PowerPoint Template - Fenwick & West LLP


Regulations Impacting Law Firm Risk Management
August 22, 2007
Maureen Sirhall
Matt Kesner
Goal

Expose you to a few new risk management issues that arise because of data vs. paper
• We don’t claim to have all the answers
• Often the analogy to the pre-data world helps keep the discussion calm and rational
Whether you are in Risk Management or IT, it is your job to mitigate these risks
Overview

Corporate compliance schemes generally do not affect law firms. Yet.
There are a number of laws, regulations, and bar association rules and opinions that do affect risk management in a law firm.
International laws & standards regarding the handling of data are the biggest hurdle we face now.
Not covered today

E-Discovery
Advertising limitations & Web sites/e-mail
Limitations on SPAM e-mail
Ancillary businesses
How do we define Risk Management?

Protection of the firm from risks associated with the practice of law
Protection of the firm from business risks
Protection of the firm from malpractice and liability claims
Includes:
• Client intake process
• Conflicts
• Docket Control
• Records Management
• Ethical Screens
Common Sense or Regulation?

Common sense once prevailed
Post-Enron era has shifted the balance to regulatory obligation
Common sense now required to understand and interpret Federal requirements
Do the laws that bind the clients also bind the law firms that represent them?
Inconsistency among state laws, ethical rules and bar opinions further complicates successful risk management
FUD’s Role—to ruin your day (Fear, Uncertainty and Doubt)

High FUD/low relevance
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley (G-L-B)
Low FUD/high relevance
• Health Insurance Portability & Accountability Act (HIPAA)
• Fair Credit Reporting Act (FCRA)
• Fair/Accurate Credit Transactions Act (FACTA)
• IRS Circular 230
• European Union Directive on Data Protection
• State laws, ethical rules & bar rules and opinions
• ISO 17799 & 27001, COBIT & ITIL
Summary

SOX does not apply to lawyers
GLB does not apply to lawyers
HIPAA does apply to lawyers and law firms
FCRA/FACTA does apply to lawyers and law firms
• Simple rules if you collect credit reports or background checks
EU & State laws and state bar rules and opinions do apply to data security breaches and lost data
• No consistency to laws/rules/opinions
Sarbanes-Oxley

Sarbanes-Oxley: Internal Controls
• SOX § 404 [15 U.S.C. § 7262] <http://SOX-404.notlong.com>
Applies to public companies, those cos. planning to go IPO, and certain foreign cos. traded on a US stock exchange
Section 404: SEC to make rules re: “responsibility of [public co.] management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”
Gramm-Leach-Bliley

“Financial Services Modernization Act”
Financial institutions (broadly defined) must:
• disclose when they are sharing data—aka have a privacy policy
• notify [some annually] individuals of policies re: use of any non-public personal information;
• limit use and disclosure of such information;
• provide opt-out opportunity; and
• implement safeguards
15 U.S.C. §§ 6801-6810 (1999) <http://uscode.house.gov/download/pls/15C94.txt>
G-L-B – FTC “Safeguard” Regs.

Security measures include:
• Designating coordinator[s] of program;
• Addressing risks to security/integrity of info.;
• Security program to control risks;
• Requiring service providers, by contract, to implement appropriate safeguards;
• Adapting program in light of material changes to businesses
– 16 C.F.R. Part 314 <http://www.ftc.gov/os/2002/05/67fr36585.pdf>
– <http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html>
Does G-L-B Apply to Law Firms?

NO, because:
• not “financial institutions;”
• no clear intent in G-L-B to cover attorneys; and
• attorneys heavily regulated by states that
– license them; and
– provide consumers with greater privilege protections.
NYSBA, ABA v. FTC, 276 F. Supp. 2d 110 (D.D.C. 2003) (denying FTC’s motion to dismiss) <http://www.dcd.uscourts.gov/02-810.pdf>
Does G-L-B Apply to Law Firms? (con’t)

D.D.C. Case (c’t’d)
• REJECTED: FTC’s denial of exemption
– NYSBA, ABA v. FTC, 2004 WL 964173 (D.D.C. 2004) (granting summary judgment to Plaintiffs, upon receipt of cursory administrative record) <www.dcd.uscourts.gov/02-810a.pdf>
D.C. Circuit Appeal
• AFFIRMED (12/6/05) <http://pacer.cadc.uscourts.gov/docs/common/opinions/200512/04-5257a.pdf>
Does G-L-B Apply to Law Firms? (con’t)

D.C. Cir. Case (c’t’d):
• “Congress ‘does not . . . hide elephants in mouseholes.’” GLB shows no intent to regulate lawyers.
• Even if a law firm is an “institution,” its business is “the practice of the profession of the law,” NOT “engaging in financial activities.”
• Practice of law traditionally province of the states.
FTC did not file appeal
HIPAA – Health Care eInfo.

