Information Governance in an Era of Rapid Privacy and Data Security Change - PowerPoint PPT Presentation

1 / 49
About This Presentation

Information Governance in an Era of Rapid Privacy and Data Security Change


Information Governance in an Era of Rapid Privacy and Data Security Change Edward McNicholas SIDLEY AUSTIN LLP – PowerPoint PPT presentation

Number of Views:384
Avg rating:3.0/5.0
Slides: 50
Provided by: ofiiOrgsit9


Transcript and Presenter's Notes

Title: Information Governance in an Era of Rapid Privacy and Data Security Change

Information Governance in an Era of Rapid Privacy
and Data Security Change
What Can Go Wrong
  • ChoicePoint - FTC obtained record 10 million
    fine and 5 million restitution, plus substantial
    injunctive requirements 500,000 settlement with
    43 state AGs 12 million spent on security
    upgrades since 2005
  • TJX - computer intrusion and stolen customer
    transaction data leads to government
    investigations and scores of putative class
    actions around US and Canada (46 million
  • - 1.6 million job searches
    compromised by Trojan horse and phishing attacks
  • Telefonica Espana - fined 840,000 by the Spanish
    Data Protection Authority for sharing an
    individuals data with one of its subsidiaries
    for marketing purposes
  • Tyco Healthcare fined 30,000 (40,972) by the
    French Data Protection Authority (CNIL) for
    improper storage and cross-border transfer of
    employee data (April 2007)
  • Lilly FTC investigation started by single
    errant e-mail

The Cost of Getting Data Protection Wrong
  • Breaches and data incidents can be extremely
  • Hard costs
  • Cost of notifying affected individuals
  • Credit monitoring
  • Investigation and legal fees
  • Potential costs
  • FTC, State AG, and regulatory investigations
  • Class actions by data subjects
  • Litigation with business partners over hard costs
  • Legal defense fees
  • Brand/Reputation harm
  • Charges of deceptive / unfair business practices
  • Lost confidence / uncertainty in clients /
  • Lost profits / business partners

SEC Cybersecurity Guidance
  • SEC issued significant new guidance suggesting
    that public companies should evaluate disclosure
    of cybersecurity risks.
  • Several existing regulations could require
    disclosure of actual cyber-attacks, but
    that potential cyber-attacks should also be
    disclosed in some circumstances. 

Advanced Persistent Threat
  • Cyberattacks against Google were "wake-up call"
    about vulnerabilities that could cripple US
    economy (DNI)
  • Cybersecurity legislation will seek to
  • Enhance coordination and prioritization of
    federal research and development
  • Promote development of technical standards
  • Improve the transfer of cybersecurity
    technologies to the marketplace
  • Government contractors and companies involved in
    critical infrastructure should assess their
    technical and legal responses to cybersecurity
  • DOD advanced notice of proposed rulemaking for
    defense contractors

The Reality Facing Global Corporations
  • Broad complexity and wide variety of national
    (and sub-national) privacy and data security laws
    complicates compliance
  • Significant cultural and legal differences
    exist in the meaning and nuances of privacy and
    data protection
  • Achieving compliance with overlapping federal,
    state, national, sub-national and multilateral
    rules is complex and burdensome
  • Trend towards stricter, more prescriptive laws,
    with more complexity and greater enforcement
    appears likely

U.S. Governmental Response
  • States have responded with increased statutory
    protections for personal information
  • Congress has passed sector-specific privacy and
    information security laws
  • Omnibus privacy and information security actively
    under debate in Congress

Overview of U.S. Privacy Law
  • No comprehensive federal privacy statute
  • In U.S., privacy is regulated via
  • Federal sector-specific and ad hoc statutes and
  • FTC regulation and enforcement
  • State laws, AG enforcement actions and private
  • Industry self-regulation through company privacy
    policies, and association codes
  • Changes likely in Washington

Federal Legislation and Regulation
  • Gramm-Leach-Bliley Act of 1999 (GLBA)
  • Regulates privacy of personally identifiable,
    nonpublic financial information disclosed to
    non-affiliated third parties by financial
  • Requires administrative, technical, and physical
  • Health Insurance Portability and Accountability
    Act of 1996 (HIPAA) / Health Information
    Technology for Economic and Clinical Health Act
    of 2009 (HITECH)
  • HIPAA rules protect confidentiality and security
    of medical information in hands of covered
    entities and business associates such as
    healthcare poviders, hospitals,
    employer-sponsored health plans, etc.

