Panama Papers: What Attorneys Can Learn from History’s Largest Data Breach

Background

It is estimated that since its inception in 1977, MF has incorporated 250,000 businesses, largely in offshore jurisdictions. MF serves a wide range of clients, including politicians, celebrities and corporations. Incorporating “anonymous” businesses is entirely legal. There is, however, a stigma attached to “shell companies,” and several of the public figures associated with these businesses have already been embarrassed by exposé-style articles. The ICIJ has promised that additional, highly compromising articles will be published.

Following the disclosure of the breach, MF stated that it experienced an “e-mail server breach” at one of its data centers. It also has been reported that the documents were removed over the course of a year, beginning in early 2015. This followed a 2014 “whistleblower” data breach involving MF’s activities in Germany.

The details of how MF’s client data was removed, who removed it and why are not known and may never be made public. Regardless, the breach raises important questions that are relevant to any lawyer who uses a computer to create, store and access attorney-client materials:

    • After a whistleblower distributed client materials to the German government in 2014, what additional safeguards were implemented to protect client files? Does your firm regularly review security procedures? What process does your firm implement when computers, phones or remote storage devices are lost, stolen or decommissioned? What process does your firm follow if a data breach or virus is discovered in your system?
    • How long should client files remain on accessible servers? More than 11.5 million MF documents dating from 1977 forward were exposed by an “e-mail server breach.” Many of these documents surely predated MF’s current computer system. For whatever reason, “historical” documents were stored on the same servers that handled routine e-mail functions. What is your firm’s protocol for retaining “historical” documents on “active” servers?
    • Were notifications issued when non-active files were accessed? MF apparently had a policy of assuring that all documents for the 250,000 companies that it formed were readily available. But did the “primary” attorney on those files receive any type of notification when materials from their assigned clients were accessed? Did the system administrator receive notification when older files that had not been accessed for a significant period were suddenly downloaded? Does your firm have electronic notifications in place when files are accessed? Are sensitive files restricted to certain users? Are your files password protected?
    • News articles indicate that the breach was publicly disclosed only because a journalist contacted a representative of the Russian government who raised the possibility of a data breach with MF on March 28, 2016. MF notified their clients on April 1, 2016. ICIJ then issued a press release about the breach on April 3, 2016. The data breach(es) likely occurred over the course of several months, starting in 2015. When should the breach(es) have been discovered and disclosed to MF’s clients? Does your firm regularly monitor its access logs? Does your firm have a data breach response plan? Has your firm prepared a letter to advise a client of a discovered breach? Has your firm prepared a press release if a wider disclosure is necessary?

Lessons Learned

The MF data breach represents a sea change in the management of client data by law firms. The bar for safeguarding client data has risen. All attorneys must now consider the potential pitfalls of maintaining “historical” data on their servers, the implementation of notifications when files are accessed and protocols for issuing client disclosures when files are accessed. It is likely that MF will face considerable litigation over the undocumented data breach. Attorneys seeking to avoid litigation need to learn from MF’s failure and ensure that their data is protected.

© 2016 Wilson Elser

What Every Attorney Should Know About Their Client Database

Do you, as a lawyer, have a client database? Do you have a program (any program) that keeps their names, addresses, and phone numbers on file?
If you do, fantastic!

If not, you should.

Creating (and constantly updating) a database is integral to retaining clients. For every person you meet with, or who even contacts you, you should be getting their information and creating a database for mailings.

Why aren’t you sending them out a monthly newsletter to let them know what has been happening in the firm? You may be thinking that people don’t care, right? Well, it’s not entirely untrue. I won’t tell you that people are going to read your newsletters religiously (they might!) but if you keep them in the loop, there is no other lawyer in their minds when they start thinking about signing a contract.

Tell them about a few cases you’ve won, talk about a new employee, or how you’re redecorating your office. Keep everyone in your database (or your “herd”) in the loop.

By taking the time and putting in this effort, you’re becoming more trusted and beloved by members of your herd. Not only do they know what’s happening in your firm, but you are making a constant effort to reach out to them and contact them. It really does make a difference. What other attorney in your area is doing that?