Health Insurance Portability & Accountability Act
Privacy and security of medical information
Restrictions on disclosure, even to employer (e.g., your law firm) providing coverage for its employees
• Statutes and Regs – including Security Rule (compliance deadline 4/21/05 or 4/21/06) – linked at <http://aspe.hhs.gov/admnsimp/index.shtml>
HIPAA—EPHI (con’t)

“Electronic Personal Health Care Info. (EPHI) . . . RULES FOLLOW THE INFO., NOT THE PROVIDER”
• Adam Hansen, “HIPAA in the Law Firm?” (Peer to Peer May 2005) <www.HIPAA-Hansen-Article.notlong.com>
Enter into a Business Associate Agreement (BAA) covering:
• Incident Response
• Notification
• Duration
• Termination
Id.
HIPAA – EPHI (con’t)

Because no set technology requirements, consider:
• How info. protected at rest and in transit
• Authorization/authentication schemes
• [Not in article but encryption helps here too.]
<www.HIPAA-Hansen-Article.notlong.com>
As to client’s data . . .
LAW UNSETTLED re: whether attorney-client privilege could preclude claim of law firm liability as a “business associate”
• Alex L. Bednar, HIPAA Implications for Attorney-Client Privilege, 35 St. Mary’s L.J. 871, 898-900, 909-10, 933-37, 944-47 (2004)
FCRA/FACTA

Fair/Accurate Credit Transactions Act (FACTA): added to the Fair Credit Reporting Act (FCRA) <http://www.ftc.gov/os/statutes/031224fcra.pdf> . . .
• “Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[, must] properly dispose of any such information or compilation.”
• FACTA § 216, 15 U.S.C. 1681w(a)(1) (emphasis added) <http://15USC1681w.notlong.com>
Businesses – including law firms – must take reasonable measures to dispose of sensitive info. from credit reports and background checks
• FTC’s June 1, 2005 Disposal Rule <http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf#page=32>
FACTA Disposal Rules

Paper and electronic
Must implement – and monitor compliance with – procedures.
(Incorporate policies into GLB Safeguards.)
FTC Comments:
• Use “wiping” utilities
• But can cheaply destroy media by "simply smashing the material with a hammer."
<http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf#page=30>
<http://www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm>
<http://www.ftc.gov/opa/2005/06/disposal.htm>
FACTA Disposal Rules—Unanswered questions

As to client’s data, same concepts as above re: HIPAA (you probably should wipe)
Different context
• IF client a G-L-B-covered financial institution
– Client must incorporate disposal policies into its G-L-B-mandated safeguards
• So, for those clients . . .
– Disposal obligation accompanies data now residing at law firm?
IRS Circular 230

Only applies if have attorneys practicing before IRS
• Treasury Dep’t Regs Governing Practice of Attorneys, CPA’s, etc. before IRS
– Circular 230
– Changes effective 6/20/05
> 31 C.F.R. §§ 10 to 10.88 (2005) <www.irs.gov/pub/irs-pdf/pcir230.pdf>
> amending §§ 10.33 and 10.52; adding §§ 10.35 to 10.38 <www.irs.gov/pub/irsutl/td9165.pdf>
Goals:
• “[I]mprove ethical standards for tax professionals”
• “[C]urb abusive tax avoidance transactions”
<http://www.irs.gov/irs/article/0,,id=132445,00.html>
IRS Circular 230 (con’t)

