2011 OFII General Counsel Conference Washington, D.C.
Information Governance in an Era of Rapid Privacy and Data Security Change
Edward McNicholas
Sidley Austin LLP
What Can Go Wrong
• ChoicePoint - FTC obtained record $10 million fine and $5 million restitution, plus substantial injunctive requirements; $500,000 settlement with 43 state AGs; $12 million spent on security upgrades since 2005
• TJX - computer intrusion and stolen customer transaction data leads to government investigations and scores of putative class actions around US and Canada (46 million customers)
• Monster.com - 1.6 million job searches compromised by Trojan horse and phishing attacks
• Telefonica Espana - fined €840,000 by the Spanish Data Protection Authority for sharing an individual’s data with one of its subsidiaries for marketing purposes
• Tyco Healthcare – fined €30,000 ($40,972) by the French Data Protection Authority (CNIL) for improper storage and cross-border transfer of employee data (April 2007)
• Lilly – FTC investigation started by single errant e-mail
The Cost of Getting Data Protection Wrong
• Breaches and data incidents can be extremely painful
• Hard costs:
– Cost of notifying affected individuals
– Credit monitoring
– Investigation and legal fees
• Potential costs:
– FTC, State AG, and regulatory investigations
– Class actions by data subjects
– Litigation with business partners over hard costs
– Legal defense fees
• Brand/Reputation harm:
– Charges of deceptive / unfair business practices
– Lost confidence / uncertainty in clients / employees
– Lost profits / business partners
SEC Cybersecurity Guidance
• SEC issued significant new guidance suggesting that public companies should evaluate disclosure of cybersecurity risks.
• Several existing regulations could already require disclosure of actual cyber-attacks; the guidance indicates that potential cyber-attacks should also be disclosed in some circumstances.
Advanced Persistent Threat
• Cyberattacks against Google were "wake-up call" about vulnerabilities that could cripple US economy (DNI)
• Cybersecurity legislation will seek to:
– Enhance coordination and prioritization of federal research and development
– Promote development of technical standards
– Improve the transfer of cybersecurity technologies to the marketplace
• Government contractors and companies involved in critical infrastructure should assess their technical and legal responses to cybersecurity risks
– DOD advanced notice of proposed rulemaking for defense contractors
The Reality Facing Global Corporations
• Broad complexity and wide variety of national (and sub-national) privacy and data security laws complicates compliance
• Significant cultural – and legal – differences exist in the meaning and nuances of privacy and data protection
• Achieving compliance with overlapping federal, state, national, sub-national and multilateral rules is complex and burdensome
• Trend towards stricter, more prescriptive laws, with more complexity and greater enforcement appears likely
U.S. Governmental Response
• States have responded with increased statutory protections for personal information
• Congress has passed sector-specific privacy and information security laws
• Omnibus privacy and information security legislation actively under debate in Congress
Overview of U.S. Privacy Law
• No comprehensive federal privacy statute
• In U.S., privacy is regulated via:
– Federal sector-specific and ad hoc statutes and regulations
– FTC regulation and enforcement
– State laws, AG enforcement actions and private litigation
• Industry self-regulation through company privacy policies, and association codes
• Changes likely in Washington
Federal Legislation and Regulation
• Gramm-Leach-Bliley Act of 1999 (GLBA)
– Regulates privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions
– Requires administrative, technical, and physical safeguards
• Health Insurance Portability and Accountability Act of 1996 (HIPAA) / Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
– HIPAA rules protect confidentiality and security of medical information in hands of “covered entities” and “business associates” such as healthcare providers, hospitals, employer-sponsored health plans, etc.
