LAW FIRM EVOLVED
PC
Information Governance and the Changing Jurisdictional Landscape
Presented by John Isaza, Esq., FAI & Stacey Fiorillo
AMLaw 100 CIO Roundtable
March 4, 2013
Agenda
Scope of Information Governance
Who is responsible?
ABA Amendments – Ethical requirements
eDiscovery and IG
Retention and Disposition
Security and Privacy
Challenges for global firms
How to comply?
Gartner defines Information Governance
“an accountability framework to encourage
desirable behavior in the valuation, creation,
storage, use, archival and deletion of information.”
Data Privacy Laws - International
– Forrester “Global Heat Map” shows privacy
and data protection by country.
Who is Responsible for IG Compliance?
General Counsel
Risk Management Committee / Partners
IG Advisory Committee
Information Technology
Records Management
Knowledge Management
Practice Group Leaders
Marketing
Administration
Recent ABA Amendments
Commission on Ethics 20/20 created by then ABA
President Carolyn B. Lamm in 2009 “to perform a thorough
review of the ABA Model Rules of Professional Conduct
and the U.S. system of lawyer regulation in the context of
advances in technology and global legal practice
developments”
August 6, 2012 the ABA's policy-making House of
Delegates voted to approve changes to the Model Rules,
including Resolution 105A (Technology &
Confidentiality)
Not binding on lawyers unless and until adopted by
States but expect high adoption by states.
Recent ABA Amendments – Rule 1.1
Model Rule 1.1 Competence
To maintain the requisite knowledge and skill, a lawyer should
keep abreast of changes in the law and its practice, including the
benefits and risks associated with relevant technology, engage in
continuing study and education and comply with all continuing
legal education requirements to which the lawyer is subject.
Though the commission used the phrase, “[b]ecause of the
sometimes bewildering pace of technological change,” the
transition to widespread use of digital technology has been in effect
since 1985, more than 25 years ago. This is hardly a “bewildering”
pace of change, unless you have stayed in a cave and remained a
Luddite. Now more than ever is the time to commit to
understanding digital change and ensure that you can competently
handle your client’s needs. Law Technology News, Aug 2012
Recent ABA Amendments – Rule 1.4
Model Rule 1.4 Communication
A lawyer's regular communication with clients will minimize the
occasions on which a client will need to request information
concerning the representation. …Client telephone calls should
be promptly returned or acknowledged. A lawyer should
promptly respond to or acknowledge client communications.
Recent ABA Amendments – Rule 1.6
Model Rule 1.6 Confidentiality of Information
(c) A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a client.
(Entirely new sub-section)
Recent ABA Amendments – Rule 1.6
Comments to Rule 1.6
Lawyers must make reasonable efforts to prevent access or
disclosure. Factors to consider: the sensitivity of the information,
the likelihood of disclosure if additional safeguards are not
employed, the cost of employing additional safeguards, the
difficulty of implementing the safeguards, and the extent to which
the safeguards adversely affect the lawyer’s ability to represent
clients (e.g., by making a device or important piece of software
excessively difficult to use).
A client may require the lawyer to implement special security
measures not required by this Rule or may give informed
consent to forgo security measures that would otherwise be
required by this Rule.
Recent ABA Amendments – Rule 4.4
Model Rule 4.4 (b) Respect the Rights of Third-Parties
A lawyer who receives a document or
electronically stored information relating to the
representation of the lawyer’s client and knows or
reasonably should know that the document or
electronically stored information was inadvertently
sent shall promptly notify the sender.
Recent ABA Amendments – Rule 5.3
Rule 5.3, Comments - amended to address outsourcing
issues, including the use of cloud computing providers for
the purpose of storing confidential client data.
Lawyers may use third party non-lawyer providers, including: “an investigative or
paraprofessional service, hiring a document management company to create and
maintain a database for complex litigation, sending client documents to a third party for
printing or scanning, and using an Internet-based service to store client information.
When using such services … a lawyer must make reasonable efforts to ensure that the
services are provided in a manner that is compatible with the lawyer’s professional
obligations.
“The extent of this obligation will depend upon the circumstances, including the
education, experience and reputation of the nonlawyer; the nature of the services
involved; the terms of any arrangements concerning the protection of client information;
and the legal and ethical environments of the jurisdictions in which the services will be
performed, particularly with regard to confidentiality … (A) lawyer should communicate
directions appropriate under the circumstances to give reasonable assurance that the
nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”
What do the ABA changes mean?
Although advisory at this point, the Rule changes
reflect the ABA's acknowledgement that lawyers have
emerging obligations in light of new technology:
Electronic Communications and Documents
Cloud
Third-Party Vendors
ESI
Shows trend to embrace and regulate lawyers’ use
of technology with client files. Expect wide state
adoption and further modifications of Rules with
changing technology
eDiscovery and IG
Goals
Anticipate risk
Devise cost-efficient, defensible, automated
methods for production of relevant ESI
Balance with Federal requirements, as well as
state discovery rules when applicable
Consider implications of
Increasing use of encryption
Social media impact
Cloud storage
Outsource to Cloud?
