Forensic Update

Reflections on information management within the legal and regulatory arena

Laptop stolen from employee vehicle = 20 years of FTC Audits for Employer…

Posted by Johnny Lee on February 1, 2013


The news of data breaches has certainly become maddeningly commonplace in recent years.  Many industries have been slow to adopt even the most rudimentary controls for securing highly portable media, such as thumb drives, laptops, mobile devices, and the like.

Perhaps as an antidote to that tardy adoption, the Federal Trade Commission (“FTC”) recently announced a settlement with a leading cord blood bank, related to claims that it failed to protect the security of customers’ personal information.  Moreover, the settlement stipulates that this cord blood bank’s inadequate security practices contributed to a breach that exposed the Social Security and financial information of nearly 300,000 consumers.

The FTC claims arose from an incident in December 2010, in which laptops, backup tapes, and other storage media were stolen from an employee’s personal vehicle.  The catch?  None of these storage media were encrypted in any fashion.

This lack of encryption appears to be the linchpin consideration in the FTC’s analysis of culpability.  The cord blood bank must now submit to an annual certification (by an external party) for the next twenty years.  This enforcement action by the FTC will undoubtedly raise the awareness of organizations slow to adopt the perspective that there is wisdom in having policies and procedures in place to safeguard sensitive data.  While these policies and procedures might — and perhaps ought to — vary from industry to industry, certain basics will likely be adopted over time, and I suspect that encryption will rise in adoption as a safeguard even more rapidly than it has in recent years.

For more on the FTC’s settlement announcement, please click here.

Please see the disclaimer associated with content published on (and associated with) this site.

Posted in eDiscovery

Panel of Experts @ NACDL White Collar Criminal Defense College…

Posted by Johnny Lee on January 11, 2013

Described as a practitioner’s “boot-camp” program for those “wishing to gain key advocacy skills and learn substantive white collar law. The program will cover client retention, investigation in a white collar case, handling searches and grand jury subpoenas, and dealing with parallel proceedings. Participants will have the experience of negotiating a plea, making proffers, and examining which experts to hire and how to protect the client in this process. Interactive sessions with top white collar practitioners will allow the participants to learn trial skills such as opening statements, cross-examination, jury instructions, closing arguments, and sentencing – all in the context of a white collar matter.”

ForensicUpdate editor, Johnny Lee, will participate in a panel discussion on Saturday, January 11th about engaging experts and lessons learned from the trenches.  Please click here for more details.

Posted in eDiscovery

Excellent panel discussion on the Challenges of Managing Cross-Border Governance…

Posted by Johnny Lee on October 26, 2012

I recently had the pleasure of moderating a panel discussion on the Challenges of Managing Cross-Border Governance.  The event was sponsored by Thomson Reuters, as part of their ongoing series covering topics within the arena of Governance, Risk & Compliance.

Joining me on the panel were a trio of all-star attorneys from the Atlanta area: Scott Burton, Partner at Sutherland; Jason Poulos, Of Counsel at Wheeler Weinberg; and Dewitt Rogers, Partner at Troutman Sanders.  Each of these veteran attorneys shared their perspectives, ranging from the challenges of conducting investigations and litigation across multiple borders to the complexities and impacts of these issues as they relate to Corporate Governance and international Mergers and Acquisitions.

I thoroughly enjoyed myself, and I appreciate the opportunity to take part in such an informed discussion.  I hope that those who attended took as much away from the experience as I did.

Posted in Announcement, Computer Forensics, Data Governance, ECM, eDiscovery, Investigations, Privacy, Records Retention

Upcoming AIIM Webinar on Information Governance…

Posted by Johnny Lee on September 2, 2012

ForensicUpdate editor will lead a presentation in late September on “Information Governance in our Social World.”  The webinar will be hosted by Autonomy and produced by AIIM.

The description for the webinar is as follows: “Information Governance is concerned with defining accountability for an organization’s information assets. If governance is implemented properly – that is, if there is GOOD governance – the organization’s information management should be compliant with any relevant legislation or regulations.

In addition to good governance, organizations need to be consistent with their departmental policies – the kinds of policies that are often sporadically enforced and/or are contradictory from one department to the next (i.e., HR or accounting retention or security policies that differ from IT’s practices).

