Information Governance and
the Legal Landscape 101
 Principle of Integrity includes Legal Holds
 Must prevent alteration of records and other ESI that are relevant to pending or anticipated litigation or investigation
 Challenge with data maintained in the Cloud
Create a Roadmap
Records and Information Governance: The Legal Landscape
Editor's notes

  2. Principle of Accountability: An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.
  3. Federal Sentencing Guidelines
     • Section 2E5.3 deals with labor management reporting and ERISA
     • Section 2E5.3 focuses on “falsification of documents or records… [and] failure to maintain proper documents”
     • Assigned accountability is critical to avoid harsher penalties under Section 2E5.3
  4. Principle of Transparency: The processes and activities of an organization’s recordkeeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.
  5. Principle of Integrity: A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
  6. Federal Sentencing Guidelines
     • Section 2E5.3 deals with labor management reporting and ERISA
     • Section 2E5.3 focuses on “falsification of documents or records… [and] failure to maintain proper documents”
     • Integrity is critical to avoid harsher penalties under Section 2E5.3
  7. Part J addresses recordkeeping considerations:
     • Does the offense involve destruction, alteration or fabrication?
     • Does the offense involve essential records?
     • What was the scope, planning or preparation of the offense?
  8. Section 2E5.3 covers recordkeeping for:
     • Benefit plans covered by ERISA
     • Documents required by the Labor Management Reporting and Disclosure Act
     It provides sentencing guidelines for falsification of documents or records, or for failure to maintain proper documents.
  9. Principle of Integrity includes Legal Holds: Must prevent alteration of records and other ESI that are relevant to pending or anticipated litigation or investigation.
  10. Principle of Protection: A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
  11. The amended Model Rules are not binding on lawyers unless and until adopted by the states, but expect high adoption by the states.
  12. Model Rule 1.6 Confidentiality of Information, (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (Entirely new sub-section.)
  13. Comments to Rule 1.6: Lawyers must make reasonable efforts to prevent access or disclosure. Factors to consider: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.
  14. Model Rule 4.4(b) Respect the Rights of Third Parties: A lawyer who receives a document or electronically stored information relating to the representation of the lawyer’s client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender.
  15. • Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), whose regulations govern privacy and data security issues related to health information (including data maintained by employee health plans)
      • Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which imposes additional information security obligations on HIPAA covered entities and business associates of covered entities
  16. Also discuss how expert reports/expert banks may contain PII; firms need to manage this information’s security as well.
      • HIPAA applies to law firms that accept affected health care information from their healthcare clients
      • HITECH extended the regulations to professionals servicing the healthcare industry, including lawyers
      • Enforcement of penalties will take effect upon release of the final set of rules (pending for 2 years)
      • After that time, Security and Privacy Rule violations could result in fines ranging from $50,000 to $1.5 million for a single violation
  17. • State laws requiring the provision of privacy notices to individuals, such as the California Online Privacy Protection Act
      • State information security breach notification laws, which are in place in over 45 states, Washington, D.C. and Puerto Rico; see, e.g., Cal. Civ. Code §§ 1798.29, 1798.82; N.Y. Gen. Bus. Law § 899-AA
      • State laws imposing minimum information security requirements, such as the Massachusetts Standards for the Protection of Personal Information; see, e.g., 201 Mass. Regs. Code §§ 17.01–17.05
  18. • State laws that regulate the collection, use and other processing of Social Security numbers (“SSNs”)
      • State laws requiring the secure disposal of records containing certain personal information, e.g., California, Georgia, Indiana, Montana, New Jersey, New York, North Carolina, Texas, Utah, Vermont, Washington and Wisconsin (some states also regulate disposal of personal information whether it belongs to a client or an employee)
  19. Example: Massachusetts Standards for the Protection of Personal Information
      • One of the most far-reaching personal information data security regulations in the country
      • Imposes obligations on any entity holding the described personal information of an individual (SSN, driver’s license/state ID, financial account information)
      • Requires a documented security program with administrative, technical and physical safeguards
      • Raises the importance of law firms researching all states from which they might hold an individual’s personal information, and having defined policies and practices in place to ensure compliance
  20. E.g., Japan: “Shall not provide personal data to a third party without obtaining the prior consent of the person.” See Act on the Protection of Personal Information, Art. 23.
      E.g., Austria: “Authorisation shall be required for data exchange with recipients in third countries with an adequate level of data protection.”
  21. Data privacy laws outside the US: For example, in the EU, personal information includes business contact information or memberships in trade groups or political organizations. One consequence of the EU restrictions on cross-border transfer of personal information is the limitation these requirements impose on a law firm’s ability to receive in the U.S. documents containing personal information from the EU. The issue is exacerbated further by the broad interpretation of the term “personal information” under EU data protection law.
  22. ABA Model Rule 1.15
      • Safekeeping property requirement: “lawyer shall hold property of clients or third persons… separate from own property”
      • Traditionally refers to money, but could “records” be considered “property”?
      • Does compliance for a law firm include segregating client records from law firm records?
  23. Though the commission used the phrase, “[b]ecause of the sometimes bewildering pace of technological change,” the transition to widespread use of digital technology has been in effect since 1985, more than 25 years ago. This is hardly a “bewildering” pace of change, unless you have stayed in a cave and remained a Luddite. Now more than ever is the time to commit to understanding digital change and ensure that you can competently handle your client’s needs. Law Technology News, Aug 2012
  24. Model Rule 1.4 Communication: A lawyer’s regular communication with clients will minimize the occasions on which a client will need to request information concerning the representation. … Client telephone calls should be promptly returned or acknowledged. A lawyer should promptly respond to or acknowledge client communications.