Should I outsource this service to a cloud provider?
Can compliance requirements be balanced safely with other priorities (cost, speed, flexibility)?
Does this function/service have clearly defined business processes and technical requirements?
Can standardized features meet the needs of most users?
Can we provide best-of-breed services more efficiently?
[Flowchart: each question branches YES or NO, leading to one of two outcomes: DO IT YOURSELF, or OUTSOURCE TO CLOUD (external private or public).]
Retention and Disposition
Authorities
State bar ethics rules and opinions, case law, statutes of
limitation, Federal and State laws covering the particular
industry or practice, International laws, regulations, and
ethics requirements
Challenges
Important to research and develop schedules for all
client and administrative files that are as simple as
possible to maintain and administer
Implement technology to manage against all
repositories
Develop defensible disposition strategy for legacy
data
Privacy and Information Security
Affected Law Firm Information
Employee personal information
Firm monitoring of employee information on Firm’s
network and devices
Note: State Laws vary on monitoring and notice
requirements
Personal information from client and other parties
(includes financial, medical, personal)
Third-party vendors who assist in processing client
documents
Privacy and Information Security
Monitoring Employee Information on Firm’s
network and devices
– Note that requirements vary by jurisdiction
– Firms should research all relevant jurisdictions and
develop a compliant process for monitoring
– Generally, Policy should
• Establish the absence of privacy on Firm network and
devices
• Establish in writing the nature of the monitoring protocol
• Employees should acknowledge the policy by signature
• Policy should be reviewed and signed by employees
periodically
Privacy and Information Security
Health Insurance Portability and Accountability
Act of 1996 (“HIPAA”), whose regulations govern
privacy and data security issues related to health
information (including data maintained by
employee health plans);
Health Information Technology for Economic and
Clinical Health Act (the “HITECH Act”), which
imposes additional information security obligations
on HIPAA covered entities and business
associates of covered entities
Impact of HIPAA and HITECH on Law Firms?
HIPAA applies to law firms that accept affected
health care information from their healthcare
clients
HITECH extended regulations to professionals
servicing healthcare industry, including lawyers
Enforcement of penalties will take effect upon
release of final set of rules (pending for 2 years)
After that time, Security and Privacy rule
violations could result in fines ranging from
$50,000 to $1.5 million for a single violation
Privacy and Information Security
State laws requiring the provision of privacy notices to
individuals, such as the California Online Privacy Protection
Act
State information security breach notification laws, which
are in place in over 45 states, Washington, D.C. and Puerto
Rico; See, e.g., Cal. Civ. Code §§ 1798.29, 1798.82; N.Y.
Gen. Bus. Law § 899-AA.
State laws imposing minimum information security
requirements, such as the Massachusetts Standards for
the Protection of Personal Information; See, e.g., 201
Mass. Regs. Code §§ 17.01–17.05.
Privacy and Information Security
State laws that regulate the collection, use and other
processing of Social Security numbers (“SSNs”)
State laws requiring the secure disposal of records
containing certain personal information, e.g.,
California, Georgia, Indiana, Montana, New Jersey,
New York, North Carolina, Texas, Utah, Vermont,
Washington and Wisconsin (some states also regulate
disposal of personal info, whether a client or employee
Impact on Law Firms
Example - Massachusetts Standards for the Protection of
Personal Information
One of the most far-reaching personal information data security
regulations in the country
Imposes obligation on any entity having the described personal
information of an individual (SSN, Driver License/State ID, Financial
account information)
Requires documented security program, with administrative,
technical and physical safeguards
Raises the importance of law firms researching all states
from which they might have an individual’s personal
information and having defined policies and practices in
place to ensure compliance
Data Privacy Laws - International
Data Privacy Laws outside the US
For example, in the EU, personal information
includes business contact information or
memberships in trade groups or political
organizations.
One of the consequences of the EU restrictions on
cross-border transfer of personal information is
the limitation these requirements impose on a law
firm’s ability to receive in the U.S. documents
containing personal information from the EU. The
issue is exacerbated further by the broad
interpretation of the term “personal information”
under EU data protection law.
Challenges for Global Firms
EU Broad view of data privacy requires special
International data privacy laws impact US law firms
exporting the information across borders
LLP structure vs. Verein structure and impact of
international requirements
Create a Roadmap
Research all relevant regulations, laws, ethics requirements for
jurisdictions in which the firm does business or from which the
firm receives personal information for clients/employees
Establish ultimate authority over risk and legal, e.g., General
Counsel, Risk Committee, etc.
Evaluate all policies, systems, and processes for compliance
Evaluate shared or secondary use of client information – brief
banks, expert banks, etc.
Evaluate third-party vendor contracts and monitor ongoing
compliance
If needed, implement technology, policy/process changes to
meet requirements
John J. Isaza, Esq., FAI Information Management Partner, Rimon, PC
949-715-7010
www.RIMonLaw.com