LAW FIRM EVOLVED PC

Information Governance and the Changing Jurisdictional Landscape

Presented by John Isaza, Esq., FAI & Stacey Fiorillo

AMLaw 100 CIO Roundtable

March 4, 2013

Agenda

Scope of Information Governance

Who is responsible?

ABA Amendments – Ethical requirements

eDiscovery and IG

Retention and Disposition

Security and Privacy

Challenges for global firms

How to comply?

Gartner defines Information Governance

“an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information.”

Scope of Information Governance

Data Privacy Laws - International

– Forrester “Global Heat Map” shows privacy and data protection by country.

Who is Responsible for IG Compliance?

General Counsel

Risk Management Committee / Partners

IG Advisory Committee

Information Technology

Records Management

Knowledge Management

Practice Group Leaders

Marketing

Administration

Recent ABA Amendments

Commission on Ethics 20/20 created by then ABA President Carolyn B. Lamm in 2009 “to perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments”

August 6, 2012 the ABA's policy-making House of Delegates voted to approve changes to the Model Rules, including Resolution 105A (Technology & Confidentiality)

Not binding on lawyers unless and until adopted by States but expect high adoption by states.

Recent ABA Amendments – Rule 1.1

Model Rule 1.1 Competence

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Though the commission used the phrase, “[b]ecause of the sometimes bewildering pace of technological change,” the transition to widespread use of digital technology has been in effect since 1985, more than 25 years ago. This is hardly a “bewildering” pace of change, unless you have stayed in a cave and remained a Luddite. Now more than ever is the time to commit to understanding digital change and ensure that you can competently handle your client’s needs.

Law Technology News, Aug 2012

Recent ABA Amendments – Rule 1.4

Model Rule 1.4 Communication

A lawyer's regular communication with clients will minimize the occasions on which a client will need to request information concerning the representation. … Client telephone calls should be promptly returned or acknowledged. A lawyer should promptly respond to or acknowledge client communications.

Recent ABA Amendments – Rule 1.6

Model Rule 1.6 Confidentiality of Information

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

(Entirely new sub-section)

Recent ABA Amendments – Rule 1.6

Comments to Rule 1.6

Lawyers must make reasonable efforts to prevent access or disclosure. Factors to consider: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.

Recent ABA Amendments – Rule 4.4

Model Rule 4.4 (b) Respect the Rights of Third-Parties

A lawyer who receives a document or electronically stored information relating to the representation of the lawyer’s client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender.

Recent ABA Amendments – Rule 5.3

Rule 5.3, Comments - amended to address outsourcing issues, including the use of cloud computing providers for the purpose of storing confidential client data.

Lawyers may use third party non-lawyer providers, including: “an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services … a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.

“The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality … (A) lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”

What do the ABA changes mean?

Although advisory at this point, the Rule changes reflect the ABA's acknowledgement that lawyers have emerging obligations in light of new technology

Electronic Communications and Documents

Cloud

Third-Party Vendors

ESI

Shows trend to embrace and regulate lawyers’ use of technology with client files. Expect wide state adoption and further modifications of Rules with changing technology

eDiscovery and IG

Goals

Anticipate risk

Devise cost-efficient, defensible, automated methods for production of relevant ESI

Balance with Federal requirements, as well as state discovery rules when applicable

Consider implications of

Increasing use of encryption

Social media impact

Cloud storage

Outsource to Cloud?

Should I outsource this service to a cloud provider?

[Decision flowchart; each of the following questions has a YES and a NO branch]

Can compliance requirements be balanced safely with other priorities (cost, speed, flexibility)?

Does this function/service have clearly defined business processes and technical requirements?

Can standardized features meet the needs of most users?

Can we provide best-of-breed services more efficiently?

