Cybersecurity: An Issue for Both Tech Service Providers and Clients, especially for Cloud, Mobile and Social Computing and the Internet of Things
November 12, 2012 by Bierce & Kenerson, P.C.
The security of the Internet and privacy are key to all Cloud Computing, Mobile Computing, Social Computing and the Internet of Things (with sensors and computers in cars and anything else electrical). Cybersecurity has profound implications for corporations, “critical infrastructure” and individuals, all of which increasingly depend on cybersecurity in commercial, economic, social and personal life.
According to cybersecurity experts, the vast majority of intrusions are not disclosed to authorities, either for “security reasons” or to avoid embarrassment and loss of brand value. Given the growing risks and dependencies, private companies will need to define their policies, goals and roles in participating, or not, in government cybersecurity programs. This defining moment continues despite the U.S. Senate’s rejection of a bill on “voluntary” sharing of private-sector cybersecurity information with the U.S. Department of Homeland Security.
On August 2, 2012, the U.S. Senate rejected a bill that would have allowed professionals in the private sector – whether internal or outsourced – to share cybersecurity information with the authorities. Referred to as the Cyber Intelligence Sharing and Protection Act (“CISPA”), the proposal would have allowed (without requiring) the private sector to share, in “good faith,” information on cybersecurity and cyber threats with the Department of Homeland Security. Following the rejection, rumors circulated that President Obama would issue an executive order to allow a public-private partnership for such cooperation (“opt-in”), but this has not happened yet.
Notwithstanding the rejection of this bill in the U.S., the topic remains a matter of global news. This article explores some legal issues raised by proposed “public-private partnerships” to address cybersecurity risks: voluntary disclosures in “good faith,” the “limitation of liability” for such disclosures, the scope of the government’s right to use any information disclosed (including incidental extraneous private data) and conflicts with foreign legal systems. Such issues continue worldwide, especially in Cloud Computing¹, inviting the private sector’s constant vigilance to prevent an Orwellian “cybervoracity” of government (or at least to reach an accommodation) and to maintain confidence in the fundamental commitments of private security.
I. Possible American Approach: A Public-Private Partnership
Conflict of Interest between the Governmental and Private Sectors. Basically, the government has several fundamental interests of its own in confronting cyber risks arising in the private sector. Under CISPA, the government’s role is to protect the national defense and the “defense industrial base” as well as private “critical infrastructure” (transportation, banking, electricity, water and other utilities). Effective cybersecurity by government supports the continuity of government, economic prosperity and quality of life in general.
In the European Community (“EC”), the same principle applies. Within the EC, the Member States retain sovereign power to adopt legislative measures restricting certain private rights to the extent that such restrictions are “necessary, appropriate and proportionate” in a democratic society to safeguard national security (i.e., state security), defense and public security, and to prevent, investigate, detect and prosecute crime or the unauthorized use of electronic communication systems.
Wherever it does business, the private sector has interests that conflict with governmental roles. This is especially relevant to the protection of privacy. In general, as a matter of B2B and B2C business, each company collects and stores confidential information of third parties who rely on the company not to distribute it without permission. Any “voluntary” “B2G” transfer of this private information to the government bears the risk of governmental abuse (whether negligent or intentional).
Guided by its multinational territorial footprint and the context of its activity, every private company defines its own policies for data protection, security and disclosure in accordance with its classification of data. Different classes of data can be subject to different legal regimes. Thus data can be broadly categorized as (i) internal trade secrets, (ii) external trade secrets (confidential third-party information received under a contractual non-disclosure obligation), (iii) information on employees, which in turn can be divided into records kept for regulatory labor-law purposes and private data, (iv) information on ordinary business activities such as transactions with customers (including personally identifiable information [PII], credit-card information and demographics), and (v) information relating to corporate compliance with the law (e.g., accounting, tax and regulatory documents).
These classes have additional overlays for legal purposes. First, any information class may also be classified as “privileged” and therefore not disclosable in litigation. Second, foreign laws may apply (such as in the EU) to PII and agreements between data controllers and processors.
Prerequisites to the Limitation of Liability for Voluntary Disclosures of Cybersecurity Information. The CISPA bill would have granted a general exemption against any claim by any person for the disclosure of confidential information in connection with a voluntary exchange of cybersecurity information with the government. Private companies would have had unlimited immunity against all civil and criminal court proceedings against any entity in the U.S., or its officers, employees or agents, acting in “good faith” in disclosing information on the use of their computer systems and on cyber threats. This limitation of liability was designed as an incentive for private-sector entities to do what the law sought to encourage them to do: robustly monitor their own systems and networks and those of their corporate clients, and share information on cyber threats and vulnerabilities to better protect their systems.
The “Good Faith” Test. To avoid potential abuse, the bill would have limited this exemption to cases of “good faith.” Proof of this “good faith” was an essential element of any legal exemption.
Any criterion of “good faith” would expose the private sector to uncertainty, costs and distractions. It would invite litigation in virtually all cases. This criterion was too vague and too unpredictable, laden with subtleties in each case of “voluntary disclosure.” The courts would have to decide on the legitimacy and scope of liability in special cases, such as cases of “mixed intent” covering both “good faith” and “impermissible” purposes.
Specific Cybersecurity Intent. To qualify for the limitation of liability, the bill would have required that the private enterprise have a specific intent to support cybersecurity, particularly to monitor its systems or networks to identify and obtain information on cyber threats. Any other purpose would not justify immunity from suits by third parties. Like the “good faith” test, this limitation also suffers from ambiguity. As in proving a crime or a tort, the actor’s intentions would be called into question.
New Risks for Businesses, Individuals and Government. The particular provisions of CISPA would have exposed all providers of information technology and information services to costs, risk and confusion.
Loss of Client Confidence. Such a law could undermine the trust between the corporation (or the providers or managers of information systems, such as ISPs) and the client. In the absence of contractual waivers, a “voluntary” disclosure of confidential information to the government would put suppliers, providers and managers in breach of their non-disclosure agreements. If the draft CISPA had been adopted as law, each provider and each licensee would have had to choose whether to obtain prior third-party consents or to rely upon governmental immunity for such disclosures. And outsourcers and other tech service providers would naturally want to be indemnified and compensated for any claim arising from such sharing with the government.
An Avalanche of Litigation. The legislative exemption from liability would have opened the floodgates to litigation against any company sharing cybersecurity information with the government. By impugning the volunteer’s “good faith,” a plaintiff’s lawyer might impose significant legal costs, and obtain significant settlements, on behalf of classes of victims of the same violation of rights. Prior to dismissal, the volunteer would bear the costs of defense, preliminary hearings and pre-trial discovery. Under the CISPA bill, such defense costs would have been the responsibility of the defendant until dismissal. In short, the private sector would always have borne the initial legal costs and the distraction of management in defending against such lawsuits.
Class Action “Settlements.” In a class action lawsuit against a volunteer, the plaintiff’s bar might seek to impose, or threaten, substantial legal fees and risks. The defendant company’s “directors and officers’ liability” (and “errors and omissions”) insurance carrier might force the insured company to settle the claim.
Financial Claims against the Government. What would be the financial responsibility of the government to compensate for governmental mistakes or abuse under a law allowing voluntary sharing and containing the government’s commitment not to misuse trade secrets or other confidential data? Under the CISPA bill, if the government abused confidential information received in the name of cybersecurity, it would have been liable for actual damages plus attorney fees. The bill would have opened the door to litigation against the government by voluntarily waiving its sovereign immunity for limited purposes through an amendment of the Federal Tort Claims Act. What a gift for litigators defending the interests of individuals and companies whose confidential information is compromised by faulty or abusive governmental disclosures! What a burden for the taxpayer and the National Treasury!
Risks of Governmental Abuse. Two types of governmental abuse can be anticipated in any public-private cybersecurity partnership. First, citizens could neither know nor prove any abuse or breach by the government, even if (as provided in CISPA) the government were legally barred from using personal information for purposes other than cybersecurity. Nobody could say whether a voluntary disclosure of self-incriminating information might “accidentally” find its way to law enforcement. Given the inability to discover or rectify any such abuse, a “public-private partnership for cybersecurity” would devalue the trust and confidence of customers, individuals, employees, providers, assignors, licensees and others in an enterprise’s value chain. Uncontrolled governmental surveillance would elicit fears of an omniscient “Big Brother.” In general, government information would be sufficiently protected, but personally identifiable information (PII) would not.
Second, the bill would have allowed governmental abuse of personal data (private or otherwise) inadvertently captured in the net of “voluntary” cybersecurity disclosures. Under CISPA, the federal government could have used private information for other governmental purposes, so long as, in receiving the information, “at least one important goal” of the government’s use was cybersecurity or the national security of the United States. This exception was a factor in the defeat of the bill because it would have opened a Pandora’s box of unintended consequences for private enterprise.
Risk of Private Abuse. The CISPA bill would have allowed the private sector to share unlimited information with the government. There would have been no restriction as to the nature, volume or order of the data, so long as the “good faith” test was met. In the absence of such restrictions, any entity could freely have disclosed to the government far more information than needed, without “pruning” or segregation, and without making any effort to limit disclosure of “ancillary” information unnecessary for improving cybersecurity.
One can imagine scenarios of private companies “dumping” excess data onto governmental servers. For example, a hospital could transfer sensitive patient data to the government. The archive might include personal health information (“PHI”), without any effort to clean or delete the PHI. The government might use, or abuse, such PHI in ways affecting medical treatment, reimbursement of claims, hiring decisions and enforcement decisions unrelated to cybersecurity. This data would be at risk of hacking and other unauthorized uses.
Such an approach goes beyond the measures permitted under the privacy-protection laws of the European Community and Canada, for example. So a strictly American legislative “solution” would clearly impede international trade in data-processing services for European and Canadian customers, among others.
Limitations of Sovereignty: Conflicts of Law. In an integrated world, the legal implications of any “voluntary disclosure” of cybersecurity information transcend national boundaries. The grant by one government (e.g., the U.S.) of immunity from liability does not grant the same immunity in other jurisdictions. An American company would risk prosecution by foreign governments and claims by its customers, suppliers and others in the supply chain. Such a limitation of liability would raise legal issues of reciprocity, recognition and retaliation by any other government.
II. The European Sustainable Approach: A Public
Less intrusive alternatives. The American debate on the voluntary sharing of private cybersecurity information and its impact on privacy rights invites a search for alternatives that are less intrusive and more balanced.
Inter-governmental advice. In the European Community, an “independent” inter-governmental advisory approach exists to address these questions, but it gives primary emphasis to the protection of privacy, not to cybersecurity. The Article 29 Working Party on the protection of privacy, the protection of personal data and cloud computing is based on a consultative approach. It is an “independent body” whose secretariat is provided by the European Council. Opinions and papers issued by the “Article 29 Working Party” (Art. 29 WP) are independent of the European Commission. The Art. 29 WP was established under Article 30 of Directive 95/46/EC of the European Parliament and the European Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data. Members of the Art. 29 WP are the data protection authorities of each Member State, the European institutions and the Commission of the EC. The Art. 29 WP has its own rules of internal procedure. The Art. 29 WP gave the Commission its opinion on Cloud Computing in February 2012.
Trade Associations. In the United States, trade associations are empowered to organize concerted action to advocate their common interests before the legislature. The “lobby” can therefore promote approaches favoring providers (the “processors”) or companies (the “data controllers”). In India, Nasscom advocates for service providers, but in the U.S. there appears to be no trade association for the outsourcing industry.
Adoption of Standards. National and international standards already seek transparency, the free exchange of data and the security of exchanges, processing and data carriers.
More stringent alternatives.
International Conventions. International conventions can adopt new standards on the law of the Internet. Given the limits of any individual country’s sovereignty to exculpate the private sector from civil liability for breaches of privacy obligations, heads of state could consider a diplomatic strategy for an international convention.
The contours of such a solution already exist between countries in terms of “adequate protection” for data privacy under the European Community’s rules. According to an agreement between the U.S. and the EC, a U.S. company that breaches its obligations (voluntarily undertaken under the “safe harbor”) becomes subject to judicial and administrative proceedings by the U.S. government for breach of contract. Under “binding corporate rules” (or standard contracts between providers and controllers), commercial companies doing business in several countries may elect to commit to respecting international standards under the Directive on Data Protection. Since the WTO has not tackled cybersecurity directly, it remains to be seen whether governments can mutually agree on the substantive rights and obligations of citizens and commercial companies under such an international convention on cybersecurity. It might mean declaring a new Cold War between “blocs” of countries, targeting countries that lack basic standards or that support “rogue” operations or terrorist cells.
Internal Governmental Surveillance. Instead of a public-private partnership, one can imagine an approach of internal espionage by each government, augmented by governmental “guidance” or “best practices.” Such an approach exists in some countries, such as China, and potentially in Canada (Bill C-30), and would amount to generalized surveillance. As of early November 2012, the Canadian Parliament is considering a bill that would allow cyber espionage on Canadian internal communications, sometimes requiring judicial authorization. The Canadian government would be able to engage in cyber espionage without judicial authorization, subject to a prior assessment of several public policy considerations:
a) “the extent to which the exemption is likely to harm the national security or enforcement of laws;
b) the fact that telecommunications service providers have the ability or inability to perform the obligations;
c) whether or not the costs of compliance with the obligations in question have an unreasonable adverse effect on the business of the telecommunications service provider;
d) that the obligations involved do not seriously impede the provision of telecommunications services to Canadians or the competitiveness of the Canadian telecommunications industry.”
III. Strategy Management in IT and Telecommunications
Cybersecurity legal issues affect classic businesses: merchants, SMEs and multinational service providers in the field of cybersecurity. But they most affect the trustworthiness of outsourcing service providers who depend on the Internet for their livelihood. The concept of “public-private” partnering for cybersecurity poses many challenging questions for the future of outsourcing and the reliability of the global services supply chain, such as:
- What are the liabilities of outsourcing service providers for policies imposed by an enterprise client?
- What terms would apply if the outsourcing service provider wished to engage in the voluntary sharing of confidential information with the government?
- Would it be more prudent to wait for a legal compulsion?
- Pending new legislation, how should data be configured and made accessible?
IV. An Inescapable Symbiosis.
In conclusion, the American legislative experience suggests that private-sector “voluntary” cooperation with police forces and national security would be a bad idea, either in the U.S. or elsewhere, for private companies and all private data providers.
In Europe, the mature age of the EU’s Directives on Data Protection (1995) and on Electronic Commerce (2002) demonstrates a balance that promotes privacy while still protecting government interests. Following the failure of this legislative experiment in the U.S., other countries will think long and hard before embarking on a “partnership” with the private sector on cybersecurity.
Maybe the U.S. will rethink the structure of its multifarious and labyrinthine privacy laws (with multiple enforcement agencies) that protect consumers, consumer finance, patients, employers, private individuals, national defense or any other victim of unauthorized access to information systems. The rejection of this bill shows that the U.S. is already on a path toward more privacy and more protection of trade secrets, but such a balance remains a dream for government services.
That said, the private sector would not survive a full cyberwar. Technically, the public and private sectors are symbiotic and interdependent. For example, the Stuxnet virus, according to the newspapers, was developed by one or two governments as a tool of espionage against Iran, but it also infected the computer network of Chevron Corp. in 2010, and other international companies have likewise been targeted by cyber attacks. This mutual interdependence points to a need for more “best practices” and more non-statutory collaboration between the public and private sectors to protect both. CISPA is dead, but not forever.
Revision of the EU Data Protection Directive?
October 2, 2010 by SKW Schwarz
On 1 July 2010, a hearing was held in Brussels regarding the necessity of revising the Data Protection Directive. The objective of the hearing was to discuss the results of a consultation previously conducted by the Commission by way of a questionnaire survey. The hearing concluded that a complete revision of the European Data Protection Directive can no longer be excluded. For example, significant tightenings of the rules were discussed. Similar to the current drafts regarding employee data protection at the national level, it becomes more and more likely that the term “sensitive data” will be extended to cover biometric/genetic data, family data and data regarding minors, as well as “data of a financial nature”. It was also discussed whether any form of data processing and use should be made subject to the prior consent of the data subject. “By way of mediation”, it was considered that implicit or implied declarations could also be sufficient.
In terms of the “right to forget”, deletion periods and procedures, as well as “profiling”, were discussed, with the latter term not being defined in detail. This could, however, cover decision support systems, which have varied areas of application. Finally, the necessity of regulations regarding data protection in “Cloud Computing” was discussed.
Practical tip: Data-processing enterprises ought to monitor the development at a European level closely in order to avoid “surprises”.
(Dr. Wulf Kamlah, Frankfurt a.M.)
E-Discovery and Legal Process Outsourcing: ESIM Process Design and Choices between Outsourcing vs. Insourcing
December 21, 2009 by Bierce & Kenerson, P.C.
State and federal rules of civil procedure and emerging common law of the discovery process impose significant costs on businesses that are engaged in litigation. Pre-trial “discovery” serves to narrow the issues in dispute by forcing the disclosure of records, including electronically stored information (“ESI”) for judicial economy, to narrow the scope of disputed issues for adjudication (such as through motions for partial summary judgment, admissions and prior inconsistent statements), and to speed the actual trial process. E-discovery has become a daily challenge for the General Counsel, the CIO, the COO and the Risk Management Department. They face a choice of policies, procedures and technologies for insourcing (such as by using forensic software and employed staff) or outsourcing for electronic records discovery management. This article explores some of the differences between insourcing and outsourcing in terms of ESI records management, legal requirements for protection and production of electronic records, project management in forensic record examination, litigation readiness, knowledge management, risk management, ethics and legal compliance.
I. E-DISCOVERY AS A SUB-PROCESS OF RECORDS MANAGEMENT.
Record and Information Management (“RIM”) Policies and ESI Management (“ESIM”). The demands of e-discovery highlight the challenges of developing and managing effective governance policies and procedures for information of all kinds, including ESI, and the challenge of adopting and updating an ESI management (“ESIM”) plan for “business as usual.” The International Organization for Standardization has developed a records management standard (ISO 15489-1, at www.iso.org). ARMA International (www.arma.org) has identified eight principles for records and information management (“RIM”), namely, accountability, integrity, protection, policy compliance, retrievability/availability, retention, disposition and transparency.
Memory-storage devices have proliferated, challenging the company’s records custodian. In addition to computers, there are cell phones, cameras (stand-alone or in cell phones), scanners, facsimile machines, USB “key” drives, backup hard drives and other storage devices. All pose a challenge for a fully compliant response to an e-discovery request.
Legal Requirements for Protection and Production of E-Records. Federal and state rules of civil procedure have evolved to include electronic records. See F.R.Civ.P. 26(b), 34 and 45 (subpoenas) and F.R.Evid. 901(a) (authenticity). State procedural rules have been adopted to implement the Uniform Rules Relating to Discovery of Electronically Stored Information issued by the National Conference of Commissioners on Uniform State Laws. [Copy available at http://www.law.upenn.edu/bll/archives/ulc/udoera/2007_final.htm]. Basic common law, statutory and civil procedure rules in e-discovery start with similar requirements:
- Protection: preservation of ESI through a “litigation hold” to prevent inadvertent loss when a third party demand has been made, or it has become reasonably foreseeable that such a demand will be made, and ensuring that the in-house attorney’s instruction is actually implemented (for example, avoiding the inadvertent over-writing of storage and backup tapes).
- Accountability: identifying the scope and “proportionality” of the e-discovery requirements in relation to the overall scope of the dispute.
- Cost allocation: allocating costs that are reasonable to the producing party and costs that are unreasonable to the requesting party.
- Cost management: using search terms and other cost-effective automated search technologies to get the reasonable or “agreed” coverage for the initial triage, on the premise that information technology can solve the problem of searching massive records databases. See, e.g., Zubulake v. UBS Warburg, LLC, 2004 WL 1620866 (SDNY July 20, 2004, Judge Scheindlin) and other rulings in the same case, at 217 F.R.D. 309 (SDNY 2003), 216 F.R.D. 280 (SDNY 2003) and 2003 WL 22410619 (SDNY Oct. 22, 2003).
- Integrity (authenticity and identification of the e-record): identifying appropriate methods and procedures for ESI production, including the appropriate level and nature of legal supervision of forensic inspections, to ensure authentication under F.R.Evid. 901(b) by using circumstantial information such as the file access permissions, file ownership, dates when the file was created and when it was modified, other metadata and hash values for the record when copied to a forensic computer for analysis.
- Accessibility under the rules of evidence: identifying and managing risks of loss of evidentiary privileges through the mere use of electronic e-discovery tools and procedures.
- Accountability for Non-Compliance: identifying the sanctions for culpable conduct, mainly “spoliation” (intentional or negligent destruction of evidence) or negligent collection done by the record custodian rather than by an automated process, such as:
  - judicial issuance of an instruction to the jury that it may validly draw a “negative inference” (or “adverse inference”) from the fact that the offending party could not produce the normally available documents in support of its legal arguments, resulting in a conclusion that, if the “lost” or “destroyed” records had been introduced into evidence, they would have supported a negative conclusion as to disputed factual matters; and
  - judicial sanctions, including an order to pay the reasonable expenses, including attorney’s fees, caused by the violation of discovery rules, where, for example, the adverse party incurred expenses to overcome the inability to access the “lost” or “destroyed” (spoliated) records.
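The “Integrity” requirement above rests on capturing hash values and file metadata at the moment of collection and re-checking them later. The following is an added example (not part of the original article and not any e-discovery vendor’s tool) of a minimal collection manifest: it records SHA-256, size, permissions, ownership and timestamps for each collected file, hashes the manifest itself, and later classifies each file as verified, altered or missing. The custodian identifier and the two sample files are constructed for the demonstration.

```python
"""Collection manifest for ESI: capture hash and metadata, then verify later."""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 16  # read evidence files in 64 KiB chunks so size does not matter


def sha256_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_record(path, collector):
    """Capture the circumstantial authentication data named in the article:
    permissions, ownership, change/modification times and the hash, plus who
    collected the file and when (collector is an assumed custodian label)."""
    st = os.stat(path)
    return {
        "path": str(path),
        "sha256": sha256_file(path),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "ctime_utc": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def _records_digest(records):
    # Canonical JSON so the same records always hash the same way.
    return hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()


def build_manifest(paths, collector):
    """Collect every path and seal the record list with its own hash so that a
    later edit to the manifest (not just to the files) is detectable."""
    records = [collect_record(p, collector) for p in paths]
    return {"records": records, "manifest_sha256": _records_digest(records)}


def verify_manifest(manifest):
    """Re-hash each file and classify it as 'verified', 'hash_mismatch' or
    'missing'. Returns (manifest_intact, {path: status})."""
    records = manifest["records"]
    manifest_ok = _records_digest(records) == manifest["manifest_sha256"]
    results = {}
    for rec in records:
        p = rec["path"]
        if not os.path.exists(p):
            results[p] = "missing"
        elif sha256_file(p) != rec["sha256"]:
            results[p] = "hash_mismatch"
        else:
            results[p] = "verified"
    return manifest_ok, results


def make_constructed_evidence(root):
    """Constructed sample ESI for the demonstration only (not real records)."""
    files = {
        "memo.txt": b"Draft memo: retention schedule, 2009-12-01.\n",
        "ledger.csv": b"date,account,amount\n2009-11-30,4010,1250.00\n",
    }
    paths = []
    for name, body in files.items():
        p = Path(root) / name
        p.write_bytes(body)
        paths.append(p)
    return paths


def run_demo():
    """Collect, verify, then simulate spoliation (one file edited, one deleted)
    and a tampered manifest; returns the three verification outcomes."""
    with tempfile.TemporaryDirectory() as root:
        paths = make_constructed_evidence(root)
        manifest = build_manifest(paths, collector="custodian-01")
        before = verify_manifest(manifest)
        paths[0].write_bytes(b"Draft memo: edited after the litigation hold\n")
        os.remove(paths[1])
        after = verify_manifest(manifest)
        manifest["records"][0]["sha256"] = "0" * 64  # someone edits the manifest
        tampered_ok, _ = verify_manifest(manifest)
    return {"before": before, "after": after, "manifest_tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```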
Project Management in Forensic Record Examination. Within a holistic approach to ESIM, e-discovery tools and techniques can be identified along the continuum of “cradle-to-grave” (or more appropriately, “cradle to judge and jury”) progress. As a sub-process of electronic records management, an e-discovery process model can be used to identify the particular role or function of third-party software, in-house resources and an outsourcer’s resources. By looking holistically at the end-to-end chain of processes leading to satisfactory e-discovery compliance, under such a paradigm, the end-result, production and presentation of ESI, can be managed by effectively adopting either a total control at the “information management” level (when records are initially created and stored). The following is our own view of electronic discovery records management (“EDRM”) as a subset of an enterprise-wide holistic ESIM resource management paradigm for governance, risk management and compliance in e-discovery:
Litigation-Readiness: Converting “Business as Usual” IT into Information Management Operations for E-discovery. Information technology plays a strategic role in the enterprise’s ability to comply with e-discovery mandates. The enterprise’s legal department should team up with the IT department, the records management department and line-of-business management to participate in the design – or re-design – of the enterprise’s information management operations and records management. E-discovery compliance features are now available through software that can trawl the enterprise’s entire ESI and search for information according to a myriad of legal and business terms and technical parameters. In conjunction with the CIO and the records management department, the legal department can:
- Gap Analysis: Conduct a “gap analysis” to identify which features are missing from those that are recommended or required under the applicable rules of civil procedure and common law, particularly those policies and procedures that involve data collection, classification, accessibility, storage, retention and destruction.
- Strategic Access Plan: Develop a strategic access plan for the full life-cycle of “business as usual” and custody and control, including audit, of the company’s information and litigation-relevant information.
- Process Design using an ESIM Paradigm: Apply the e-discovery records management sub-process of the enterprise’s holistic ESIM model to identify and segregate functions that will be performed by in-house or captive resources and those for outside legal counsel and outsourcing service providers.
- Cross-Border Considerations: Integrate multinational and cross-border legal mandates into the design of the information technology and information management systems, at an early stage in the e-discovery process, to avoid breaches of foreign data protection and privacy laws when complying with U.S. judicial rules of procedure.
- Integration of Internal and External Resources: Develop policies and procedures for use of outside litigation support services providers and an array of personnel and technology resources both domestically and internationally to fulfill e-discovery compliance mandates, without adversely impacting the ongoing business operations.
Litigation-readiness must be added to the selection criteria for new IT initiatives such as “cloud computing” (here, the “software as a service” model, not the “variable IT computing-power as a service” model), internal and external social networks, Twitter and internal and external collaboration platforms such as wikis, e-rooms and Google Wave.
Knowledge-Management Readiness: Managing and Protecting Corporate Knowledge. “Knowledge management” refers to policies, procedures and technology that enable an enterprise to capture, organize, identify, re-use and protect the confidentiality of its trade secrets. Knowledge management (“KM”) procedures must also enable the enterprise to distinguish among sources of confidential information that may be trade secrets, copyrights or patents of third parties (including “freeware” and “open source” software) as well. Accordingly, CIOs must adopt KM planning strategies that, in conjunction with legal and compliance departments, also serve regulatory and legal requirements. The IT infrastructure needs to identify all such trade secrets during the e-discovery process so that, if disclosable, they are subject to non-disclosure and non-use under appropriate protective orders.
II. RISK MANAGEMENT
Risk of Spoliation by Employees and Contractors. According to one e-discovery service provider, a large majority of all corporate litigation is employment-related. If employees have access to change ESI, disgruntled or negligent employees pose a major risk of spoliation. Employees can unknowingly or intentionally destroy ESI evidence. Such actions can range from concealment (through downloading pirated software that deletes files on the employee’s web surfing history) to sabotage (actually deleting documents).
As a result, the legal department and the CIO need to develop IT-enabled solutions to prevent such acts. This article does not address this particular issue, but it highlights the need for appropriate design of the overall information management architecture as a preventive measure.
Risk Management. From the risk-management perspective, a proper defensive strategy will require an alliance between the company’s Legal Department, its Risk Management department and its IT department.
- IT Role. The IT department needs to work with the Legal Department to ensure a proper chain of custody and proofs of authenticity.
- Insurance. The Risk Management Department needs to help design and review the e-discovery process. Sanctions for spoliation have implications for coverages for directors and officers, employment practices, errors and omissions and general liability. The records manager needs to understand how the company’s Records Management (destruction) Policy meets e-discovery requirements.
- Legal Department. The in-house Legal Department must not only manage the e-discovery process. It must design and manage effective records management policies, educate all employees about the e-discovery process and its role in management of risks, knowledge and records.
III. BUSINESS MODELS: INSOURCING, CAPTIVES AND OUTSOURCING
Business Models for Insourcing. Before comparing outsourcing and insourcing, it is helpful to consider the different business models in which an internal e-discovery operation can be financed. These models can be summarized:
- Infrastructure Investment in a Complete e-discovery Toolkit. At the “high end,” the enterprise can make a capital investment in the essential tools of a fully “in-sourced” e-discovery operation. Such an investment will have significant payback for enterprises having a high volume of litigation with predictable volumes of e-discovery demands. Such enterprises will need to invest in all the people, process and technology necessary for the operation. If the operation is highly automated, it can be effectively managed onshore. If it requires substantial human review, part of the operation may be handled in offshore locations with remote access, security controls and other measures to prevent loss of confidentiality, competitive advantage and effectiveness. This leads to considering a captive e-discovery service delivery center. In this case, outsourcing can be a viable solution for that portion of the e-discovery process that requires supervised human review and analysis.
- Pay-Per-Use Pricing. Where litigation is more volatile in terms of volume and timing, a “pay-per-use” pricing for insourced use of third-party technologies can prove cost-effective. This pricing model provides some benefits to enterprises that have very few litigations, but a large volume of ESI for assembly, analysis, protection and disclosure.
- Consumption-Based Pricing. Consumption-based pricing reflects the volume of ESI being sorted and analyzed. This pricing model provides benefits for enterprises that want to allocate litigation costs to individual lines of business or affiliated companies, as a charge-back accounting principle that effectively rewards litigation-free business managers for staying away from the judicial system.
Relative Advantages of Insourcing.
- Industries Affected by Persistent Litigation. Several software tools exist that allow in-house counsel and the CIO to conduct the full forensic discovery using staff employees. Internalization of the discovery process makes economic sense where the company is constantly involved in litigation. Such companies typically include insurance companies, banks, consumer products manufacturers, and can include food service chains and franchisees. Other companies that are subject to class action claims for torts or securities law violations can fall into this category as well, impacting virtually any publicly traded company that has a volatile stock price.
- Control of Records Management; Cost Management. Software and IT services companies argue that insourcing can significantly reduce the costs of e-discovery. They argue that, by taking control of the forensic search, collection, analysis and processing of a company’s electronic records, companies have more flexibility and control over the manner in which these critical discovery processes are conducted. This control can translate into cost savings by enabling closer on-site supervision by the internal lawyers. Cost savings must be compared to comparable external services. Cost savings that might arise from an easier ability to make small changes in the search criteria, for example, may result in a loss of the hard-wired “e-discovery plan” that serves as the basis of justifying to the court that the discovery disclosures comply with civil procedure to locate and disclose all relevant records.
- Protection of Trade Secrets and Intellectual Property. Insourcing, or using captives, can provide a significant level of additional protection for knowledge management, trade secrets and intellectual capital. Such protection comes at the cost of maintaining internally controlled resources. Outsourcers will claim that their security levels are higher than those in many global enterprises. Outsourcers offer personal non-disclosure covenants by individual employees. But there is always a risk, whether through insourcing or outsourcing, that the personnel having access to trade secrets, for example, might abuse their positions of trust through tipping a securities investor, selling the ideas to a competitor of the enterprise or other tortious conduct. Even a non-disclosure agreement does not constitute a valid non-competition covenant, and even non-competition covenants are unenforceable as a matter of public policy unless strictly limited in time, territory and scope, and (in California and some other jurisdictions) they may require additional payments of consideration. In short, neither insourcing nor outsourcing appears to have a clear advantage in this field, except that e-discovery managers who are employed by the enterprise might offer an advantage by having ongoing knowledge of what is (and is not) a trade secret for faster, better, “cheaper” claims to a protective order.
- Effectiveness of Coordination and Collection of ESI. The use of skilled internal people who know the company’s operations may be able to provide better collection and coordination of ESI. However, “professional” e-discovery service providers may have the advantage in skills at the beginning as the company’s internal personnel become familiar with the processes and technology of e-discovery. Hence, insourcing might follow outsourcing until the processes can be internalized.
- Reduction of Risks of Noncompliance with e-discovery Rules. Well-trained, well-supported internal personnel might be able to reduce risks of non-compliance in the typical e-discovery process.
Relative Advantages of Outsourcing e-discovery. Outsourcing of e-discovery processes may be costly, but it may be the best solution for several reasons. This requires an analysis of the relative merits. This “gating analysis” should include appropriate considerations of staffing, quality, ethical risks and speed.
- Staffing. One of the key benefits of outsourcing, and one of the key parameters in selecting the right outsourcing service provider, is the service provider’s staff. The best outsourcers have developed a methodology for human capital management in the specialized field of e-discovery and related disciplines. The outsourcer designs a service delivery platform, recruits, trains and tests its staff in generic functions (including project management, information technology and security) and then offers this staff for custom-training on the litigating company’s particular process and e-discovery requirements. Using a business company to provide litigation support can run afoul of ethics and disciplinary rules applicable to the litigating company’s (or its law firm’s) lawyers. Law Society rules in England will change if and when a pending draft law is modified to permit competent non-lawyers to perform tasks that might be considered the practice of law. Under applicable ethics opinions of the American Bar Association and various city and state bar associations, the in-house lawyer or outside law firm cannot escape certain core ethical duties:
- to supervise the work of the outside service provider;
- to avoid assisting in the unauthorized practice of law (“UPL”);
- to ensure the protection of client confidences;
- to avoid waiving any rule permitting a claim of legal privilege (and to rectify innocent or mistaken disclosures, see e.g., Fed. R. Evid. 502);
- to avoid conflicts of interest;
- to protect against data loss, theft or other act or omission that might constitute sanctionable spoliation;
- to comply with the rules of court relating to e-discovery and management of ESI at all stages.
- Vendor selection involves finding the right fit for the particular litigating company’s legal, regulatory, compliance, privacy, legal ethics and security requirements.
- Service Level Metrics and Quality Considerations. Few internal employees want to live by performance metrics. Outsourcers live by “guaranteeing” service metrics and other quality parameters.
Offshoring Issues. In considering an offshore captive or an offshore LPO outsourcing, the company’s lawyers must evaluate special cross-border legal issues.
- Export Controls. By transferring any U.S. data abroad, the company may require a license from one or more branches of the U.S. government. While commercial information may be subject to a general export license that does not require any notification, filing or administration, some information (such as software or design information that may have dual civilian and military uses) may require a specific license. Similar issues arise where the company’s ESI includes trade secrets, pending patent applications and other information that is subject to a required export license.
- Data Protection. Data protection rules under HIPAA and other legislation may apply to the data being processed. Foreign LPO service providers must ensure compliance.
- Privacy. Privacy rights arise from many legal sources and different jurisdictions. Depending on the source of any personally identifiable information (“PII”), any transfer of company records to a foreign LPO service provider may violate applicable rules. This issue suggests a proactive approach in the design and implementation of the company’s overall information management systems.
- Third-Party Consent. The information in a company’s database may include information that is licensed under restrictive disclosure conditions or where a third-party’s consent is required by an applicable law. Third-party consent may be required.
- Client Consent. The information in a company’s database may also require the client’s consent.
- Political Risk. Foreign service providers come with a suite of political risks that could impair service quality, timeliness of service, confidentiality and other custody and control issues for the ESI and the foreign nationals accessing such ESI.
IV. PROJECT MANAGEMENT
Most effective e-discovery procedures will require effective integration of internal and external resources. The design, planning, implementation, performance, intermediate re-balancing and supervision of all resources remain, of course, in the hands of the company, and, in particular, in-house attorneys. The Legal Department (which is ultimately responsible) may wish to consult with “outsourcing lawyers” not merely with litigation counsel on achieving a flexible, cost-effective, efficient design, vendor selection and supervision, review of compliance with ethics rules and project management.
Evaluation Process. Companies evaluating an LPO solution for e-discovery (or any other LPO) should therefore carefully explore all relevant implications, design the program for compliance and quality of service, address special issues involving any cross-border data flows and other commercial, judicial rules, legal and ethical requirements.
Project Management Roles. Each LPO project requires thoughtful and careful attention to ensuring that all responsibilities of the different parties are aligned with their roles. Within the outsourcing model, there is room for designing and allocating roles and responsibilities to give in-house attorneys control of the process so that they can manage the ethical responsibilities. The introduction of the LPO service provider raises new questions whether the cost-controlling measures will impair (or improve) the quality of the outcome. External lawyers could also manage the service providers.
V. BUSINESS MODELS
- Business Models. Currently, most LPO e-discovery services are conducted under business models of insourcing (including contract attorneys), captives and outsourcing.
- New Models. Over time, companies and their legal counsel will become more familiar with the tools, alternatives and strategies for effective LPO, including identifying and assessing risks and evaluating a risk-benefit matrix. With greater maturity in capabilities, new business models for identifying and managing e-discovery processes, tools and personnel may evolve. The impact of cloud computing, platform-as-a-service, software-as-a-service, virtualization of both servers and client computing and mobile computing will challenge enterprises and their technology and legal service providers to integrate a holistic and global ESIM process to incorporate the EDRM subset as “business as usual.”
Outsourcing Law & Business Journal™: October 2009
October 29, 2009 by Bierce & Kenerson, P.C.
OUTSOURCING LAW & BUSINESS JOURNAL (™) : Strategies and rules for adding value and improving legal and regulation compliance through business process management techniques in strategic alliances, joint ventures, shared services and cost-effective, durable and flexible sourcing of services. www.outsourcing-law.com. Visit our blog at http://blog.outsourcing-law.com for commentary on current events. Insights by Bierce & Kenerson, P.C. www.biercekenerson.com […]
Case Study for Legal Risk Management for “Cloud Computing”: Data Loss for T-Mobile Sidekick® Customers
October 29, 2009 by Bierce & Kenerson, P.C.
Telecom providers are increasingly outsourcing IT functions for “cloud computing.” A widespread data loss in mid-October 2009 by an IT outsourcer to a mobile telephony provider underscores the practical limitations of using the Internet as a data storage platform.
In this episode, subscribers to T-Mobile Sidekick® mobile devices were informed that their personal data – contact information, calendars, notes, photographs, to-do lists, high scores in video games and other data – had almost certainly been lost. T-Mobile (a service of Deutsche Telekom AG) had outsourced the management of the “cloud computing” function for the Sidekick® devices to Microsoft’s subsidiary, Danger, Inc. While T-Mobile has offered a $100 freebie in lieu of financial compensation and some data was recovered, the case invites legal analysis of the liability of any service provider – whether for mobile telephony or enterprise backup and remote storage – for “software as a service” (“SaaS”) or “cloud computing.”
Technological Framework for “Cloud Computing.” “Cloud computing” means simply that data are processed and stored at a remote location on a service provider’s network, not on the enterprise’s network or a consumer’s home computer. Such data could be any form of digital information, ranging from e-mail messages (such as those stored by Google and Yahoo!) to databases, customer records, personal health information, employee information, company financial information, customer contracts and logistics information.
“Clouds” come in two flavors: public and private.
- In a public cloud, the general principles of the Internet apply, and data transmissions can flow between many different third-party computers before reaching the service provider’s servers. Amazon offers hardware in variable computing capacities in its “Elastic Compute Cloud” (or “EC2”) services. Similarly, Google offers an “App Engine.”
- In a private cloud, one service provider (alone or with its subcontractors) controls the entire end-to-end transport, processing, storage and retrieval of data.
Cloud computing exposes users to some key vulnerabilities and added costs:
- The user depends on a high-performance Internet connection. Service level performance cannot be guaranteed except in private clouds.
- “Single points of failure” (“SPOF”) in data transmission, processing and storage, for which special security measures and redundancy may be required. Heightened security risks require extra resources.
- Loss of control over the public portion of a “public cloud” can impair performance through delays and data loss resulting from uncontrolled environments.
- Delays in data restoration may occur due to interruptions in data transmissions.
- Business continuity, resumption and data protection require special solutions.
- Passwords could be guessed using information gathered from social networking tools. If the user accounts are maintained internally in a controlled network, the systems can apply techniques to detect and eradicate misuse and abuse by users based on aberrational access profiles and unauthorized territorial access. In a public cloud, security tools such as data leak prevention (“DLP”) software, data fingerprinting, data audit trail software and other tools might not be effective.
Such vulnerabilities explain why “cloud computing” needs special controls if used as a platform for providing outsourced services.
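The list above refers to detecting misuse from aberrational access profiles and unauthorized territorial access. The following Python script is an added example, not code from the article or from any provider it names; it builds a per-account baseline from constructed sample login records and flags later logins that break that baseline. The log format, the country allow list, the two-hour tolerance around usual login hours and the ten-minute failure window are all assumptions chosen for the illustration.

```python
"""Flag logins that deviate from a per-account access profile.

Added example, not code from the original article. The log lines, country
allow list, tolerances and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Each line: ISO-8601 timestamp, account, ISO country of the source address, result.
SAMPLE_LOG = """\
2009-10-01T09:12:00 alice US ok
2009-10-01T17:45:00 alice US ok
2009-10-02T08:58:00 alice US ok
2009-10-01T10:03:00 bob DE ok
2009-10-02T11:30:00 bob DE ok
2009-10-03T03:14:00 alice RU fail
2009-10-03T03:15:00 alice RU fail
2009-10-03T03:16:00 alice RU ok
2009-10-03T09:00:00 bob DE ok
2009-10-04T14:20:00 bob FR ok
"""

# Assumed tenant policy: countries from which any login is acceptable at all.
ALLOWED_COUNTRIES = {"US", "DE", "FR"}
HOUR_TOLERANCE = 2                  # hours either side of a usual login hour
FAIL_WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 2                  # failures within FAIL_WINDOW that raise an alert


def parse(log_text):
    """Turn the whitespace-separated log into a time-ordered list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until):
    """Per-account countries and login hours seen in successful logins before `until`."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "ok":
            base[e["user"]]["countries"].add(e["country"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def detect(events, baseline, window_start):
    """Return (account, rule, timestamp) alerts for events at or after window_start.

    Rules applied:
      unauthorized-territory  source country outside the tenant allow list (any result)
      fail-burst              FAIL_THRESHOLD failures for one account within FAIL_WINDOW
      new-country             successful login from a country the account never used
      off-hours               successful login outside the account's usual hours
    The hour comparison does not wrap around midnight, so keep HOUR_TOLERANCE small.
    """
    alerts = []
    recent_failures = defaultdict(list)
    for e in events:
        if e["ts"] < window_start:
            continue
        user, when = e["user"], e["ts"].isoformat()
        if e["country"] not in ALLOWED_COUNTRIES:
            alerts.append((user, "unauthorized-territory", when))
        if e["result"] != "ok":
            fails = recent_failures[user]
            fails.append(e["ts"])
            fails[:] = [t for t in fails if e["ts"] - t <= FAIL_WINDOW]
            if len(fails) == FAIL_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append((user, "fail-burst", when))
            continue
        profile = baseline.get(user)
        if profile is None:
            continue  # no history for this account: nothing to compare against
        if e["country"] not in profile["countries"]:
            alerts.append((user, "new-country", when))
        if all(abs(e["ts"].hour - h) > HOUR_TOLERANCE for h in profile["hours"]):
            alerts.append((user, "off-hours", when))
    return alerts


def run_example():
    """Baseline on the first two days of SAMPLE_LOG, then inspect the remaining events."""
    events = parse(SAMPLE_LOG)
    cutoff = datetime(2009, 10, 3)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, rule, when in run_example():
        print(f"{when} {user:6} {rule}")
```

On the constructed log the script raises eight alerts: every event from RU trips the territory rule, the second failed attempt trips the failure-burst rule, and the two successful logins from a country the account had never used are also flagged as off-hours. Bob's 09:00 login from DE on the third day matches his profile and produces nothing, which is the behaviour a baseline is meant to give.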
In the October 2009 T-Mobile debacle, users relied on the telecom service provider to store and back up the data. Mobile telephony devices (other than laptops) were seen as tools for creating, but not storing, significant volumes of data. Remote data storage was a unique selling proposition, or so one thought.
T-Mobile’s Technological Failure. On its website, T-Mobile exposed the technological sources of the failure of its “cloud computing” for mobile devices. It explained:
We have determined that the outage was caused by a system failure that created data loss in the core database and the back-up. We rebuilt the system component by component, recovering data along the way. This careful process has taken a significant amount of time, but was necessary to preserve the integrity of the data. SOURCE: T-Mobile Forums, Oct. 15, 2009 update.
Mitigating Damages: Public Relations Strategy for Restoring Customer Confidence and Maintaining Brand Goodwill. After some delay, without admitting any liability or damages, T-Mobile adopted a “damage control” strategy adapted from the usual “disaster recovery” process models:
Compensation. It offered any affected customers a $100 gift card for their troubles in addition to a free month of service.
Communication Outbound. It created and updated a Web forum for Sidekick users to get information about the nature of the problems, whether the data loss was irretrievable and the time to resume operations.
Communication Inbound. It provided an e-mail contact address so that it could respond to inquiries and thus identify and counteract rumors that might have been spreading.
Compliance. T-Mobile notified the public media since the “disaster” exposed it to the possibility that more than 5,000 consumers in any particular state might have had their personally identifiable information (“PII”) exposed to unauthorized persons such as hackers. Such notifications (along with other notices to individual customers and designated government officials) are mandated by state law in over 40 states.
Corrections and Control. It focused on remediation first, deferring problem resolution with any claims against its service provider, Microsoft’s subsidiary Danger, Inc.
Confidentiality. It kept its communications with its failing provider confidential and focused on remediation.
Escaping Liability for Damages. Generally, telecom service providers disclaim liability in excess of a small amount. Further, service contracts contain exclusions of liability for consequential damages as well as force majeure clauses. Generally, such disclaimers and exclusions are enforceable. However, various legal theories might prevent a service provider from escaping liability for failed service delivery.
Legal Risks for Providers of “Cloud Computing” Services. T-Mobile consumers might assert various legal theories against T-Mobile for damages if their data are not fully restored, or if T-Mobile fails to act promptly and reasonably to mitigate damages to consumers.
False Advertising; Unfair and Deceptive Practices. State and federal laws prohibit false or deceptive advertising and unfair and deceptive practices. Enforcement of these laws is generally restricted to governmental agencies such as the Federal Trade Commission, the Federal Department of Justice and the state Attorneys General. Deception is a term of art and depends on the facts. In this case, the question is how solidly did T-Mobile portray the benefits of “cloud computing,” and did it warn against loss of data. If T-Mobile can show that it warned users of potential data loss and recommended that they back up their own data, such a warning might relieve it from liability. If T-Mobile represented that it would use reasonable security, backup and business continuity services, subscribers with lost data might have a claim of negligence or gross negligence.
Consumer Fraud. Under common law and state consumer protection laws, generally, a fraud occurs when the seller knowingly misleads or makes a false statement of fact to induce the consumer to make a purchase. A massive fraud is subject to a class-action claim in Federal court under the Federal Rules of Civil Procedure.
Magnuson-Moss Warranty Act. Normally, an outsourcing services contract is not one that is associated with the maintenance of a product such as a telephone or a computer. If the service provider were also selling any equipment to the customer, and the customer were a “consumer,” and the service provider agreed to maintain or repair the consumer product, then the Magnuson-Moss Warranty Act, 15 U.S.C. § 2301 et seq., would apply. This risk explains why sellers of consumer products (mobile telephones) offer only limited warranties. The Magnuson-Moss Warranty Act is probably not a source of potential liability for T-Mobile, but that depends on the customer contracts.
Privacy Violations. Cloud computing providers may become liable to consumers or enterprise customers for failure to comply with applicable privacy statutes. Such statutes protect personal health information (under HIPAA), personal financial information (under the Gramm-Leach-Bliley Act), personally identifiable information (state and federal laws), financial information of a plan fiduciary under ERISA, or simply confidential information that could be a trade secret or potentially patentable idea of an enterprise or its customers, suppliers or licensors. Data subject to export control laws and regulations governing trade in arms and “defense articles” are thus not good candidates for “cloud computing” except in “private clouds.”
Enterprises hiring third-parties to remotely process and manage their operational data are liable to third parties if any protected data is mishandled, depending on the exact wording of the law. Allocation of liability for privacy and security violations is typically a negotiated element of any outsourcing agreement.
Protecting Consumers in Cloud Computing. The legal framework for “cloud computing” needs to be well defined before it can become a reliable business model replacing networks or local workstations. Regardless of disclaimers in consumer contracts, providers of “cloud computing” services will need to adopt reliable, resilient storage backups, disaster recovery and business continuity services. Moreover, when hiring a “cloud computing” service provider (as T-Mobile did when it hired Microsoft/Danger, Inc.), the seller must ensure high standards by its subcontractors. Telecom outsourcing to IT providers requires special technical and legal controls to protect the consumer and the telecom carrier.
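The T-Mobile statement quoted earlier attributes the loss to a failure that hit both the core database and the backup, and this section argues that providers need reliable, resilient backups. The following Python code is an added example, not code from the article, T-Mobile or Danger, Inc.; it records a signed digest manifest when a backup is taken and checks a restored copy against that manifest, so that a corrupted or incomplete backup is found by a routine restore test rather than during an outage. The file contents, the HMAC key and the in-memory representation of a backup as a mapping of path to bytes are constructed for the example.

```python
"""Verify that a backup can actually be restored intact.

Added example, not code from the original article or from any provider it
names. A backup is modelled as {path: bytes}; the manifest key and the
sample files are constructed for the illustration.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, key: bytes) -> dict:
    """Record a digest and size per file, then sign the manifest with an HMAC
    so the manifest itself cannot be quietly edited to match a damaged backup."""
    entries = {path: {"sha256": sha256(data), "size": len(data)}
               for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(manifest: dict, restored: dict, key: bytes) -> list:
    """Compare a restored copy against the manifest.

    Returns a sorted list of (path, problem) tuples; an empty list means the
    restore matches what was backed up. A manifest whose MAC does not verify
    is reported on its own, since none of its entries can be trusted.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(manifest["mac"], expected_mac):
        return [("<manifest>", "bad-mac")]
    problems = []
    for path, expected in manifest["entries"].items():
        data = restored.get(path)
        if data is None:
            problems.append((path, "missing"))
        elif len(data) != expected["size"]:
            problems.append((path, "size-mismatch"))
        elif sha256(data) != expected["sha256"]:
            problems.append((path, "corrupted"))
    for path in restored:
        if path not in manifest["entries"]:
            problems.append((path, "unexpected"))
    return sorted(problems)


def run_example():
    """Take a manifest of a constructed primary data set, then test two restores:
    one faithful copy and one that lost a file and flipped bytes in another."""
    key = b"constructed-manifest-key"      # assumption: stored apart from the backup
    primary = {
        "contacts.db": b"alice,+1-555-0100\nbob,+1-555-0101\n",
        "calendar.db": b"2009-10-15 dentist\n",
        "notes.txt": b"buy milk\n",
    }
    manifest = make_manifest(primary, key)
    good_restore = dict(primary)
    bad_restore = {
        "contacts.db": primary["contacts.db"],
        "calendar.db": b"2009-10-15 dentixt\n",   # same length, one byte changed
    }
    return verify_restore(manifest, good_restore, key), verify_restore(manifest, bad_restore, key)


if __name__ == "__main__":
    ok, bad = run_example()
    print("faithful restore:", ok or "no problems")
    print("damaged restore:", bad)
```

The point of the signed manifest is that a backup job which silently writes a truncated or corrupted copy, as the quoted statement describes for both the database and its backup, is only discovered when someone restores from it; running this check on a schedule against a test restore moves that discovery forward to a time when the primary copy is still available.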
Outsourcing Law & Business Journal™: May 2009
May 27, 2009 by Bierce & Kenerson, P.C.
Insights by Bierce & Kenerson, P.C., Editors. www.biercekenerson.com
Vol. 9, No. 5 (May, 2009)
___________________________
1. Contingency Planning for your Supply Chain: Business Continuity in a Pandemic.
2. Humor.
3. Conferences.
___________________________
1. Contingency Planning for your Supply Chain: Business Continuity in a Pandemic. The risk of a pandemic has become a realistic possibility, following the SARS outbreak in China a few years ago and the “swine flu” outbreak in Mexico in 2009. Business contingency planning should include not only the possibility of a pandemic but also the impact of a pandemic upon the supply chain including business operations performed by independent contractors (such as outsourcers and suppliers) and affiliates (captives and joint ventures). In a pandemic, 40% of the population (both workforce and customer universe) could be idled. Now is the time to develop contingency plans and obtain updated contingency plans from those in your extended supply chain. For the full article, click here.
2. Humor.
Cloud Computing, n. (1) multi-nodal virtualization of servers across a network; (2) numbers crunched in heaven; (3) IT services provided by supernatural forces.
Pandemic, n. (1) viral inspiration for Software as a Service, Cloud Computing, Work at Home Agents, telecommuting and virtualization of the global enterprise and its supply chain; (2) human resource roulette.
3. Conferences.
June 3, 2009, Global Sourcing Council (GSC)’s Conference on Global Sourcing After the Meltdown: In Search of Sustainability, New York, New York. Sustainability has become more than a politically correct slogan in a global PR campaign. Sustainability-driven leaders harness the market potential for green products and services, especially in times of global crisis.
The 2009 Sustainability in Global Sourcing Summit will examine how corporate sustainability creates stockholder value through the supply chain, especially in the area of global social responsibility. This event will serve as a forum for thought leaders from the business, academic and political arenas to:
- Challenge the pre-recession assumptions of global growth based on short-term results driven by the quarterly reporting system
- Propose a framework of aligning economic growth with sustainable social development
- Redefine the role of global sourcing after the global crisis
This conference can earn you 11 CLE (Continuing Legal Education) credits. For more information, click here.
June 7-9, 2009, IQPC’s 3rd Annual Shared Services Exchange, Miami, Florida. This is an invitation-only gathering for VP and C-Level senior executives made up of highly crafted, executive level conference sessions, interactive “Brain Weave” discussions, engaging networking opportunities and strategic one-on-one advisory meetings between solution providers and delegates. With a distinguished speaking faculty from Coca-Cola, CIGNA, American Electric Power, AOL and Safeway, amongst others, the seats at the 2009 Exchange are limited and filling up quickly. We have limited complimentary invitations available for qualified delegates for a limited time. Please give us your reference ‘Outsourcing-Law’ when inquiring. There are solution provider opportunities also available for companies who want to be represented. You can request your invitation at exchange@iqpc.com or call us at 1866-296-4580. Visit our website.
July 27-29, 2009, IQPC’s 7th Annual Procure-to-Pay Summit, Boston, Massachusetts. Leveraging current opportunities around corporate spend management whilst minimizing the impact on A/P, the 7th Procure-to-Pay Summit is expanding on its previous success and featuring new additions to the program, including: in-depth coverage of various AP optimization approaches: centralization, outsourcing and automation; new emphasis on strategic sourcing and global procurement; new techniques and tools for maximizing supplier relationships in procurement and efficiently expediting supplier payments in AP. For more information, please click here.
September 22-23, 2009, American Conference Institute’s 7th Annual Advanced Forum on E-Discovery and Document Management, Philadelphia, Pennsylvania. Be a part of the leading cross-industry e-discovery and information management forum for corporate counsel, litigators, and technology professionals. At a time when most companies are striving to reduce costs and trim staff, the burdens of e-discovery can be crippling. What’s more, court-imposed sanctions for e-discovery failures could very well place you on the losing side of bet-the-company litigation. Given the complexity, variety, and evolving nature of information management and communication technologies, it comes as no surprise that corporate and outside counsel often find themselves at a loss as to how to manage the e-discovery process. However, neither opposing counsel nor the courts are going to have any sympathy for those who stumble over e-discovery hurdles. Thus, it is imperative that you take the lead in ensuring that your company is well-positioned to manage the demands of e-discovery. For more information, please click here.
September 28-October 2, 2009, IQPC and SSON 13th Annual Shared Services & Outsourcing Summit, Chicago, Illinois. Join us at the 13th Annual Shared Services & Outsourcing Summit this fall, the can’t-miss event for all professionals involved with shared services and outsourcing, at every stage of adoption. This customizable program provides the key strategies that you can bring back to your organization, with areas of focus in:
- Planning & Launching Shared Services
- Finance Transformation
- Measurement & Process Excellence
- HR Transformation
- Smart Contracting for Mature BPO Deals
Our Shared Services series attendees agree – the content from just one event vastly accelerates experiential learning and provides the necessary networking opportunities to benchmark against peers. Visit the website for more information, including webcasts, podcasts, articles and other resources.
******************************************
FEEDBACK: This newsletter addresses legal issues in sourcing of IT, HR, finance and accounting, procurement, logistics, manufacturing, customer relationship management including outsourcing, shared services, BOT and strategic acquisitions for sourcing. Send us your suggestions for article topics, or report a broken link at: webmaster@outsourcing-law.com. The information provided herein does not necessarily constitute the opinion of Bierce & Kenerson, P.C. or any author or its clients. This newsletter is not legal advice and does not create an attorney-client relationship. Reproductions must include our copyright notice. For reprint permission, please contact: publisher@outsourcing-law.com. Edited by Bierce & Kenerson, P.C. Copyright (c) 2009, Outsourcing Law Global LLC. All rights reserved. Editor in Chief: William Bierce of Bierce & Kenerson, P.C. located at 420 Lexington Avenue, Suite 2920, New York, NY 10170, 212-840-0080.