If you think of any at all, it’s probably a very short list. Now think of how many attorneys there actually are in your area. The difference is staggering.

These simple things will make you stand out. You will be different and therefore you will come to mind much more quickly.

Those people will also become excellent marketing that you don’t have to pay for. Word of mouth is one of the best tools to have in your arsenal. Being referred by a client to their friends or family creates another level of marketing that you can’t buy.

Even for other ventures, your herd can be of great benefit to you!

Say you decide to put money into an ad that will run in a newspaper or magazine. Those are great marketing opportunities, I won’t lie, but before you hit the green button, maybe include the ad you want to run in a newsletter to your herd. Make an effort to constantly remind those who already love you what it is you do. Even ask for their opinions! They see your ad from another viewpoint and could even be able to give you some genuine feedback! Show your herd that they are still a priority and you want to keep them around.

This is only possible if you have a database.

Article by:

Ben Glass

Of:

Great Legal Marketing, Inc.

Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported, resulting in even greater costs and churn than the already staggering figures published by Ponemon, which reports that 96% of health care entities have experienced a breach, with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

Government Sanctioned for Destruction of Documents

The National Law Review recently published an article by Eric W. Sitarchuk and Meredith S. Auten of Morgan, Lewis & Bockius LLP, Government Sanctioned for Destruction of Documents:

U.S. district court decision may now allow defendants in False Claims Act cases to obtain sanctions where potentially relevant documents are lost or destroyed due to the government’s failure to issue a timely litigation hold.

In United States ex rel. Baker v. Community Health Systems, Inc., the U.S. District Court for the District of New Mexico upheld Magistrate Judge Alan Torgerson’s recommendation of sanctions against the federal government for failing to issue a timely and adequate litigation hold.[1]  The court held that sanctions were appropriate because the government’s actions resulted in the destruction of electronically stored information (ESI) that could have been helpful to Community Health Systems’ defense.

Untimely Litigation Hold

On April 29, 2005, relator Robert Baker filed a qui tam lawsuit under the False Claims Act (FCA) alleging that the defendant hospitals had engaged in Medicaid fraud. The government investigated for several years before deciding to intervene, filing its notice of intervention on February 20, 2009. Although the government issued a notice to the defendants to preserve documents in 2005, the government did not issue its own litigation hold to safeguard its internal documents until the day it intervened, by which time certain relevant ESI had been deleted or destroyed.

Magistrate Judge Torgerson applied the general spoliation rule that the duty to preserve documents arises once a party “‘reasonably anticipates litigation.’”[2] Under this standard, he rejected the government’s argument that it could not have reasonably anticipated litigation until it received permission from the Department of Justice to intervene in the case. Instead, Magistrate Judge Torgerson found that the “Government’s intervention was reasonably foreseeable after receipt of defense counsel’s letter rejecting the Government’s offer of settlement on September 5, 2008.”[3] Giving the government the “benefit of the doubt,” Magistrate Judge Torgerson came to the conclusion that litigation could be considered “imminent” on September 5, 2008, by applying the standard set forth by the U.S. Court of Appeals for the Tenth Circuit in Burlington Northern and Santa Fe Railway v. Grant.[4] The court agreed with Magistrate Judge Torgerson’s findings regarding the timing and adequacy of the government’s litigation hold.[5]

As a result of the untimely and inadequate litigation hold, the ESI of two key employees at the Centers for Medicare and Medicaid Services (CMS) was allowed to be automatically deleted and destroyed. The court agreed with Magistrate Judge Torgerson that sanctions were warranted, finding “overwhelming evidence” that the defendants were prejudiced because the lost documents went “directly to . . . one of their strongest defense theories.”[6]

Sanctions

Magistrate Judge Torgerson rejected the defendants’ harshest requests for sanctions, including an adverse inference that the destroyed documents would have been exculpatory, finding that, while the government’s culpability was more than negligent, it did not amount to bad faith or intentional misconduct.[7] However, Magistrate Judge Torgerson recommended sanctions that would require the government to produce certain documents withheld under work product or deliberative process privilege; to produce all emails from, to, or copying the CMS employees whose ESI was destroyed, regardless of any claim of work product immunity or privilege; to pay reasonable attorneys fees and costs associated with the defendant’s motion for sanctions; and to show cause why it should not be required to conduct further forensic searching for the missing ESI.[8] The court agreed that the recommended sanctions were appropriate, noting that the sanctions were “designed to prevent the Government to benefit from its apathetic conduct in preserving documents that were clearly meant to be preserved, when it had ample reason to believe the documents and ESI should have been preserved for some time prior to the litigation hold.”[9]