Outcomes: DO IT YOURSELF, or OUTSOURCE TO CLOUD (external private or public)

Retention and Disposition

Authorities

State bar ethics rules and opinions, case law, statutes of limitation, Federal and State laws covering the particular industry or practice, International laws, regulations, and ethics requirements

Challenges

Important to research and develop schedules for all client and administrative files that are as simple as possible to maintain and administer

Implement technology to manage against all repositories

Develop defensible disposition strategy for legacy data

Privacy and Information Security

Affected Law Firm Information

Employee personal information

Firm monitoring of employee information on Firm’s network and devices

Note: State Laws vary on monitoring and notice requirements

Personal information from client and other parties (includes financial, medical, personal)

Third-party vendors who assist in processing client documents

Privacy and Information Security

Monitoring Employee Information on Firm’s network and devices

– Note that requirements vary by jurisdiction

– Firms should research all relevant jurisdictions and develop a compliant process for monitoring

– Generally, Policy should

• Establish the absence of privacy on Firm network and devices

• Establish in writing the nature of the monitoring protocol

• Employees should acknowledge the policy by signature

• Policy should be reviewed and signed by employees periodically

Privacy and Information Security

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), whose regulations govern privacy and data security issues related to health information (including data maintained by employee health plans);

Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which imposes additional information security obligations on HIPAA covered entities and business associates of covered entities

Impact of HIPAA and HITECH on Law Firms?

HIPAA applies to law firms that accept affected health care information from their healthcare clients

HITECH extended regulations to professionals servicing healthcare industry, including lawyers

Enforcement of penalties will take effect upon release of final set of rules (pending for 2 years)

After that time, Security and Privacy rule violations could result in fines ranging from $50,000 to $1.5 million for a single violation

Privacy and Information Security

State laws requiring the provision of privacy notices to individuals, such as the California Online Privacy Protection Act

State information security breach notification laws, which are in place in over 45 states, Washington, D.C. and Puerto Rico; See, e.g., Cal. Civ. Code §§ 1798.29, 1798.82; N.Y. Gen. Bus. Law § 899-AA.

State laws imposing minimum information security requirements, such as the Massachusetts Standards for the Protection of Personal Information; See, e.g., 201 Mass. Regs. Code §§ 17.01–17.05.

Privacy and Information Security

State laws that regulate the collection, use and other processing of Social Security numbers (“SSNs”)

State laws requiring the secure disposal of records containing certain personal information, e.g., California, Georgia, Indiana, Montana, New Jersey, New York, North Carolina, Texas, Utah, Vermont, Washington and Wisconsin (some states also regulate disposal of personal info, whether a client or employee

Impact on Law Firms

Example - Massachusetts Standards for the Protection of Personal Information

One of the most far-reaching personal information data security regulations in the country

Imposes obligation on any entity having the described personal information of an individual (SSN, Driver License/State ID, Financial account information)

Requires documented security program, with administrative, technical and physical safeguards

Raises the importance of law firms researching all states from which they might have an individual’s personal information and having defined policies and practices in place to ensure compliance

Data Privacy Laws - International

Data Privacy Laws outside the US

For example, in the EU, personal information includes business contact information or memberships in trade groups or political organizations.

One consequence of the EU restrictions on cross-border transfer of personal information is the limitation these requirements impose on a law firm’s ability to receive in the U.S. documents containing personal information from the EU. The issue is exacerbated further by the broad interpretation of the term “personal information” under EU data protection law.

Data Privacy Laws - International

Forrester “Global Heat Map” shows privacy and data protection by country.

Challenges for Global Firms

EU Broad view of data privacy requires special

International data privacy laws impact US law firms exporting the information across borders

LLP structure vs. Verein structure and impact of international requirements

Create a Roadmap

Research all relevant regulations, laws, ethics requirements for jurisdictions in which the firm does business or from which the firm receives personal information for clients/employees

Establish ultimate authority over risk and legal, e.g., General Counsel, Risk Committee, etc.

Evaluate all policies, systems, and processes for compliance

Evaluate shared or secondary use of client information – brief banks, expert banks, etc.

Evaluate third-party vendor contracts and monitor ongoing compliance

If needed, implement technology, policy/process changes to meet requirements

John J. Isaza, Esq., FAI Information Management Partner, Rimon, PC

949-715-7010

www.RIMonLaw.com