2011 hildebrandt institute cio forum data privacy and security presentation - facilitated by dave...


Upload: davecunningham

Post on 28-Nov-2014


TRANSCRIPT

Page 1: 2011 hildebrandt institute cio forum   data privacy and security presentation - facilitated by dave cunningham - april 28 2011

Leveraging IT in Times of Fiscal Restraint to Support Evolving Law Firm Business Models

April 28, 2011

Sentry Centers, New York, NY

Data Privacy and Security: Risk Management and Competitive Advantage

Michael McGuire, CISO, Littler Mendelson

Andrew Rose, Global IT Risk Manager, Clifford Chance

Dave Cunningham, Managing Director, Hildebrandt Baker Robbins

Page 2:

Obligations That May Apply to Personally Identifiable and Sensitive Data

• HIPAA

• HITECH Act

• State/Local Breach Notification Laws

• State/Local Encryption Laws

• PCI

• FTC Red Flags Rule

• Model Rules

• Ethical Obligations

Page 3:

Examples of data regulated by one or more privacy/security statutes

• Name

• Social security number

• Last four of social security number

• Driver's license number

• Date of birth

• Passport information

• Health information

• Maiden name

• Electronic or digitized signature

• Physical or mental health conditions

• Information regarding provision of or payment for health care

• Financial information (electronic payroll deposit)

• Credit card or debit card information

• Government identification numbers

• Tax information

• Address or phone numbers

• Biometric information (fingerprint, voice print, etc.)

Page 4:

Page 5:

Anonymous and HBGary

Page 6:

Page 7:

Page 8:

Ex-Sonsini Attorney Charged In $32M Insider Trading Case

• A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms that netted $32 million in a decades-long insider trading scheme.

• Kluger regularly “stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working,” according to a copy of the criminal complaint.

Page 9:

HIPAA Sanctions

• $4.3 Million against health provider

– multiple “willful” failures to respond to patient requests for records

• $1 Million payment to avoid a penalty by Massachusetts Hospital

– 192 patient paper records left on subway

Page 10:

Information Security Roles

Andrew Rose, Global IT Risk Manager, Clifford Chance

Michael McGuire, Chief Information Security Officer, Littler Mendelson

Page 11:

ISO 27001 in a Nutshell...

• Define the Scope

• Do the Admin

– Create and communicate your IS Policy

– Identify and value your assets

– Complete the ‘Statement of Applicability’

– Define your risk assessment process

– Conduct a baseline risk assessment

– Define and initiate an internal IT audit process

• Set up a Security Forum

• Set up a Risk Treatment Plan (Live with it for a while)

• Stage 1 Audit (Live with it for a while longer)

• Stage 2 Audit

[Timeline graphic on slide: phases labelled 6-9 Months, 2-3 Months, 1-2 Months]

Page 12:

Audits

• SAS 70—Statement on Auditing Standards (SAS) No. 70, Service Organizations. It is an audit standard developed by the American Institute of Certified Public Accountants (AICPA).

• SSAE 16 SOC Reports—Statement on Standards for Attestation Engagements (SSAE) No. 16, is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). http://www.ssae16.org/

Page 13:

Components of Typical Information Security Program

• Administrative controls

– Comprehensive, written information security program

– Education of employees

– Information classification

– Transfer and termination policies

– Service provider management

– Incident response program

– Personnel controls

• Physical controls

– Access controls

  • Badges

  • Locked areas

– Clean desk policies

– Cameras for sensitive areas

• Technical controls

– Passwords

– Encryption

  • Data in transit

  • Data at rest

  • Data on backup media

– Vulnerability scans of systems that store PII

– Controls for removable media

– Firewalls and intrusion detection/prevention

– Virus prevention programs

– Deployment of security patches

– Secure deletion of data on media prior to disposal

Page 14:

Service Provider Management

• Risk assessment process

– Identify vendors who will have access to PII

– Explore what level of controls vendor has

– Possible on-site risk assessment

– Bind by contract to maintain controls

Page 15:

Examples of Contractual Controls

• Need-to-know access restrictions

• Encryption of PII in transit

• Encryption of PII when stored on portable devices

• No reuse of data

• No onward transfer of data

• Return or destruction of data

• Pre-approval of vendors who will gain access to data

• Information security training for staff with access to data

• Complex passwords

• Notification of security breaches

• Deployment of security patches

Page 16:

Questions

Michael McGuire, Chief Information Security Officer, Littler Mendelson

[email protected]

Andrew Rose, Global IT Risk Manager, Clifford Chance

[email protected]

Dave Cunningham, Managing Director, Hildebrandt Baker Robbins

[email protected]

Page 17:

How to Engage Your Company’s IT Security Team

• Work with internal security team to ensure they understand use of HR data in litigation

• Security by design

• Engage law firms and inquire about controls

• Don’t send more data than is necessary

• Consider “easy” encryption options