  25. Rule 5.3, Comments: amended to address outsourcing issues, including the use of cloud computing providers for the purpose of storing confidential client data. Lawyers may use third-party non-lawyer providers, including: “an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information. When using such services … a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.”
      “The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality … [A] lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”
  27. Although advisory at this point, the Rule changes reflect the ABA’s acknowledgement that lawyers have emerging obligations in light of new technology:
      • Electronic communications and documents
      • Cloud
      • Third-party vendors
      • ESI
      This shows a trend to embrace and regulate lawyers’ use of technology with client files. Expect wide state adoption and further modification of the Rules as technology changes.
  28. Federal Sentencing Guidelines
      • Per Chapter 1, Part A, Subsection 4, “regulatory offenses” are a “major issue”
      • Criminal violations include “failure to… provide requested information”
      • Compliance is a key component of the Federal Sentencing Guidelines
  29. Principle of Availability: An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
  30. General considerations:
      • The organization knows where information is and where official records should be maintained, and has conducted a comprehensive inventory of its electronically stored information (ESI)
      • Establishes consistent classification schemas
      • Defines standard document naming conventions
      • Establishes a legal hold policy and supporting process workflows
  31. Legal considerations
      • Legal edicts similar to those applied to the principle of transparency
      • Supports ABA Model Rule 1.4(a)(4): a lawyer must “comply with reasonable requests for information”
      • Availability of information is a key component of Rule 1.4 compliance
  32. Federal Sentencing Guidelines
      • Per Chapter 1, Part A, Subsection 4, “regulatory offenses” are a “major issue”
      • Criminal violations include “failure to… provide requested information”
      • Availability of information is a key component of the Federal Sentencing Guidelines
  33. Principle of Retention: An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
  34. Federal Sentencing Guidelines
      • Per Chapter 1, Part A, Subsection 4, criminal violations include “failure to keep accurate records…”
      • Per Part J, Subsection 3: “if the offense… involved the destruction, alteration, or fabrication of a substantial number of records, documents, or tangible objects” then the sentence should be increased
      • Retention of information is a key component of the Federal Sentencing Guidelines
  35. Policy and procedures are needed, together with a records retention schedule (RRS). These result in:
      • Proactive records management
      • Targeted suspension/restart of records destruction when needed
      • Ability to retrieve subpoenaed records
      • Efficient document review and production
      • Management of documents across cases
  36. Principle of Retention includes Legal Holds: Irrespective of the RRS, there is a duty to retain records and other ESI that are relevant to pending or anticipated litigation or investigation.
  37. Principle of Disposition: An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.
  38. E.g., Australia (Privacy Act 1988, Sch. 3, 4.2): “An organization must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed.”
      E.g., Belgium (BLG Dec 92 Prot Art 16.2): “The controller or his representative in Belgium, if any, must: ensure with due care that the data is kept up-to-date, and that incorrect, incomplete and irrelevant data, is rectified or erased.”
  39. Legal considerations
      • Retention regulations also apply here
      • L.A. County Bar requirement to obtain written instructions from the client for criminal records
      • Query the New York Bar requirement for “Confidential Material”: retain “permanent, including after termination” of the relationship
          • What is considered confidential material? The term “material” is broader than “communication”
          • How do you determine what to keep permanently?
          • What is the effect on emails and other forms of confidential communications with the client?
  40. Federal Sentencing Guidelines
      • Per Part J, Subsection 3: “if the offense… involved the selection of any essential or especially probative record, document or tangible object, to destroy or alter” then the sentence should be increased
      • Disposition of information is a key component of the Federal Sentencing Guidelines
  41. Principle of Disposition includes Legal Holds: Must suspend destruction or alteration of records and other ESI that are relevant to pending or anticipated litigation or investigation.
  42. A qualitative and quantitative measurement:
      • By principle
      • Overall, or averaged across all principles
      It is a rating of an organization’s overall information governance, of which records management is a component: a systematic process guiding the evaluation of an organization’s maturity with respect to recordkeeping activities.
  43. A rating of less than 5 may be acceptable because of:
      • Organizational risk tolerance
      • Comparability with industry peers or competitors
      Reaching the previous level is not a prerequisite for the next.
  44. The Principles as a key foundation of success
      • Track legal requirements such as the Model Rules and Sentencing Guidelines
      • Track international standards and requirements
      The Principles as a framework, NOT prescriptive
      • The Principles are flexible
      • The Principles are not right vs. wrong; there are different approaches to get there
      • Strive for continuous improvement: progress over perfection
      Be sure to have:
      • Governance structures
      • Policies needed
      • Processes defined to support policies
      • Use of technologies
  46. • Research all relevant regulations, laws and ethics requirements for jurisdictions in which the firm does business or from which the firm receives personal information about clients/employees
      • Establish ultimate authority over risk and legal, e.g., General Counsel, Risk Committee, etc.
      • Evaluate all policies, systems and processes for compliance
      • Evaluate shared or secondary use of client information: brief banks, expert banks, etc.
      • Evaluate third-party vendor contracts and monitor ongoing compliance
      • If needed, implement technology and policy/process changes to meet requirements