Federal Discovery Response

What Every Company Should Know About Data Security
Electronic Discovery

            Todd L. Newton
Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.

Why data security is paramount to your
• Data security examples
• How the new amendments to the
  Federal Rules of Civil Procedure affect
  your business
• Tips for preparing for security
  breaches and electronic discovery
                       Data Security

• 49% of businesses have lost a laptop in the
  past twelve months
• 64% of businesses have never conducted an
  inventory of customer or employee data
• 33% of businesses believe a data breach
  can put them out of business
• On average there is a Data Breach every
  three days
• A Data Breach will cost roughly “$182 per
  record exposed”*
*Ponemon Institute - 2006 Annual Study: Cost of a Data Breach
      Security Breach Costs

•   Value of stolen data
•   Cost of protecting affected victims
•   Cost of remedial security measures
•   Fines
•   Loss of good will and reputation
•   Lawsuits
            Case Study

         CardSystems Solutions
Issue: Security Breach
Effect: Records of 40,000,000
  cardholders exposed, with millions of
  dollars in fraudulent purchases.
Outcome: Settlement with FTC included
  implementation of security program
  and independent audits.
            Case Study

      Department of Veterans Affairs
Issue: Stolen laptop
Effect: Records on 26,500,000 veterans
  exposed, including SSN.
Outcome: $7,000,000 spent notifying
  victims and $7,000,000 spent operating
  inbound call centers
              Case Study
         The TJX Companies, Inc.
Issue: Security breach
Effect: 46,155,000 customer records stolen,
  including credit card information and driver's
  license numbers. Stolen information used to
  buy over $1mm in merchandise.
Outcome: Ongoing. The FTC is investigating
  and TJX has settled the class action lawsuit.
  TJX has already spent $256 Million dealing
  with this breach, with costs expected to
  exceed $1 Billion.
             Case Study
Cause: ID thieves set up bogus accounts to
  illegally purchase client information
Effect: 163,000 customer records accessed,
  including names, addresses, Social
  Security numbers, credit reports and other
Outcome: FTC fines resulting in $10 Million in
  civil penalties, and another $5 Million to
  establish a consumer restitution fund.
  ChoicePoint has been subjected to more
  than 80 external audits over the past 24
            Case Study
Issue: Break in - Server Stolen
Effect: 970,000 customer records
  stolen, including names, addresses,
  and Social Security numbers.
Outcome: No formal complaints filed.
  AIG reported that the stolen computer
  was on an encrypted network and that
  the files were password-protected.
     Security Breach Prevention

• Periodic Security Audits
    – In-house audit by IT department
    – Third-party audit by independent
•   Crisis Response Plan
•   Enforced Security Policies
•   Password Management
•   Periodic Data Inventory
     Security Breach Response

•   Crisis Response Plan Implementation
•   Key Event Documentation
•   Preservation of All Pertinent Evidence
•   Law Enforcement Notification
•   Victim Notification
Federal Rules of Civil Procedure

• Summary of the major e-discovery
  1. Providing for early resolution of
     e-discovery issues
  2. Providing remedy for inadvertent
     disclosure of electronic data
  3. Addressing the issue of document
     deletion and sanctions
  4. Providing guidance on discovery of
     electronic data that is not readily
          E-Day Survival Tips

1)   Create, implement, and enforce a record retention
     policy covering both paper and electronic records,
     including email, voicemail, chats/instant
     messaging, word processing documents,
     spreadsheets, etc., when such records can be
     destroyed, when destruction must be suspended
     (“litigation hold”), and person who will enforce the

2)   As part of the policy, develop a litigation hold plan,
     including who will announce the hold, how the hold
     will be announced, when it will be announced, how
     it will be monitored and enforced and by whom
3) Inventory types of data/records generated
   and retained and what might be relevant to
   future litigation, where kept, for how long,
   etc. - ***including data held by 3rd parties
   and data generated by departing/former

4) Inventory network hardware and users,
   including locations where ESI kept,
   organization chart, etc.

5) Assemble a discovery team consisting of
   people from various departments, including
   legal, IT, management, outside counsel,
6) Devise discovery response plan, including
   responsibilities of discovery team
   members, how pertinent records will be
   located, logged, preserved, reviewed, and
   produced, how compliance will be
   monitored, how to minimize disruption to
   employees’ use of network, etc.

7) Designate a person as the 30(b)(6) who
   can testify re: company’s network, retention
   policies, coordination with legal
   department, role in implementing litigation
   hold, etc.

8) Educate employees annually about
    retention policy, notifying
    management of key events that could
    lead to future litigation (thus triggering
    litigation hold), importance of
    compliance with litigation hold and
    severity of sanctions that could be
    imposed if hold violated, etc.

9) Limit access to disaster recovery tapes to
   actual “disasters,” not as a method of recovering
   inadvertently deleted items.
10) Bridge the gap between IT staff and legal
   team to ensure that legal team understands
   computer technology employed (how
   records created/retained, how backups
   performed, rotation cycles of backups,
   retention of legacy information, etc.) and
   that IT staff understands their role in
   collecting and preserving relevant records.

11) Consider whether 3rd party vendor
   should be enlisted to capture and
   process data if/when litigation

12) Document, document, document.
      Excellent Resources

•   The Sedona Guidelines: Best
    Practice Guidelines & Commentary
    for Managing Information & Records
    in the Electronic Age (Sept. 2005)
•   The Sedona Principles: Best
    Practices, Recommendations &
    Principles for Addressing Electronic
    Document Production (July 2005)
•   www.thesedonaconference.org
        Excellent Resource

•   The Federal Trade Commission &
    The Better Business Bureau:
    – Offers a variety of resources for a
      business dealing with a security breach
•   www.ftc.gov
•   www.bbb.org

            Todd L. Newton
Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C.
                    (501) 688-8881
