Talking Risk: How Can the Lawyer & CIO Speak the Same Language?
Talking Risk: How Can the Lawyer & CIO Speak the Same Language?
Fusion 2007
February 28, 2006
Overview
Background & Introductory Questions
Some Samples in Two Hot Button Areas
Electronic Discovery
Data Privacy
And then, briefly …
Other General Compliance Matters
A Few Words About Employees
IT Impact On Risk Issues Is Ever-increasing
Technology permeates most organizations
Can you identify a business that does not touch any personal information?
Can you name a business that is immune from litigation?
Can you name a business that does NOT have an IT-related risk factor at or near the top of the list?
When business relies on technology, business risk becomes technology dependent as well
The Background in Numbers
More than 100 Million records containing sensitive personal information involved in security breaches that have been publicly announced
Federal Rules of Civil Procedure revised to account for “electronically stored information” in litigation
34+ states with data breach notification laws, federal legislation pending
VISA is increasing penalties for non-compliance with the handling of card information; others will follow
Lawsuits of all types continue to proliferate
The Background in Numbers
62% of CIOs surveyed indicated that “Ensuring Data Security and Integrity” was one of the top 5 technology priorities for 2007
71% of CIOs listed “the ability to communicate effectively” as a personal skill necessary for them to be effective.
But how do you communicate with a LAWYER?
E-Discovery Issue
Your in-house lawyer walks into your office and says “we’ve been sued for patent infringement and trade secret theft by our #1 competitor; we are going to be countersuing them and we need to begin thinking about discovery related issues, so I will need your help—as you know, under the new Federal Rules, we have a meet and confer in about a month and I’ll need to be equipped for that meeting.”
Where do we go from here?
Practical Result of the Changes to FRCP:
Lawyer’s Concern: Anticipate the type, volume, location and accessibility of potentially relevant data to obtain a discovery schedule allowing sufficient time to process and possibly review electronically stored information prior to production.
CIO’s Concern: Know what you have, where you have it, how much of it you have, what format(s) it is in, how quickly you can get it together, and how business-disruptive this will be … (while I’m delivering on other (real) projects, hiring to fill empty positions and staying within my budget)
The Stakes are High:
A well-informed attorney can better manage client costs without hurting the client’s case.
Egregious problems will equal egregious sanctions from the Court.
Practical Recommendations – What Can I do Now?
Think broadly & document your existing sources / stores of data:
Typical documents, spreadsheets, etc.
E-mail
Backups
Webserver logs
IDS logs
Blackberry/PDA
Source Code libraries
Instant messaging
Customer facing systems & databases supporting them
USB/Flash drives
Local drives
Laptops / Home computers
Third parties who hold data
Others?
Practical Recommendations – Policy Considerations
Review (and document) policies applicable to each data store
How much do I need to keep?
How long do I need to keep it?
Do I need to keep it for everyone?
Is it backed up?
How long is the backup kept?
Who is the system owner/responsible party?
Practical Recommendations – Other final thoughts
Scrutinize ANY automatic process that would result in automatic deletion of current files/records – know how you will stop it if put on a litigation hold
Consider other proactive measures
Plan for a litigation hold / discovery project – how will you execute it?
If you don’t know, understand what types of suits you may face and how they would impact your discovery obligations.
Get used to working with discovery firm and outside litigation counsel
Data Breach Issue
One of your employees comes to you with a copy of an email he received that threatens the use and/or public disclosure of some unidentified, undisclosed portion of your customer file if you don’t pay $100,000 to a specific bank account within 24 hours. The email includes three sample records, with accurate personal information – the employee tells you that he has already confirmed with finance that the associated credit card numbers are accurate.
Where do we go from here?
Some considerations
What will a CIO want to know?
What will a lawyer want to know?
Do we have to notify affected customers?
Should we involve law enforcement?
Do we make any public statement?
Communications to other employees?
Some additional facts … does your answer change?
Three customer records he shared with you are from Iowa, Wisconsin and Michigan
Employee who received breach email is authorized to work on systems with access to this information
Email came from an ISP account where you have a good business relationship
Incident is one week after employee review process completed
Practical Recommendations – How to be Prepared
Prevention: Don’t have an incident
If you do: have an incident response plan with clear decision-making criteria and communicate it!
Have an incident response team
Cultivate law enforcement and/or agency contacts
Draft and think about notifications beforehand
Know the business impact of certain decisions before you have to implement them
Other Compliance Matters: Know Your Industry
HIPAA
GLBA
PCI
SOX
FCRA
All kinds of others in the acronym soup
Employee – Greatest Asset & Greatest Risk
Substantial number of data security / privacy issues are employee based
Employees do things that they shouldn’t
Music sharing
Download & install software – malware & virus issues
They “hack back” at others
Development staff:
Open Source inclusion into larger projects
Can employees participate in open source initiatives?
Showing up in M&A representations
GPL 3.0 will make this a larger challenge
Blogging & disclosure issues: trade secret, securities, patent
Disgruntled employees report software license issues
Questions / Comments?
Erik Phelps, Esq.
Michael Best & Friedrich, LLP
608-283-2247