Federal Trade Commission (FTC)
• FTC is de facto federal privacy enforcement authority; FTC Act § 5 (15 U.S.C. § 45)
• FTC charged with preventing "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce"
– FTC enforces against companies that engage in the “deceptive” practice of failing to adhere to their own privacy and/or information security policies
• FTC enforces against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data
• FTC enforces Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Children's Online Privacy Protection Act
FTC Investigative Demand
– All policies adopted or statements made regarding the collection, disclosure, use and protection of personal information
– All documents sufficient to identify and describe in detail all systems and/or databases that collect, maintain, store, transmit or otherwise handle personal information
– Any risk assessments conducted to identify risks to the security and confidentiality of personal information
– All documents that set forth, assess, evaluate, question, challenge, contest or recommend changes to the security procedures, practices, policies, and defenses with respect to personal information
– All service providers that receive, maintain, process or otherwise are permitted to access personal information
– All documents that reflect, concern or relate to incidents of possible unauthorized access to personal information
– EU Privacy safe harbor compliance documentation
Communications Privacy
Electronic Communications Privacy Act (ECPA)
• ECPA governs interception (“wiretap”), access to and disclosure – by government and/or private entities – of contents of communications, or transactional and routing information related to communications, by providers of communications services and remote computing services
Computer Fraud and Abuse Act (CFAA)
• Prohibits hacking or accessing computers in violation of, or in excess of, authorization
Telecommunications Act
• “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers”
Data Breach Statutes
• Data breach notification laws are pervasive
– 46 states, DC, Puerto Rico, and the Virgin Islands have breach notification requirements
– Some states require reporting to government agencies
• Triggers vary
– Risk of harm
– Pure acquisition
• Encryption remains a key issue
– Creates safe harbor from state data breach notice laws
– Laptops, portable media (such as USB drives)
– Wireless transmission; transmission over public network
Massachusetts Data Security Standards
• Regulation 201 CMR 17.00 (effective March 1, 2010)
• Requires anyone that owns, licenses, stores or maintains resident’s personal information to develop and implement a comprehensive written information security program
• Requirements passed through to vendors
• Personal information is defined as:
– Name plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number
– Applies to electronic or paper data
Massachusetts Data Security Regulations
• Collect only minimum personal information necessary
• Retain information only as long as necessary for purpose originally collected
• Limit access to those with need to know
• Promptly deactivate user name/password of terminated employee authorized to access personal information
• Encrypt personal information:
– in transmission over Internet
– on all wireless transmissions
– on portable storage media
• Develop policy to regulate when and how personal information may be transported, stored and accessed off-site
• Develop policies for telecommuting
• Passwords required
• Monitor access to personal information and review audit trails
Other State Issues To Watch
• Social Security Number Protection laws that require special limitations on the collection, use and display of SSNs
• State “Unfair and Deceptive Acts and Practices” (UDAP) Statutes
• Secure Disposal Laws that require businesses to dispose of personal data records securely
• Privacy Torts: Privacy invasions, negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.
• RFID bills that prohibit the nonconsensual use or reading of RFID chips; Missouri criminal law against employers requiring implants
• Medical or Genetic Privacy – restrictions on the use of test results and the use, disclosure and protection of biometric data
• Employee Surveillance – DE and CT have notice rules
• Locational Privacy – restrictions on use of GPS-enabled devices
• Behavioral Tracking and Advertising
Privacy in Congress
• Cybersecurity
• ECPA & USA PATRIOT Act
• Senators Kerry and McCain have lead on privacy bill
– fair information principles-based, omnibus privacy bill
– right for data subjects to receive a clear and concise notice of uses that they might not reasonably anticipate
– opt-out of unanticipated uses of PII; opt-in consent required for uses of sensitive PII or third party transfer
– mechanism for individuals to access and correct PII
– new Commerce Office of Commercial Privacy Policy
– enforcement by state Attorneys General and FTC
White House
• “2011 as Year of Privacy”?
– Chartering of inter-agency “Subcommittee on Privacy and Internet Policy” as part of National Science and Technology Council’s Committee on Technology
• Focus on commercial privacy policy issues
• Address global privacy policy challenges and pursue coordinated policy around the globe
• Promote favorable environment for cross-border information flows
• Coordinate Administration positions on privacy and Internet legislation
• No privacy “czar”; inter-agency committee
• White House Leadership
Federal Trade Commission: Preliminary Staff Report
“Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers”
FTC Vision of Privacy by Design
• Promote consumer privacy throughout the organizations and at every stage of the development of the products and services.
• Incorporate substantive privacy protections into practices, such as:
– data security,
– reasonable collection limits,
– sound retention practices, and
– data accuracy.
• Maintain comprehensive data management procedures throughout the life cycle of products and services.