Federal Trade Commission (FTC)
  • FTC is de facto federal privacy enforcement
    authorityFTC Act 5 (15 U.S.C. 45)
  • FTC charged with preventing "unfair methods of
    competition in or affecting commerce and unfair
    or deceptive acts or practices in or affecting
  • FTC enforces against companies that engage in the
    deceptive practice of failing to adhere to
    their own privacy and/or information security
  • FTC enforces against companies that engage in the
    unfair practice of failing to provide adequate
    security for consumer data
  • FTC enforces Gramm-Leach-Bliley Act Fair Credit
    Reporting Act Children's Online Privacy
    Protection Act

FTC Investigative Demand
  • All policies adopted or statements made regarding
    the collection, disclosure, use and protection of
    personal information
  • All documents sufficient to identify and describe
    in detail all systems and/or databases that
    collect, maintain, store, transmit or otherwise
    handle personal information
  • Any risk assessments conducted to identify risks
    to the security and confidentiality of personal
  • All documents that set forth, assess, evaluate,
    question, challenge, contest or recommend changes
    to the security procedures, practices, policies,
    and defenses with respect to personal information
  • All service providers that receive, maintain,
    process or otherwise are permitted to access
    personal information
  • All documents that reflect, concern or relate to
    incidents of possible unauthorized access to
    personal information
  • EU Privacy safe harbor compliance documentation

Communications Privacy
  • Electronic Communications Privacy Act (ECPA)
  • ECPA governs interception (wiretap), access to
    and disclosure by government and/or private
    entities of contents of communications, or
    transactional and routing information related to
    communications, by providers of communications
    services and remote computing services
  • Computer Fraud and Abuse Act (CFAA)
  • Prohibits hacking or accessing computers in
    violation of, or in excess of, authorization
  • Telecommunications Act
  • Every telecommunications carrier has a duty to
    protect the confidentiality of proprietary
    information of, and relating to, other
    telecommunication carriers, equipment
    manufacturers, and customers

Data Breach Statutes
  • Data breach notification laws are pervasive
  • 46 states, DC, Puerto Rico, and the Virgin
    Islands have breach notification requirements
  • Some states require reporting to government
  • Triggers Vary
  • Risk of harm
  • Pure acquisition
  • Encryption remains a key issue
  • Creates safe harbor from state data breach notice
  • Laptops, portable media (such as USB drives)
  • Wireless transmission transmission over public

Massachusetts Data Security Standards
  • Regulation 201 CMR 17.00 (effective March 1,
  • Requires anyone that owns, licenses, stores or
    maintains residents personal information to
    develop and implement a comprehensive written
    information security program
  • Requirements passed through to vendors
  • Personal information is defined as
  • Name plus SSN, drivers license number or other
    state-issued identification number, or credit or
    debit card number or other financial account
  • Applies to electronic or paper data

Massachusetts Data Security Regulations
  • Collect only minimum personal information
  • Retain information only as long as necessary for
    purpose originally collected
  • Limit access to those with need to know
  • Promptly deactivate user name/password of
    terminated employee authorized to access personal
  • Encrypt personal information
  • in transmission over Internet
  • on all wireless transmissions
  • on portable storage media
  • Develop policy to regulate when and how personal
    information may be transported, stored and
    accessed off-site
  • Develop policies for telecommuting
  • Passwords required
  • Monitor access to personal information and review
    audit trails

Other State Issues To Watch
  • Social Security Number Protection laws that
    require special limitations on the collection,
    use and display of SSNs
  • State Unfair and Deceptive Acts and Practices
    (UDAP) Statutes
  • Secure Disposal Laws that require businesses to
    dispose of personal data records securely
  • Privacy Torts Privacy invasions, negligence,
    misappropriation, defamatory speech, trespass to
    chattel, stalking, etc.
  • RFID bills that prohibit the nonconsensual use or
    reading of RFID chips Missouri criminal law
    against employers requiring implants
  • Medical or Genetic Privacy restrictions on the
    use of test results and the use, disclosure and
    protection of biometric data
  • Employee Surveillance DE and CT have notice
  • Locational Privacy restrictions on use of
    GPS-enabled devices
  • Behavioral Tracking and Advertising

