Presenting a live 90-minute webinar with interactive Q&A...

Crisis Management for In-House Counsel: Data Breaches, Disasters, Fraud, Government Investigations and More Developing a Proactive Plan, Identifying Potential Liabilities and Damages, Navigating the PR Fallout, Ensuring Business Continuity

WEDNESDAY, JUNE 4, 2014

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Alison P. Buchanan, Shareholder, Hoge Fenton Jones & Appel, San Jose, Calif.

Theresa Adams Coetzee, Vice President & Assistant General Counsel, Marriott International, Washington, D.C.

Thomas F. Zych, Partner, Thompson Hine, Cleveland

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

CRISIS MANAGEMENT FOR IN-HOUSE COUNSEL: DATA BREACHES, DISASTERS, FRAUD, GOVERNMENT INVESTIGATIONS AND MORE . . .

Tom Zych

Thompson Hine LLP

June 4, 2014

SETTING THE SCENE

Crises Are The New Norm:

Cyber Attacks and Data Breaches

Enforcer Actions and Investigations

Shareholder and Investor Activism

Political Instability

Product Failures

Financial Calamities

A VERY BAD DAY

CHAOS CORP. EARNS ITS NAME

WHEN IT RAINS . . .

Chaos Corp. is a publicly traded, global manufacturer of a wide range of apparel, sporting goods and “wearable” technology.

Chaos Corp.’s upper management is regularly featured in the business press and on cable television, and its CEO was invited to Davos last year.

Chaos has enjoyed double-digit year-over-year sales and earnings growth for three straight years.

THE PLOT THICKENS

Chaos has been approached by private equity funds to consider going private. Chaos management is currently evaluating the possibility.

Chaos has retained the assistance of consultants to create a strategy to “rationalize” its sourcing and manufacturing systems, including its extensive BPO relationships, to reduce costs.

AND THEN . . .

A well-known NGO publishes a scathing report revealing allegedly wretched working conditions in factories in southern and southeastern Asia that supply goods to Chaos.

Within weeks, hacktivists announce that Chaos is and will be the target of DDoS attacks.

They’re not bluffing: serious attacks begin.

Uh Oh!

Chaos IT managers and its IT consultant report indications that the interfaces with Chaos’ cloud-hosted vendor management, CRM, manufacturing and order fulfillment systems have been compromised “behind” the DDoS attacks.

By Day 3 of the attacks, unusual purchasing and ordering patterns appear on Chaos’ customer-facing websites, along with unexplained spikes in atypical product orders.

BUT WAIT, THERE’S MORE!

By Day 4, Chaos HR files as well as employment records of Chaos vendors begin appearing on the internet. Workers are, understandably, unhappy. Threats of strikes appear on blogs and social media.

Chaos’ stock price takes a serious hit.

State attorneys general announce investigations at the NAAG annual meeting.

SETTING THE STAGE

Data Are Assets

Knowing What Data You Manage Is No Longer Intuitive

Knowing Where The Data Are Gets More Complicated

Knowing How Data Can Be Lost Is Critical

We Have Met The Enemy . . .

A CONFLUENCE OF FORCES

Customer/Consumer Schizophrenia

Intensifying Regulatory Focus

IT’S THE WHOLE ENTERPRISE

Data Insecurity Impacts Your Company’s:

Brand and Reputation

Ability to Exploit Lawfully Gathered Information

Competitive Standing

Human Resources Management

System Integrity

Regulatory Risk Exposure

INFORMATION SECURITY: THE RISK PROFILE

Cyber hacking is one real risk

Advanced persistent threat actors:

Foreign government agencies

Industrial espionage

-BUT-

The highest risk profile comes from more prosaic sources

THE RISK PROFILE

Socially engineered vulnerabilities

Phishing

Impersonation – everyone needs a friend

The “too good to be true”

The “help” desk

Human frailty + A little engineering + Patience = Treasure Trove!

OTHER RISK SOURCES

Insecure third-party practices

Data on devices

Temporary work forces

Simple carelessness

Not knowing what is where

PLANNING, AND THEN MORE PLANNING

The time for learning the emergency plan is not while the disaster is happening!

An unknown plan is worth less than no plan at all.

A plan without training is more worthless yet.

Create, Implement, Train, Practice.

Crisis Management for In-House Counsel: Data Breaches, Disasters, Fraud, Government Investigations and More

Preparing for the Worst

Theresa Coetzee

Marriott International, Inc.

Preparing for the Worst…

Elements of Business Continuity Management

Preparing for the Worst…

RESOURCES

• Federal Emergency Management Agency (FEMA) Business Continuity Planning Suite software.

• The Federal Financial Institutions Examination Council (FFIEC) publishes the “Business Continuity Planning Booklet”.

• The American Bar Association provides a template disaster preparedness plan titled “Surviving a Disaster, Guide to Disaster Planning for Bar Associations”.

Crisis Management for In-House Counsel: Data Breaches, Disasters, Fraud, Government Investigations and More

Ethics Considerations

Alison P. Buchanan

© 2014 Hoge Fenton Jones & Appel

Ethics Considerations Part One: Pre-Crisis

• The Rules apply equally to in-house counsel

• Courts scrutinize in-house counsel’s conduct

• Duties include:

– The duty to educate your client

– The duty to supervise outside counsel

• Consequences of rules violations include sanctions and discipline

Ethics Considerations Part One: Pre-Crisis

• WHO

– Model Rule 1.13, Organization As Client

• WHAT

– Model Rule 1.4, Communication

– Model Rule 1.2, Authority Between Client and Lawyer

• WHEN

• WHY

Ethics Considerations Part One: Pre-Crisis

Having a pre-crisis plan in place protects the organization AND in-house counsel

– Allows for objectivity and protects against rash decisions driven by fear or panic made in the midst of the crisis

– Protects against organizational demands that its counsel ignore ethical obligations “for the good of the company”

Ethics Considerations Part Two: Mid-Crisis

Ethics issues during the mitigation/response phase:

– Model Rule 1.7, Conflicts – Current Clients

– Model Rule 2.1, Advisor

– Model Rule 1.6, Confidentiality of Information

• Secrets are anything embarrassing or detrimental

– The Attorney-Client Privilege and waiver

Ethics Considerations Part Two: Mid-Crisis

• Your organization’s PR team is not comprised of lawyers; they are not subject to the Rules of Professional Conduct, but you are

– Model Rule 4.1, Truthfulness in Statements to Others

– Model Rule 4.4, Respect for Rights of Third Persons

– Model Rule 3.9, Advocate in Nonadjudicative Proceedings

• You cannot instruct someone to do something you are ethically prohibited from doing

– Model Rule 5.3, Responsibilities Regarding Nonlawyer Assistants

Ethics Considerations Part Three: Post-Crisis

Ethical considerations during post-crisis litigation:

• Model Rule 3.6, Trial Publicity

• Model Rule 4.2, The No Contact Rule

• Spoliation and e-Discovery

Ethics Considerations Part Three: Post-Crisis

Spoliation and e-Discovery

– Is litigation reasonably contemplated?

• Duty to issue a litigation hold

• Zubulake v. UBS Warburg, 2004 WL 1620866 (S.D.N.Y.)

• Duty also encompasses search, collection, and production (while preserving the attorney-client privilege)

• Trust, but verify, compliance efforts

– Model Rule 1.1, Competence

– Model Rule 3.3, Candor Toward the Tribunal

– Model Rule 3.4, Fairness to Opposing Party and Counsel

AND NOW . . .

IT’S CHAOS TIME