Doubly Broad Applicability
“All commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers”
For any data that can be “reasonably linked to a specific consumer, computer, or other device”
Three Key Principles
“Privacy by Design”
• Internal safeguards by commercial entities
• Comprehensive business privacy programs
“Simplified Choice”
• “Just in time” notice and consumer choice
• Standardized exceptions to the notice and choice
• Do Not Track (national analog to Do Not Call)
“Greater Transparency”
• Consumer access to, and ability to correct, personal data
• Prominent notification and express affirmative consent required from consumers before a company uses consumer data in a materially different manner than notified at collection
Department of Commerce Green Paper
“Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework”
Draft “White Paper” (December ?)
Fair Information Practice Principles (FIPPs)
• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing
Privacy Impact Assessments (PIAs)
• PIAs would “require organizations to identify and evaluate privacy risks arising from the use of personal information in new technologies or information practices”
• The report contemplates that such PIAs would be “prepared in sufficient detail and made public”
• Purposes
– “create consumer awareness of privacy risks in a new technological context”
– “help organizations to decide whether it is appropriate to engage in the particular activity at all, and to identify alternative approaches that would help to reduce relevant privacy risks”
Commercial Privacy Policy Office
EU Impacts
• EU Data Protection Directive (1995)
– Limits on collection, processing, transfer, and export
– EU member states prohibit or restrict transfers of personal information to the United States unless certain compliance mechanisms are in place
– EU standards (derived originally from U.S. and OECD fair information principles) require:
• Notice of collection and use of personal information
• Choice (consent) to uses of information
• Access to information to review, correct or expunge
• Integrity/security of data
• Enforcement/redress of privacy rights
– Member states differ significantly in approach
EU International Data Transfer Restrictions
• Articles 25 and 26 of the Data Protection Directive prohibit transfer of personal data to countries outside EEA that do not ensure an adequate level of protection
• Possible means for dealing with data transfers outside the EU include:
– Consent – but consent must be informed and freely given
– Model Contracts
– US Safe Harbor
– Binding Corporate Rules
– Article 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims
• Hague Convention – compliance with request under Hague Convention provides formal basis for transfer of personal data but some EU Member States have not signed Convention or have signed with reservations regarding civil discovery
International Privacy
[World map figure: countries plotted on two axes, from “No Local Privacy Law” to “Implemented Comprehensive Data Privacy Law” and from “No Enforcement Capability” to “More Enforcement Capability”. Countries and regions shown: Argentina, Cyprus, Lithuania, Netherlands, Italy, Spain, Tunisia, Malta, Estonia, Austria, Denmark, France, Slovakia, Czech Republic, Ireland, Finland, Germany, Iceland, Greece, Slovenia, Suisse, Poland, Latvia, Liechtenstein, Sweden, Japan, Portugal, Luxembourg, Belgium, Singapore, Mexico, Israel, Romania, Dubai, Hungary, Chile, South Africa, Norway, Paraguay, Hong Kong, Canada, Russia, Australia, United Kingdom, Korea, New Zealand, Taiwan, United States, Bulgaria, Malaysia, Serbia, Bosnia, China, Africa, many Latin American countries, most Asian countries.]
Uncertainty in the Clouds
• Not specifically regulated but a plethora of divergent laws and enforcement approaches apply around the world
• Many laws relating to data privacy are outdated and it is unclear how they will be applied in Cloud circumstances
• Laws of multiple jurisdictions may apply to transactions involving a single data set
• Transferring data to a Cloud provider may lead to ambiguity regarding data protections
• Liability for, and uncertainty about duties for responding to, data breaches, unauthorized access, loss of data, demands for access to data
Top Cloud Issues to Consider
1. Where Are the Data? Territorial jurisdiction continues
2. Privacy/Security Requirements
3. Incident Response and Control
4. Outages / Disaster Recovery
5. Service Levels / Speed
6. Termination / Migration to a Different Provider
7. Insurance / Indemnification / Risk Shifting
8. Government and Litigant Access to Information
Threat of Cloud Balkanization: Complying with EU Privacy Law?
• Leading EU Parliamentarians are concerned about the US government’s ability to seek and obtain information without notice to data subjects in the name of national security
– “Does the Commission consider that the U.S. PATRIOT Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?”