Privacy in Congress
  • Cybersecurity
  • Senators Kerry and McCain have lead on privacy
  • fair information principles-based, omnibus
    privacy bill
  • right for data subjects to receive a clear and
    concise notice of uses that they might not
    reasonably anticipate
  • opt-out of unanticipated uses of PII opt-in
    consent required for uses of sensitive PII or
    third party transfer
  • mechanism for individuals to access and correct
  • new Commerce Office of Commercial Privacy Policy
  • enforcement by state Attorneys General and FTC

White House
  • 2011 as Year of Privacy?
  • Chartering of inter-agency Subcommittee on
    Privacy and Internet Policy as part of National
    Science and Technology Councils Committee on
  • Focus on commercial privacy policy issues
  • Address global privacy policy challenges and
    pursue coordinated policy around the globe
  • Promote favorable environment for cross-border
    information flows
  • Coordinate Administration positions on privacy
    and Internet legislation
  • No privacy czar inter-agency committee
  • White House Leadership

Federal Trade Commission Preliminary Staff
  • Protecting Consumer Privacy in an Era of Rapid
    Change A Proposed Framework for Businesses and

FTC Vision of Privacy by Design
  • Promote consumer privacy throughout the
    organizations and at every stage of the
    development of the products and services.
  • Incorporate substantive privacy protections into
    practices, such as
  • data security,
  • reasonable collection limits,
  • sound retention practices, and
  • data accuracy.
  • Maintain comprehensive data management procedures
    throughout the life cycle of products and

Doubly Broad Applicability
  • All commercial entities that collect consumer
    data in both offline and online contexts,
    regardless of whether such entities interact
    directly with consumers
  • For any data that can be reasonably linked to a
    specific consumer, computer, or other device

Three Key Principles
  • Privacy by Design
  • Internal safeguards by commercial entities
  • Comprehensive business privacy programs
  • Simplified Choice
  • Just in time notice and consumer choice
  • Standardized exceptions to the notice and
  • Do Not Track (national analog to Do Not Call)
  • Greater Transparency
  • Consumer access to, and ability to correct,
    personal data
  • Prominent notification and express affirmative
    consent required from consumers before a company
    uses consumer data in a materially different
    manner than notified at collection

Department of Commerce Green Paper
  • Commercial Data Privacy and Innovation in the
    Internet Economy A Dynamic Policy Framework
  • Draft White Paper (December ?)

Fair Information Practice Principles (FIPPs)
  • Transparency
  • Individual Participation
  • Purpose Specification
  • Data Minimization
  • Use Limitation
  • Data Quality and Integrity
  • Security
  • Accountability and Auditing

Privacy Impact Assessments (PIAs)
  • PIAs would require organizations to identify and
    evaluate privacy risks arising from the use of
    personal information in new technologies or
    information practices
  • The report contemplates that such PIAs would be
    prepared in sufficient detail and made public
  • Purposes
  • create consumer awareness of privacy risks in a
    new technological context
  • help organizations to decide whether it is
    appropriate to engage in the particular activity
    at all, and to identify alternative approaches
    that would help to reduce relevant privacy risks

Commercial Privacy Policy Office
EU Impacts
  • EU Data Protection Directive (1995)
  • Limits on collection, processing, transfer, and
  • EU member states prohibit or restrict transfers
    of personal information to the United States
    unless certain compliance mechanisms are in place
  • EU standards (derived originally from U.S. and
    OECD fair information principles) require
  • Notice of collection and use of personal
  • Choice (consent) to uses of information
  • Access to information to review, correct or
  • Integrity/security of data
  • Enforcement/redress of privacy rights
  • Member states differ significantly in approach

EU International Data Transfer Restrictions
  • Articles 25 and 26 of the Data Protection
    Directive prohibit transfer of personal data to
    countries outside EEA that do not ensure an
    adequate level of protection
  • Possible means for dealing with data transfers
    outside the EU include
  • Consent but consent must be informed and freely
  • Model Contracts
  • US Safe Harbor
  • Binding Corporate Rules
  • Article 26(1)(d) transfer necessary or legally
    required on important public interest grounds or
    for establishment, exercise or defence of legal
  • Hague Convention compliance with request under
    Hague Convention provides formal basis for
    transfer of personal data but some EU Member
    States have not signed Convention or have signed
    with reservations regarding civil discovery

