What Every Company Should Know About Data Security and Electronic Discovery - PowerPoint PPT Presentation

Provided by: tahp


1
What Every Company Should Know About Data
Security and Electronic Discovery
  • Todd L. Newton
  • Mitchell, Williams, Selig, Gates & Woodyard,
    P.L.L.C.

2
Topics
  • Data security issues, case studies, etc.
  • How the new amendments to the Federal Rules of
    Civil Procedure affect your business
  • Tips for preparing for security breaches and
    electronic discovery issues

3
DATA SECURITY
5
Data Security
  • 49% of businesses have lost a laptop in the past
    twelve months
  • 64% of businesses have never conducted an
    inventory on customer or employee data
  • 33% of businesses believe a data breach can put
    them out of business
  • On average, there is a Data Breach every three
    days
  • A Data Breach will cost roughly $182 per record
    exposed
  • Ponemon Institute - 2006 Annual Study: Cost of a
    Data Breach

6
Security Breach Costs
  • Value of stolen data
  • Cost of protecting affected victims
  • Cost of remedial security measures
  • Fines
  • Loss of good will and reputation
  • Lawsuits

7
Case Study
  • CardSystems Solutions
  • Issue: Security Breach
  • Effect: Records of 40,000,000 cardholders
    exposed, with millions of dollars in fraudulent
    purchases.
  • Outcome: Settlement with FTC included
    implementation of security program and
    independent audits.

8
Case Study
  • Department of Veterans Affairs
  • Issue: Stolen laptop
  • Effect: Records on 26,500,000 veterans exposed,
    including SSN.
  • Outcome: $7,000,000 spent notifying victims and
    $7,000,000 spent operating inbound call centers

9
Case Study
  • The TJX Companies, Inc.
  • Issue: Security breach
  • Effect: 46,155,000 customer records stolen,
    including credit card information and driver's
    license numbers. Stolen information used to buy
    over $1mm in merchandise.
  • Outcome: Ongoing. The FTC is investigating and
    TJX has settled a class action lawsuit. TJX has
    already spent $256 million dealing with this
    breach, with costs expected to exceed $1 billion.

10
Case Study
  • ChoicePoint
  • Cause: ID thieves set up bogus accounts to
    illegally purchase client information
  • Effect: 163,000 customer records accessed,
    including names, addresses, Social Security
    numbers, credit reports and other information
  • Outcome: FTC fines resulting in $10 Million in
    civil penalties, and another $5 Million to
    establish a consumer restitution fund.
    ChoicePoint has been subjected to more than 80
    external audits over the past 24 months.

11
Case Study
  • AIG
  • Issue: Break in - Server Stolen
  • Effect: 970,000 customer records stolen,
    including names, addresses, and Social Security
    numbers.
  • Outcome: No formal complaints filed. AIG reported
    that the stolen computer was on an encrypted
    network and that the files were
    password-protected.

12
OTHER EXAMPLES
  • Sentry Insurance
  • American Family Insurance
  • New York Special Funds Conservation Committee
  • Nationwide Health Plans
  • Aetna
  • AFLAC
  • Anthem Blue Cross Blue Shield
  • AllState

13
Security Breach Prevention
  • Periodic Security Audits
  • In-house audit by IT department
  • Third-party audit by independent contractor
  • Crisis Response Plan
  • Enforced Security Policies
  • Password Management
  • Periodic Data Inventory

14
Security Breach Response
  • Crisis Response Plan Implementation
  • Key Event Documentation
  • Preservation of All Pertinent Evidence
  • Law Enforcement Notification
  • Victim Notification

15
ELECTRONIC DISCOVERY
16
What's All The Buzz About?
  • Amendments to the Federal Rules of Civil
    Procedure (and Some States' Rules) Providing for
    the Disclosure of Electronically Stored
    Information as Part of the Discovery Process.
  • Applies to parties as well as non-parties

17
What's ESI?
  • SIMPLY PUT, ANY INFORMATION STORED IN ELECTRONIC
    FORMAT INCLUDING INFORMATION ON STORAGE DEVICES
    (CDs, FLOPPY DISKS, FLASH DRIVES, ETC.) SUCH AS
    EMAIL, WORD DOCUMENTS, VOICEMAIL, INSTANT
    MESSAGES, SPREADSHEETS, ETC.

