1 / 18

Talking Risk: How Can the Lawyer & CIO Speak the Same Language?

Talking Risk: How Can the Lawyer & CIO Speak the Same Language?. Fusion 2007 February 28, 2006. Overview. Background & Introductory Questions Some Samples in Two Hot Button Areas Electronic Discovery Data Privacy And then, briefly … Other General Compliance Matters

Download Presentation

Talking Risk: How Can the Lawyer & CIO Speak the Same Language?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Talking Risk: How Can the Lawyer & CIO Speak the Same Language? Fusion 2007 February 28, 2006

  2. Overview • Background & Introductory Questions • Some Samples in Two Hot Button Areas • Electronic Discovery • Data Privacy And then, briefly … Other General Compliance Matters A Few Words About Employees

  3. IT Impact On Risk Issues Is Ever-increasing • Technology permeates most organizations • Can you identify a business that does not touch any personal information? • Can you name a business that is immune from litigation? • Can you name a business that does NOT have a IT related risk factor at or near the top of the list? • When business relies on technology, business risk becomes technology dependent as well

  4. The Background in Numbers • More than 100 Million records containing sensitive personal information involved in security breaches that have been publiclyannounced • Federal Rules of Civil Procedure revised to account for “electronically stored information” in litigation • 34+ states with data breach notification laws, federal legislation pending • VISA is increasing penalties for non-compliance with the handling of card information; others will follow • Lawsuits of all types continue to proliferate

  5. The Background in Numbers • 62% of CIOs surveyed indicated that “Ensuring Data Security and Integrity” was one of the top 5 technology priorities for 2007 • 71% of CIOs listed “the ability to communicate effectively” as a personal skill necessary for them to be effective. But how do you communicate with a LAWYER?

  6. E-Discovery Issue Your in-house lawyer walks into your office and says “we’ve been sued for patent infringement and trade secret theft by our #1 competitor; we are going to be countersuing them and we need to begin thinking about discovery related issues, so I will need your help—as you know, under the new Federal Rules, we have a meet and confer in about a month and I’ll need to be equipped for that meeting.” Where do we go from here?

  7. Practical Result of the Changes to FRCP: • Lawyer’s Concern: Anticipate the type, volume, location and accessibility of potentially relevant data to obtain a discovery schedule allowing sufficient time to process and possibly review electronically stored information prior to production. • CIO’s Concern: Know what you have, where you have it, how much of it you have, what format(s) it is in, and how quickly you can get it together, and how business-disruptive this will be … (while I’m delivering on other (real) projects, hiring to fill empty positions and staying within my budget)

  8. The Stakes are High: • A well-informed attorney can better manage client costs without hurting the client’s case. • Egregious problems will equal egregious sanctions from the Court.

  9. Typical documents, spreadsheets, etc. E-mail Backups Webserver logs IDS logs Blackberry/PDA Source Code libraries Instant messaging Customer facing systems & databases supporting them USB/Flash drives Local drives Laptops / Home computers Third parties who hold data Others? Practical Recommendations – What Can I do Now? Think broadly & document your existing sources / stores of data:

  10. Practical Recommendations – Policy Considerations • Review (and document) policies applicable to each data store • How much do I need to keep? • How long do I need to keep it? • Do I need to keep it for everyone? • Is it backed up? How long is the backup kept? • Who is the system owner/responsible party?

  11. Practical Recommendations – Other final thoughts • Scrutinize ANY automatic process that would result in automatic deletion of current files/records – know how you will stop it if put on a litigation hold • Consider other proactive measures • Plan for a litigation hold / discovery project – how will you execute it? • If you don’t know, understand what types of suits you may face and how they would impact your discovery obligations. • Get used to working with discovery firm and outside litigation counsel

  12. Data Breach Issue One of your employees comes to you with a copy of an email he received that threatens the use and/or public disclosure of some unidentified, undisclosed portion of your customer file if you don’t pay $100,000 to a specific bank account within 24 hours. The email includes three sample records, with accurate personal information – the employee tells you that he has already confirmed with finance that the associated credit card numbers are accurate. Where do we go from here?

  13. Some considerations • What will a CIO want to know? • What will a lawyer want to know? • Do we have to notify affected customers? • Should we involve law enforcement? • Do we make any public statement? • Communications to other employees?

  14. Some additional facts … does your answer change? • Three customer records he shared with you are from Iowa, Wisconsin and Michigan • Employee who received breach email is authorized to work on systems with access to this information • Email came from an ISP account where you have a good business relationship • Incident is one week after employee review process completed

  15. Practical Recommendations – How to be Prepared • Prevention: Don’t have an incident • If you do: have an incident response plan with a clear decision making criteria and communicate it ! • Have an incident response team • Cultivate law enforcement and/or agency contacts • Draft and think about notifications before • Know the business impact of certain decisions before you have to implement them

  16. Other Compliance Matters: Know Your Industry • HIPAA • GLBA • PCI • SOX • FCRA • All kinds of others in the acronym soup

  17. Employee – Greatest Asset & Greatest Risk • Substantial number of data security / privacy issues are employee based • Employees do things that they shouldn’t • Music sharing • Download & install software – malware & virus issues • They “hack back” at others • Development staff: Open Source inclusion into larger projects • Can employees participate in open source initiatives? • Showing up in M&A representations • GPL 3.0 will make this a larger challenge • Blogging & disclosure issues: trade secret, securities, patent • Disgruntled employees report software license issues

  18. Questions / Comments? Erik Phelps, Esq. Michael Best & Friedrich, LLP ejphelps@michaelbest.com 608-283-2247

More Related