International Privacy
Argentina Cyprus Lithuania Lithuania Netherlands Netherlands Netherlands Italy Italy Spain Spain Spain
Tunisia Malta Estonia Estonia Austria Austria Austria Denmark Denmark France France France
Slovakia Czech Republic Czech Republic Czech Republic Czech Republic Ireland Ireland Ireland Finland Finland Germany Germany Germany
Iceland Greece Greece Slovenia Slovenia Slovenia Suisse Suisse Poland Poland Poland
Latvia Liechtenstein Liechtenstein Liechtenstein Liechtenstein Sweden Sweden Sweden Japan Japan Portugal Portugal Portugal
Luxembourg Belgium Belgium Belgium
Singapore Mexico Mexico Israel Israel Israel Israel Romania Romania Romania
Dubai Dubai Hungary Hungary Hungary
Chile South Africa Norway
Paraguay Hong Kong Canada Canada Canada
Russia Australia Australia Australia United Kingdom United Kingdom United Kingdom United Kingdom
Korea Korea New Zealand New Zealand New Zealand New Zealand New Zealand New Zealand
Taiwan United States United States United States United States
Malaysia Serbia
Bosnia China China China China
Africa Many Latin American countries Many Latin American countries Many Latin American countries Many Latin American countries
Most Asian countries Most Asian countries Most Asian countries

Uncertainty in the Clouds
  • Not specifically regulated but a plethora of
    divergent laws and enforcement approaches apply
    around the world
  • Many laws relating to data privacy are outdated
    and it is unclear how they will be applied in
    Cloud circumstances
  • Laws of multiple jurisdictions may apply to
    transactions involving a single data set
  • Transferring data to a Cloud provider may lead to
    ambiguity regarding data protections
  • Liability for, and uncertainty about duties for
    responding to, data breaches, unauthorized
    access, loss of data, demands for access to data

Top Cloud Issues to Consider
  • Where Are the Data? Territorial jurisdiction
  • Privacy/Security Requirements
  • Incident Response and Control
  • Outages / Disaster Recovery
  • Service Levels / Speed
  • Termination / Migration to a Different Provider
  • Insurance / Indemnification / Risk Shifting
  • Government and Litigant Access to Information

Threat of Cloud Balkanization Complying with EU
Privacy Law?
  • Leading EU Parliamentarians are concerned about
    the US governments ability to seek and obtain
    information without notice to data subjects in
    the name of national security
  • Does the Commission consider that the U.S.
    PATRIOT Act thus effectively overrules the E.U.
    Directive on Data Protection? What will the
    Commission do to remedy this situation, and
    ensure that E.U. data protection rules can be
    effectively enforced and that third country
    legislation does not take precedence over E.U.
    legislation?Essentially what is at stake is
    whether Europe can enforce its own laws in its
    own territory, or if the laws of a third country

Beginning of a Digital Trade War?
  • Bloomberg (9/13/11) Deutsche Telekom Wants
    German Cloud to Shield Data From U.S.
  • Deutsche Telekom AG's T-Systems information
    technology unit is pushing regulators to
    introduce a certificate for German or European
    cloud operators to help companies guard data from
    the U.S. government.
  • The Americans say that no matter what happens
    I'll release the data to the government if I'm
    forced to do so, from anywhere in the world,'
    Clemens said. Certain German companies don't
    want others to access their systems. That's why
    we're well-positioned if we can say we're a
    European provider in a European legal sphere and
    no American can get to them.
  • Clemens said A German cloud would be a safe

CNIL (French DPA)
  • CNIL has facilitated the use of outsourcing
    services performed in France on behalf of
    non-European companies (15 March 2011)
  • Exempts required notification to CNIL for
    processing performed in the field of human
    resources and clients and prospects management by
    French service providers acting on behalf of
    companies established outside the European Union.
  • CNIL wants to be realistic and pragmatic in
    applying the French law to such situations
    ensure a high level of protection of personal
    data while, at the same time, generating
    practical solutions in order not to hamper the
    development of service provisions propositions by
    French companies.
  • CNIL decided to exempt from declaration the
    processing of human resources, client management
    and prospects files. This exemption relates to
    the processing performed by French service
    providers on behalf of data controllers
    established outside the EU.
  • CNIL wishes to encourage a reflection on how to
    improve and make more effective the rules
    relating to the national applicable law. The
    revision of the EU Directive, currently in
    progress, certainly provides a unique opportunity
    to embark on this path.

