Presenting a live 90-minute webinar with interactive Q&A
Crisis Management for In-House Counsel: Data Breaches, Disasters, Fraud, Government Investigations and More
Developing a Proactive Plan, Identifying Potential Liabilities and Damages, Navigating the PR Fallout, Ensuring Business Continuity
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, JUNE 4, 2014
Alison P. Buchanan, Shareholder, Hoge Fenton Jones & Appel, San Jose, Calif.
Theresa Adams Coetzee, Vice President & Assistant General Counsel, Marriott International, Washington, D.C.
Thomas F. Zych, Partner, Thompson Hine, Cleveland
CRISIS MANAGEMENT FOR IN-HOUSE COUNSEL: DATA BREACHES, DISASTERS, FRAUD, GOVERNMENT INVESTIGATIONS AND MORE . . .
Tom Zych
Thompson Hine LLP
June 4, 2014
SETTING THE SCENE
Crises Are The New Norm:
Cyber Attacks and Data Breaches
Enforcer Actions and Investigations
Shareholder and Investor Activism
Political Instability
Product Failures
Financial Calamities
WHEN IT RAINS . . .
Chaos Corp. is a publicly traded, global manufacturer of a wide range of apparel, sporting goods and “wearable” technology.
Chaos Corp.’s upper management is regularly featured in the business press and on cable television, and its CEO was invited to Davos last year.
Chaos has enjoyed double-digit year-over-year sales and earnings growth for three straight years.
THE PLOT THICKENS
Chaos has been approached by private equity funds to consider going private. Chaos management is currently evaluating the possibility.
Chaos has retained the assistance of consultants to create a strategy to “rationalize” its sourcing and manufacturing systems, including its extensive BPO relationships, to reduce costs.
AND THEN . . .
A well-known NGO publishes a scathing report revealing allegedly wretched working conditions in factories in southern and southeastern Asia that supply goods to Chaos.
Within weeks, hacktivists announce that Chaos is and will be the target of DDoS attacks.
They’re not bluffing: serious attacks begin.
Uh Oh!
Chaos’ IT managers and its IT consultant report indications that the interfaces with Chaos’ cloud-hosted vendor management, CRM, manufacturing and order fulfillment systems have been compromised “behind” the DDoS attacks.
By Day 3 of the attacks, unusual purchasing and ordering patterns appear on Chaos’ customer-facing websites, along with unexplained spikes in atypical product orders.
BUT WAIT, THERE’S MORE!
By Day 4, Chaos HR files as well as employment records of Chaos vendors begin appearing on the internet. Workers are, understandably, unhappy. Threats of strikes appear on blogs and social media.
Chaos’ stock price takes a serious hit.
State attorneys general announce investigations at the NAAG annual meeting.
SETTING THE STAGE
Data Are Assets
Knowing What Data You Manage Is No Longer Intuitive
Knowing Where The Data Are Gets More Complicated
Knowing How Data Can Be Lost Is Critical
We Have Met The Enemy . . .
IT’S THE WHOLE ENTERPRISE
Data Insecurity Impacts Your Company’s:
Brand and Reputation
Ability to Exploit Lawfully Gathered Information
Competitive Standing
Human Resources Management
System Integrity
Regulatory Risk Exposure
INFORMATION SECURITY: THE RISK PROFILE
Cyber hacking is one real risk
Advanced persistent threat actors:
Foreign government agencies
Industrial espionage
-BUT-
The highest risk profile comes from more prosaic sources
THE RISK PROFILE
Socially engineered vulnerabilities
Phishing
Impersonation – everyone needs a friend
The “too good to be true”
The “help” desk
Human frailty
+
A little engineering
+
Patience
=
Treasure Trove!
OTHER RISK SOURCES
Insecure third-party practices
Data on devices
Temporary work forces
Simple carelessness
Not knowing what is where
PLANNING, AND THEN MORE PLANNING
The time for learning the emergency plan is not while the disaster is happening!
An unknown plan is worth less than no plan at all.
A plan without training is more worthless yet.
Create, Implement, Train, Practice.
Theresa Coetzee
Marriott International, Inc.
Preparing for the Worst…
RESOURCES
• Federal Emergency Management Agency (FEMA) Business Continuity Planning Suite software.
• The Federal Financial Institutions Examination Council (FFIEC) publishes the “Business Continuity Planning Booklet”.
• The American Bar Association provides a template disaster preparedness plan titled “Surviving a Disaster, Guide to Disaster Planning for Bar Associations”.
Alison P. Buchanan
© 2014 Hoge Fenton Jones & Appel
Ethics Considerations Part One: Pre-Crisis
• The Rules apply equally to in-house counsel
• Courts scrutinize in-house counsel’s conduct
• Duties include:
– The duty to educate your client
– The duty to supervise outside counsel
• Consequences of rules violations include sanctions and discipline
• WHO
– Model Rule 1.13, Organization As Client
• WHAT
– Model Rule 1.4, Communication
– Model Rule 1.2, Authority Between Client and Lawyer
• WHEN
• WHY
Having a pre-crisis plan in place protects the organization AND in-house counsel
– Allows for objectivity and protects against rash decisions driven by fear or panic made in the midst of the crisis
– Protects against organizational demands that its counsel ignore ethical obligations “for the good of the company”
Ethics Considerations Part Two: Mid-Crisis
Ethics issues during the mitigation/response phase:
– Model Rule 1.7, Conflicts – Current Clients
– Model Rule 2.1, Advisor
– Model Rule 1.6, Confidentiality of Information
• Secrets are anything embarrassing or detrimental
– The Attorney-Client Privilege and waiver
• Your organization’s PR team is not comprised of lawyers; they are not subject to the Rules of Professional Conduct, but you are
– Model Rule 4.1, Truthfulness in Statements to Others
– Model Rule 4.4, Respect for Rights of Third Persons
– Model Rule 3.9, Advocate in Nonadjudicative Proceedings
• You cannot instruct someone to do something you are ethically prohibited from doing
– Model Rule 5.3, Responsibilities Regarding Nonlawyer Assistants
Ethics Considerations Part Three: Post-Crisis
Ethical considerations during post-crisis litigation:
• Model Rule 3.6, Trial Publicity
• Model Rule 4.2, The No Contact Rule
• Spoliation and e-Discovery
Spoliation and e-Discovery
– Is litigation reasonably contemplated?
• Duty to issue a litigation hold
• Zubulake v. UBS Warburg, 2004 WL 1620866 (S.D.N.Y.)
• Duty also encompasses search, collection, and production (while preserving the attorney-client privilege)
• Trust, but verify, compliance efforts
– Model Rule 1.1, Competence
– Model Rule 3.3, Candor Toward the Tribunal
– Model Rule 3.4, Fairness to Opposing Party and Counsel