Lex Mundi 2011 Confidentiality and Knowledge Collaboration Presentation - facilitated by Dave Cunningham, Sep 2011

Speaker notes:
  • Third-party agreements / due diligence
  • Encryption
  • Auditing of IT capability
  • Third-party agreements for extranets/collaboration rooms and for subcontractors hosting client data

    1. Confidentiality and Knowledge Collaboration: Issues Relating to the Interrelationship of Knowledge Management and Data Privacy in Law Firms
       Presented by: James A. Harvey, Partner, Alston & Bird; David Cunningham, Managing Director, HBR Consulting
       © 2011 HBR CONSULTING LLC. All rights reserved.
    2. Data Privacy Overview
       • Regulatory Obligations
       • Data Privacy
       • Client Confidential Information
       • Firm Confidential Information
    3. Examples of data that is regulated by one or more privacy/security statutes
       • Name
       • Social security number
       • Last four of social security number
       • Drivers license number
       • Date of birth
       • Passport information
       • Health information
       • Maiden name
       • Electronic or digitized signature
       • Physical or mental health conditions
       • Information regarding provision of or payment for health care
       • Financial information (electronic payroll deposit)
       • Credit card or debit card information
       • Government identification numbers
       • Tax information
       • Address or phone numbers
       • Biometric information (fingerprint, voice print, etc.)
    4. Data Privacy Regulations: HITECH / HIPAA
       • Data covered: Protected Health Information (PHI)
       • Governing Body: Health and Human Services and Federal Trade Commission
       • Sensitive Data: Protected Health Information; internal HR data; client data
       • Compliance Date: February 17, 2010
       • Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties
    5. Data Privacy Regulations: State Privacy Laws
       • Data covered: Personally Identifiable Information (PII)
       • Governing Body: State of Massachusetts (example state)
       • Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
       • Compliance Date: March 1, 2010
       • Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
    6. Data Privacy Regulations: EU Data Protection Directive / Safe Harbor
       • Data covered: Personally Identifiable Information (PII)
       • Governing Body: US Dept of Commerce / Federal Trade Commission
       • Sensitive Data: Personal information transferred to or from the 27 Member States of the European Union
       • Compliance Date: Voluntary (replaces Data Transfer Agreements)
       • Penalty: Up to $12,000 per day for violations
    7. Data Privacy Regulations: Red Flag
       • Data covered: Personally Identifiable Information (PII)
       • Governing Body: Federal Trade Commission, via the Fair Credit Reporting Act
       • Sensitive Data: Requires financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities known as "red flags." The purpose of the Red Flags Rules is to help avoid identity theft.
       • Compliance Date: June 1, 2010 (law firms exempt)
       • Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance
    8. Data Privacy Regulations: ITAR
       • Data covered: Classified Defense Information
       • Governing Body: US Department of State
       • Sensitive Data: "Export of technical data and classified defense articles", as defined by the US Munitions List
       • Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
       • Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
    9-11. Data Privacy Regulations: Protection of Sensitive Data (built up progressively across three slides)
       • Client Data Leaks: Client and Case / Transaction Data
       • Firm Data Leaks: Firm and Partner Confidential Data
       • Preservation Orders: Litigation, Subpoena or Client Requests
       • Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts
       • Standards: ISO 27001 (Competence in Addressing Data Confidentiality)
    12. (image slide, no text)
    13. (image slide, no text)
    14. 'Anonymous' Hacking of HB Gary
       HB Gary, a security firm, was working with Hunton & Williams to help protect Bank of America from Wikileaks contributions. The CEO of HB Gary announced his company had infiltrated the security group Anonymous. In retaliation, Anonymous took control of HB Gary's e-mail, dumping 68,000 e-mails, erasing files, and taking down their phone system. They exposed contributors to Wikileaks and HB Gary's CEO's home address and social security number.
