Avoiding The Lawyer’s Digital Nightmare

June 2011
 
Avoiding The Lawyer's Digital Nightmare: How To Safeguard Your and Your Clients' Sensitive Information And Survive The Inevitable (?) Security Breach - LIVE IN DENVER
 
 
 
Program Description:
 
Often the soft underbelly of information security, attorneys and law firms, nonetheless, routinely receive from their clients highly sensitive information ranging from Social Security numbers and health information to information about intellectual property under development and non-public financial projections. Legal professionals can no longer chuckle about piles of sensitive paper documents on office floors, refuse the minor inconvenience of password-protecting smart phones and other portable devices, or turn a blind eye to other critical information security practices. Clients are putting increasing pressure on their counsel to change their ways, and attorneys now are under legal and ethical obligations to do so.
 
At the core of this new information security regime is a complex web of laws and regulations under which clients must ensure that their lawyers and other service providers will adequately protect sensitive information received for purposes of providing services. While federal mandates - such as the HIPAA Security Rule and HITECH Act applicable to the health care sector and the Gramm-Leach-Bliley Act's Safeguards Rule applicable to the financial services sector - tend to be the most prescriptive, a significant majority of states, including Colorado, have enacted laws in this area as well. Of equal importance, Colorado and forty-five other states mandate that service providers notify their clients when a security breach puts the client's sensitive personal information at risk. At bottom, robust information security practices are critical for attorneys and law firms seeking to avoid the potential loss of clients, damage to reputation, administrative penalties, discipline, and civil litigation that can result from a security breach.
 
This half-day seminar features experts in the areas of privacy and data protection law, computer forensic investigations and information security, and security incident response. The presenters will explain the current and evolving state of the law, discuss current security threats to computing environments commonly used by legal professionals, describe best practices, provide practical recommendations for compliance, and help attendees to develop strategies to respond to a security breach when one inevitably does occur.
 
 
 
Agenda:
8:30 am - 9:00 am Registration
9:00 am - 12:00 pm Program
(10:20 am - 10:30 am Break)
 
 
 
I.    Introduction/Overview
II.    The New Information Security Legal Regime
       A.    Federal Legislation
            1.    HIPAA Security Rule & HITECH Act
            2.    Gramm-Leach-Bliley Act Safeguards Rule
       B.    State Legislation
            1.    Massachusetts' New Information Security Regulations
            2.    Protection Of Social Security Numbers
            3.    Proper Disposal Of Sensitive Information
       C.    Common Law Duties
       D.    Ethical Requirements
III.    Best Practices That Will Put Your Organization Into Compliance 
       A.    Controlling Access To Sensitive Information
       B.    Best Practices For Securing Sensitive Information
       C.    Safeguarding Personal Information On Portable Devices
       D.    What To Do About All Of That Paper
       E.    Meeting Client Demands For Proper Safeguards
       F.    Negotiating Agreements With Clients Regarding Information
IV.    Security
       A.    Current Threat Estimate
       B.    Frequently Encountered Vulnerabilities
       C.    Understanding What Your IT Organization May/May Not Know About IT Security
       D.    Building a Culture of Security Consciousness
V.    What To Do When Your Organization Has A Security Breach Despite Your Best Efforts
       A.    Investigation And Forensics
            1.    The importance of independence - “a fool for a client”
            2.    Maximizing the protection of privilege
            3.    Who should be on the investigative team?
            4.    Who shouldn't?
            5.    Forensic acquisition of data
            6.    Defense-conscious investigation
            7.    Coordinating with breach counsel
            8.    Investigation v. Remediation
            9.    Preparing for defensive litigation
       B.    Security Breach Notification Laws
            1.    What is a “security breach”?
            2.    Who must be notified?
            3.    What must the notice say?
            4.    How should the notice be delivered?
            5.    Who bears the cost?
       C.    Security Breach Administration
            1.    Credit monitoring, fraud resolution and other services
            2.    Mailing administration
            3.    Call centers
 
Presented by Phil Gordon (Program Coordinator), Alex Holden, Richard Kam, Michael McGuire, and Bill Taylor
 