Implications

It is clear that “[t]he duty to preserve material evidence arises not only during litigation but also extends to that period before the litigation when a party reasonably should know that the evidence may be relevant to anticipated litigation.”[10] Baker provides greater clarity on the question of when the government’s duty to preserve documents arises in a qui tam action under the FCA. Exculpatory documents within the government’s control may be particularly susceptible to being lost or destroyed in FCA cases because the complaint may remain sealed for several years while the government decides whether to intervene. The decision in Baker signals that litigation may be reasonably foreseeable to the government long before it receives approval to intervene in a case and even before it requests permission to intervene, thus requiring that the government take action to preserve its documents even sooner to avoid sanctions. Baker may pave the way for other defendants in FCA cases to obtain sanctions where potentially relevant documents are lost or destroyed because the government fails in its duty to issue a timely litigation hold.


[1]. United States ex rel. Baker v. Cmty. Health Sys., Inc., No. 05-279 WJ/ACT (D.N.M. Oct. 3, 2012), available here.

[2]. Baker, slip op. at 7 (citing Zubulake v. UBS Warburg, LLC, 220 F.R.D. 212, 218 (S.D.N.Y. 2003)).

[3]. Id. at 7.

[4]. Id. at 7 (citing Burlington N. & Santa Fe Ry. v. Grant, 505 F.3d 1013 (10th Cir. 2007)).

[5]. Id. at 8.

[6]. Id. at 11.

[7]. Id. at 22, 29.

[8]. Id. at 10.

[9]. Id. at 14 (citing Reilly v. Natwest Mkts. Grp., Inc., 181 F.3d 253, 267-68 (2d Cir. 1999)).

[10]. Silvestri v. Gen. Motors Corp., 271 F.3d 583, 591 (4th Cir. 2001) (citing Kronisch v. United States, 150 F.3d 112, 126 (2d Cir. 1998)).

Copyright © 2012 by Morgan, Lewis & Bockius LLP

Search Warrant Basics

Recently The National Law Review published an article from Risk Management Magazine, a publication of the Risk and Insurance Management Society, Inc. (RIMS), regarding Search Warrants in the Office:

When armed government agents enter your office, seize your computers and talk to your employees, the business day has gotten off to a rough start. It only gets worse when the news shows video of agents in raid jackets carrying your eye-catching, focus group-tested logo. As the days go on, you are busy reassuring customers, vendors and employees that despite early reports and comments made by the government and your competitors, it is all going to be fine and you are going to get back to business as usual.

Presented with this hypothetical situation, many adopt a similar response: it won’t happen to me. But any business that operates in a heavily regulated area or partners with any federal agency needs to appreciate that government inquiries are simply part of operating in that space. The FBI is not the only investigative agency; it is just as likely that the Environmental Protection Agency or the Health and Human Services Office of the Inspector General will be at the front desk with a warrant in hand and a team ready to cart away the infrastructure and knowledge of your business. Will you be ready?

Good planning as part of a regular annual review can help settle nerves, avoid costly mistakes, and put you in the best defensive position should that fateful day come when the feds show up at your door. Follow this five-part plan and you will be much better off.

Summon the Team

Just as the agents did the morning before the search, you need to assemble your response team. The government has specialized people with individual roles and you need to have the same type of team. Some people on your team are there because you want them there. Others make the team because they sit at the reception desk or close to the front door. Either way, they are now on the same team.

The point person on the team has to be the in-house counsel. The agent may not let the receptionist place a series of calls, but the receptionist should be permitted to call the in-house counsel to notify her of the situation. From that point on, the command center shifts from the front desk to counsel’s desk.

