Presentation is loading. Please wait.

Presentation is loading. Please wait.

Regulations Impacting Law Firm Risk Management

Similar presentations


Presentation on theme: "Regulations Impacting Law Firm Risk Management"— Presentation transcript:

1 Regulations Impacting Law Firm Risk Management
August 22, 2007 Maureen Sirhall Matt Kesner

2 Goal Expose you to a few new risk management issues that arise because of data vs. paper We don’t claim to have all the answers Often the analogy to the pre-data world helps keep the discussion calm and rational Whether you are in Risk Management or IT, it is your job to mitigate these risks

3 Overview Corporate compliance schemes generally do not effect law firms. Yet. There are a number of laws, regulations, and bar association rules and opinions that do affect risk management in a law firm. International laws & standards regarding the handling of data are the biggest hurdle we face now

4 Not covered today E-Discovery
Advertising limitations & Web sites/ Limitations on SPAM Ancillary businesses

5 How do we define Risk Management?
Protection of the firm from risks associated with the practice of law Protection of the firm from business risks Protection of the firm from malpractice and liability claims Includes: Client intake process Conflicts Docket Control Records Management Ethical Screens

6 Common Sense or Regulation?
Common sense once prevailed Post-Enron era has shifted the balance to regulatory obligation Common sense now required to understand and interpret Federal requirements Do the laws that bind the clients also bind the law firms that represent them? Inconsistency among state laws, ethical rules and bar opinions further complicates successful risk management

7 FUDs Role—to ruin your day (Fear, Uncertainty and Doubt)
Sarbanes-Oxley (SOX) Gramm-Leach-Bliley(G-L-B) Health Insurance Portability & Accountability Act (HIPAA) Fair Credit Reporting Act (FCRA) Fair/Accurate Credit Transactions Act (FACTA) IRS Circular 230 European Union Directive on Data Protection State laws, ethical rules & bar rules and opinions ISO & 27001, COBIT & ITIL

8 Summary SOX does not apply to lawyers GLB does not apply to lawyers
HIPAA does apply to lawyers and law firms FCRA/FACTA does apply to lawyers and law firms Simple rules if you collect credit reports or background checks EU & State laws and state bar rules and opinions do apply to data security breaches and lost data No consistency to laws/rules/opinions

9 Sarbanes-Oxley Sarbanes-Oxley: Internal Controls
SOX § 404 [15 U.S.C. § 7262] <http://SOX-404.notlong.com> Applies to public companies, those cos. planning to go IPO, and certain foreign cos. traded on a US stock exchange Section 404: SEC to make rules re: “responsibility of [public co.] management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”

10 Graham-Leach-Bliley “Financial Services Modernization Act”
Financial institutions (broadly defined) must: disclose when they are sharing data—aka have a privacy policy notify [some annually] individuals of policies re: use of any non-public personal information; limit use and disclosure of such information; provide opt-out opportunity; and implement safeguards 15 U.S.C. §§ (1999) <http://uscode.house.gov/download/pls/15C94.txt>

11 G-L-B – FTC “Safeguard” Regs.
Security measures include: Designating coordinator[s] of program; Addressing risks to security/integrity of info.; Security program to control risks; Requiring service providers, by contract, to implement appropriate safeguards; Adapting program in light of material changes to businesses 16 C.F.R. Part 314 <http://www.ftc.gov/os/2002/05/67fr36585.pdf> <http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html>

12 Does G-L-B Apply to Law Firms?
NO, because: not “financial institutions;” no clear intent in G-L-B to cover attorneys; and attorneys heavily regulated by states that license them; and provide consumers with greater privilege protections. NYSBA, ABA v. FTC, 276 F. Supp. 2d (D.D.C. 2003) (denying FTC’s motion to dismiss) <http://www.dcd.uscourts.gov/ pdf>

13 Does G-L-B Apply to Law Firms? (con’t)
D.D.C. Case (c’t’d) REJECTED: FTC’s denial of exemption NYSBA, ABA v. FTC, 2004 WL (D.D.C ) (granting summary judgment to Plaintiffs, upon receipt of cursory administrative record) <www.dcd.uscourts.gov/02-810a.pdf> D.C. Circuit Appeal AFFIRMED (12/6/05) <http://pacer.cadc.uscourts.gov/docs/common/opinions/200512/ a.pdf>