18
Why Is That A Potential Problem?
  • BECAUSE THE VOLUME OF ELECTRONIC INFORMATION IS
    SIGNIFICANTLY GREATER THAN TRADITIONAL PAPER
    DOCUMENTS

19
Why Is That A Potential Problem?
  • AVERAGE NUMBER OF EMAILS PER EMPLOYEE PER DAY: 25
  • SIZE OF FLOPPY DISK: 1.44 MEGABYTES OR 720 TYPED
    PAGES
  • 90% OF INFORMATION BEING CREATED TODAY IS CREATED
    ELECTRONICALLY
  • SIZE OF CD-ROM: 650 MEGABYTES OR 325,000 TYPED
    PAGES
  • ONE GIGABYTE: 500,000 TYPED PAGES

20
Why Is That A Potential Problem?
  • EXAMPLES -CONT-
  • LARGER CORPORATIONS STORE BACKUP INFORMATION IN
    TERABYTES (1 MILLION MEGABYTES)
  • 1 TERABYTE: 500 MILLION TYPED PAGES

21
Who Should Be Concerned About E-discovery?
  • Fortiva.com Survey
  • 94% of persons responsible for email policy did
    not feel that their companies were prepared to
    meet FRCP amendments.
  • 45% reported having no retention policies.
  • 45.6% reported that their companies did not have
    an official email retention policy and that users
    keep their emails as long as they want to keep
    them.
  • KM World, May 2007

22
What Are The Costs of Failing To Produce ESI?
  • FEISTY COURTS AND STEEP PENALTIES

23
Key Cases
  • Linnen vs. A.H. Robins Co., Inc., et al.
  • Holding: Court rejected Wyeth's argument that
    restoration and production of backups unduly
    burdensome: "This is one of the risks taken on by
    companies which have made the decision to avail
    themselves of the computer technology now
    available to the business world. To permit a
    corporation such as Wyeth to reap the business
    benefits of such technology and simultaneously
    use that technology as a shield in litigation
    would lead to incongruous and unfair results."

24
Key Cases
  • Zurich American Insurance Co. vs. Ace American
    Reinsurance Co.,
  • Holding: "A sophisticated reinsurer that operates
    a multi-million dollar business is entitled to
    little sympathy for utilizing an opaque data
    storage system, particularly when, by the nature
    of its business, it can reasonably anticipate
    frequent litigation."

25
OTHER CASES
  • United States v. Philip Morris USA, Inc.,
  • (requiring defendant to pay $2.75 million for its
    noncompliance with company document retention
    policies and court order addressing evidence
    preservation)

26
OTHER CASES
  • In Re Prudential Insurance Company of America
    Sales Practices Litigation
  • (requiring defendant to pay $1 million fine after
    finding that destruction of pertinent documents
    hindered the administration of justice)

27
Tips for Surviving E-Day
  • 1) Create, implement, and enforce a record retention
    policy covering both paper and electronic
    records, including email, voicemail,
    chats/instant messaging, word processing
    documents, spreadsheets, etc., when such records
    can be destroyed, when destruction must be
    suspended (litigation hold), and person who
    will enforce the policy.

28
Tips for Surviving E-Day
  • 2) As part of the policy, develop a
    litigation hold plan, including who will
    announce the hold, how the hold will be
    announced, when it will be announced, how it will
    be monitored and enforced and by whom.

29
Tips for Surviving E-Day
  • 3) Devise a discovery response plan, including
    responsibilities of discovery team members, how
    pertinent records will be located, logged,
    preserved, reviewed, and produced, how compliance
    will be monitored, how to minimize disruption to
    employees' use of network, etc.

30
Tips for Surviving E-Day
  • 4) Designate a witness who can testify re
    company's network, retention policies,
    coordination with legal department, role in
    implementing litigation hold, etc.

31
Tips for Surviving E-Day
  • 5) Educate employees on annual basis concerning
    retention policy, notifying management of key
    events that could lead to future litigation (thus
    triggering litigation hold), importance of
    compliance with litigation hold and severity of
    sanctions that could be imposed if hold violated,
    etc.

32
Excellent Resources
  • The Sedona Guidelines: Best Practice Guidelines &
    Commentary for Managing Information & Records in
    the Electronic Age (Sept. 2005)
  • The Sedona Principles: Best Practices,
    Recommendations & Principles for Addressing
    Electronic Document Production (July 2005)
  • www.thesedonaconference.org

33
Excellent Resource
  • The Federal Trade Commission & The Better
    Business Bureau
  • Offer a variety of resources for a business
    dealing with a security breach
  • www.ftc.gov
  • www.bbb.org

34
Questions?
  • Todd L. Newton
  • Mitchell, Williams, Selig, Gates & Woodyard,
    P.L.L.C.
  • (501) 688-8881
  • tnewton_at_mwsgw.com
  • mitchellwilliamslaw.com