The next call should be made from the company’s general counsel to outside criminal counsel. A general litigation or M&A background may be well suited for the company’s general needs, but on this day, the needs are quite different. Outside criminal counsel needs to begin the dialogue with the agent and the prosecutor, and should send someone to the scene if possible.

The response team should also include the heads of IT, security and communications. The IT officer must make sure that, as the search is conducted, intrusion into the system can be minimized so that the business may continue operation. If the IT officer is not permitted to assist with the search, it is critical that he observes all actions taken by the government related to any IT matters. This observation may be valuable at some point in the future if computer records are compromised or lost. This is just as important for information that may tend to show some violation of the law as it is for information that may support defense or a claim of actual innocence. The Computer Crime and Intellectual Property Section of the Criminal Division has produced a manual for the search and seizure of computer records and an expert can help evaluate law enforcement’s compliance with its own approved procedures.

If your company is a manufacturer or scientific production company where the question at issue may be the quality, characteristics or integrity of a product, it is important that you demand an equal sample from the same source and under the same conditions as those taken by the seizing agents. This is important so that your own experts can review a similar sample for your own testing in defense. If this is not possible given the type of product seized, your outside counsel will work with prosecutors and agents to assert your rights to preserve evidence for future testing. Just as the IT expert can be a helpful observer, a technical expert who observes the government sampling can also provide valuable insight into issues related to the sampling that may make a world of difference at some time in the future.

The communications expert is the final member of the team, but no less significant. She can be an important point of contact for media inquiries that will inevitably follow. It is vital to be able to communicate to your customers that you are still performing your daily support and that, as you address this matter, you will never take your eye off the customer’s needs and deadlines. With a disciplined response, many companies will survive a search warrant and government investigation. This process will help ensure that your customers are there for you when you get through this difficult time.

Depending on the size of your company, all of the response team roles may be performed by one or two people. Think of the function of the tasks that need to be accomplished instead of job titles alone. The other factor that you must consider at the outset is what role will these people have in the case going forward. Try and identify people who can perform these tasks but will be outside the case itself. If you know that the company lab has been under investigation, the lab director may be a target of the investigation. If that is the case, you do not want to have that employee serving as your only witness observing the search. Instead, an ideal observer might be the outside counsel’s investigator.

Execute a Pre-Established Plan

An important part of this response is that you have a pre-established plan that can be taught and disseminated instantaneously. The first rule of any plan is to not make matters worse. In this case that means, “Let’s not have anyone arrested for obstruction.” If the search team has a signed search warrant for your address, they have a lawful right to make entry.

Challenging the search warrant is for another day and both state and federal laws prohibit interfering with the execution of a search warrant. This is the time to politely object to the search and document what is happening. With a copy of the search warrant in hand, outside legal counsel may be able to challenge the scope of the search, but that is not an area where the novice should dabble.

While your specialized team members perform their tasks, the company is generally at a standstill while the search continues. Let your team members work and have the rest of your employees go home. You are shut down for the time being just as you would be any other time your business is closed. You do not want to allow employees to wander the halls and interact with agents. Off-hand comments that make it into a law enforcement report may distort the facts and be difficult to explain later.

Make sure that company employees understand what is happening and what their rights are in this situation. It is important to avoid interfering with the actual lawful execution of a search warrant; it is also unlawful to tell your employees to not speak to the agents. If they know they have a right to meet with a company-retained counsel of their own and have a right to remain silent at this point, it may go a long way in calming nerves.

Assert Privilege

This is not a difficult matter to explain, but it is critical: if there are documents that are covered by the attorney/client privilege or any other similar privilege, it is critical that you assert that privilege. One reason for the receptionist to be allowed to call company counsel is that there are materials that are covered by the privilege.

It is critical to make privilege claims at this juncture so that the agents are aware of the assertion and that they formally recognize it. This may simply mean that they put those documents in a different box for review by a team subject to judicial review at a time in the near future or it may mean that the team will review the materials for immediate decisions to be made on scene. Whatever procedure the agents have established can be reviewed later, but if you do not assert privilege now, it changes the options available to you as the proceedings go forward.

Record the Search

Given the concerns of civil liability, it is not uncommon for agents to make a video recording of their entry and departure from the scene. Their goal is to document any damage that may have been caused by the lawful execution of the warrant. The agents also want to be able to document their professional execution of the warrant in the event that claims are raised at a later point. But that tape is going to stay in their custody and not be available for your team to review as you prepare the defense.