Join this webinar to learn the latest on how Information Governance will address all the multi repository and social media interfaces that impact your organization’s policies — including those that attempt to govern behavior within your organization as well as those that affect your customers and other partners and providers. Learn tips on how to improve your information governance programs for better compliance, better processes, and better information management.”

Posted in Data Governance, ECM, eDiscovery, Information Security, Litigation Hold, Records Retention, Social Networking

ForensicUpdate Editor to join panel on “Information Security, Access Control and Forensics”…

Posted by Johnny Lee on August 8, 2012

The Metro Atlanta Chapter of the Information Systems Security Association (ISSA)® will host a panel discussion on information security and related topics in late August 2012.  The meeting will be held on August 30, 2012 from 6:30 PM – 9:00 PM at One Concourse Pkwy NE, 5th floor, Atlanta, GA 30328.  Panelists include Andre Maxwell (Principal at Information Security Xperts, Inc.), Kevin Morgan (Global IT Audit Manager at InterContinental Hotels Group), and Johnny Lee (Forensic Investigator and ForensicUpdate editor).

Please join us for a lively discussion of trends, technologies, and lessons learned from practitioners wrestling with these issues on a daily basis.  Audience participation is both welcome and encouraged.  We hope to see you there!  Click here for details.

“The ISSA is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.  The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity, and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved. Members include practitioners at all levels of the security field in a broad range of industries such as communications, education, healthcare, manufacturing, financial, and government.”

Posted in Computer Forensics, Data Governance, ECM, eDiscovery, Information Security, Litigation Hold, Records Retention

The Poisoned Well: Dreaded Pre-Trial “adverse inference” Jury Instruction in Apple v. Samsung

Posted by Johnny Lee on July 26, 2012

U.S. Magistrate Judge Paul S. Grewal granted plaintiff’s motion to issue a critical jury instruction related to the trial between tech giants Apple and Samsung…before the trial is even underway.  This ruling allows the jury to draw whatever inferences it wishes about the “lost evidence,” with Judge Grewal stating that the lost evidence was not only favorable to the plaintiff (Apple) but that the jury “…may choose to find it determinative, somewhat determinative, or not at all determinative in reaching your verdict.”

This ruling puts the defense team (Samsung) even more on the defensive in a suit meant to settle a host of substantial Intellectual Property and device design disputes.  Judge Grewal grounded his jury instruction upon the evidence submitted that the defendant had failed to avoid the auto-deletion of key email evidence.

Judge Grewal summarized the defendant’s lapse as a failure to recognize when its evidence-preservation duties arose (in Judge Grewal’s words, “especially during the critical seven months after a reasonable party in the same circumstances would have reasonably foreseen this suit”).  Simply put, the defendant “fell short of what it needed to do.”

This will be a much-watched case, and having the well “poisoned” so early in the case may have a profound effect upon the outcome.  Undoubtedly, this case will be discussed a great deal in the eDiscovery literature as yet another object lesson on the importance of evidence preservation, including the related corollaries of records retention, data governance, and litigation holds.

Posted in Data Governance, ECM, eDiscovery, Litigation Hold, Records Retention

Must Transactional Attorneys Preserve Evidence?

Posted by Johnny Lee on June 5, 2012

It is almost axiomatic in American jurisprudence that the duty to preserve arises for a party when that party “knows or reasonably should know” that litigation is foreseeable.  That said, a recent matter out of the federal courts in New York has raised a very interesting question about evidence preservation duties, as well as when and how they extend to certain parties — including their counsel.

Corporate and litigation counsel alike recognize their (somewhat nebulous) triggering event as the “reasonable anticipation” of a dispute arising, and they respond by issuing data preservation instructions to custodians to ensure that all potentially relevant information is retained for possible review and use in such a matter.  However, federal magistrate judge Joan Azrack has indicated that counsel for a party that destroys evidence might be sanctioned for failing to preserve — independent of a litigation hold — certain documents (including emails) that relate to “the lawyer’s negotiation and documentation of a loan agreement.”

What’s novel in this matter is not that this duty arises for counsel, but when and why.  The case (FDIC v. Malik) involves a suit brought by the FDIC, in its role as the receiver for a mortgage company, against the mortgage company’s attorneys (et alia) relating to a series of loan transactions.

