records and information governance: the legal landscape
TRANSCRIPT
Information Governance and the Legal Landscape 101
Presented by John Isaza, Esq., FAI
AGENDA
Scope of Information Governance
The Generally Accepted Recordkeeping Principles and Impact on Lawyers
  o ABA Amendments – Ethical requirements
  o Security and Privacy
  o Challenges for global firms
How to comply?
The Scope of Information Governance
PART 1
GARTNER DEFINITION OF INFORMATION GOVERNANCE
“an accountability framework to encourage desirable behavior in the
valuation, creation, storage, use, archival and deletion of information.”
SCOPE OF INFORMATION GOVERNANCE
WHO IS RESPONSIBLE FOR IG COMPLIANCE?
General Counsel
Risk Management Committee / Partners
IG Advisory Committee
Information Technology
Records Management
Knowledge Management
Practice Group Leaders
Marketing
Administration
The Generally Accepted Recordkeeping Principles
PART 2
WHAT ARE THE PRINCIPLES?
Generally Accepted Recordkeeping Principles (GARP)
Information management and governance of records creation, organization, security, maintenance and other activities used to effectively support recordkeeping of an organization.
A TIP CARD YOU SAY?
Transparency
Accountability
Integrity
Protection
Compliance
Availability
Retention
Disposition
Principle of Accountability
An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.
PRINCIPLE OF ACCOUNTABILITY
LEGAL CONSIDERATIONS
Supports ABA Model Rule 5.1
Responsibilities of Partners, Managers & Supervisory Lawyers
Oversight directive is key component of Rule 5.1 compliance
Principle of Accountability
FEDERAL SENTENCING GUIDELINES
• Section 2E5.3 deals with labor management reporting and ERISA
• Section 2E5.3 focuses on “falsification of documents or records… [and] failure to maintain proper documents”
• Assigned “Accountability” is critical to avoid harsher penalties under Section 2E5.3
The Principles
Principle of Transparency
The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.
PRINCIPLE OF TRANSPARENCY
LEGAL CONSIDERATIONS
Supports ABA Model Rule 1.4(a)(4)
Availability of information is key component of Rule 1.4 compliance
A lawyer must "comply with reasonable requests for information."
The Principles
Principle of Integrity
A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
PRINCIPLE OF INTEGRITY
LEGAL CONSIDERATIONS
Affects authentication of records in court
Note difference between discovery and admissibility in court
Chain of custody issues
Principle of Availability is critical to discovery
Principle of Integrity is critical to admissibility
Principle of Integrity
FEDERAL SENTENCING GUIDELINES
• Section 2E5.3 deals with labor management reporting and ERISA
• Section 2E5.3 focuses on “falsification of documents or records… [and] failure to maintain proper documents”
• Integrity is critical to avoid harsher penalties under Section 2E5.3
FEDERAL SENTENCING GUIDELINES
Part J addresses recordkeeping considerations:
• Does offense involve destruction, alteration or fabrication?
• Does offense involve essential records?
• What was scope, planning or preparation of the offense?
FEDERAL SENTENCING GUIDELINES
Section 2E5.3 covers recordkeeping for:
• Benefit Plans covered by ERISA
• Documents required by Labor Management Reporting and Disclosure Act
• Provides sentencing guidelines for falsification of documents or records or for failure to maintain proper documents
LEGAL HOLDS COME INTO PLAY
Principle of Integrity includes Legal Holds
Must prevent alteration of records and other ESI that are relevant to pending or anticipated litigation or investigation
Challenge with data maintained in the Cloud
The Principles
Principle of Protection
A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
PRINCIPLE OF PROTECTION
LEGAL CONSIDERATIONS
ABA Model Rule 1.6
The cornerstone of the attorney-client privilege
Duty to maintain confidentiality of information
Protection is critical to Rule 1.6 compliance
J-M v McDermott, Will & Emery – Duty to Protect Privilege
RECENT ABA AMENDMENTS
Commission on Ethics 20/20 created by then ABA President Carolyn B. Lamm in 2009 “to perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments”
• Not binding on lawyers unless and until adopted by States, but expect high adoption by states.
Recent ABA Amendments – Rule 1.6
CONFIDENTIALITY OF INFORMATION
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. [Entirely new sub-section]
Recent ABA Amendments – Rule 4.4
RESPECT THE RIGHTS OF THIRD-PARTIES
A lawyer who receives a document or electronically stored information relating to the representation of the lawyer’s client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender.