A video record of the search may provide a key piece of support to the defense that could not possibly be understood on the day of the search. However, this process must be handled in a very unassuming manner and with a clear understanding by the agents that you are doing it, and that, in the event there are undercover officers who are masked, that you will make no effort to record them. In some states, recording voice without consent of all parties is a felony, so this is a matter that you must review with outside counsel when you are developing your procedures for search warrant response. Again, you do not want to do anything to make your situation worse.

Collect Your Own Intelligence

Just as the agents are trying to learn about your operations, they will be giving you valuable information about their own operations and the focus of their investigation. Your first tasks are to determine who is in charge, document the names of the agents in attendance and note all the agencies involved in the search. This is information that you can gather directly by politely asking for the names of the agents and observing the insignia of the agents’ uniforms or badges around their necks.

The other opportunity available to you in this unique situation is the opportunity to listen to the language the agents use, the apparent hierarchy of the agents, and the small bits of casual conversation that may give you valuable insight into the goals of the search. As the day wears on, the agents will feel more comfortable around your response team and they will talk more freely. This is not to suggest that your team should attempt to interrogate the agents, however, because that will open a two-way dialogue that may lead to statements that are difficult to explain or put in context. The suggestion is simply that you serve as an active listener.

Help Establish Rapport

Throughout the day, the agents are going to be forming opinions about your company and your employees. Use this time to make a good impression about your company. A professional, disciplined response in a time of crisis sends a very different message than the one sent by yelling obstructionists. Even though the agents have quite a bit of information about you as their target, it may have all been gathered from third parties. This may be your opportunity to impress them and to help them question the veracity of your accusers. Remember that there will be meetings about your company, your executives and their futures, and the only people in those meetings will be the agents and the prosecutors. You want their memories of this day to weigh in your favor.

Risk Management Magazine and Risk Management Monitor. Copyright 2012 Risk and Insurance Management Society, Inc.

The Inside Job: Can Employees Walk Out The Door With Your Company's IP?

Recently in The National Law Review was an article by Katie L. Clark, Rohan Massey, and Hiroshi Sheraton of McDermott Will & Emery regarding IP Security:

With the economic downturn forcing redundancies, most employers are aware that the Q1 period brings an increase in employee movement. But have employers considered how much value could be walking out the door when an employee leaves? In today’s “knowledge economy”, businesses increasingly understand the value of intangible assets in the form of information.  Yet few businesses give thought to how and where those assets reside, or consider how much can be lost or passed to a competitor when employees move on.

The ease with which knowledge can be taken by employees has increased exponentially in recent times.  USB drives are now large enough to store literally millions of documents and cloud computing can provide limitless secure storage.  The increase in remote working also allows employees to download your documents and information in the privacy of their own homes.

There is also a growing international market for transferable knowledge, making the temptation even greater for employees to maximise their value to their new employer.  Emerging economies, with different laws, regulations, and cultural values, provide a ready market into which intellectual capital can be dispersed.

This issue affects every industry.  A number of high profile cases in the United States and China have seen former employees jailed for theft of trade secrets relating to consumer electronics and financial trading software, but every business has a wealth of internal knowledge that is used to give it a competitive advantage over its rivals.  Business plans, presentations, strategies, customer lists, market positioning, and protocols and procedures are all valuable assets that can find their way to new employers.

Most worryingly, this movement of information is not confined to “rogue” employees.  Many salespeople will claim that their address books of contacts belong to them, not to their employer.  Each type and level of employee and each type of business is likely to have a different understanding of what belongs to the company.  In addition, international cultural differences play an enormous role in determining where employees perceive the boundary to be between legitimate and illicit use of information.

So, how do you distinguish between what an employee is free to take away and what should remain with the business before it’s too late?  What procedures should be in place to maximise the intangible value retained by the business when employees move?  To what extent do data protection and privacy laws permit monitoring of employees’ activities?  What procedures are available when employees are suspected of taking valuable information and/or passing it to competitors?