   
Faculty:
 
 
Philip L. Gordon, Esq.
LITTLER MENDELSON, P.C.
1200 17th St., Ste. 1000
Denver, CO 80202-5835
(303) 575-5858
 
Philip L. Gordon is a shareholder in the Denver office of Littler Mendelson, P.C., the nation's largest law firm representing only management in employment and labor law matters. Mr. Gordon chairs the Firm's Privacy and Data Protection Practice Group. He regularly counsels Fortune 500 companies, as well as medium-sized and small businesses, concerning compliance with the HIPAA Privacy and Security Rules, European data protection laws, and state data protection laws; security incident response and incident response planning; workplace monitoring of employee communications; background checks; and other privacy and information security issues. He also regularly defends employers in privacy-related litigation and in cases involving unfair competition and misappropriation of trade secrets.
 
Mr. Gordon speaks and writes extensively on the full range of workplace privacy and information security issues. He has given presentations to the International Association of Privacy Professionals (IAPP), the American Corporate Counsel Association, the National Retail Federation, the American Payroll Association, and the Ponemon Institute (a leading privacy “think tank”), among others. His articles have been published in a wide range of professional journals, including the Privacy and Security Law Report, World Data Protection Report, Employee Relations Law Journal, Executive Counsel, and Privacy Officers Advisor. His blog is located at www.workplaceprivacycounsel.com.
 
Mr. Gordon has taught privacy and information security law as an adjunct professor at the University of Colorado School of Law. He is a member of the Advisory Board of the Bureau of National Affairs' Privacy and Security Law Report. He has served on the Educational Advisory Board and the Editorial Board of IAPP.
 
Mr. Gordon received his undergraduate degree from Princeton University and his law degree from the New York University School of Law. He served as a law clerk on the United States Court of Appeals for the Tenth Circuit.
 
Alex Holden
Director of Enterprise Security/Senior Intelligence Investigator
Cyopsis IT Security, Forensics and Investigations
455 Sherman St., Ste. 205
Denver, CO, 80203
(720) 838-2271
 
Alex Holden serves as Cyopsis's Director of Enterprise Security/Senior Intelligence Investigator. He assists Cyopsis clients with IT security, investigative, and forensics issues, ranging from penetration testing and critical incident response to full‐scale security solutions. Mr. Holden is a nationally recognized expert in designing, maintaining, and auditing information security solutions. He has over 15 years' experience in computer security and networking, including development of several award-winning security systems and enterprises. Mr. Holden designs, implements, and maintains companywide, end‐to‐end security solutions, working with all areas of a company to assess security risks, design policies to comply with SEC/FINRA, PCI, SOX, and HIPAA regulations, identify and fix security issues, and successfully lead the enterprise to pass internal and external IT security audits.
 
Prior to joining Cyopsis, Mr. Holden worked for 10 years as Chief Information Security Officer for a large brokerage firm. He also has extensive experience in Windows, Unix, and network administration and corporate governance. He has conducted over 160 security audits of companies in the financial, medical, retail, manufacturing, and other fields. These audits yielded an exceptional 100% success rate in penetration testing from data access to full system control and prevented ongoing and potential losses estimated at $8 billion USD. During his career, Mr. Holden has evaluated over 600 commercial software solutions and identified and reported to vendors over 1,250 vulnerabilities. He holds a number of IT certifications, including as a Certified Information Systems Security Professional (CISSP). Mr. Holden is a frequent speaker on IT security issues, teaches IT and business security education programs, and consults extensively with vendors, open‐source projects, and major media on cybersecurity and cybercrime.
 
