BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

Cybersecurity and Data Protection

April 6, 2010
Alan Charles Raul



AGENDA

1. Contrast “Cybersecurity” and Plain Old “Information Security”

2. Cybersecurity

– Background Perspectives

– Current Policy Framework

– Legislative and Executive Initiatives

– Legal Considerations

– Business Opportunities

3. Data Protection and Privacy

– Federal and State Data Security Regimes

– International Issues (EU)

– Cloud Computing


Tragedy of the Commons

• Cybersecurity incentives?

• Assume someone else responsible

• Needs new Manhattan Project?


Cybersecurity Legal Considerations

• FISMA contractor standards

• Security requirements of classified and non-classified government contracts

• Sarbanes-Oxley Section 404 internal control requirements

• State and international data security and breach requirements

• Potential liability for compromising third-party networks or data


Cybersecurity vs. Information Security

• Cybersecurity:

– Communications networks

– Critical infrastructures

– National security implications

– Possible sovereign involvement

– Potential catastrophic consequences

– Primarily IT function (to date)

• Information Security:

– Consumer (and HR) oriented and related to privacy

– Burgeoning legislation, regulation, compliance obligations

– Enforcement, litigation and reputational risks


Critical Infrastructure

• McAfee Report “In the Crossfire: Critical Infrastructure in the Age of Cyberwar”: more than 54% of 600 IT executives from critical infrastructure enterprises reported large-scale attacks from organized crime, terrorists, and nation-states


Cybersecurity “Wake-up Call”

• Intelligence Community “Annual Threat Assessment” for SSCI, Dennis Blair, U.S. Director of National Intelligence (2/2/10):

– Cyber-attacks against Google were a "wake-up call" about the vulnerabilities that could cripple the U.S. economy

• Cybersecurity was the very first threat addressed by DNI Blair

– “I am here today to stress that, acting independently, neither the U.S. Government nor the private sector can fully control or protect the country’s information infrastructure. Yet, with increased national attention and investment in cyber security initiatives, I am confident the United States can implement measures to mitigate this negative situation.”

Presentation Notes

http://blogs.govinfosecurity.com/posts.php?postID=474

US national cyber security co-ordinator Howard Schmidt is formulating a plan on how best to ensure cloud-based computing is secure. Schmidt resigned from his UK-based role as president of the Information Security Forum (ISF) in December, when he was appointed to the top US cyber security job by US president Barack Obama. Since his appointment, Schmidt has been working with federal chief technology officer Aneesh Chopra and federal chief information officer Vivek Kundra on the requirement for secure cloud computing architectures and other issues, according to US reports. Schmidt has not given any indication when the White House plans to introduce a comprehensive cybersecurity strategy, but has identified some priority areas. These include improving supply chain management and education, developing an organised and unified response to cyber attacks on US systems, and fostering private-public partnerships. (http://www.computerweekly.com/Articles/2010/01/28/240110/us-cyber-security-tzar-gets-to-work-on-cloud-computing.htm)

President’s Cyberspace Policy Review

• Blair: “The increased interconnection of information systems and data inherent in these trends pose potential threats to the confidentiality, integrity and availability of critical infrastructures and of secure credentialing and identification technologies.”

• “We cannot protect cyberspace without a coordinated and collaborative effort that incorporates both the U.S. private sector and our international partners.”

• The President’s Cyberspace Policy Review:

– leading from the top

– building capacity for a digital nation

– sharing responsibility for cybersecurity

– creating effective information sharing and incident response

– encouraging innovation

– align the efforts of the Intelligence Community with its many government and private sector partners

• “As Director of National Intelligence, . . . . I will also stay in touch with private companies that provide network services so that we are both helping them stay secure and learning through their experience.”