14 Does G-L-B Apply to Law Firms? (con’t)
D.C. Cir. Case (c’t’d): “Congress ‘does not hide elephants in mouse holes.’ ” GLB shows no intent to regulate lawyers. Even if a law firm is an “institution,” its business is “the practice of the profession of the law,” NOT “engaging in financial activities.” Practice of law traditionally province of the states. FTC did not file appeal

15 FUDs Role—to ruin your day (Fear, Uncertainty and Doubt)
Sarbanes-Oxley (SOX) Gramm-Leach-Bliley(G-L-B) Health Insurance Portability & Accountability Act (HIPAA) Fair Credit Reporting Act (FCRA) Fair/Accurate Credit Transactions Act (FACTA) IRS Circular 230 European Union Directive on Data Protection State laws, ethical rules & bar rules and opinions ISO & 27001, COBIT & ITIL

16 HIPAA – Health Care eInfo.
Health Insurance Portability & Accountability Act Privacy and security of medical information Restrictions on disclosure, even to employer (e.g., your law firm) providing coverage for its employees Statutes and Regs – including Security Rule (compliance deadline 4/21/05 or 4/21/06) – linked at <http://aspe.hhs.gov/admnsimp/index.shtml>

17 HIPAA—EPHI (con’t) “Electronic Personal Health Care Info. (EPHI) RULES FOLLOW THE INFO., NOT THE PROVIDER” Adam Hansen, “HIPAA in the Law Firm?” (Peer to Peer May 2005) <www,HIPAA-Hansen-Article.notlong.com> Enter into a Business Associate Agreement (BAA) covering: Incident Response Notification Duration Termination Id.

18 HIPAA – EPHI (con’t) How info. protected at rest and in transit
Because no set technology requirements, consider: How info. protected at rest and in transit Authorization/authentication schemes [Not in article but encryption helps here too.] <www.HIPAA-Hansen-Article.notlong.com> As to client’s data LAW UNSETTLED re: whether attorney-client privilege could preclude claim of law firm liability as a “business associate” Alex L. Bednar, HIPAA Implications for Attorney Client Privilege, 35 St. Mary’s L.J. 871, , , , (2004)

19 FCRA/FACTA Added to the Fair Credit Reporting Act (FCRA) <http://www.ftc.gov/os/statutes/031224fcra.pdf> . . . Fair/Accurate Credit Transactions Act (FACTA): “Any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[, must] properly dispose of any such information or compilation.” FACTA § 216, 15 U.S.C. 1681w(a)(1) (emphasis added) <http://15USC1681w.notlong.com> Businesses – including law firms – must take reasonable measures to dispose of sensitive info from credit reports and background checks FTC’s June 1, 2005 Disposal Rule <http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf#page=32>

20 FACTA Disposal Rules Paper and electronic
Must implement– and monitor compliance with – procedures. (Incorporate policies into GLB Safeguards.) FTC Comments: Use “wiping” utilities But can cheaply destroy media by "simply smashing the material with a hammer." <http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf#page=30> <http://www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm> <http://www.ftc.gov/opa/2005/06/disposal.htm>

21 FACTA Disposal Rules—Unanswered questions
As to client’s data, same concepts as above re: HIPAA (you probably should wipe) Different context IF client a G-L-B-covered financial institution Client must incorporate disposal policies into its G-L-B-mandated safeguards So, for those clients . . . Disposal obligation accompanies data now residing at law firm?