Google All Governments Seek Data
  • Google statistics on the number of requests it
    receives for the personal data of its users from
    governments around the world
  • Governments of France, Germany, Italy, Spain, the
    United Kingdom, and the Netherlands all submitted
    significant numbers of requests for user data
  • Other government requests do not seem
    disproportionately more circumspect or privacy
    protective than the number of requests received
    from the U.S. government
  • Accordingly, it not useful or accurate to single
    the United States out as significantly more
    intrusive on the Internet than other governments

Government Access National Security
  • US and European governments have similar
    approaches to the balance between privacy and
    national security
  • USA PATRIOT Act provides the FBI access to any
    business record with a court order, and expands
    the governments ability to obtain records
    pursuant to a National Security letter probable
    cause warrant or equivalent typically required
    for acquisition of communications or sensitive
  • EU Data Protection Directive Article 13
    specifically exempts national security from
    otherwise applicable privacy protections
  • EU Treaty of Lisbon, which ensured personal data
    protection in the EU, expressly allows member
    countries to impose derogations on personal
    privacy where necessary for national security
  • Specific European countries, such as the
    Netherlands and Spain, have created carve-outs in
    personal data privacy protections for activities
    conducted under the rubric of national security
    or certain law enforcement activities.
  • Some Europeans have exaggerated the differences
    between US and EU law regarding governmental
    access to personal data for national security

Corporate Cloud Strategies
  • Recognize that Cloud legal issues concern B2B as
    well as consumer (privacy) issues
  • Take stock of where in the world your data are
    (conduct data inventory and track flows of)
    personal information, IP and trade secrets, HR
    data, other valuable information assets
  • Engage in careful contracting preserve control,
    reduce risk of disclosure, assign security
    obligations and enforcement costs
  • Affirmatively deny consent to interception or
    disclosure of data conveyed by/through Cloud
    provider to governments or litigants
  • Require notification of breach/disclosures/request
    s for data
  • Deny access unless specifically authorized in
    advance or compelled by law (in which case
    notification is requested)
  • Require maximum possible resistance to disclosure
  • Determine access controls and encryption protocols

Privacy Challenges in Social Media
  • Internal Challenges
  • Mosaic leakage
  • Whistle-blowers
  • Employee leakage
  • External challenges
  • Customers
  • Hacktivists
  • Hackers
  • Journalists
  • Regulators

German Ban on Like Button
  • From a German law perspective, any company
    operating a Facebook fanpage and using Facebook
    Insight as a service may well be considered to
    have a data processing relationship with Facebook
  • Schleswig-Holstein DPA Thilo Weichert ordered
    businesses to remove the Facebook  like button
    from their websites and shut down so-called fan
  • Weichert emphasized that the wording in the
    conditions of use and privacy statements of 
    Facebook  do not meet the legal requirements for
    compliance of legal notice, privacy consent, and
    general terms of use

Privacy in Social Media Google Buzz
  • FTC charged that Google used deceptive tactics
    and violated its own privacy promises to
    consumers when it launched a social network by
    pulling information from Gmail accounts
  • Buzz settlement is the first to require
    implementation of a comprehensive Privacy by
    Design program to protect the privacy of
    consumers information, including
  • Risk assessment to identify reasonably-foreseeable
    risks and assess the sufficiency of safeguards
  • Regularly test or monitor the effectiveness of
    the programs key privacy controls and procedures
  • Settlement mandates a compliance and reporting
    program, including biennial assessments and
    reports from a qualified, independent third-party

NLRA Claims
Whether it takes place on Facebook or at the
water cooler, it was employees talking jointly
about working conditions . . . and they have a
right to do that. -- Lafe Solomon, GC of the
NLRB, on the Facebook firing case
  • NLRA claims challenge employer decisions and
    policies that interfere with employees right to
    engage in concerted activity.
  • NLRA protects all employees regardless of union
  • Recently, NLRB has issued complaints against
    employers in the context of social networking.
  • The NLRB has also issued advice memoranda
    addressing social networking issues.

