What Every Company Should Know About Data Security and Electronic Discovery - PowerPoint PPT Presentation

About This Presentation
Title:

What Every Company Should Know About Data Security and Electronic Discovery

Description:

33% of businesses believe a data breach can put them out of business ... The Federal Trade Commission & The Better Business Bureau: ... – PowerPoint PPT presentation

Slides: 23
Provided by: tahp

Transcript and Presenter's Notes

Title: What Every Company Should Know About Data Security and Electronic Discovery


1
What Every Company Should Know About Data
Security and Electronic Discovery
  • Todd L. Newton
  • Mitchell, Williams, Selig, Gates & Woodyard,
    P.L.L.C.

2
Topics
  • Why data security is paramount to your company
  • Data security examples
  • How the new amendments to the Federal Rules of
    Civil Procedure affect your business
  • Tips for preparing for security breaches and
    electronic discovery issues

3
(No Transcript)
4
Data Security
  • 49% of businesses have lost a laptop in the past
    twelve months
  • 64% of businesses have never conducted an
    inventory of customer or employee data
  • 33% of businesses believe a data breach can put
    them out of business
  • On average there is a data breach every three
    days
  • A data breach will cost roughly $182 per record
    exposed
  • Ponemon Institute - 2006 Annual Study: Cost of a
    Data Breach

5
Security Breach Costs
  • Value of stolen data
  • Cost of protecting affected victims
  • Cost of remedial security measures
  • Fines
  • Loss of good will and reputation
  • Lawsuits

6
Case Study
  • CardSystems Solutions
  • Issue: Security breach
  • Effect: Records of 40,000,000 cardholders
    exposed, with millions of dollars in fraudulent
    purchases.
  • Outcome: Settlement with FTC included
    implementation of security program and
    independent audits.

7
Case Study
  • Department of Veterans Affairs
  • Issue: Stolen laptop
  • Effect: Records on 26,500,000 veterans exposed,
    including SSN.
  • Outcome: $7,000,000 spent notifying victims and
    $7,000,000 spent operating inbound call centers

8
Case Study
  • The TJX Companies, Inc.
  • Issue: Security breach
  • Effect: 46,155,000 customer records stolen,
    including credit card information and driver's
    license numbers. Stolen information used to buy
    over $1mm in merchandise.
  • Outcome: Ongoing. The FTC is investigating and
    TJX has settled the class action lawsuit. TJX has
    already spent $256 Million dealing with this
    breach, with costs expected to exceed $1
    Billion.

9
Case Study
  • ChoicePoint
  • Cause: ID thieves set up bogus accounts to
    illegally purchase client information
  • Effect: 163,000 customer records accessed,
    including names, addresses, Social Security
    numbers, credit reports and other information
  • Outcome: FTC fines resulting in $10 Million in
    civil penalties, and another $5 Million to
    establish a consumer restitution fund.
    ChoicePoint has been subjected to more than 80
    external audits over the past 24 months.

10
Case Study
  • AIG
  • Issue: Break-in - Server stolen
  • Effect: 970,000 customer records stolen,
    including names, addresses, and Social Security
    numbers.
  • Outcome: No formal complaints filed. AIG reported
    that the stolen computer was on an encrypted
    network and that the files were
    password-protected.

11
Security Breach Prevention
  • Periodic Security Audits
  • In-house audit by IT department
  • Third-party audit by independent contractor
  • Crisis Response Plan
  • Enforced Security Policies
  • Password Management
  • Periodic Data Inventory

12
Security Breach Response
  • Crisis Response Plan Implementation
  • Key Event Documentation
  • Preservation of All Pertinent Evidence
  • Law Enforcement Notification
  • Victim Notification

13
Federal Rules of Civil Procedure
  • Summary of the major e-discovery amendments
  • Providing for early resolution of e-discovery
    issues
  • Providing remedy for inadvertent disclosure of
    electronic data
  • Addressing the issue of document deletion and
    sanctions
  • Providing guidance on discovery of electronic
    data that is not readily accessible

14
Summary of Rule Changes
  • E-discovery is addressed in a pretrial scheduling
    order
  • A party has a duty to include in its initial
    disclosures electronically stored information
  • In response to a discovery request, a party need
    not produce electronically stored information
    that is not reasonably accessible
  • A new procedure exists for asserting privilege
    after production

15
Summary of Rule Changes
  • The parties' discovery conference is to include
    discussion of any issues related to e-discovery
  • A party may answer an interrogatory requiring
    review of business records by providing access to
    electronically stored information
  • A requesting party can specify the form of
    production, such as in paper or electronic form
    and the responding party may object
  • Limited protection is provided against sanctions
    for failure to provide electronically stored
    information that has been destroyed pursuant to
    routine retention policy.

16
E-Day Survival Tips
  • Create, implement, and enforce a record retention
    policy covering both paper and electronic
    records, including email, voicemail,
    chats/instant messaging, word processing
    documents, spreadsheets, etc., when such records
    can be destroyed, when destruction must be
    suspended (litigation hold), and the person who
    will enforce the policy.
  • As part of the policy, develop a litigation hold
    plan, including who will announce the hold, how
    the hold will be announced, when it will be
    announced, how it will be monitored and enforced
    and by whom

17
E-Day Survival Tips
  • Inventory types of data/records generated and
    retained and what might be relevant to future
    litigation, where kept, for how long, etc. -
    including data held by 3rd parties and data
    generated by departing/former employees.
  • Inventory network hardware and users, including
    locations where ESI kept, organization chart,
    etc.
  • Assemble a discovery team consisting of people
    from various departments, including legal, IT,
    management, outside counsel, etc.

18
E-Day Survival Tips
  • Devise a discovery response plan, including
    responsibilities of discovery team members, how
    pertinent records will be located, logged,
    preserved, reviewed, and produced, how compliance
    will be monitored, how to minimize disruption to
    employees' use of network, etc.
  • Designate a person as the 30(b)(6) who can
    testify re company's network, retention
    policies, coordination with legal department,
    role in implementing litigation hold, etc.

19
E-Day Survival Tips
  • (8) Educate employees annually about retention
    policy, notifying management of key events that
    could lead to future litigation (thus triggering
    litigation hold), importance of compliance with
    litigation hold and severity of sanctions that
    could be imposed if hold violated, etc.

20
E-Day Survival Tips
  • Limit access to disaster recovery tapes to
    disasters, not as a method of recovering
    inadvertently deleted items.
  • Bridge the gap between IT staff and legal team
    to ensure that legal team understands computer
    technology employed (how records
    created/retained, how backups performed, rotation
    cycles of backups, retention of legacy
    information, etc.) and that IT staff understands
    their role in collecting and preserving relevant
    records.

21
E-Day Survival Tips
  • Consider whether 3rd party vendor should be
    enlisted to capture and process data if/when
    litigation commenced.
  • Document, document, document.

22
Excellent Resources
  • The Sedona Guidelines: Best Practice Guidelines &
    Commentary for Managing Information & Records in
    the Electronic Age (Sept. 2005)
  • The Sedona Principles: Best Practices,
    Recommendations & Principles for Addressing
    Electronic Document Production (July 2005)
  • www.thesedonaconference.org

23
Excellent Resource
  • The Federal Trade Commission & The Better
    Business Bureau
  • Offers a variety of resources for a business
    dealing with a security breach
  • www.ftc.gov
  • www.bbb.org

24
Questions?
  • Todd L. Newton
  • Mitchell, Williams, Selig, Gates & Woodyard,
    P.L.L.C.
  • (501) 688-8881
  • tnewton_at_mwsgw.com
  • mitchellwilliamslaw.com