    15. Security Hacking for a Cause
       • Hackers appear to be widening their targets, stealing information from vendors or contractors that may have strategic data about their clients, including public relations and law firms
       • Law firms have been hacked due to their roles associated with copyright law
       • King & Spalding was a large firm known to have been attacked
    16. Ex-Sonsini Attorney Charged In $32M Insider Trading Case
       A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms that netted $32 million in a decades-long insider trading scheme. Kluger regularly "stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working," according to a copy of the criminal complaint.
    17. From whom are knowledge managers protecting data?
       Internal
       • Employees with insider trading intentions
       • Employees who accidentally see confidential data
       • Employees who re-use content outside their expertise
       • Attorney client privilege
       • Stock trading without appropriate notification and disclosure
       External
       • Clients and third parties who may accidentally be sent confidential information
    18. What sources of information may be useful to insiders?
       • Document management (document names and descriptions)
       • Precedents
       • Active material
       • Litigation support data
       • Conflicts
       • New business intake
       • Time entry systems
       • Extranet sites
       • Verbal discussions
       • Records data
       • Newsletters and status reports
       • Physical war rooms
       • Travel agendas
       • Legal project management
    19. How do firms protect this information? Policies and Standard Tools
       Policies
       • Ethical training and reinforcement
       • Ethical walls for known sensitive matters
       • Project code names
       • Enterprise searching that recognizes folder and file security
       Standard Tools
       • Password protection for documents and spreadsheets
       • Locking and wiping of remote access devices; security software on remote device
       • Minimum password sophistication
       • Required screen saver usage
       • Two-factor authentication
       • Account auditing / monitoring
    20. How do firms protect this information? Emerging Tools
       • Document naming standards
       • Matters secured by default / ethical walls for all matters
       • Knowledge Management as gatekeeper
       • Third party agreements and procedures
       • Identity management
       • Monitoring for unusual activity (users and IT)
       • Encryption (data in transit / data at rest)
       • Intelligent redaction software
    21. Data Privacy Solutions
    22. Questions?
       Jim Harvey, jim.harvey@alston.com
       Dave Cunningham, dcunningham@hbrconsulting.com
    23. Data Privacy - General Adequacy Questions
       • Does the Firm need the personal data that it is collecting about an individual?
       • Can the Firm document what it will use the personal data for?
       • Do these individuals know that the Firm has their personal data and do they understand what it will be used for?
       • If the Firm is asked to pass on personal data, would these individuals expect the Firm to do this?
       • Is the Firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the Firm willing to face a regulatory audit on this security? Is it secure and are proper contracts with the third parties in place?
       • Is access to personal data limited to those with a strict need to know at the Firm?
       • Is the Firm sure that all personal data is accurate and up to date?
       • Does the Firm delete or destroy personal information as soon as it has no more need for it?
       • Has the Firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws, and are all of its attorneys and staff satisfying their duties and responsibilities?
       • Are all notifications to all Data or Information Commissioners current?
    24. Selected Articles
       • Block, Meg & David Cunningham. "Legal Information Risk – Action Plan and Roadmap," Peer to Peer, June 2011. http://www.mygazines.com/issue/34686/33
       • Harbert, Tam. "Catch Me If You Can," Law Technology News, June 1, 2011. http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202494769505&slreturn=1&hbxlogin=1
       • Nelson, Sharon. "Your Chance of Being Hacked in Twelve Months Now a 'Statistical Certainty,'" Ride The Lightning Electronic Evidence Blog, June 30, 2011. http://ridethelightning.senseient.com/2011/06/your-chance-of-being-hacked-in-twelve-months-now-a-statistical-certainty.html
    25. Selected Resources
       • Law Firm Risk Resources (short list from 2009). http://lawfirmriskresources.wikispaces.com/
       • Law Firm Risk Management Blog. http://www.lawfirmrisk.com/
       • InfoRiskAwareness Blog (UK focus). http://inforiskawareness.co.uk/best_practice/
       • Hildebrandt Baker Robbins Blog (selected posts). http://info.hbrconsulting.com/blog/archive/2011/06/01/balancing-information-security-and-collaboration-a-knowledge-management-view.aspx and http://info.hbrconsulting.com/blog/archive/2011/05/13/risk-management-at-law-firms-a-rapidly-evolving-issue.aspx