In 2012, McDermott will be running a number of IP- and employment-focused seminars to provide an overview of how intellectual property and employment laws can help your company protect its valuable information, and of the policies and procedures that can be used to mitigate value walking out the door.

© 2012 McDermott Will & Emery

Electronically Stored Information, Social Media and the Rules of Professional Conduct: Are you compliant with your duties of competence and diligence?

Recently published in The National Law Review was an article about Compliance and Diligence and Electronic Media by Charles H. Gardner of Much Shelist, P.C.:

Electronically Stored Information and its increasingly complex progeny, social media evidence (collectively, “ESI”) are quickly being woven into the fabric of discovery and the practice of law.  As the cases and rules of professional conduct discussed below demonstrate, lawyers who fail to thoughtfully investigate and use social media evidence (both that of their own client and that of the opposing party(ies)) are not engaged in best practices.

The American Bar Association (“ABA”) Model Rule of Professional Conduct 1.1 (Competence) states that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” (The Model Rules have been adopted in all of the fifty states, except California, and in the District of Columbia and the U.S. Virgin Islands.) Comment 5 to Rule 1.1 provides, in part, that “[c]ompetent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners. It also includes adequate preparation (emphasis added).” Further, the ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion No. 98-411 (1998) states, “[w]e believe the ethical issues are the same whether [involving] substantial legal or procedural aspects of a client’s matter or [a lawyer’s] ethical duties in furtherance of the client’s matter.”

Much has changed since the ABA adopted the Model Rules of Professional Conduct and its predecessor guidelines. Electronic data and communication and social media communities such as Facebook, MySpace, and Twitter have become linchpins of society and discourse. As of December 2011, Facebook alone reported that it had 845 million monthly users and more than 483 million average daily users (http://newsroom.fb.com/content/default.aspx?NewsAreaId=22, last visited Feb. 12, 2012).

In the recent case of Griffin v. Maryland, 192 Md. App. 518, 535 (2010), the court opined, “[i]t should now be a matter of professional competence for attorneys to take the time to investigate social networking sites (emphasis added).” In addition, a 2010 study by the American Association of Matrimonial Attorneys found that an overwhelming eighty-one percent of the nation’s top divorce attorneys said that they have seen an increase in the number of cases in which social media evidence plays a role. Sixty-six percent of those attorneys cite Facebook as the primary source of such evidence. Accepting as an imminent practical reality that an attorney has or will soon have an affirmative duty to investigate social media evidence, what might the cost be to the attorney, the client, or both for failing to do so or, worse, failing to preserve such evidence?

Consider hypothetically the evidentiary value of photographs posted on a disability claimant’s social media page showing her rock climbing, for example. One can see just how persuasive ESI can be.  However, ESI can also be a minefield of professional liability. Consider the case of Lester v. Allied Concrete Company, Nos. CL08-150, CL09-223 (Va. Cir. Ct. Oct. 21, 2011) in which a Virginia attorney was found to have instructed his assistant to tell his client to remove a photograph from a social media website. Finding that the lawyer had violated Virginia’s equivalent of Model Rules 3.3 (Candor toward the tribunal), 3.4 (Fairness to opposing parties and counsel), 5.3 (Responsibilities regarding non-lawyer assistants), 8.4 (Misconduct) and rules of court regarding conduct that tends to defeat the administration of justice or to bring the courts or the legal profession into disrepute, the court sanctioned the attorney with a fine of $540,000. In addition, the court fined the client $180,000 for spoliation of evidence. For the twenty-first century practitioner, a well thought-out ESI discovery plan could mean not only the difference between success and failure in the matter at hand, but may also mean the difference between a grateful client and a client that brings a malpractice claim, a disciplinary complaint or both for ineffectiveness in investigation and preparation. However, case investigation and preparation are not the only source of risk for attorneys and judicial officers.