22 IRS Circular 230 Only applies if have attorneys practicing before IRS
Treasury Dep’t Regs Governing Practice of Attorneys, CPA’s, etc. before IRS Circular 230 Changes effective 6/20/05 31 C.F.R. §§ 10 to (2005) <www.irs.gov/pub/irs-pdf/pcir230.pdf> amending §§ and 10.52; adding §§ to <www.irs.gov/pub/irs-utl/td9165.pdf> Goals: “[I]mprove ethical standards for tax professionals” “[C]urb abusive tax avoidance transactions” <http://www.irs.gov/irs/article/0,,id=132445,00.html>

23 IRS Circular 230 (con’t) Treasury Dep’t (TD) got more tax-shelter-fighting power from American Jobs Creation Act of 2004 So, TD amended its regs to require: DISCLAIMER for ALL WRITTEN ADVICE re: tax avoidance transactions; and “PROMINENTLY DISCLOSED” “readily apparent to a reader of the written advice depend[ing] on the facts and circumstances” “set forth in a separate section (and not in a footnote) in a typeface that is the same size or larger than the typeface of any discussion.” 31 C.F.R. § 10.35 <www.irs.gov/pub/irs-pdf/pcir230.pdf#page=26>

24 IRS Circular 230 (con’t) DISBARMENT or SUSPENSION from practicing before IRS are no longer the exclusive penalties. CENSURE (“public reprimand”) MONETARY PENALTY for rep.’s/advisor’s firm, up to amount of gross income derived To learn more: 18 U.S.C. § 330 31 C.F.R. §§ 10.50, (as amended) Richard A. Shaw, “Planning Tax Advice Under Circular and the Jobs Act” (RIA Business Entities 3/1/05) <http://www.higgslaw.com/engine/pubs/getdoc.aspx?id=69&dl=1>

25 Circular 230 take-aways Exemplar IRS Circular 230 Disclosure:
To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice in this communication (including attachments) is not intended or written by Fenwick & West LLP to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing, or recommending to another party any transaction or matter addressed herein.” See generally ILTA Survey 2006 <www.zoomerang.com/reports/public_report.zgi?ID=L22DDZ4KTJ3Z

26 FUDs Role—to ruin your day (Fear, Uncertainty and Doubt)
Sarbanes-Oxley (SOX) Gramm-Leach-Bliley(G-L-B) Health Insurance Portability & Accountability Act (HIPAA) Fair Credit Reporting Act (FCRA) Fair/Accurate Credit Transactions Act (FACTA) IRS Circular 230 European Union Directive on Data Protection State laws, ethical rules & bar rules and opinions ISO & 27001, COBIT & ITIL

27 EU Directive on Data Protection
TITLE: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data”  http://www.cdt.org/privacy/eudirective/ Broad definitions: (a) 'personal data 'shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; (b)'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

28 EU Directive on Data Protection (con’t)
Data requirements: Adequate and up-to-date Process to correct Kept no longer than necessary Subject has given her/his consent Processing is per a contract with or legal obligation of the subject Must disclose nature of processing Right to review data Our opinion: The data is the individuals, not the firm’s. Can’t send data to third countries unless “third country in question ensures an adequate level of protection.” The United States does not meet this standard

29 EU Directive on Data Protection (con’t)
Our opinion: The data is the individuals, not the firm’s. Can’t send data to third countries unless “third country in question ensures an adequate level of protection.” The United States does not meet this standard BIG Problems for Int’l firms: Centralized IT infrastructure Centralized records systems & storage Disaster recovery sites Smaller Problem for all firms: Gathering data

30 State laws, ethical rules, & bar opinions
Obligations concerning records management policies Who owns the file? Storage vs. destruction What is confidential in an electronic world? Notice and disclosure duties on data loss

31 Obligations concerning records management policies
ABA Model Rule 1.15: requires firms to safeguard client’s property ABA Model Rule 1.16: requires firms to make files available to other parties or to the client upon termination of representation. ABA Model Rule 3.4(a): requires firms to allow other party’s access to files that are considered to have evidentiary value. ABA Model Rule 5.1: requires firms to have procedures that insure that the firm’s lawyers comply with the rules of professional responsibility. Many states have adopted and/or amended the ABA rules incorporated and them into their codes or rules; all vary.