Treasury Dep’t (TD) got more tax-shelter-fighting power from American Jobs Creation Act of 2004
So, TD amended its regs to require:
• DISCLAIMER for ALL WRITTEN ADVICE re: tax avoidance transactions; and
• “PROMINENTLY DISCLOSED”
– “readily apparent to a reader of the written advice . . . depend[ing] on the facts and circumstances”
– “set forth in a separate section (and not in a footnote) in a typeface that is the same size or larger than the typeface of any discussion.”
31 C.F.R. § 10.35 <www.irs.gov/pub/irs-pdf/pcir230.pdf#page=26>
IRS Circular 230 (con’t)

DISBARMENT or SUSPENSION from practicing before IRS are no longer the exclusive penalties.
CENSURE (“public reprimand”)
MONETARY PENALTY for rep.’s/advisor’s firm, up to amount of gross income derived
To learn more:
• 18 U.S.C. § 330
• 31 C.F.R. §§ 10.50, 10.52 (as amended)
• Richard A. Shaw, “Planning Tax Advice Under Circular 230 and the Jobs Act” (RIA Business Entities 3/1/05) <http://www.higgslaw.com/engine/pubs/getdoc.aspx?id=69&dl=1>
Circular 230 take-aways

Exemplar
• IRS Circular 230 Disclosure:
– “To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice in this communication (including attachments) is not intended or written by Fenwick & West LLP to be used, and cannot be used, for the purpose of
> (i) avoiding penalties under the Internal Revenue Code or
> (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein.”
See generally ILTA Survey 2006 <www.zoomerang.com/reports/public_report.zgi?ID=L22DDZ4KTJ3Z>
EU Directive on Data Protection

TITLE: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”
• <http://www.cdt.org/privacy/eudirective/>
Broad definitions:
• (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
• (b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
EU Directive on Data Protection (con’t)

Data requirements:
• Adequate and up-to-date
• Process to correct
• Kept no longer than necessary
• Subject has given her/his consent
• Processing is per a contract with or legal obligation of the subject
• Must disclose nature of processing
• Right to review data
Our opinion: The data is the individual’s, not the firm’s.
Can’t send data to third countries unless “third country in question ensures an adequate level of protection.”
• The United States does not meet this standard
EU Directive on Data Protection (con’t)

BIG Problems for Int’l firms:
1. Centralized IT infrastructure
2. Centralized records systems & storage
3. Disaster recovery sites
Smaller Problem for all firms:
1. Gathering data
State laws, ethical rules, & bar opinions

Obligations concerning records management policies
Who owns the file?
Storage vs. destruction
What is confidential in an electronic world?
Notice and disclosure duties on data loss
Obligations concerning records management policies

ABA Model Rule 1.15: requires firms to safeguard client’s property
ABA Model Rule 1.16: requires firms to make files available to other parties or to the client upon termination of representation.
ABA Model Rule 3.4(a): requires firms to allow other party’s access to files that are considered to have evidentiary value.
ABA Model Rule 5.1: requires firms to have procedures that ensure that the firm’s lawyers comply with the rules of professional responsibility.
> <http://www.abanet.org/cpr/mrpc/home.html>
Many states have adopted and/or amended the ABA rules and incorporated them into their codes or rules; all vary.
Who owns the file?

Controversial, with three schools of thought:
• The most recent opinion states that the client owns the complete file, without exception. (See Iowa Supreme Court Attorney Disciplinary Board v. Don E. Gottschalk, 729 N.W.2d 812, Iowa Sup. Ct. 2007)
• Other jurisdictions have ruled that the client is only entitled to the “end product” documents and that the firms can deny access to those documents that are considered “internal”. (See Corrigan v. Armstrong, Teasdale, Schlafly, Davis & Dicus, 824 S.W.2d 92, Mo. App., 1992)
• The minority view feels that the law firm is entitled to all documents in the file, without question. (See Michigan Ethics Op. R-019 and Fl. Op. 88-11)
Storage vs. Destruction

There is general agreement that the client’s interests must be protected. The ABA addressed the issue in 1977. Informal Opinion 1384 states:
– “Clients (and former clients) reasonably expect…that valuable and useful information in the lawyers’ files, and not otherwise readily available to the clients, will not be prematurely and carelessly destroyed, to the clients’ detriment.”
> <http://www.abanet.org/cpr/ethicsearch/lawyer.html>
In most jurisdictions the ethics authorities suggest retention periods between 5 and 10 years. (AZ Ethics Op. 91-01, MI Ethics Op. R12, WV L.E.I. 2002-1)
However, documents may also be subject to independent legal requirements, determined by the type of document.
Applicable statutes of limitations, which vary among jurisdictions, must also be considered, even with closed cases.
What is confidential in an electronic world?