The case of In re: B. Carlton Terry, Jr., No. 08234 (N.C. Judicial Standards Commission, April 1, 2009) demonstrates how critical it is for attorneys to be savvy in social media and ESI discovery in general. In that family law case, the judge, plaintiff’s counsel and defense counsel were discussing Facebook in a meeting in chambers. Plaintiff’s attorney commented that she did not know what Facebook was and did not have time for it. Following the meeting in chambers, Judge Terry and defense counsel became friends on Facebook and discussed the case in some detail. Judge Terry also conducted independent investigation into plaintiff’s social media pages and quoted from them at the hearing. The judge did not inform plaintiff’s counsel of his actions until after he had entered an oral order. Plaintiff’s counsel immediately sought to and did have the judge’s order vacated. Judge Terry voluntarily disqualified himself and the case was remanded for a new hearing, costing the taxpayers a considerable amount. Ultimately Judge Terry was publicly reprimanded by consent in formal proceedings before the Judicial Standards Committee.

Had plaintiff’s counsel conducted a thorough, or even a rudimentary, ESI investigation, the wrongdoing on the part of defense counsel and the bench could have been addressed promptly, which would have spared both Plaintiff and the taxpayers the significant costs of having to try the same matter twice.

Furthermore, it is worth noting that the rules of professional conduct apply equally to in-house counsel and transactional attorneys as to litigators. In the more casual in-house and transactional business environments, the line between clients and business colleagues can become easily blurred. These attorneys should be especially mindful of their professional responsibilities and the implications that their actions may have on their organization in the event that litigation ensues.

Following are six simple and practical suggested steps towards developing a strong ESI discovery plan and investigation process:

  1. Educate yourself about social media and ESI in general. If you do not know where to look, you could be lost in a search engine “black hole”. Not only can you place yourself ahead of the pack in the legal community, you will also be able to communicate with your children and grandchildren!
  2. Draft a written ESI discovery plan that includes an immediate request for a discovery hold on ESI.  Be systematic and judicious in your requests. And be mindful of Model Rule 1.3 (diligence).
  3. Draft and circulate acknowledgement forms to all personnel in your organization and obtain their signatures.  These documents should educate your personnel about sound social media practices and emphasize ethical concerns as well as the legal liability to the organization, to you and to the employee, who could also face appropriate discipline for violating company policy.  Be mindful of Model Rule 5.3 (responsibilities regarding non-lawyer assistants). And, with respect to employees, be mindful of the limitations imposed by the National Labor Relations Act when drafting your policies and acknowledgement forms.
  4. Instruct your client that ESI is evidence and that the client should not tamper with or destroy such evidence until the case is completely resolved, including during the time allowed for appeals and in appellate proceedings, if any.
  5. Check your client’s social media pages.  Know what you are up against.
  6. Conduct a thorough review of any and all available ESI of the other party.  Be careful to abide by the “no contact” rules.  For example, do not send a surreptitious friend request to gain access to another party’s ESI, but rather, look only at what is publicly available to you and obtain proper warrants for any additional information.  And be prepared to argue to the court why the evidence is relevant and why it should be produced and admitted.

If you are not making diligent and competent use of ESI, you place yourself and your client at a severe disadvantage and you are arguably breaching your ethical obligations. The immediate future is a rare opportunity to be on the cutting edge of developing law.  With a little knowledge and a reasonable amount of follow-through, you can set yourself apart in the new media frontier by making sound use of the bountiful resources that new media technologies have brought to the practice of law.


Charles H. Gardner is Special Counsel to the Intellectual Property & Technology group at Much Shelist, P.C. and head of its social media practice.  Mr. Gardner is a frequent writer and lecturer on the topic of social media and new media technologies. He has been featured in Crain’s Chicago Business and The Chicago Daily Law Bulletin and will be leading a CLE seminar on the “Laws of Social Media” (tailored for house counsel and business executives) on February 21, 2012.* Before joining Much Shelist, Mr. Gardner served as Director of Legal and Business Affairs for Harpo Studios, Inc. Mr. Gardner has a juris doctorate from Loyola Law School, Los Angeles (Entertainment Law Review) and a bachelor’s degree from the University of California, Berkeley.  He is admitted to practice law in California, New York, Illinois, the District of Columbia and before the United States Supreme Court.

*For more information and/or for complimentary registration, please call or e-mail Mr. Rodney Abstone at CLS Executive Search at (312) 251-2564 or email rabstone@clsexecutivesearch.com. 

© 2012 Much Shelist, P.C.