Richard L. Kam
President and Co-founder
ID Experts
Lincoln Center One
10300 SW Greenburg Road, Suite 570
Portland, OR 97223
(800) 298-7558 x 105
 
Rick Kam is an expert in the area of privacy and information security. He has extensive experience leading organizations in the development of policy and solutions to address the growing problem of protecting PHI/PII and remediating privacy incidents and identity theft. Prior to founding ID Experts, Mr. Kam had 20 years of experience working for IBM Corporation in sales, management, and customer relationship management consulting. He is the chair of the research working group ANSI Identity Theft and Identity Management Standards Panel. He is also the chair of the Santa Fe Group Vendor Council ID Management working group and is a member of the Research Planning Committee for the Center for Applied Identity Management Research. Rick received his BA in Management and Marketing from the University of Hawaii in Honolulu, HI.
 
Michael McGuire, Esq.
LITTLER MENDELSON, P.C.
80 S. 8th St.
Minneapolis, MN 55402-2136
(612) 313-7612
 
Michael is a Shareholder and member of the firm's eDiscovery group. Michael advises the Firm's lawyers and their clients on electronic discovery issues, including the preservation, collection, review, and production of electronically stored information. Littler is one of the first firms in the country to hire attorneys at the shareholder level to focus exclusively on working with clients in the challenging area of electronic discovery, reinforcing the firm's commitment to providing its clients with leading-edge solutions in this rapidly developing area. He is a frequent lecturer on technology and eDiscovery issues, including such topics as ethics rules applicable to eDiscovery, case law and industry standards, the complexities of using search and retrieval tools, and trends in eDiscovery. Michael has also been an adjunct professor on Internet Law at William Mitchell College of Law in Saint Paul, MN.
 
Prior to joining Littler, Michael was the Managing Director, Legal Operations for the mortgage division of GMAC. While at GMAC, he led the development of a cross-functional team that insourced nearly all of their eDiscovery processes. Before joining GMAC, he was a partner in the litigation and corporate departments at the Minneapolis firm of Rider, Bennett. While at Rider, Bennett, Michael focused his practice on the legal issues arising from the intersection of technology and law, including electronic discovery, privacy and Internet issues. Michael has represented companies in both state and federal courts, and has served as trial counsel in jury trials, as well as mediations and arbitrations.
 
William L. Taylor
Managing Director/General Counsel
Cyopsis IT Security, Forensics and Investigations
455 Sherman St., Ste. 205
Denver, CO, 80203
(720) 838-2266
 
Mr. Taylor is co-founder, Managing Director, and General Counsel for Cyopsis IT Security, Forensics and Investigations. He leads cybercrime and forensic IT investigations, oversees electronic discovery efforts and serves as legal counsel for Cyopsis.
 
In private practice prior to founding Cyopsis, Mr. Taylor advised companies on data breach response, investigations of computer misuse and malicious intrusion, and compliance with a wide variety of data security and privacy statutes, including HIPAA, FERPA, ECPA, GLB, and the multiplicity of state data breach notification statutes. Mr. Taylor served as national class action defense counsel for a Fortune 500 company in connection with a large-scale data breach, represented individuals and media organizations in quashing legal process for confidential records and testimony, and acted as plaintiff's counsel in collecting damages from companies for violating client privacy rights and deceptive trade practices related to privacy of client records. In 2008, Mr. Taylor led the defense team in winning an acquittal in U.S. District Court for a federal agent charged with violating the Computer Fraud and Abuse Act. From 2002 to 2006, Mr. Taylor served as Chief of the Major Crimes Section for the United States Attorney's Office, District of Colorado, and acted as counsel to a task force of state and federal agencies investigating emerging transnational criminal organizations engaged in complex frauds, money laundering, and cybercrime.
 
Mr. Taylor graduated in 1991 from the Columbia University School of Law and earned his B.A., with distinction, from the University of Colorado in 1986. Mr. Taylor was an honors graduate of the basic and advanced Russian programs at the United States Department of Defense Language Institute.
 
 
 
 
 

Location Information
CLECI Large Classroom
1900 Grant Street, Suite 300
Denver, CO 80203
Registration Fees
Non Member $159.00
CBA $129.00
New Lawyer $99.00
CBA $99.00
  • General Credits: 3.00
  • Ethics Credits: 1.00
  • EDI Credits:

Start Date - End Date
June 21, 2011
Start Time - End Time
9:00 AM - 12:00 PM