32 Who owns the file? Controversial, with three schools of thought:
The most recent opinion states that the client owns the complete file, without exception. (See Iowa Supreme Court Attorney Disciplinary Board v. Don E. Gottschalk, 729 N.W.2d 812, Iowa Sup.Ct. 2007) Other jurisdictions have ruled that the client is only entitled to the “end product” documents and that the firms can deny access to those documents that are considered “internal”. (See Corrigan v. Armstrong, Teasdale, Schlafly, Davis & Dicus, 824 S.W. 2d 92, Mo. App., 1992) The minority view feels that the law firm is entitled to all documents in the file, without question. (See Michigan Ethics Op R-019 and Fl Op )

33 Storage vs. Destruction
There is general agreement that the client’s interests must be protected. The ABA addressed the issue in Informal Opinion 1384 states: “Clients (and former clients) reasonable expect…that valuable and useful information in the lawyers’ files, and not otherwise readily available to the clients, will not be prematurely and carelessly destroyed, to the clients’ detriment.” In most jurisdictions the ethics authorities suggest retention periods between 5 and 10 years. (AZ Ethics Op , MI Ethics Op. R-12, WV L.E.I ) However, documents may also be subject to independent legal requirements, determined by the type of document. Applicable statutes of limitations, which vary among jurisdictions, must also be considered, even with closed cases.

34 What is confidential in an electronic world?
Unencrypted Messages’ OK ABA requires “reasonable precautions to prevent information from coming into the hands of unintended recipients “[D]oes not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. “Special circumstances, however, may warrant special precautions.” ABA Model Rules of Prof’l Conduct Rule 1.6(a), Comment, ¶ 17 (2002) <http://www.abanet.org/cpr/mrpc/rule_1_6_comm.html>

35 What is confidential in an electronic world (con’t)
Unencrypted messages OK (con’t) “[N]o greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy.” ABA Formal Op (1999) Metadata can be problematic. “Lawyers have a duty under DR to use reasonable care when transmitting documents by to prevent the disclosure of metadata containing client confidences or secrets.” NY Ethics Op. 782

36 What is confidential in an electronic world (con’t)
To learn more: Terry L. Hill and Jennifer S. Johnson, “Impact Of Electronic Data Upon An Attorney’s Client,” 54 FED'N DEF. & CORP. COUNSEL. Q. 95, § V, at nn and accompanying text (2004) <http://fdcc.digitalbay.net/documents/hill-W04.htm> Reno v. Reno Police Protective Ass’n, 59 P.3d 1212, n.28, 118 Nev. Adv. Op. No. 90 (12/26/02) <http://Nevada-eEthics.notlong.com>

37 Statutory obligation to disclose data breaches
OVERVIEW Goal is protection vs. Identity Theft . . . STATES’ Statutory Notice Requirements . . . 32 States (+ 1 pending = Utah) as of 1/1/07 <www.pirg.org/consumer/credit/statelaws.htm#breach> Trigger: 16 – “acquisition-based” (pro-consumer; based simply on loss of information) 17 – “risk-based” (analysis must show that degree of risk meets threshold)

38 Obligation to disclose data breaches (con’t)
Acquisition-based laws Examples . . . CA – SB 1386 – Civ. Code § (a)-(b) When CA resident’s UNENCRYPTED personal data is ostensibly hacked, then: OWNER/LICENSOR of data must notify individual POSSESSOR of data must notify owner/licensor <http:// notlong.com> NY – Gen. Bus. L. § 89-aa(2)-(3); State Tech. Law § 208 Same; based on SB 1386; effective 12/8/05 <http://www.cscic.state.ny.us/security/securitybreach/index.htm> See also Gary Gentile, Universities vulnerable to ID thieves, AP (12/17/06) <http://ucla-sec-breach-ap-article.notlong.com>

39 Obligation to disclose data breaches (con’t)
CA SB 1386/Civil Code : Applies to cos. doing business in CA Personal Information: FIRST NAME/INITIAL and LAST NAME AND at least one of: SOCIAL SECURITY NUMBER DRIVER’S LICENSE or CA ID NUMBER FIN. ACCOUNT # and SECURITY/ACCESS CODE (PASSWORD) to account Many ambiguities, e.g., “discovery,” “notification,” timing of notification and contents of notification.