It is important to note that this case is still in process, so its implications (both for litigation- and for records-management) will be watched closely.  Of particular note here is the implication that document retention regulations (in this case, arising out of the attorney’s professional responsibility rules) can establish evidence-preservation obligations where the affected party is “a member of the general class of persons that the regulatory agency sought to protect in promulgating the rule.”  If we were to extrapolate this to organizations across the legal spectrum, this could represent a precedent of staggering influence to corporate America and the way it manages information.

Posted in eDiscovery, ECM, Records Retention, Litigation Hold, Data Governance

Parting is such tweet sorrow…

Posted by Johnny Lee on May 16, 2012

With humble apologies to The Bard for the headline, a recent story picked up by The Wall Street Journal chronicles the dismissal of a Chief Financial Officer for his candid and extemporaneous disclosures via Twitter and Facebook.  This is yet another in a long series of headline-grabbing stories related to the perils of un-checked social media gaffes.

The tweeter in question is Gene Morphis who, until quite recently, was the CFO of Francesca’s Holdings Corp.  Through its subsidiary, Francesca’s operates a chain of retail boutiques offering apparel, jewelry, accessories, and gifts to female customers.  The company was founded in 1999, is headquartered in Houston, and has a $1 billion market capitalization.

According to The Wall Street Journal, Mr. Morphis “maintained a publicly viewable profile on Facebook, authored a blog called ‘Morph’s View’ and maintained a Twitter account under the handle ‘theoldcfo.’  Online, he discussed everything from Christmas to college basketball, and occasionally company doings.”  It was the last point in this list that brings him to our attention.

The Journal reports that Morphis posted information related to his dealings with Francesca’s board, an investor road show, earnings calls, and other corporate interactions.  Following an internal investigation led by outside counsel, the company has stated that it terminated Morphis “for cause” and that it is “disappointed by this situation but we expect our executives to comply with all company policies.”

While this specific fact pattern is not familiar to this editor, we can perhaps expect similar examples to come.  According to a recent survey from the Society for Human Resource Management, only two in five employers have formal social-media policies.  Perhaps just as telling, of those organizations with formal policies, one in three have taken “disciplinary action” against an employee in the past year.

The take-away?  Social media technologies represent a significant source of both benefit and risk to organizations today.  Examining these benefits and risks is becoming more and more crucial, and placing these benefits and risks within the context of existing compliance frameworks is becoming the only way to proportionally manage the same.

Posted in Data Governance, Investigations, Privacy, Records Retention

ForensicUpdate Editor to present on two CyberSecurity Panels…

Posted by Johnny Lee on May 7, 2012

This year’s AccessData User’s Conference will be held in Las Vegas. This conference brings together world-class instruction from real-world industry practitioners, and it provides a wealth of information related to cybersecurity, forensics, and eDiscovery.

This three-day conference will include luminaries from around the world, leading sessions and delving into the complexities related to acquiring, analyzing, and managing data in fast-paced environments and situations. There is a variety of break-out sessions and hands-on laboratories designed to improve the participants’ skills and to apply what they have learned.

ForensicUpdate editor, Johnny Lee, will participate in two panel discussions: “Data Governance and eDiscovery” and “Data Breaches.”  Click here for more details.

Posted in Computer Forensics, Data Governance, eDiscovery, Information Security, Investigations, Privacy, Records Retention, Social Networking

DLA Piper publishes global handbook on Data Privacy Laws…

Posted by Johnny Lee on April 23, 2012

The safeguarding of personal information by organizations has never been more difficult or more necessary.  This is true not merely because of the relatively unchecked trends of data proliferation and data portability but also because of the increasingly complicated legal and regulatory landscape.

Organizations of all sizes are struggling with this, but multi-national companies have a unique set of challenges in trying to identify — much less reconcile — the myriad of rules, regulations, and laws related to the protection of personal data.  This is what makes DLA Piper’s subject contribution such a welcome addition to the compliance literature.

The DLA Piper Information Law Team have published a handbook with “an overview of the applicable privacy and data protection laws and regulations across 58 different jurisdictions, including a section on enforcement.  Edited by Cameron Craig, Paul McCormack, Jim Halpert, Kate Lucente, and Arthur Cheuk, the DLA Piper 2011/2012 Data Protection Laws of the World Handbook is available here.”

Posted in Data Governance, ECM, Information Security, Privacy, Records Retention