PRIVACY AND ETHICS

Key Challenges Facing In-house Counsel in 2013

JAMES A. MERKLINGER

Vice President & General Counsel Association of Corporate Counsel

JAMES L. CALIS Associate General Counsel & Deputy Chief Privacy Officer Global

Tel*Link Corporation

MERCEDES KELLEY TUNSTALL Of Counsel Ballard Spahr LLP

MARTY PROVIN CIPP/US, Executive Vice President Jordan Lawrence

REFRESHER ON ETHICS FOR

IN-HOUSE COUNSEL

• Who is your client?

• “Miranda” warnings

• Reporting obligations

• Personal issues raised by executives

• Boundaries of the attorney-client privilege

• Who controls the privilege?

WHO IS YOUR CLIENT?

• In-house counsel represent one and only one client: the corporation itself:

Client-Lawyer Relationship Rule 1.13 Organization As Client

A lawyer employed or retained by an organization represents the organization acting

through its duly authorized constituents.

“MIRANDA” WARNINGS

• It is common for in-house counsel to interact with employees whose actions may put them into a position adverse to the company.

• Counsel have the obligation to ensure that the employee understands that the lawyer represents the employer and will keep information disclosed confidential.

• Reference comment 10 to Rule 1.13(f): – Care must be taken to assure that the individual

understands that, when there is such adversity of interest , the lawyer of the organization cannot provide legal representation for the constituent individual and that discussion between the lawyer for the organization and the individual may not be privileged.

CONTENT OF “MIRANDA” WARNINGS

• I represent the company, not you individually.

• Anything you tell me, I may share with the company.

• The company will control the privilege, not you.

• The company may choose to waive the privilege and share information with regulators or others. You may not make these choices.

• You can choose to stop this discussion at any time.

• You can seek advice of your own counsel at any time.

DUTY TO DISCLOSE INFORMATION

• Lawyers must disclose any material information they learn during the course of their representation to the client. Schweizer v. Mulvehill, 93 F. Supp.2d 376, 397 (S.D.N.Y. 2000); Rice v. Perl, 320 N.W. 2d 407, 410 (Minn. 1982).

• Duty of disclosure may require “up the chain” reporting adverse to an employee or executive. See Rule 1.13(b)(3).

• Consider Sarbanes-Oxley overlay in publicly-traded companies.

WHAT IS PRIVILEGED?

• The attorney-client privilege applies to in-house lawyers, but there are some common situations in which discussions with in-house counsel fall outside the privilege:

– Privilege only covers communications relating to legal advice. Hoechst Celanese Corp. v. Nat’l Union Fire Insurance Co. of Pittsburgh, 623 A2d 1118, 1122 (Del. Super. Ct. 1992).

– Communications copying lawyers where no legal advice is sought or given.

– In-house counsel performing “business” functions.

WHO CONTROLS THE PRIVILEGE ANYWAY?

• The privilege ultimately belongs to the corporation.

– Board of Directors may choose to waive the privilege, especially in the context of internal investigations.

• The lawyer does not control the privilege.

• Neither lawyers nor executives can rely on privilege to protect themselves.

WHAT DOES THIS MEAN IN THE CONTEXT OF PRIVACY?

• Ethics considerations for in-house counsel revolve around protecting the client (i.e., the corporation) and keeping communications of the client privileged.

• Privacy concerns dovetail into ensuring that communications, privileged or not, are kept secure and are only available to appropriate audiences.

– Same type of analysis, with a broader applicability.

WHAT KEEPS CLOs UP AT NIGHT

ACC Survey representing 1,104 CLOs and general counsel

from 36 countries shows that they are most concerned about:

• Ethics and Compliance

• Data Breaches

• Social Media Management/ Governance

• Regulatory or Governmental Changes

• Highest Level of Importance Issue:

o Transparency & Privacy Obligations

LAW DEPARTMENT LEADING PRACTICES

• Base Your Data Protection Compliance Program Upon the Seven Standards of an Effective Compliance Program/EU Data Protection Directive.

• For Multinational Companies Relying Heavily on Intra-company Data Flows, Obtain Certification of Binding Corporate Rules.

• Obtain Executive Support and Sponsorship of the Privacy Program.

LAW DEPARTMENT LEADING PRACTICES

• Make Sure the Chief Privacy Officer is Involved in the Industry via Thought Leadership, Regulatory Advocacy, or Other Leading Groups in Privacy/Data Protection.

• Be Innovative and Proactive in Your Privacy Policies and Practices.

• Privacy Can’t Be A Beta; You Have to Do It Right the First Time.

LAW DEPARTMENT LEADING PRACTICES

• Keep Consumer Trust by Taking a Permissions-Based Approach to Data Collection and Usage.

• Develop a Formal Incident Response Program for Data Breaches and/or Leaks.

• From the Outset, Focus on Developing a Privacy Policy That Is Comprehensive, Yet Also Readable and Understandable by Everyone.

LAW DEPARTMENT LEADING PRACTICES

• Establish a Detailed Internal System of Processes and Procedures For Employees to Handle Privacy/Data Protection Matters.

• A Decentralized Organizational Structure for the Privacy Program To Handle Privacy Matters Across an Organization.

HOT TOPIC #1: CORPORATE SOCIAL MEDIA USE

• Engagement in social media sites

– Understand the privacy practices of third-party social media sites

– Corporate social media policies should clearly address how customer information posted on company social media pages/sites will be used/collected

• In most cases, it is best to not use such information in any way and to not associate with a customer record, unless social media is being used to encourage customer complaint resolution

– Ensure thorough knowledge of how advertising posted on sites will be tracked

• Consider how privilege can be affected

HOT TOPIC #2: BRING YOUR OWN DEVICE POLICIES

• In-house counsel specific concerns:

– Protecting privilege

– Intermingling of corporate communications with personal email

– What happens if there is a breach?

• Including family members, friends, neighbors

– Ethical considerations on data security

JAMES A. MERKLINGER

Vice President & General Counsel Association of Corporate Counsel

JAMES L. CALIS Associate General Counsel & Deputy Chief Privacy Officer Global

Tel*Link Corporation

MERCEDES KELLEY TUNSTALL Of Counsel Ballard Spahr LLP

MARTY PROVIN CIPP/US, Executive Vice President Jordan Lawrence