40 More States’ Notice Statutes
Risk-based – Recent Examples: Utah SB 69, codified at to 301 (1/1/07) <www.le.state.ut.us/~2006/bills/sbillint/sb0069.htm> Ohio H.B. 104, codified at Rev. Code §§ , , , , et al. (2/17/06) <www.legislature.state.oh.us/bills.cfm?ID=126_HB_104> To learn more: <www.pirg.org/consumer/credit/statelaws.htm#breach> <http://Sec-Breach-WPost notlong.com> <http://Data-Breach-NYT notlong.com>

41 Notice—Proposed Federal Legislation
Data Accountability and Trust Act (DATA) – Stearns bill – H.R. 4127 Referred to Judiciary Committee 10/25/05 <http://thomas.loc.gov/cgi-bin/bdquery/z?d109:h.r.04127:> AS AMENDED, got through Judiciary Comm and two other House committees by 6/2/06 <http://h4127rh.notlong.com> But, before summer recess, full House vote postponed <www.law.com/jsp/law/LawArticleFriendly.jsp?id= > Trigger is risk-based, though on more consumer-friendly end of spectrum See also S (“Personal Data Privacy and Security Act of 2005”) <http://thomas.loc.gov/cgi-bin/query/z?c109:S.1789.RS:>

42 Practical Consideration: Encryption
Most proposed Federal legislation and many state laws are more lenient where the data is encrypted. Laptops Desktops BlackBerries? Phones?

43 Best Practices: Example
OMB Security Guidelines for Federal Gov’t Issued June 23, 2006; compliance by August 7, 2006 Encrypt all data on mobile computers/ devices unless data marked “non-sensitive” Allow remote access only with two-factor authentication “Time-out” function for remote access after 30 minutes Log all computer-readable data extracts and verify sensitive data is erased within days unless use is still required <www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf> Frankly more important to teach good data practices.

44 Statistics on Breaches
“A third of IT managers report data breaches: survey” (Network World 4/11/07) <www.networkworld.com/news/2007/ survey-data-breaches.html> Computer Associates Study (July 5, 2006) 642 large companies surveyed 84% experienced a security incident 38% internal breach Security breaches increased 17% since 2003 40% don’t take IT security risk management seriously 37% security spending is too low Where to? Identity and Access Management (IAM) technology <http://www3.ca.com/Press/PressRelease.aspx?CID=90751>

45 Data Breach: Financial Impact
Data Loss Cost Calculator <http://www.tech-404.com/calculator.html>

46 ISO 17999 & 27001, COBIT & ITIL Data system best practices
Most of “records” is now “data” VERY high standards ISO certification now requested/required by some clients COBIT & ITIL practices Very few US firms measure up De facto compliance schemes

47 ISO & 27001 International Org. for Standardization (ISO) Protocol (as revised 6/20/05) Process for establishing, implementing, operating, monitoring, reviewing, maintaining and improving Detailed set of non-mandatory standards for developing security policies, including: Security Policy + Organization Access Control Incident Management Business Continuity Management Compliance <http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html> <http://www.encase.com/corporate/downloads/whitepapers/ISO17799.pdf>

48 COBIT COBIT = CONTROL OBJECTIVES FOR INFORMATION + RELATED TECHNOLOGY
Issued by IT Governance Institute (ITGI) Reference framework for: management; users; and IS audit, control + security practitioners. Increasingly internationally accepted. <http://COBIT.notlong.com> (registration required) To learn more: “Aligning COBIT, ITIL and ISO for Business Benefit” <http://Aligning.notlong.com>

49 COBIT (con’t) Provides tools to assess an enterprise’s IT capability for IT processes in 4 domains: Planning + Organization Acquisition + Implementation Delivery + Support Monitoring

50 ITIL Information Technology Infrastructure Library
European effort to create library of best IT practices Aligning IT services with business Best Practices, not a Methodology Provides guidance re: Service Desk Incident Management Problem Management Change Management Configuration Management <http://www.itil.co.uk/>

51 ISO, COBIT & ITIL Summary/Comparison
Service Support and Service Delivery ISO 17799:2000 Security requirements COBIT Control objectives Management guidelines (metrics) Audit guidelines ITIL Basic Concepts Activities Cost/Benefit Planning for Implementation

52 ISO, COBIT & ITIL final thoughts
Are these the future standards for malpractice actions? How to insure or at least buy Insurance for compliance?

53 Thank You For questions, comments or suggestions, please contact us:
Maureen Sirhall – Matt Kesner –


Download ppt "Regulations Impacting Law Firm Risk Management"

Similar presentations


Ads by Google