Privacy and Information Security
HEALTH INFORMATION
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), whose regulations govern privacy and data security issues related to health information (including data maintained by employee health plans);
• Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which imposes additional information security obligations on HIPAA covered entities and business associates of covered entities
IMPACT OF HIPAA & HITECH ON LAW FIRMS?
• HIPAA applies to law firms that accept affected health care information from their healthcare clients
• HITECH extended regulations to professionals servicing healthcare industry, including lawyers
• Enforcement of penalties will take effect upon release of final set of rules (pending for 2 years)
• After that time, Security and Privacy rule violations could result in fines ranging from $50,000 to $1.5 million for a single violation
Privacy and Information Security
STATE LAWS AND INFORMATION
• State laws requiring the provision of privacy notices to individuals, such as the California Online Privacy Protection Act
• State information security breach notification laws, which are in place in over 45 states, Washington, D.C. and Puerto Rico; See, e.g., Cal. Civ. Code §§ 1798.29, 1798.82; N.Y. Gen. Bus. Law § 899-AA.
• State laws imposing minimum information security requirements, such as the Massachusetts Standards for the Protection of Personal Information; See, e.g., 201 Mass. Regs. Code §§ 17.01–17.05.
Privacy and Information Security
SSN AND PERSONAL INFORMATION
• State laws that regulate the collection, use and other processing of Social Security numbers (“SSNs”)
• State laws requiring the secure disposal of records containing certain personal information, e.g., California, Georgia, Indiana, Montana, New Jersey, New York, North Carolina, Texas, Utah, Vermont, Washington and Wisconsin (some states also regulate disposal of personal info, whether a client or employee)
IMPACT ON LAW FIRMS
• Example - Massachusetts Standards for the Protection of Personal Information
• One of the most far-reaching personal information data security regulations in the country
• Imposes obligation on any entity having the described personal information of an individual (SSN, Driver License/State ID, Financial account information)
• Requires documented security program, with administrative, technical and physical safeguards
• Raises the importance of law firms researching all states from which they might have an individual’s personal information and having defined policies and practices in place to ensure compliance
International Considerations for Protection
JAPAN AND AUSTRIA
• E.g., Japan: “Shall not provide personal data to a third party without obtaining the prior consent of the person.” See Act on the Protection of Personal Information, Art. 23
• E.g., Austria: “Authorisation shall be required for data exchange with recipients in third countries with an adequate level of data protection”
DATA PRIVACY LAWS - INTERNATIONAL
Data Privacy Laws outside the US
• In the EU, personal information includes business contact information or memberships in trade groups or political organizations.
• EU restrictions on cross-border transfer of personal information may limit a law firm’s ability to receive in the U.S. documents containing personal information from the EU.
• The issue is exacerbated further by the broad interpretation of the term “personal information” under EU data protection law.
PRINCIPLE OF COMPLIANCE
LEGAL CONSIDERATIONS
ABA Model and local bar rules go to compliance
Various bar requirements address retention requirements
ABA Model Rule 1.15
• Safekeeping property requirement: “lawyer shall hold property of clients or third persons… separate from own property”
• Traditionally refers to money, but could “records” be considered “property?”
• Does compliance for a law firm include segregating client records from law firm records?
Recent ABA Amendments – Rule 1.1
COMPETENCE
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Recent ABA Amendments – Rule 1.4
COMMUNICATION
A lawyer's regular communication with clients will minimize the occasions on which a client will need to request information concerning the representation. A lawyer should promptly respond to or acknowledge client communications.
WHAT DO THE ABA CHANGES MEAN?
• Although advisory at this point, the Rule changes reflect the ABA acknowledgement that lawyers have emerging obligations in light of new technology
  o Electronic Communications and Documents
  o Cloud
  o Third-Party Vendors
  o ESI
• Shows trend to embrace and regulate lawyers’ use of technology with client files. Expect wide state adoption and further modifications of Rules with changing technology
The Principles
Principle of Availability
An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
PRINCIPLE OF AVAILABILITY
LEGAL CONSIDERATIONS
Legal edicts similar to those applied to the principle of transparency
Supports ABA Model Rule 1.4(a)(4)
Availability of information is key component of Rule 1.4 compliance
A lawyer must "comply with reasonable requests for information."