White House

• Cyberspace Policy Review: American business lost $1 trillion in intellectual property due to cyber-attacks (2008-2009)

• Homeland Security Presidential Directive mandates public and private sectors share information to protect critical infrastructure (Information Sharing and Analysis Centers)


Agencies

• FCC working on Cybersecurity roadmap for ISPs in National Broadband Plan


International Cybercrime Issues

• Bill by Sens. Hatch, Gillibrand and Rep. Yvette Clarke would require the president to report on and penalize countries of “cyber concern” that fail to take action against cyber-criminals

– Analogy to U.S. trade measures against international intellectual property rights abusers

• Notable lack of coordination reported between EU and NATO on cybersecurity


China

• “Capability of the [PRC] to Conduct Cyber Warfare and Computer Network Exploitation” (Northrop Grumman 10/09):

– China using maturing computer network exploitation capability to support intelligence collection against U.S. and industry

• Disciplined

• Standardized

• Sophisticated

• Deep knowledge of targeted networks

• Long term


Comprehensive National Cybersecurity Initiative (CNCI)

• National Security/Homeland Security Presidential Directive (1/08) – safeguarding Executive Branch data and anticipating future threats:

– DHS

– Defense Department

– Director of National Intelligence

– OSTP

– OMB

– Justice

– NSC


Einstein

• Deploy DPI sensors across federal civilian network to scan Internet content and identify malicious code

• Pursue development of intrusion prevention system to assess and block malicious code in real time

• OLC legal opinions analyzing and approving DPI under Wiretap and privacy laws


Legal Authorities

• Homeland Security Act

• FISMA

• Economic Espionage Act: misappropriation of intellectual property

• Computer Fraud and Abuse Act: hacking and computer crimes

• Electronic Communications Privacy Act

– Likely upcoming hearings on revisions

• Possible review for statutory framework under new Cybersecurity legislation


Rockefeller/Collins in WSJ 4/2/10:

• “If the nation went to war today in a cyberwar, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose.” Former Director of National Intelligence Mike McConnell.

• The information networks that nearly every American relies on are under constant attack by sophisticated cyber adversaries. These adversaries target our identities, our money, our businesses, our intellectual property, and our national security secrets. They often succeed. What's more, they have the potential to disrupt or disable vital information networks, which could cause catastrophic economic loss and social havoc. We are not prepared.

• President Barack Obama is right to call cyberspace a "strategic national asset." The challenge is that 85% of these assets are owned by private companies and individuals. The government cannot protect cyberspace alone—and neither can the private sector. Therefore, we need proactive collaboration.


GAO

• 2008 Report: “Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors”

• At least 34 federal laws, regulations, and mandatory standards to secure privately owned IT systems and data in critical infrastructure sectors


Critical Infrastructure Sectors

• Agriculture and Food

• Banking and Finance

• Chemical

• Commercial Facilities

• Critical Manufacturing

• Dams

• Defense Industrial Base

• Drinking Water and Water Treatment Systems

• Emergency Services

• Energy

• Government Facilities

• Information Technology

• National Monuments and Icons

• Nuclear Reactors, Materials, and Waste

• Postal and Shipping

• Public Health and Healthcare

• Telecommunications

• Transportation Systems


Rockefeller/Collins Cybersecurity Act of 2010:

• Create partnership with private companies to protect information networks

• Create position of national cybersecurity adviser to coordinate government efforts and collaborate with private businesses

• New public awareness campaign to make basic cybersecurity principles and civil liberty protections as familiar as Smokey Bear's advice for preventing forest fires

• Support significant new cybersecurity research and development

• Create market-driven process to encourage businesses to adopt good cybersecurity practices and innovate

• Recognize companies that excel

• Require companies that fall short in two consecutive independent audits to implement remediation plans

• Encourage government and private businesses to work together to protect civil liberties, intellectual property rights, and classified information

• Require President and private companies to develop and rehearse detailed cyber-emergency response plans

• Maintain private management responsibility for private networks

• Comprehensive review of statutory and legal framework


Federal Legislation and Regulation

• No comprehensive federal security legislation

• Gramm-Leach-Bliley Act of 1999 (GLBA)

– Regulates privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions

– Requires written or electronic notice of:

• categories of personal information collected

• categories of entities to which information will be disclosed

• consumer's opt-out rights

• institution’s privacy policy

– Requires administrative, technical, and physical safeguards

– Allows states to pass stronger consumer privacy protections


More Federal Laws and Regulation

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

– HIPAA rules protect confidentiality and security of medical information in hands of “covered entities” such as healthcare providers, hospitals, employer-sponsored health plans, etc.