Employment Privacy Issues
  • Duty to investigate sites where it knows of facts
    or has reliable objective evidence that would
    lead a reasonably prudent person to investigate a
    prospective or current employee
  • Past history or recent threats of violence
  • Complaints of harassment, sexual or otherwise
  • Knowledge of other conduct such as involvement
    in racist or hate groups that could create
    liability for the company
  • Employer responsible for employee posts on
    his/her blog during non-work hours on non-work
    equipment? It depends . . .
  • The nature of the post
  • Whether the employee clearly identified himself
    or herself as an individual (as opposed to an
    employee of the company)
  • Whether the individual truly acts as an
    individual, with no apparent nexus to the

Employment Privacy Issues To Monitor or Not To
  • Steps Forward
  • Steps to Avoid
  • Use to screen in and screen out applicants
  • Bona fide qualifications
  • Honesty in resume
  • Get FCRA Consent
  • Obey terms of use
  • Use consistent approach
  • Use non-decision maker
  • Investigate when prudent
  • Private sites
  • Protected groups
  • Protected activities (wages, hours, safety)
  • Consumption Statutes
  • Lifestyle Discrimination
  • California prohibits discrimination for any

Corporate Strategies Assessment
  • Factual assessment
  • Map how personal data is collected, stored and
  • Cultural assessment
  • Assess privacy training and employee awareness
  • How does privacy fit within the goals of the
  • Legal assessment
  • Analyze existing policies and procedures
  • Review vendor contractual provisions
  • Find a transborder data flow solution
  • Review website policies
  • Labor Unions / Workers councils
  • Registrations with DPAs
  • Security assessment
  • Document information security vulnerabilities and
  • Third party service providers and their policies

Mind the Common Compliance Gaps
  • The ability to deliver on privacy and security
    compliance obligations is often outpaced by
    market, technological, and organizational
  • Vendors, Vendors, Vendors
  • New Technologies
  • Analog Problems in a Digital World
  • People, People, People
  • Wireless and Slippery Devices
  • Organizational Commitment

Shift to Information Governance
  • Paradigm shift in which privacy becomes merely a
    part of information governance
  • Duties of privacy officers expanding or being
  • Information Security
  • Privacy
  • Marketing
  • Customer Sales
  • Records Management
  • eDiscovery

Key Insights
  • The issue is information governance collection,
    use, sharing, security, eDiscovery, retention and
  • Focus on data security, particularly due
    diligence over Internet systems and service
  • Clear legal obligations will generally lag
    industry standards, reasonable practices, and new
  • Include privacy in the design of new projects
  • Ensure board and senior management involvement

Ten Items to Worry About
  • Locational privacy geo-located ubiquitous mobile
    web devices
  • Security Will cybersecurity overwhelm privacy?
  • Children Protecting digital natives, without
    breaking the web
  • Smart grid Will appliances become surveillance
  • Face recognition Will useful apps enable mass
  • Privacy Notices Are privacy policies useful?
    What is next?
  • Anonymization Is everything on a spectrum of
  • Analyzing social media Birds of a feather.
  • Droit a l'Oubli Is forgetting censorship?
  • Conflicts in the cloud Is the global web

  • Edward McNicholas
  • Partner
  • Sidley Austin LLP
  • 1501 K Street, NW
  • Washington, DC 20005
  • (202) 736-8010

This presentation has been prepared by Sidley
Austin LLP as of November 14, 2011, for
educational and informational purposes only. It
does not constitute legal advice. This
information is not intended to create, and
receipt of it does not constitute, a
lawyer-client relationship. Readers should not
act upon this without seeking personalized advice
from professional advisers. Sidley Austin LLP, a
Delaware limited liability partnership which
operates at the firms offices other than
Chicago, London, Hong Kong, Singapore and Sydney,
is affiliated with other partnerships, including
Sidley Austin LLP, an Illinois limited liability
partnership (Chicago) Sidley Austin LLP, a
separate Delaware limited liability partnership
(London) Sidley Austin LLP, a separate Delaware
limited liability partnership (Singapore) Sidley
Austin, a New York general partnership (Hong
Kong) Sidley Austin, a Delaware general
partnership of registered foreign lawyers
restricted to practicing foreign law (Sydney)
and Sidley Austin Nishikawa Foreign Law Joint
Enterprise (Tokyo). The affiliated partnerships
are referred to herein collectively as Sidley
Austin, Sidley, or the firm.
Write a Comment
User Comments (0)