– “Essentially what is at stake is whether Europe can enforce its own laws in its own territory, or if the laws of a third country prevail.”
Beginning of a Digital Trade War?
• Bloomberg (9/13/11): “Deutsche Telekom Wants ‘German Cloud’ to Shield Data From U.S.”
– Deutsche Telekom AG's T-Systems information technology unit is pushing regulators to introduce a certificate for German or European cloud operators to help companies guard data from the U.S. government.
– “The Americans say that no matter what happens I'll release the data to the government if I'm forced to do so, from anywhere in the world,” Clemens said. “Certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them.”
– Clemens said: “A German cloud” would be a “safe cloud”.
CNIL (French DPA)
• CNIL has facilitated the use of outsourcing services performed in France on behalf of non-European companies (15 March 2011)
– Exempts required notification to CNIL for processing performed in the field of human resources and clients and prospects management by French service providers acting on behalf of companies established outside the European Union.
– CNIL wants to be realistic and pragmatic in applying the French law to such situations: ensure a high level of protection of personal data while, at the same time, generating practical solutions in order not to hamper the development of service offerings by French companies.
– CNIL decided to exempt from declaration the processing of human resources, client management and prospects files. This exemption relates to the processing performed by French service providers on behalf of data controllers established outside the EU.
– CNIL wishes to encourage a reflection on how to improve and make more effective the rules relating to the national applicable law. The revision of the EU Directive, currently in progress, certainly provides a unique opportunity to embark on this path.
Google: All Governments Seek Data
• Google statistics on the number of requests it receives for the personal data of its users from governments around the world:
– Governments of France, Germany, Italy, Spain, the United Kingdom, and the Netherlands all submitted significant numbers of requests for user data
– Other government requests do not seem disproportionately more circumspect or privacy protective than the number of requests received from the U.S. government
• Accordingly, it is not useful or accurate to single out the United States as significantly more intrusive on the Internet than other governments
Government Access: National Security
US and European governments have similar approaches to the balance between privacy and national security:
• USA PATRIOT Act provides the FBI access to any business record with a court order, and expands the government’s ability to obtain records pursuant to a National Security letter; “probable cause” warrant or equivalent typically required for acquisition of communications or sensitive information
• EU Data Protection Directive – Article 13 specifically exempts “national security” from otherwise applicable privacy protections
• EU Treaty of Lisbon, which ensured personal data protection in the EU, expressly allows member countries to impose derogations on personal privacy where necessary for national security purposes
• Specific European countries, such as the Netherlands and Spain, have created carve-outs in personal data privacy protections for activities conducted under the rubric of national security or certain law enforcement activities.
Some Europeans have exaggerated the differences between US and EU law regarding governmental access to personal data for national security purposes
Corporate Cloud Strategies
• Recognize that Cloud legal issues concern B2B as well as consumer (privacy) issues
• Take stock of where in the world your data are (conduct data inventory and track flows of): personal information, IP and trade secrets, HR data, other valuable information assets
• Engage in careful contracting: preserve control, reduce risk of disclosure, assign security obligations and enforcement costs
– Affirmatively deny consent to interception or disclosure of data conveyed by/through Cloud provider to governments or litigants
– Require notification of breach/disclosures/requests for data
– Deny access unless specifically authorized in advance or compelled by law (in which case notification is requested)
– Require maximum possible resistance to disclosure
– Determine access controls and encryption protocols
Privacy Challenges in Social Media
Internal Challenges
• Mosaic leakage
• Whistle-blowers
• Employee leakage
External Challenges
• Customers
• Hacktivists
• Hackers
• Journalists
• Regulators
German Ban on “Like” Button
• From a German law perspective, any company operating a Facebook fanpage and using Facebook Insight as a service may well be considered to have a data processing relationship with Facebook
• Schleswig-Holstein DPA Thilo Weichert ordered businesses to remove the Facebook “like” button from their websites and shut down so-called “fan” pages
• Weichert emphasized that the wording in the conditions of use and privacy statements of Facebook do not meet the legal requirements for compliance of legal notice, privacy consent, and general terms of use
Privacy in Social Media: Google Buzz
• FTC charged that Google used deceptive tactics and violated its own privacy promises to consumers when it launched a social network by pulling information from Gmail accounts
• Buzz settlement is the first to require implementation of a comprehensive “Privacy by Design” program to protect the privacy of consumers’ information, including
– Risk assessment to identify reasonably-foreseeable risks and assess the sufficiency of safeguards
– Regularly test or monitor the effectiveness of the program’s key privacy controls and procedures
• Settlement mandates a compliance and reporting program, including biennial assessments and reports from a qualified, independent third-party
NLRA Claims
• NLRA claims challenge employer decisions and policies that interfere with employees’ right to engage in concerted activity.