Unencrypted Messages OK
• ABA requires “reasonable precautions to prevent . . . information from coming into the hands of unintended recipients. . . .
• “[D]oes not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.
• “Special circumstances, however, may warrant special precautions.”
ABA Model Rules of Prof’l Conduct Rule 1.6(a), Comment, ¶ 17 (2002) <http://www.abanet.org/cpr/mrpc/rule_1_6_comm.html>
What is confidential in an electronic world (con’t)

Unencrypted messages OK (con’t)
• “[N]o greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy.”
ABA Formal Op. 99-413 (1999) <www.abanet.org/cpr/fo99-413.html>
Metadata can be problematic.
• “Lawyers have a duty under DR 4-101 to use reasonable care when transmitting documents by e-mail to prevent the disclosure of metadata containing client confidences or secrets.”
NY Ethics Op. 782 <www.nysba.org/Content/NavigationMenu/Attorney_Resources/Ethics_Opinions/Opinion_782.htm>
What is confidential in an electronic world (con’t)

• To learn more:
– Terry L. Hill and Jennifer S. Johnson, “Impact Of Electronic Data Upon An Attorney’s Client,” 54 FED'N DEF. & CORP. COUNSEL Q. 95, § V, at nn. 55-64 and accompanying text (2004) <http://fdcc.digitalbay.net/documents/hill-W04.htm>
– Reno v. Reno Police Protective Ass’n, 59 P.3d 1212, n.28, 118 Nev. Adv. Op. No. 90 (12/26/02) <http://Nevada-eEthics.notlong.com>
Statutory obligation to disclose data breaches

OVERVIEW . . . Goal is protection vs. Identity Theft . . .
STATES’ Statutory Notice Requirements . . .
32 States (+ 1 pending = Utah) as of 1/1/07 <www.pirg.org/consumer/credit/statelaws.htm#breach>
Trigger:
• 16 – “acquisition-based” (pro-consumer; based simply on loss of information)
• 17 – “risk-based” (analysis must show that degree of risk meets threshold)
<www.pirg.org/consumer/credit/statelaws.htm#breach>
Obligation to disclose data breaches (con’t)

Acquisition-based laws . . . Examples . . .
• CA – SB 1386 – Civ. Code § 1798.82(a)-(b)
– When CA resident’s UNENCRYPTED personal data is ostensibly hacked, then:
> OWNER/LICENSOR of data must notify individual
> POSSESSOR of data must notify owner/licensor
<http://1798-82.notlong.com>
• NY – Gen. Bus. L. § 89-aa(2)-(3); State Tech. Law § 208
– Same; based on SB 1386; effective 12/8/05 <http://www.cscic.state.ny.us/security/securitybreach/index.htm>
• See also Gary Gentile, Universities vulnerable to ID thieves, AP (12/17/06) <http://ucla-sec-breach-ap-article.notlong.com>
Obligation to disclose data breaches (con’t)

CA SB 1386/Civil Code 1798.29:
• Applies to cos. doing business in CA
• Personal Information: FIRST NAME/INITIAL and LAST NAME AND at least one of:
– SOCIAL SECURITY NUMBER
– DRIVER’S LICENSE or CA ID NUMBER
– FIN. ACCOUNT # and SECURITY/ACCESS CODE (PASSWORD) to account
• Many ambiguities, e.g., “discovery,” “notification,” timing of notification and contents of notification.
More States’ Notice Statutes

Risk-based – Recent Examples:
• Utah
– SB 69, codified at 13-42-101 to 301 (1/1/07) <www.le.state.ut.us/~2006/bills/sbillint/sb0069.htm>
• Ohio
– H.B. 104, codified at Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192, et al. (2/17/06) <www.legislature.state.oh.us/bills.cfm?ID=126_HB_104>
To learn more:
• <www.pirg.org/consumer/credit/statelaws.htm#breach>
• <http://Sec-Breach-WPost-6-1-05.notlong.com>
• <http://Data-Breach-NYT-11-1-05.notlong.com>
Notice—Proposed Federal Legislation