– Rules control use of patient information for marketing purposes

• Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

– Addresses the privacy and security concerns associated with the electronic transmission of health information

– HITECH “breach notification” regulations require health care providers and other HIPAA covered entities to promptly notify affected individuals (and possibly the HHS Secretary and the media) of a breach


More Federal Laws and Regulation

• HITECH: breach notification extended to “Covered Entities” and “Business Associates”

– Covered Entities must notify individuals whose “unsecured protected health information” has been or is reasonably believed to have been accessed, acquired, or disclosed due to a “breach”

– Business Associates must notify Covered Entities of breaches or be subject to HIPAA penalties

– Obligation applies to breaches discovered 30 days after Secretary publishes interim final regulations

• Interim final regulations published in August 2009

– Secretary of HHS issues annual guidance on technical safeguards


More Federal Laws and Regulation

• E-Government Act (2002) recognized importance of information security to economic and national security interests

• Title III of the E-Government Act is Federal Information Security Management Act of 2002 (FISMA)

• FISMA

– Requires each federal agency to develop, document, and implement an agency-wide program to provide information security

– Mandates standards and guidance from National Institute of Standards and Technology (NIST)


More Federal Laws and Regulation

• Federal Trade Commission (FTC)

– FTC is de facto federal privacy enforcement authority; FTC Act § 5 (15 U.S.C. § 45)

– FTC charged with preventing "unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce"

– FTC enforces against companies that engage in the “deceptive” practice of failing to adhere to their own privacy and/or information security policies

– FTC enforces against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data

– FTC also enforces Gramm-Leach-Bliley Act; Fair Credit Reporting Act; and Children's Online Privacy Protection Act


OMB - FISMA

• “threats to cyberspace pose some of the most serious economic and national security challenges of the 21st century for the United States. The group of State and non-state actors who target U.S. citizens, businesses, and Federal agencies is growing.” (FY 2009 FISMA Report; 3/2010)

• Security awareness training prevalent across Government for employees and contractors

• In September 2009, OMB established a task force to develop new, outcome-focused metrics for information security performance for Federal agencies


International Treaty

• Convention on Cybercrime (ratified by U.S. in 2006, entered into force 1/1/07) seeks to harmonize, promote domestic law enforcement powers, and foster cooperation regarding computer and Internet crimes:

• Copyright infringement

• Computer-related fraud

• Child pornography

• Network security violations


Data Breach Statutes

• Data breach notification laws are pervasive

– 45 states, DC, Puerto Rico, and the Virgin Islands have breach notification requirements

– Some states also require reporting to government agencies

• Key terms

– Applies to unencrypted information

– Risk of harm to owner of personal information

– Notify Attorney General and/or state regulators if affects large number of people

• Encryption remains a key issue

– Creates safe harbor from the state data breach notice laws

– Laptops, portable media (such as USB drives)

– Wireless transmission; transmission over public network


OMB - FISMA

• Cybersecurity expenditures reported for 2009 President’s Budget: approximately $6.8 billion

• Information Systems Security Line of Business (ISSLOB):

– interagency effort managed on behalf of OMB by Department of Homeland Security (DHS)

– identifies common information security needs across Federal Government

– delivers product and service solutions to improve information security program performance, reduce costs, and increase efficiency


Contractor Oversight

• Agencies are required to have FISMA controls over their contractor-operated systems.

