Lex Mundi 2011 Confidentiality and Knowledge Collaboration Presentation - facilitated by Dave Cunningham

Uploaded by: davecunningham

Posted on 08-May-2015

TRANSCRIPT

Page 1: Lex mundi 2011   confidentiality and knowledge collaboration presentation - facilitated by dave cunningham sep 2011

© 2011 HBR CONSULTING LLC. All rights reserved.

Issues Relating to the Interrelationship of Knowledge Management and Data Privacy in Law Firms

Presented by:

James A. Harvey, Partner, Alston & Bird

David Cunningham, Managing Director, HBR Consulting

Confidentiality and Knowledge Collaboration

Page 2:

Data Privacy Overview

- Regulatory Obligations
- Client Confidential Information
- Firm Confidential Information

Data Privacy

Page 3:

Examples of data that is regulated by one or more privacy/security statutes

- Name
- Social security number
- Last four of social security number
- Driver's license number
- Date of birth
- Passport information
- Health information
- Maiden name
- Electronic or digitized signature
- Physical or mental health conditions
- Information regarding provision of or payment for health care
- Financial information (electronic payroll deposit)
- Credit card or debit card information
- Government identification numbers
- Tax information
- Address or phone numbers
- Biometric information (fingerprint, voice print, etc.)

Page 4:

Data Privacy Regulations

- HITECH / HIPAA: Protected Health Information (PHI)
- State Privacy Laws: Personally Identifiable Information (PII)
- EU Data Protection Directive / Safe Harbor: Personally Identifiable Information (PII)
- Red Flag: Personally Identifiable Information (PII)
- ITAR: Classified Defense Information

HITECH / HIPAA (Protected Health Information)

Governing Body: Health and Human Services and Federal Trade Commission

Sensitive Data: Protected Health Information, including internal HR data and client data

Compliance Date: February 17, 2010

Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties

Page 5:

State Privacy Laws (Personally Identifiable Information)

Governing Body: State of Massachusetts (example state)

Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts

Compliance Date: March 1, 2010

Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties

Page 6:

EU Data Protection Directive / Safe Harbor (Personally Identifiable Information)

Governing Body: US Dept of Commerce / Federal Trade Commission

Sensitive Data: Personal information transferred to or from the 27 Member States of the European Union

Compliance Date: Voluntary (replaces Data Transfer Agreements)

Penalty: Up to $12,000 per day for violations

Page 7:

Red Flag (Personally Identifiable Information)

Governing Body: Federal Trade Commission via Fair Credit Reporting Act

Sensitive Data:
- Requires financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities known as "red flags."
- The purpose of the Red Flags Rules is to help avoid identity theft.

Compliance Date: June 1, 2010 (law firms exempt)

Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance

Page 8:

ITAR (Classified Defense Information)

Governing Body: US Department of State

Sensitive Data: "Export of technical data and classified defense articles", as defined by the US Munitions List

Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control

Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment

Page 9:

Protection of Sensitive Data

- Client Data Leaks: Client and Case / Transaction Data
- Firm Data Leaks: Firm and Partner Confidential Data

Page 10:

Protection of Sensitive Data

- Client Data Leaks: Client and Case / Transaction Data
- Firm Data Leaks: Firm and Partner Confidential Data
- Preservation Orders: Litigation, Subpoena or Client Requests
- Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts

Page 11:

Protection of Sensitive Data

- Client Data Leaks: Client and Case / Transaction Data
- Firm Data Leaks: Firm and Partner Confidential Data
- Preservation Orders: Litigation, Subpoena or Client Requests
- Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts

Data Standards

- ISO 27001: Competence in Addressing Data Confidentiality


Page 14:

'Anonymous' Hacking of HB Gary

HB Gary, a security firm, was working with Hunton & Williams to help protect Bank of America from Wikileaks contributions.

The CEO of HB Gary announced that his company had infiltrated the security group Anonymous.

In retaliation, Anonymous took control of HB Gary's e-mail, dumping 68,000 e-mails, erasing files, and taking down their phone system.

They exposed contributors to Wikileaks and the HB Gary CEO's home address and social security number.

Page 15:

Security Hacking for a Cause

Hackers appear to be widening their targets, stealing information from vendors or contractors that may hold strategic data about their clients, including public relations and law firms.

Law firms have been hacked because of their roles in copyright law matters.

King & Spalding was a large firm known to have been attacked.

Page 16:

Ex-Sonsini Attorney Charged in $32M Insider Trading Case

A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms, netting $32 million in a decades-long insider trading scheme.

Kluger regularly "stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working," according to a copy of the criminal complaint.

Page 17:

From whom are knowledge managers protecting data?

Internal
- Employees with insider trading intentions
- Employees who accidentally see confidential data
- Employees who re-use content outside their expertise
- Attorney client privilege
- Stock trading without appropriate notification and disclosure

External
- Clients and third parties who may accidentally be sent confidential information

Page 18:

What sources of information may be useful to insiders?

- Document management (document names and descriptions)
- Precedents
- Active material
- Litigation support data
- Conflicts
- New business intake
- Time entry
- Extranet sites
- Verbal discussions
- Records data
- Newsletters and status reports
- Physical war rooms
- Travel agendas
- Legal project management systems

Page 19:

How do firms protect this information?

Standard Tools
- Policies
- Ethical training and reinforcement
- Ethical walls for known sensitive matters
- Project code names
- Enterprise searching that recognizes folder and file security
- Password protection for documents and spreadsheets
- Locking and wiping of remote access devices; security software on remote devices
- Minimum password sophistication
- Required screen saver usage
- Two-factor authentication
- Account auditing / monitoring

Page 20:

How do firms protect this information?

Emerging Tools
- Document naming standards
- Matters secured by default / ethical walls for all matters
- Knowledge Management as gatekeeper
- Third party agreements and procedures
- Identity management
- Monitoring for unusual activity (users and IT)
- Encryption (data in transit / data at rest)
- Intelligent redaction software
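The inclusionary and exclusionary walls from the Protection of Sensitive Data slides, combined with "matters secured by default", security-aware enterprise search and account auditing from the two tools slides, as an added Python example (not code from the presentation or from HBR Consulting; the users, matters and documents are constructed):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Matter:
    matter_id: str
    secured_by_default: bool = True                  # closed unless you are on the team
    team: Set[str] = field(default_factory=set)      # working group for the matter
    inclusionary_wall: Optional[Set[str]] = None     # privacy/subpoena: ONLY these users
    exclusionary_wall: Set[str] = field(default_factory=set)  # conflicts: never these users

@dataclass
class Document:
    doc_id: str
    matter_id: str
    name: str          # names and descriptions alone can reveal a deal (slide 18)
    description: str

def may_access(user: str, matter: Matter) -> bool:
    """Wall-aware decision; an exclusionary wall overrides every other grant."""
    if user in matter.exclusionary_wall:
        return False
    if matter.inclusionary_wall is not None:
        return user in matter.inclusionary_wall
    return (user in matter.team) if matter.secured_by_default else True

def secure_search(user, query, docs, matters, audit):
    """Return only hits the user may open; suppressed hits are logged, not shown."""
    hits, q = [], query.lower()
    for d in docs:
        if q not in d.name.lower() and q not in d.description.lower():
            continue
        if may_access(user, matters[d.matter_id]):
            hits.append(d.doc_id)
        else:   # feed account auditing / unusual-activity monitoring
            audit.append((user, d.matter_id, "search hit suppressed"))
    return hits

# Constructed sample data: hypothetical users, matters and documents.
MATTERS = {
    "M-1001": Matter("M-1001", team={"alice", "bob"}),                          # secured by default
    "M-1002": Matter("M-1002", secured_by_default=False, exclusionary_wall={"carol"}),  # conflict wall
    "M-1003": Matter("M-1003", team={"alice"}, inclusionary_wall={"alice", "dan"}),    # subpoena wall
}
DOCS = [
    Document("D1", "M-1001", "Project Falcon merger agreement", "acquisition terms"),
    Document("D2", "M-1002", "Falcon discovery index", "litigation support data"),
    Document("D3", "M-1003", "Falcon subpoena response", "privileged correspondence"),
]

def run_search(user: str, query: str = "falcon"):
    audit: list = []   # returns (visible doc ids, audit events)
    return secure_search(user, query, DOCS, MATTERS, audit), audit
```

A user outside a wall never sees even the document name of a suppressed hit, and each suppressed hit leaves an audit event for monitoring.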

Page 21:

Data Privacy Solutions

Page 23:

Data Privacy - General Adequacy Questions

Does the Firm need the personal data that it is collecting about an individual?

Can the Firm document what it will use the personal data for?

Do these individuals know that the Firm has their personal data and do they understand what it will be used for?

If the Firm is asked to pass on personal data, would these individuals expect the Firm to do this?

Is the Firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the Firm willing to face a regulatory audit on this security?

Is it secure and are proper contracts with the third parties in place?

Is access to personal data limited to those with a strict need to know at the Firm?

Is the Firm sure that all personal data is accurate and up to date?

Does the Firm delete or destroy personal information as soon as it has no more need for it?

Has the Firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws and are all of its attorneys and staff satisfying their duties and responsibilities?

Are all notifications to all Data or Information Commissioners current?

Page 24:

Selected Articles

Block, Meg & David Cunningham. "Legal Information Risk – Action Plan and Roadmap," Peer to Peer, June 2011. http://www.mygazines.com/issue/34686/33

Harbert, Tam. "Catch Me If You Can," Law Technology News, June 1, 2011. http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202494769505&slreturn=1&hbxlogin=1

Nelson, Sharon. "Your Chance of Being Hacked in Twelve Months Now a 'Statistical Certainty,'" Ride The Lightning Electronic Evidence Blog, June 30, 2011. http://ridethelightning.senseient.com/2011/06/your-chance-of-being-hacked-in-twelve-months-now-a-statistical-certainty.html

Page 25:

Selected Resources

Law Firm Risk Resources (short list from 2009). http://lawfirmriskresources.wikispaces.com/

Law Firm Risk Management Blog. http://www.lawfirmrisk.com/

InfoRiskAwareness Blog (UK focus). http://inforiskawareness.co.uk/best_practice/

Hildebrandt Baker Robbins Blog (selected posts). http://info.hbrconsulting.com/blog/archive/2011/06/01/balancing-information-security-and-collaboration-a-knowledge-management-view.aspx and http://info.hbrconsulting.com/blog/archive/2011/05/13/risk-management-at-law-firms-a-rapidly-evolving-issue.aspx