (while I’m delivering on other (real) projects, hiring to fill empty positions and staying within my budget)
The Stakes are High:
• A well-informed attorney can better manage client costs without hurting the client’s case.
• Egregious problems will equal egregious sanctions from the Court.
Practical Recommendations – What Can I do Now?
Think broadly & document your existing sources / stores of data:
• Typical documents, spreadsheets, etc.
• E-mail
• Backups
• Webserver logs
• IDS logs
• Blackberry/PDA
• Source Code libraries
• Instant messaging
• Customer facing systems & databases supporting them
• USB/Flash drives
• Local drives
• Laptops / Home computers
• Third parties who hold data
• Others?
Practical Recommendations – Policy Considerations
• Review (and document) policies applicable to each data store
  • How much do I need to keep?
  • How long do I need to keep it?
  • Do I need to keep it for everyone?
  • Is it backed up? How long is the backup kept?
  • Who is the system owner/responsible party?
Practical Recommendations – Other final thoughts
• Scrutinize ANY automatic process that would result in automatic deletion of current files/records – know how you will stop it if put on a litigation hold
• Consider other proactive measures
  • Plan for a litigation hold / discovery project – how will you execute it?
  • If you don’t know, understand what types of suits you may face and how they would impact your discovery obligations.
  • Get used to working with a discovery firm and outside litigation counsel
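The two slides above ask the CIO to document each data store’s retention and owner, and to be able to stop automatic deletion when a litigation hold arrives. The following is an added illustration (not from the presentation) of how an automatic purge job can be gated on active holds: a hold can name custodians (people whose records must be preserved) or whole stores, and any expired record covered by a hold is reported as held rather than purgeable. The store, record and hold names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    custodian: str   # employee whose data this record belongs to
    created: date


@dataclass(frozen=True)
class DataStore:
    name: str
    owner: str                  # system owner / responsible party
    retention_days: int         # how long records are normally kept
    backup_retention_days: int  # how long backups of this store are kept


@dataclass(frozen=True)
class LitigationHold:
    matter: str
    custodians: frozenset = frozenset()  # preserve everything from these people
    stores: frozenset = frozenset()      # preserve every record in these stores


def is_held(store, record, holds):
    """True if any active hold requires this record to be preserved."""
    return any(store.name in h.stores or record.custodian in h.custodians
               for h in holds)


def plan_purge(store, records, today, holds):
    """Split records past retention into (purgeable, held).

    The automatic deletion job should act only on the first list; the
    second is what the hold has frozen and must be reported, not deleted."""
    cutoff = today - timedelta(days=store.retention_days)
    expired = [r for r in records if r.created < cutoff]
    held = [r for r in expired if is_held(store, r, holds)]
    purgeable = [r for r in expired if r not in held]
    return purgeable, held


# Constructed sample inventory (hypothetical, not from the presentation).
MAIL = DataStore("mailbox-archive", "IT Ops", retention_days=365, backup_retention_days=90)
RECORDS = [
    Record("m-001", "alice", date(2005, 1, 1)),
    Record("m-002", "bob", date(2005, 1, 1)),
    Record("m-003", "alice", date(2006, 2, 1)),
]
TODAY = date(2006, 2, 28)

if __name__ == "__main__":
    hold = LitigationHold("competitor-suit", custodians=frozenset({"alice"}))
    purgeable, held = plan_purge(MAIL, RECORDS, TODAY, [hold])
    print("purge:", [r.record_id for r in purgeable])  # m-002
    print("held :", [r.record_id for r in held])       # m-001
```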
Data Breach Issue
One of your employees comes to you with a copy of an email he received that threatens the use and/or public disclosure of some unidentified, undisclosed portion of your customer file if you don’t pay $100,000 to a specific bank account within 24 hours. The email includes three sample records, with accurate personal information – the employee tells you that he has already confirmed with finance that the associated credit card numbers are accurate.
Where do we go from here?
Some considerations
• What will a CIO want to know?
• What will a lawyer want to know?
• Do we have to notify affected customers?
• Should we involve law enforcement?
• Do we make any public statement?
• Communications to other employees?
Some additional facts … does your answer change?
• Three customer records he shared with you are from Iowa, Wisconsin and Michigan
• Employee who received breach email is authorized to work on systems with access to this information
• Email came from an ISP account where you have a good business relationship
• Incident is one week after employee review process completed
Practical Recommendations – How to be Prepared
• Prevention: Don’t have an incident
• If you do: have an incident response plan with clear decision-making criteria, and communicate it!
• Have an incident response team
• Cultivate law enforcement and/or agency contacts
• Draft and think about notifications beforehand
• Know the business impact of certain decisions before you have to implement them
Other Compliance Matters: Know Your Industry
• HIPAA
• GLBA
• PCI
• SOX
• FCRA
• All kinds of others in the acronym soup
Employee – Greatest Asset & Greatest Risk
• A substantial number of data security / privacy issues are employee based
• Employees do things that they shouldn’t
  • Music sharing
  • Download & install software – malware & virus issues
  • They “hack back” at others
• Development staff: Open Source inclusion into larger projects
  • Can employees participate in open source initiatives?
  • Showing up in M&A representations
  • GPL 3.0 will make this a larger challenge
• Blogging & disclosure issues: trade secret, securities, patent
• Disgruntled employees report software license issues
Questions / Comments?
Erik Phelps, Esq.
Michael Best & Friedrich, LLP
ejphelps@michaelbest.com
608-283-2247