– to standardize requirements, Federal Acquisition Regulations (FAR) has several clauses that should be included in contracts

– agencies should have policies and procedures around contractor oversight


Key Issues for 2010

• New information security performance metrics will be used in FISMA reports to OMB and Congress

• OMB roadmap for future reporting under FISMA

• OMB developing situational awareness standards for Federal government

• OMB will oversee implementation of Federal identity management scheme outlined in Homeland Security Presidential Directive 12 (HSPD-12)

– “Policy for a Common Identification Standard for Federal Employees and Contractors” to improve the security of Federal facilities and information systems

– Agencies required to follow specific technical standards and business processes for Personal Identity Verification (PIV) smartcard credentials including a standardized background investigation to verify employees’ and contractors’ identities


Major Incidents

• Federal Government faced two major incidents in 2009: Conficker worm and July 4th distributed denial of service (DDOS) attacks

• Conficker compromised vulnerable systems, including previously patched vulnerabilities; later variants deployed countermeasures to preclude detection by security applications and block updates

– Estimated that over 1.7 million machines are currently infected

• DDOS attacks began on the July 4th weekend in 2009

• Lessons learned about readiness and responsiveness of federal agencies:

– Communications – reaching out across Federal Government is a daunting task

– Capabilities –agencies did not have capability to review infrastructure for relevant vulnerabilities or infection status

– Outdated assumptions – traditional response methods did not work


Massachusetts Data Security Standards

• Regulation 201 CMR 17.00 (effective March 1, 2010)

• Requires anyone that owns, licenses, stores or maintains resident’s personal information to develop and implement a written comprehensive information security program

– Secure access control measures and user authentication protocols

– Encrypt personal information during transmission and storage

– Reasonable monitoring of systems for unauthorized use

– Education and training of employees on computer security

– Assign passwords

– Etc.

• Personal information is defined as:

– first name or initial and last name, plus SSN, driver’s license number or other state-issued identification number, or credit or debit card number or other financial account number (with or without required PIN or code)

– Applies to electronic or paper data


E.U. Impacts

• E.U. Data Protection Directive (1995)

– Limits on collection, processing, transfer, and export to U.S.

– E.U. countries prohibit or restrict transfers of personal information to the United States unless certain compliance mechanisms in place

– E.U. standards (derived originally from U.S. and OECD fair information principles) call for (among other things):

• Notice of collection and use of personal information

• Choice (consent) to uses of information

• Access to information to review, correct or expunge

• Integrity/security of data

• Enforcement/redress of privacy rights


More E.U. Impacts

• Safe Harbor

– Requires notice, choice, onward transfer, access, security, data integrity, and enforcement

– Annual Self-Assessments/Certification

– Annually, safe harbor participants must (1) confirm that their certification is current; and (2) perform a self-assessment (or hire a third party to do so) of their compliance

• Blocking Statutes: France, Switzerland, etc.


Social Networking

• Should an employer have an employee social networking policy?

– Monitoring off-duty networking?

• Use common sense and appropriate discretion

• Only official postings are authorized; other participation is personal

• Principles of client confidentiality apply unabated in social media

• Where individual is identified, appropriate professional standards apply

• Comply with applicable terms and conditions of use

• Eschew any discriminatory, harassing, or infringing conduct

• Personnel may not misrepresent their identity

• More than incidental social networking during work day is inappropriate

• Should the employer use social networking media itself?


Cloud Issues

• White House Cybersecurity Coordinator Howard Schmidt:

– “Cloud computing makes a lot of sense, but we need to make sure that the policies…the legal framework is in place”

– “The spotlight will shift to authentication, encryption, service level agreements and legal requirements”

– Schmidt has been working on requirements for secure cloud computing architectures

• Privacy and data security issues

– E-discovery

– What law governs when your data is in the clouds?

– Data retention

– Legal uncertainty

• The “storage of data on remote computers may also raise privacy and security concerns for consumers” (David Vladeck, FTC's Consumer Protection Bureau)

• FTC considering EPIC petition regarding Google’s provision of cloud computing services

• Microsoft Cloud Computing Initiative

– The “Cloud Computing Advancement Act”

– Suggests modernizing ECPA

– Deter hacking via the CFAA


Offshore Outsourcing

• Very few special restrictions against off-shoring; but federal and state regulators are sensitive to off-shore providers

– Enhanced due diligence and oversight is appropriate

• E.U. restrictions on international transfers of data can be a hurdle to outsourcing:

– E.U. released new standard contractual clauses (e.g., re: subcontractors and sub-processing) to control international transfers of personal data for outsourcing

• Now, if a data importer (i.e. the data processor located outside the E.U.) plans to sub-contract processing operations on behalf of the E.U. data exporter/controller, the importer/processor must obtain “prior written consent” of the data exporter/controller

• The written contract will impose the same obligations on the sub-processor as those imposed on the data importer

Presentation Notes

FTC: The FTC generally enforces information security practices under section 5 of the FTC Act. The FTC published “Protecting Personal Information: A Guide for Business” as an overview of good security practices. This guide acknowledges that companies outsource HR data processing, and reminds companies to ensure third-party service providers maintain adequate security practices: Before you outsource any of your business functions (payroll, web hosting, customer call center operations, data processing, or the like), investigate the company’s data security practices and compare their standards to yours. If possible visit their facilities. Address security issues for the type of data your service providers handle in your contract with them. Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data. See http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf.

European Union Developments

• On January 6, the Article 29 Working Party released opinions (dated Dec. 1, 2009) determining two new jurisdictions that guarantee an “adequate” level of protection for personal information: Israel and Andorra. This opinion will soon be taken up by the European Commission as they consider whether to issue an adequacy decision which would permit international data transfers under the member states’ laws implementing the EU Data Protection Directive. On the horizon, Costa Rica, Malaysia, New Zealand and South Africa are also considering EU model data protection laws.

• On February 5, the European Commission released new standard contractual clauses to facilitate and control international transfers of personal data for outsourcing. The clauses include provisions to permit outsourcing to international subcontractors outside the EEA or jurisdictions deemed EU equivalent (where the protection of the data is ensured). The clauses require written permission from the client company data controller prior to processing personal data in another jurisdiction. The written contract should extend and impose the same obligations on the subcontractor as on the data importer, and ensure the data importer remains liable for the performance of the contractual obligations. The new clauses should be used starting May 15.

• On February 11, the European Parliament rejected the EU agreement on sharing data with the US to allow the US Government access to data compiled by SWIFT. Parliament voted 378 to 196 to reject the agreement that had taken effect on the First of February. The new Lisbon Treaty has given Members of the European Parliament a right to veto international agreements of this kind. The EU will likely try to negotiate a new agreement with the US.

Federal Communications Commission (FCC)

• FCC solicited comments on cloud regulation for National Broadband Plan – portability of data, transparency & privacy

• FTC and others commented the FCC should examine cloud privacy

Presentation Notes

Adam Thierer’s article, “Is the FCC positioning itself to become the Federal Cloud Commission?” (http://techliberation.com/2009/11/19/is-the-fcc-becoming-the-federal-cloud-commission/). National Broadband Plan: http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-09-2433A1.pdf

Federal Trade Commission (FTC)

• FTC is investigating privacy and security implications of cloud computing

– 2009 FTC filing with the FCC states:

“The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers”

FTC indicated to the FCC that it was pursuing an investigation on cloud computing services

• “Storage of data on remote computers may raise privacy and security concerns for consumers.”

– David Vladeck, FTC's Consumer Protection Bureau

Presentation Notes: The FTC says that it recognises the potential benefits and cost savings that should accrue from cloud computing services but has "major" concerns about the security and privacy of data being stored on remote servers all over the world. David Vladeck, the head of the FTC's Consumer Protection Bureau, says, "The storage of information on remote servers and computers raises privacy and security concerns for consumers. We have to protect these consumers, especially in times of increasing concern about identity management, the accountability of those companies that hold customer data, mobile computing and social networking." http://www.telecomtv.com/comspace_newsDetail.aspx?n=46007&id=e9381817-0593-417a-8639-c4c53e2a2a10# The Federal Trade Commission (FTC) is investigating the privacy and security implications of cloud computing, according to a recent filing with the Federal Communications Commission. http://thehill.com/blogs/hillicon-valley/technology/74209-ftc-examining-cloud-computing

