Risk and File Management Issues Critical to In-House Practice
Davit Akman, Jim Bunting, Andrea Burke, Steven Harris, Gillian Stacey, Natasha vandenHoven
October 17, 2011
Establishing and Reviewing Document and Data Systems to Manage Organization Risk (or "How to Avoid Becoming the Evening News")
Data Load and Overload
Corporate information storage is doubling on an annual basis
Electronic vs. Paper Data
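Electronic bytes = pages = bankers boxes
1 Terabyte = 50,000,000 pages = 20,000 bankers boxes
100 Gigabytes = 5,000,000 pages = 2,000 bankers boxes
50 Gigabytes = 2,500,000 pages = 1,000 bankers boxes
5 Gigabytes = 250,000 pages = 100 bankers boxes
1 Gigabyte = 50,000 pages = 20 bankers boxes
50 Megabytes = 2,500 pages = 1 bankers box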
Risk Management
Organizational Efficiencies
Litigation Risk Management
Statutory Compliance
Data
Business Risk
Inefficiency Managing or Finding Data
• Gartner Group: workers spend 40% of their time managing information
• IWF Wissen survey revealed that an average person spends 150 hours per year looking for lost information
• In 2007, it was estimated that it costs an organization employing 1,000 knowledge workers about $5.3 million per year for its workers to NOT find information they are looking for
The value of information is relative to your ability to find it
Business Risk
• Impedes decision making
• Costs of storage
• Data security breaches
The Evening News
• TORONTO | Fri May 27, 2011 4:13pm EDT (Reuters) - The personal information of more than 283,000 customers at Honda Canada has been breached, the company confirmed on Friday.
• CBC News Posted: Apr 4, 2011 9:52 AM ET Names and email addresses of Canadian and U.S. customers of Best Buy, some banks and other firms have been exposed in a data breach.
Business Risk – Data Security Breaches
The average cost per incident of a data security breach in 2010 was $7.2 million – Ponemon Institute LLC, U.S. Cost of a Data Breach Study
• Hard Costs:
– Detection and forensics to analyse breach
– Customer communications – breach notification
– Fixing the problem – hardware, software, consultants
– Fines
– Litigation Costs
– Damages
• Soft Costs:
– Loss of customers
– Loss of reputation
– System downtime, loss of productivity as personnel diverted to deal with crisis
Statutory & Regulatory Compliance
Just a Sample - Canada
• Income Tax Act (Canada)
• Personal Information Protection and Electronic Documents Act (Canada)
• Personal Health Information Protection Act (Ontario)
• Freedom of Information and Privacy Act
• Employment Standards Act (Ontario)
• Occupational Health and Safety Act (Ontario)
• National Instrument 31-103
• Securities Act (Ontario)
Statutory & Regulatory Compliance
Just a Sample – U.S.
• Securities and Exchange Commission
• National Association of Securities Dealers
• Securities and Exchange Commission
• New York Stock Exchange
• Health Insurance Portability and Accountability Act
• Food and Drug Act
• Sarbanes-Oxley Act
• Gramm-Leach-Bliley Act
Statutory & Regulatory Compliance
Just a Sample – U.S. – cont'd
• Internal Revenue Service
• Fair Labour Standards Act
• Americans with Disabilities Act
• Occupational Health and Safety Act
• Title VII of the Civil Rights Act of 1964
The Evening News
• December 2002 - Five Wall Street brokerage houses—Deutsche Bank, Goldman Sachs, Morgan Stanley, Salomon Smith Barney and U.S. Bancorp—were fined a total of more than $8 million by the SEC because these firms did not retain certain emails for SEC-mandated retention periods and for other infractions of SEC rules.
• Washington, D.C., May 10, 2006 - The Securities and Exchange Commission today filed a civil injunctive action against Morgan Stanley & Co. Incorporated for failing to produce tens of thousands of e-mails.
Litigation Risk
Risks of Unnecessarily Retaining Too Much Information
• Increased discovery and storage costs
• Increased litigation/regulatory investigation costs
• Increased time for assessment/response
• Increased government and litigation scrutiny
• Increased odds that poorly worded or unhelpful documents will come to light
• Increased risks of sanctions, fines, losing litigation
The Evening News
• NEW YORK (CNN/Money) November 1, 2004: 6:55 AM EST - Internal Merck & Co. e-mails and marketing materials show the drugmaker fought forcefully for years to keep safety concerns from destroying the sales of big-selling painkiller Vioxx, according to a published report.
• Arthur Andersen LLP: "Remind the engagement team of our documentation and retention policy."
• Marsh & McLennan: "I will give you clear direction on who (we) are steering business to and ... who we are steering business from."
Litigation Risk
Risks of Destroying Documents Prematurely or on an Inconsistent or Ad Hoc Basis
Improper destruction or loss of documents or failure to preserve documents may lead to:
• Judicial or Government sanctions
• Adverse inferences being drawn in litigation
• "Spoliation" of evidence charges or sanctions
• Costs awards (against company and counsel)
• Findings of gross negligence
• Reputational harm
The Evening News
• (Reuters) Mon Jan 7, 2008 10:10pm EST - A San Diego federal court on Monday ordered cell phone technology company Qualcomm Inc to pay $8.6 million to rival Broadcom Corp as sanction for failing to turn over hundreds of thousands of pages of evidence in a patent dispute.
• Coleman Holdings (Parent) v. Morgan Stanley (Fla. 2005) – Court issued adverse inference order based on various discovery abuses.
The Evening News – TJX
News March 29, 2007 12:00 PM ET - TJX data breach: At 45.6M card numbers, it's the biggest ever*
Updated 11/30/2007 2:32 PM - TJX, Visa reach $40.9M settlement for data breach
For Release: March 27, 2008 - FTC Announces Settlement of Separate Actions Against Retailer TJX for Failing to Provide Adequate Security for Consumers’ Data
The Evening News – TJX
Published: 24 Jun 2009 - TJX Companies Inc. agreed to pay $9.75 million, settling a lawsuit brought on by attorneys general from 41 states.
September 25, 2007 Office Of The Privacy Commissioner Of Canada And Office Of The Information And Privacy Commissioner Of Alberta - Findings under the Personal Information Protection and Electronic Documents Act
* At the time
Organizing Chaos or Organizing Organization
Records Management System
• Preliminary investigation
• Analysis of business activity
• Identification of recordkeeping requirements
• Assessment of existing systems
• Identification of strategies for recordkeeping
• Design of a recordkeeping system
• Implementation of a recordkeeping system
• Post-implementation review
Records Management Systems… work better with:
An Information Retention and Destruction Policy
An IT Use Policy
Retention and Destruction Policy
A good policy will:
• Address all types of business records, in any format
• Comply with all legal requirements in applicable jurisdictions
• Be claims/litigation neutral
• Provide for the suspension of records destruction for legal preservation – legal hold procedures
• Work synergistically with technology
• Be reviewed and updated regularly
• Be enforced – periodic auditing for compliance
IT Use Policy
A good policy will:
• Outline the scope (network resources – applications and email, Internet use, Smartphones, social media)
• Provide a statement of philosophy and ownership
• Provide a code of conduct: acceptable vs. unacceptable uses
• State the consequences of violation
• State what the user’s expectation of privacy should be
• Be reviewed and updated regularly
• Be enforced
Data: Manage it or it can bury an organization
• Records Management System
• Retention and Destruction Policy
• IT Use Policy
Internal Investigations: The Role of Corporate Counsel and Social Media in the Workplace: Some Highlights
Employment Investigations
• When do you investigate?
• Why do you investigate?
Employment Investigations
Employment Investigations
• Policies/Collective Agreement
• Investigation Obligations
Case Study: Multiplying Harassments
Investigations & Privilege
Employment Investigations
Scope of Mandate and Corporate Counsel's obligations
• Narrow or Broad?
• Whistle Blowing Obligations: Rule 2 (Rules of Professional Conduct)
Case Study:
Checklist To Maintain Privilege
Step One: Request from Management
Step Two: Report Requested by Counsel
Step Three: Convey Privilege to Participants
Step Four: Report Properly Marked
Step Five: Maintain Privilege Over Report
Investigations Checklist
• Whose Conduct
• Is an Investigation Warranted?
• Investigator as Witness
• Third Party Investigator
• Cost Benefit Analysis
• Broader Implications
• Privilege
• Mandate
• Form of Deliverables
Conclusion
Social Media/Employment Highlights
Case Study:
Protecting Corporate Reputation
Case Study:
Employer's Right to Full Time and Attention
What In-House Counsel Need to Think About When Litigation is Anticipated
The Team
• Identify and appoint litigation quarterback
• Contact and retain outside litigation counsel ASAP
• Identify, assemble and integrate the right team members from within your company
The Team cont’d
• External team members
– Identify and retain experts early (consulting and testifying)
– Joint defence group; regulators; media relations company
The Strategy
The Strategy cont’d
Develop your litigation strategy as early as possible
– Business objectives?
– Choose your fight?
– Initiate or respond?
– Delay or expedite?
– Venue?
– Communication?
The Strategy cont’d
Your litigation strategy should inform all aspects of the matter and your company’s conduct on a go forward basis
Insurance
• Consider establishing protocols to deal with insurance notification
• Immediately notify insurer(s) upon learning of threatened, potential or actual litigation where your company and/or its officers, directors and/or employees may be or are named as defendants
• Late notice may be basis for refusing coverage
• If coverage denied: claim against insurer?
• If coverage confirmed: impact on ability to appoint and instruct counsel, engage in settlement discussions, etc.?
Document Management, Preservation and Collection
Importance of having robust records management and document systems in place
Document preservation, collection, processing and review processes should be developed in consultation with outside legal counsel
Document Management, Preservation and Collection cont’d
Identify all officers, directors and/or employees (and their assistants) with any knowledge/involvement – “custodians”
– Often an evolving list
Collect and review (key) documents
– Timing?
– External service providers?
– Involvement of outside legal counsel?
Document Management, Preservation and Collection cont’d
Legal hold notice should be circulated as soon as reasonably possible once litigation is contemplated
Update and re-circulate notice as appropriate
Notice should go to
– Custodians
– Outside consultants/service providers/financial advisors
– Directors
– Outside legal counsel
• Track implementation and monitor compliance
Communications
Your litigation strategy will include a communications protocol as well as a public relations strategy
– Notify internal public relations/media person re threatened, potential or actual litigation, and update as appropriate
External communications
– Consider retaining media relations company
– Consider need to press release any particular litigation or stage of litigation
– Litigation advisory for external website, updated as appropriate
– Verbally notify third parties (e.g., financial advisors), as appropriate
Communications cont’d
Internal communications
– General internal advisories (basic information about litigation and its status)
  • No communications about the litigation
– Targeted internal advisories
  • For those with more direct knowledge/involvement
  • Do’s and don’t’s of communications relating to the litigation – dangers of casual emails, pins, notes, etc.
  • Reminders at appropriate times
Questions?