Principle of Availability
FEDERAL SENTENCING GUIDELINES
Per Chapter 1, Part A, Subsection 4 “regulatory offenses” are a “major issue”
Criminal violations include “failure to… provide requested information”
Availability of information is key component of the Federal Sentencing Guidelines
The Principles
Principle of Retention
An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
PRINCIPLE OF RETENTION
LEGAL CONSIDERATIONS
Thousands of regulations across the globe dictate retention requirements
Must consider:
• Directly regulating statutes and regulations
• Statutes of limitations
• Standards
• Professional organization requirements
• Client records
Principle of Retention
FEDERAL SENTENCING GUIDELINES
• Per Chapter 1, Part A, Subsection 4 criminal violations include “failure to keep accurate records…”
• Per Part J, Subsection 3: “if the offense… involved the destruction, alteration, or fabrication of a substantial number of records, documents, or tangible objects” then the sentence should be increased
• Retention of information is key component of the Federal Sentencing Guidelines
Records Management Policy
Policy and procedures needed, with RRS
Result in proactive records management
Targeted suspension/restart of records destruction when needed
Ability to retrieve subpoenaed records
Efficient document review & production
Management of documents across cases
CRITICAL IMPORT OF LEGAL HOLDS
• Principle of Retention includes Legal Holds: irrespective of the RRS, there is a duty to retain records and other ESI that are relevant to pending or anticipated litigation or investigation
The Principles
Principle of Disposition
An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.
INTERNATIONAL CONSIDERATIONS FOR DISPOSITION
AUSTRALIA AND BELGIUM
• E.g., Australia (Privacy Act 1988 Schd 3, 4.2): “An organization must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed.”
• E.g., Belgium (BLG Dec 92 Prot Art 16.2): “The controller or his representative in Belgium, if any, must: ensure with due care that the data is kept up-to-date, and that incorrect, incomplete and irrelevant data, is rectified or erased.”
PRINCIPLE OF DISPOSITION
LEGAL CONSIDERATIONS
Retention regulations also apply here
L.A. County Bar requirement to obtain written instructions from client for criminal records
Query New York Bar requirement for "Confidential Material"
• Retain “permanent, including after termination” of relationship
• What is considered confidential material?
• The term “material” is broader than “communication”
• How do you determine what to keep permanently?
• What is the effect on emails and other forms of confidential communications with client?
Principle of Disposition
FEDERAL SENTENCING GUIDELINES
Per Part J, Subsection 3: “if the offense… involved the selection of any essential or especially probative record, document or tangible object, to destroy or alter” then the sentence should be increased
Disposition of information is key component of the Federal Sentencing Guidelines
LEGAL HOLDS ARE AGAIN CRITICAL
• Principle of Disposition includes Legal Holds
• Must suspend destruction or alteration of records and other ESI that are relevant to pending or anticipated litigation or investigation
THE MATURITY MODEL APPLIED TO EACH PRINCIPLE
Level 1: SUB-STANDARD (RED)
Level 2: IN DEVELOPMENT (ORANGE)
Level 3: ESSENTIAL (AMBER)
Level 4: PROACTIVE (BLUE)
Level 5: TRANSFORMATIONAL (GREEN)
A rating of less than 5 may be acceptable because of:
• Organizational risk tolerance
• Comparable with industry peers or competitors
Previous level is not a prerequisite for the next
How to Comply?
PART 3
Principles as Best Practices
• The Principles as a key foundation of success
  o Tracks legal requirements such as ABA Model Rules and Sentencing Guidelines
  o Tracks international standards and requirements
• The Principles as a framework; NOT prescriptive
• The Principles are flexible
Principles as Best Practices
• The Principles are not right vs. wrong
  o Different approaches to get there
  o Strive for continuous improvement
  o Progress over perfection
• Be sure to have:
  o Governance structures
  o Policies needed
  o Processes defined to support policies
  o Use of technologies
Create a Roadmap
• Research all relevant regulations, laws, ethics requirements for jurisdictions in which the firm does business or from which the firm receives personal information for clients/employees
• Establish ultimate authority over risk and legal, e.g., General Counsel, Risk Committee, etc.
• Evaluate all policies, systems, and processes for compliance
• Evaluate shared or secondary use of client information – brief banks, expert banks, etc.
• Evaluate third-party vendor contracts and monitor ongoing compliance
• If needed, implement technology, policy/process changes to meet requirements
FINAL RECOMMENDATIONS
Bottom line: Possession, custody and control
Conduct a Principles-based Assessment
Create a Steering Committee
First lines of defense
Create and implement a records and information management (RIM) program
Create and follow a Retention Schedule
Robust Legal Holds processes
John J. Isaza, Esq., FAI
Information Management Partner, Rimon, PC
www.RimonLaw.com