Personal Health Information

• HIPAA/HITECH

– HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information

– HITECH “breach notification” regulations require health care providers and other HIPAA covered entities to promptly notify affected individuals (and possibly the HHS Secretary and the media) of a breach

– HITECH now applies certain HIPAA and HITECH security and privacy requirements to business associates (BA)

• Covered Entities must enter a BA agreement with a cloud provider to store records containing PHI

– HIPAA/HITECH security and breach notifications obligations apply in cloud

Presentation Notes: http://lawprofessors.typepad.com/law_librarian_blog/2010/02/privacy-and-data-security-risks-in-cloud-computing.html Has HHS said anything about cloud? In June 2009 HHS identified as an IT priority, by 2011: "Incorporate new services and IT infrastructure provisioning models as appropriate, including cloud computing." http://www.hhs.gov/ocio/ea/documents/hhs_ent_trans_2009.pdf

BA Agreements for Cloud Providers

• HIPAA's requirements could conflict with cloud provider's standard terms of service

• Customized BA agreements may be necessary or appropriate

• HIPAA prohibits entities from transmitting PHI over open networks or downloading it to public or remote computers without encryption


HIPAA Security Rule

• Security Rule requires covered entities to establish detailed administrative, physical and technical safeguards to protect electronic PHI

– Implement access controls

– Encrypt data

– Set up audit controls for electronic PHI

• For example, detailed activity logs to see who had access, what data was accessed, what IP addresses entered the site

– Data back-up procedures

• Must maintain exact copies of electronic PHI

– Disaster recovery mechanisms

• For example, Amazon’s EC2 offers Availability Zones, which are distinct locations engineered to be insulated from failure in other zones


Federal Government Use of Cloud Computing

• Unique data privacy and security issues raised by federal government’s increasingly widespread use of cloud computing

– Will government's cloud providers assume quasi-law enforcement roles?

– Will GSA vendors have immunity for privacy or security breaches?

– Will vendors have to process and store U.S. government data only in the U.S. to enhance security and avoid potential conflicts with foreign or international law?

Presentation Notes: These questions are pulled from Cyberspace Lawyer, September 2009. http://www.perkinscoie.com/files/upload/P&S_09-09_Westlaw_Document_13_43_53.pdf Vivek Kundra, "Cloud Computing symposium," at slides 2-4, July 13, 2009, available at http://www.ndu.edu/irmc/ilss/CCppts/visuals02-kundra.ppt http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-296353A1.pdf at 37

Federal Information Security Management Act

• Federal Information Security Management Act of 2002 (FISMA)

– Requires each federal agency to develop, document, and implement agency-wide program to provide information security

• Cloud providers Microsoft and Google are seeking FISMA compliance accreditation from the National Institute of Standards and Technology (NIST)

Presentation Notes: http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1377298,00.html NIST accreditation: http://www.nist.org/nist_plugins/content/content.php?content.41 OMB draft security measures: http://csrc.nist.gov/news_events/documents/omb/draft-omb-fy2010-security-metrics.pdf http://www.scribd.com/doc/13565106/A-Federal-Cloud-Computing-Roadmap http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1377298,00.html http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002#cite_note-nist-sp-800-37-11

Office of Management and Budget (OMB)

• OMB and the CIO council are working on policies to make cloud computing easier for agencies

– Centralizing security certifications so vendors don't have to repeat lengthy and costly security checks

• WH CIO Vivek Kundra (Sept. 15, 2009):

– “Apps.gov is an online storefront for federal agencies to quickly browse and purchase cloud-based IT services, for productivity, collaboration, and efficiency. Cloud computing is the next generation of IT in which data and applications will be housed centrally and accessible anywhere and anytime by various devices (this is opposed to the current model where applications and most data is housed on individual devices). By consolidating available services, Apps.gov is a one-stop source for cloud services – an innovation that not only can change how IT operates, but also save taxpayer dollars in the process.”

