Talking Risk: How Can the Lawyer & CIO Speak the Same Language?



Transcript of Talking Risk: How Can the Lawyer & CIO Speak the Same Language?

Page 1: Talking Risk: How Can the Lawyer & CIO Speak the Same Language?

Talking Risk: How Can the Lawyer & CIO Speak the Same Language?

Fusion 2007

February 28, 2006

Page 2

Overview

- Background & Introductory Questions
- Some Samples in Two Hot Button Areas
  - Electronic Discovery
  - Data Privacy
- And then, briefly …
  - Other General Compliance Matters
  - A Few Words About Employees

Page 3

IT Impact On Risk Issues Is Ever-increasing

- Technology permeates most organizations
- Can you identify a business that does not touch any personal information?
- Can you name a business that is immune from litigation?
- Can you name a business that does NOT have an IT-related risk factor at or near the top of the list?
- When business relies on technology, business risk becomes technology dependent as well

Page 4

The Background in Numbers

More than 100 Million records containing sensitive personal information involved in security breaches that have been publicly announced

Federal Rules of Civil Procedure revised to account for “electronically stored information” in litigation

34+ states with data breach notification laws, federal legislation pending

VISA is increasing penalties for non-compliance with the handling of card information; others will follow

Lawsuits of all types continue to proliferate

Page 5

The Background in Numbers

62% of CIOs surveyed indicated that “Ensuring Data Security and Integrity” was one of the top 5 technology priorities for 2007

71% of CIOs listed “the ability to communicate effectively” as a personal skill necessary for them to be effective.

But how do you communicate with a LAWYER?

Page 6

E-Discovery Issue

Your in-house lawyer walks into your office and says “we’ve been sued for patent infringement and trade secret theft by our #1 competitor; we are going to be countersuing them and we need to begin thinking about discovery related issues, so I will need your help—as you know, under the new Federal Rules, we have a meet and confer in about a month and I’ll need to be equipped for that meeting.”

Where do we go from here?

Page 7

Practical Result of the Changes to FRCP:

Lawyer’s Concern: Anticipate the type, volume, location and accessibility of potentially relevant data to obtain a discovery schedule allowing sufficient time to process and possibly review electronically stored information prior to production.

CIO’s Concern: Know what you have, where you have it, how much of it you have, what format(s) it is in, how quickly you can get it together, and how business-disruptive this will be … (while I’m delivering on other (real) projects, hiring to fill empty positions and staying within my budget)

Page 8

The Stakes are High:

A well-informed attorney can better manage client costs without hurting the client’s case.

Egregious problems will equal egregious sanctions from the Court.

Page 9

Practical Recommendations – What Can I do Now?

Think broadly & document your existing sources / stores of data:

- Typical documents, spreadsheets, etc.
- E-mail
- Backups
- Webserver logs
- IDS logs
- Blackberry/PDA
- Source code libraries
- Instant messaging
- Customer-facing systems & the databases supporting them
- USB/Flash drives
- Local drives
- Laptops / home computers
- Third parties who hold data
- Others?

Page 10

Practical Recommendations – Policy Considerations

Review (and document) policies applicable to each data store

- How much do I need to keep?
- How long do I need to keep it?
- Do I need to keep it for everyone?
- Is it backed up? How long is the backup kept?
- Who is the system owner/responsible party?

Page 11

Practical Recommendations – Other final thoughts

- Scrutinize ANY automatic process that would result in automatic deletion of current files/records – know how you will stop it if put on a litigation hold
- Consider other proactive measures
  - Plan for a litigation hold / discovery project – how will you execute it?
  - If you don’t know, understand what types of suits you may face and how they would impact your discovery obligations.
  - Get used to working with a discovery firm and outside litigation counsel
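The point above about automatic deletion, shown as an added example that is not code from the presentation: a retention sweeper whose delete path is gated by a litigation hold and which fails closed for any store that has no documented retention policy (the situation slide 10 is asking you to find before a hold arrives). The records, the retention schedule in days and the hold notice are all constructed, hypothetical inputs; a real implementation reads the hold scope from counsel and the schedule from the policies you documented per data store.

```python
"""Retention sweeper with a litigation-hold gate.

Added illustrative example, not code from the original presentation.
The records, retention schedule and hold are constructed (hypothetical)
inputs standing in for a real records system and a real hold notice.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    store: str        # data store the record lives in (e-mail, IM, logs, ...)
    custodian: str    # employee or system owner responsible for it
    created: date
    subject: str      # free text that hold keywords are matched against


@dataclass(frozen=True)
class LitigationHold:
    """A hold notice from counsel, scoped by custodian, store and/or keyword."""
    matter: str
    custodians: frozenset = frozenset()
    stores: frozenset = frozenset()
    keywords: tuple = ()

    def covers(self, rec: Record) -> bool:
        if rec.custodian in self.custodians or rec.store in self.stores:
            return True
        text = rec.subject.lower()
        return any(k.lower() in text for k in self.keywords)


# Retention schedule per store, in days (hypothetical values).
RETENTION_DAYS = {"email": 365, "webserver-logs": 90, "im": 30}


def sweep(records, holds, today, retention=RETENTION_DAYS):
    """Split records into (to_delete, held); held is a list of (record, reason).

    Two things block deletion: an active hold that covers the record, or a
    store with no retention policy on file, which is treated as fail-closed
    (refuse to delete) rather than fail-open.
    """
    to_delete, held = [], []
    for rec in records:
        days = retention.get(rec.store)
        if days is None:
            held.append((rec, f"no retention policy on file for store "
                              f"'{rec.store}'; refusing to auto-delete"))
            continue
        if today - rec.created <= timedelta(days=days):
            continue  # still inside its retention window, nothing to do
        hold = next((h for h in holds if h.covers(rec)), None)
        if hold is not None:
            held.append((rec, f"litigation hold: {hold.matter}"))
        else:
            to_delete.append(rec)
    return to_delete, held


def run_demo(today=date(2007, 2, 28)):
    """Run the sweeper over constructed sample records and one hold notice."""
    records = [
        Record("r1", "email", "alice", date(2005, 1, 10), "Q4 pricing"),
        Record("r2", "email", "bob", date(2005, 6, 1), "widget design notes"),
        Record("r3", "webserver-logs", "ops", date(2007, 1, 1), "access log"),
        Record("r4", "im", "carol", date(2006, 12, 1), "Re: Acme patent"),
        Record("r5", "source-code", "dev", date(2004, 1, 1), "build scripts"),
    ]
    hold = LitigationHold(            # hypothetical hold from counsel
        matter="Acme Corp. v. Us (patent / trade secret)",
        custodians=frozenset({"bob"}),
        stores=frozenset({"source-code"}),
        keywords=("Acme", "patent"),
    )
    return sweep(records, [hold], today)


if __name__ == "__main__":
    to_delete, held = run_demo()
    for rec in to_delete:
        print(f"DELETE {rec.record_id} ({rec.store}, {rec.custodian})")
    for rec, reason in held:
        print(f"HOLD   {rec.record_id} ({rec.store}, {rec.custodian}): {reason}")
```

With the sample data only r1 is deleted: r2 is held by custodian, r4 by keyword, and r5 is blocked because nobody wrote a policy for the source-code store. The held list is what you hand to counsel; the same function, run with an empty hold list, is the ordinary nightly job, so adding a hold is a data change rather than a code change made under deadline.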

Page 12

Data Breach Issue

One of your employees comes to you with a copy of an email he received that threatens the use and/or public disclosure of some unidentified, undisclosed portion of your customer file if you don’t pay $100,000 to a specific bank account within 24 hours. The email includes three sample records, with accurate personal information – the employee tells you that he has already confirmed with finance that the associated credit card numbers are accurate.

Where do we go from here?

Page 13

Some considerations

- What will a CIO want to know?
- What will a lawyer want to know?
- Do we have to notify affected customers?
- Should we involve law enforcement?
- Do we make any public statement?
- Communications to other employees?

Page 14

Some additional facts … does your answer change?

Three customer records he shared with you are from Iowa, Wisconsin and Michigan

Employee who received breach email is authorized to work on systems with access to this information

Email came from an ISP account where you have a good business relationship

Incident is one week after employee review process completed
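Scoping the breach in the scenario above, as an added example that is not part of the presentation: instead of having someone in finance eyeball raw card numbers (which spreads the very data you are trying to contain), the sample records from the extortion e-mail are matched against a customer file whose card numbers are stored only as keyed hashes. That answers the first questions the CIO and the lawyer both have (is the data real, which customers, which states) without putting a single full card number in anyone's inbox. The customer file, the e-mail body, the tokenisation key and the card numbers (published test numbers, not real accounts) are all constructed.

```python
"""Scope an extortion sample against the customer file without handling raw PANs.

Added illustrative example, not code from the original presentation.
The customer file, the extortion e-mail and the tokenisation key are
constructed (hypothetical); the card numbers are published test numbers.
"""
import hashlib
import hmac
import re
from collections import Counter

# Hypothetical tokenisation key. In production it lives in a vault or HSM and
# the PAN column is stored only as the keyed hash, never in the clear.
TOKEN_KEY = b"demo-only-tokenisation-key"


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: weeds out typos and fabricated numbers before matching."""
    digits = [int(c) for c in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


def pan_token(pan: str) -> str:
    """Keyed hash of a PAN. An unkeyed SHA-256 would be brute-forceable: the
    PAN space is small enough to enumerate, so the key is what protects it."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


# Constructed customer file: PANs already tokenised at rest.
CUSTOMER_FILE = [
    {"id": "C1001", "state": "IA", "pan_token": pan_token("4111111111111111")},
    {"id": "C1002", "state": "WI", "pan_token": pan_token("4012888888881881")},
    {"id": "C1003", "state": "MI", "pan_token": pan_token("340000000000009")},
    {"id": "C1004", "state": "IL", "pan_token": pan_token("5500000000000004")},
]

# Constructed extortion e-mail body, standing in for the samples in the scenario.
EXTORTION_EMAIL = """\
Pay $100,000 to the account below within 24 hours or your customer file goes public.
Proof:
J. Doe, Des Moines IA, 4111 1111 1111 1111
R. Roe, Madison WI, 4012-8888-8888-1881
P. Poe, Lansing MI, 3400 000000 00009
X. Xoe, Chicago IL, 4111 1111 1111 1112
"""

# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def extract_pans(text: str) -> list:
    """Pull candidate card numbers out of free text, stripping separators."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text)]


def scope_leak(email_text: str, customers=CUSTOMER_FILE) -> dict:
    """Match leaked samples to customers by token; report only last-4 digits."""
    by_token = {c["pan_token"]: c for c in customers}
    result = {"matched": [], "unmatched": [], "rejected": [], "by_state": Counter()}
    for pan in extract_pans(email_text):
        if not luhn_ok(pan):
            result["rejected"].append(pan[-4:])   # fabricated or mistyped sample
            continue
        cust = by_token.get(pan_token(pan))
        if cust is None:
            result["unmatched"].append(pan[-4:])  # valid number, not one of ours
        else:
            result["matched"].append((cust["id"], cust["state"]))
            result["by_state"][cust["state"]] += 1
    result["by_state"] = dict(result["by_state"])
    return result


if __name__ == "__main__":
    report = scope_leak(EXTORTION_EMAIL)
    print("matched customers:", report["matched"])
    print("affected states:  ", report["by_state"])
    print("rejected samples (last 4):", report["rejected"])
```

The per-state tally is the input the lawyer needs for the notification question on slide 13, since each state's breach-notification statute is triggered separately; the Luhn filter catches padding the extortionist added to look more credible; and because matching runs against tokens, the response team can do this on day one without a finance employee or the incident channel ever seeing a full PAN.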

Page 15

Practical Recommendations – How to be Prepared

- Prevention: Don’t have an incident
- If you do:
  - Have an incident response plan with clear decision-making criteria, and communicate it!
  - Have an incident response team
  - Cultivate law enforcement and/or agency contacts
  - Draft and think about notifications beforehand
  - Know the business impact of certain decisions before you have to implement them

Page 16

Other Compliance Matters: Know Your Industry

- HIPAA
- GLBA
- PCI
- SOX
- FCRA
- All kinds of others in the acronym soup

Page 17

Employee – Greatest Asset & Greatest Risk

- A substantial number of data security / privacy issues are employee based
- Employees do things that they shouldn’t
  - Music sharing
  - Download & install software – malware & virus issues
  - They “hack back” at others
- Development staff:
  - Open source inclusion into larger projects
  - Can employees participate in open source initiatives?
  - Showing up in M&A representations
  - GPL 3.0 will make this a larger challenge
- Blogging & disclosure issues: trade secret, securities, patent
- Disgruntled employees report software license issues

Page 18

Questions / Comments?

Erik Phelps, Esq.

Michael Best & Friedrich, LLP

[email protected]

608-283-2247