• NLRA protects all employees regardless of union status.
• Recently, NLRB has issued complaints against employers in the context of social networking.
• The NLRB has also issued advice memoranda addressing social networking issues.
“[W]hether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions . . . and they have a right to do that.”
-- Lafe Solomon, GC of the NLRB, on the “Facebook firing” case
Employment Privacy Issues
• Duty to investigate sites where it knows of facts or has reliable objective evidence that would lead a reasonably prudent person to investigate a prospective or current employee:
– Past history or recent threats of violence
– Complaints of harassment, sexual or otherwise
– Knowledge of other conduct – such as involvement in racist or hate groups – that could create liability for the company
• Employer responsible for employee posts on his/her blog during non-work hours on non-work equipment? It depends . . .
– The nature of the post
– Whether the employee clearly identified himself or herself as an individual (as opposed to an employee of the company)
– Whether the individual truly acts as an individual, with no apparent nexus to the company
Employment Privacy Issues: To Monitor or Not To Monitor
Steps Forward
• Use to screen in and screen out applicants
– Bona fide qualifications
– Honesty in resume
• Get FCRA Consent
• Obey terms of use
• Use consistent approach
• Use non-decision maker
• Investigate when prudent
Steps to Avoid
• Private sites
• Protected groups
• Protected activities (wages, hours, safety)
• Consumption Statutes
• Lifestyle Discrimination
– California prohibits discrimination for any off-duty conduct
Corporate Strategies: Assessment
• Factual assessment
– Map how personal data is collected, stored and transferred
• Cultural assessment
– Assess privacy training and employee awareness
– How does privacy fit within the goals of the organization?
• Legal assessment
– Analyze existing policies and procedures
– Review vendor contractual provisions
– Find a transborder data flow solution
– Review website policies
– Labor Unions / Worker’s councils
– Registrations with DPAs
• Security assessment
– Document information security vulnerabilities and protections
• Third party service providers and their policies
Mind the Common Compliance Gaps
The ability to deliver on privacy and security compliance obligations is often outpaced by market, technological, and organizational changes
• Vendors, Vendors, Vendors
• New Technologies
• Analog Problems in a Digital World
• People, People, People
• Wireless and Slippery Devices
• Organizational Commitment
Shift to Information Governance
• Paradigm shift in which privacy becomes merely a part of information governance
• Duties of privacy officers expanding or being subsumed
– Information Security
– Privacy
– Marketing
– Customer Sales
– Records Management
– eDiscovery
Key Insights
• The issue is information governance – collection, use, sharing, security, eDiscovery, retention and disposal
• Focus on data security, particularly due diligence over Internet systems and service providers
• Clear legal obligations will generally lag industry standards, reasonable practices, and new technologies
• Include privacy in the design of new projects
• Ensure board and senior management involvement
Ten Items to Worry About
1. Locational privacy: geo-located ubiquitous mobile web devices
2. Security: Will cybersecurity overwhelm privacy?
3. Children: Protecting digital natives, without breaking the web
4. Smart grid: Will appliances become surveillance machines?
5. Face recognition: Will useful apps enable mass surveillance?
6. Privacy Notices: Are privacy policies useful? What is next?
7. Anonymization: Is everything on a spectrum of identifiability?
8. Analyzing social media: Birds of a feather.
9. Droit a l'Oubli: Is forgetting censorship?
10. Conflicts in the cloud: Is the global web balkanizing?
Edward McNicholas
Partner
Sidley Austin LLP
1501 K Street, NW
Washington, DC 20005
(202) 736-8010
www.sidley.com/infolaw
This presentation has been prepared by Sidley Austin LLP as of November 14, 2011, for educational and informational purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice from professional advisers.
Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.