Presentation Notes: "Today, every agency has to get their own certification and accreditation even if they are using the same set of technologies. Imagine how much money we could save if we were able to have a central place where you could get certification and inherit those rights. Second is actually creating a storefront that will be agency-facing, that agencies could, with the same ease that consumers do it, provision services. Third is the underlying technology and rolling out platforms, making sure those platforms are scalable and elastic, so as agencies want to invest in technologies, they're able to do that and scale rapidly, rather than spending money on contracts where you're provisioning something where you're using only 10% of capacity." - Vivek Kundra, http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=217900204 OMB and the CIO council are working on policies to make cloud computing easier for agencies. This includes centralizing security certifications so vendors don't have to repeat lengthy and costly security checks for every agency that wants to make a purchase from them, Kundra said. http://www.federaltimes.com/article/20090915/DEPARTMENTS06/909150302/-1/RSS Internal clouds like the Department of Defense's Rapid Access Computing Environment (RACE) and NASA's Nebula. Commercial vendors like Microsoft and Google are beginning to come on board with public cloud services designed especially to meet government needs. http://www.informationweek.com/news/government/cloud-saas/showArticle.jhtml?articleID=222002580 (NASA's Nebula) http://www.informationweek.com/news/government/enterprise-architecture/showArticle.jhtml?articleID=223100863 (Microsoft cloud service for government) http://news.cnet.com/8301-27080_3-10459301-245.html http://www.informationweek.com/news/software/hosted/showArticle.jhtml?articleID=221600199 (hybrid clouds)

Cloud Computing and the Fourth Amendment

• Relationship of cloud to 4th Amendment expectation of privacy?

– Smith v. Maryland, 442 U.S. 735 (1979) (no privacy expectation for records of phone numbers dialed)

– US v. Miller, 425 U.S. 435 (1976) (no privacy expectation for bank records including checks/deposit slips)

– Warshak panel opinion (reversed en banc) questioned reasonableness of assuming lost expectation of privacy for data turned over to service providers

• Or is cloud computing a modern version of a safe deposit box, storage locker or personal computer hard drive?

– If so, cloud users could argue their data is subject to Fourth Amendment and protected against warrantless searches

Presentation Notes: http://www.law.upenn.edu/journals/conlaw/articles/volume12/issue1/Wells12U.Pa.J.Const.L.223(2009).pdf Warshak, 532 F.3d 521 (6th Cir. 2008)

Electronic Communications Privacy Act (“ECPA”)

• Remote Computing Service (RCS) is “provision to the public of computer storage or processing services by means of an electronic communication system”

• Electronic Communication Service (ECS) is “any service which provides users the ability to send or receive wire or electronic communications”

– Access to ECS generally requires warrant (unless stored at a provider for >180 days, in which case treated as RCS)

– Easier access to RCS: subpoena with notice to user or a court order

• Cloud providers may also be able to voluntarily turn over content:

– Rights or Property of Carrier. As necessarily incident to the rendition of the service or protection of the provider’s rights/property

– Exigent Circumstance. If provider believes in good faith that emergency involving danger of death or serious physical injury requires disclosure without delay

– Child Pornography. To the quasi-governmental National Center for Missing and Exploited Children

Presentation Notes: Stored Communications Act

Microsoft Cloud Computing Initiative

• Microsoft’s “Cloud Computing Advancement Act”:

– Modernize ECPA to make clear that Fourth Amendment protections apply to the cloud

– Boost CFAA penalties and jurisdiction

– Reconcile conflict of law issues by seeking a multilateral framework by treaty or similar international instrument


PATRIOT ACT AND NSLs

• NSL: letter request for information held by third party issued in connection with authorized counterterrorism or counter-intelligence investigation (no notice)

– NSLs allow access to records from internet service providers, phone companies, banks, credit card companies and other financial entities

• Section 215 of PATRIOT Act: authorizes access to business records relevant to counter-intelligence or counter-terrorism with FISA court order (no notice)


Contact Information

Alan Charles Raul
Sidley Austin LLP
1501 K Street, NW
Washington, DC
[email protected]
(202) 736-8477

www.sidley.com/infolaw

Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm.

This presentation has been prepared by Sidley Austin LLP as of September 11, 2007, for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.