Data Accountability and Trust Act (DATA) – Stearns bill – H.R. 4127
• Referred to Judiciary Committee 10/25/05 <http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.04127:>
• AS AMENDED, got through Judiciary Comm. and two other House committees by 6/2/06 <http://h4127rh.notlong.com>
• But, before summer recess, full House vote postponed <www.law.com/jsp/law/LawArticleFriendly.jsp?id=1155114329143>
Trigger is risk-based, though on more consumer-friendly end of spectrum
See also S. 1789 (“Personal Data Privacy and Security Act of 2005”) <http://thomas.loc.gov/cgi-bin/query/z?c109:S.1789.RS:>
Practical Consideration: Encryption

Most proposed Federal legislation and many state laws are more lenient where the data is encrypted.
• Laptops
• Desktops
• BlackBerries?
• Phones?
Best Practices: Example

OMB Security Guidelines for Federal Gov’t
• Issued June 23, 2006; compliance by August 7, 2006
– Encrypt all data on mobile computers/devices unless data marked “non-sensitive”
– Allow remote access only with two-factor authentication
– “Time-out” function for remote access after 30 minutes
– Log all computer-readable data extracts and verify sensitive data is erased within 90 days unless use is still required
<www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf>
Frankly more important to teach good data practices.
Statistics on Breaches

“A third of IT managers report data breaches: survey” (Network World 4/11/07) <www.networkworld.com/news/2007/041107-survey-data-breaches.html>
Computer Associates Study (July 5, 2006)
• 642 large companies surveyed
– 84% experienced a security incident
– 38% internal breach
• Security breaches increased 17% since 2003
• 40% don’t take IT security risk management seriously
• 37% security spending is too low
• Where to? Identity and Access Management (IAM) technology
<http://www3.ca.com/Press/PressRelease.aspx?CID=90751>
Data Breach: Financial Impact

Data Loss Cost Calculator <http://www.tech-404.com/calculator.html>
ISO 17799 & 27001, COBIT & ITIL

Data system best practices
• Most of “records” is now “data”
• VERY high standards
ISO 17799 certification now requested/required by some clients
COBIT & ITIL practices
• Very few US firms measure up
De facto compliance schemes
ISO 17799 & 27001

International Org. for Standardization (ISO) 17799 Protocol (as revised 6/20/05)
• Process for establishing, implementing, operating, monitoring, reviewing, maintaining and improving
• Detailed set of non-mandatory standards for developing security policies, including:
– Security Policy + Organization
– Access Control
– Incident Management
– Business Continuity Management
– Compliance
<http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html>
<http://www.encase.com/corporate/downloads/whitepapers/ISO17799.pdf>
COBIT

COBIT = CONTROL OBJECTIVES FOR INFORMATION + RELATED TECHNOLOGY
• Issued by IT Governance Institute (ITGI)
• Reference framework for: management; users; and IS audit, control + security practitioners.
• Increasingly internationally accepted.
<http://COBIT.notlong.com> (registration required)
To learn more:
• “Aligning COBIT, ITIL and ISO 17799 for Business Benefit” <http://Aligning.notlong.com>
COBIT (con’t)

Provides tools to assess an enterprise’s IT capability for 34 IT processes in 4 domains:
• Planning + Organization
• Acquisition + Implementation
• Delivery + Support
• Monitoring
ITIL

Information Technology Infrastructure Library
• European effort to create library of best IT practices
– Aligning IT services with business
– Best Practices, not a Methodology
– Provides guidance re:
> Service Desk
> Incident Management
> Problem Management
> Change Management
> Configuration Management
<http://www.itil.co.uk/>
ISO, COBIT & ITIL Summary/Comparison

Service Support and Service Delivery
• ISO 17799:2000
– Security requirements
• COBIT
– Control objectives
– Management guidelines (metrics)
– Audit guidelines
• ITIL
– Basic Concepts
– Activities
– Cost/Benefit
– Planning for Implementation
ISO, COBIT & ITIL final thoughts

Are these the future standards for malpractice actions?
How to insure or at least buy Insurance for compliance?
Thank You

For questions, comments or suggestions, please contact us:
• Maureen Sirhall – [email protected]
• Matt Kesner – [email protected]