Europe’s Cyber Security Directive Could Cost Organizations Billions

The Limestone Cops — Tips on Madoff Red Flags Never Escalated at SEC

It’s hard to believe that, with all the resources poured into government following the adoption of the Sarbanes-Oxley Act in 2002, the escalation process at the SEC failed in the Madoff case. New reports show that junior SEC staff neglected to involve more seasoned enforcement officers and failed to stop what turned out to be a $65 billion Ponzi scheme. See SEC chiefs in dark as Madoff evaded junior staff.

The cost to all the investors has been devastating, and the internal escalation process in the agency needs significant remediation.

Whither Cloud Computing?

If you’ve heard of cloud computing and all the security issues that surround it, and if you’re wondering if you should trust the security of your sensitive and confidential data to a third party service provider, well, all I can say is that you’re like the old timer who hoards his wad of cash in crumpled bills under his mattress, believing that that’s the safest place for them simply because it’s within eyesight range. It’s an old school of thought that if you can see it, you can protect it. And although we have come a long way since the system of banking was invented and we accustomed ourselves to it, we’re still cavemen at heart who would prefer to keep our valuables close by.

Arguably the most valuable asset any enterprise has today is its data; without information, they’re nothing. And they must provide this data with the best safeguards there are in the business. This is why levels of security and passwords were invented, so that data is protected from prying eyes and the wrong hands. But your entire setup is only as strong as the weakest link, and here, it’s the human factor. If one employee can be tempted to compromise their principles and ethics, for money, revenge or any other reason, then it’s time to say goodbye to the usefulness of proprietary security measures. Human beings are also prone to errors, and because of that, we have data breaches through stolen and misplaced laptops or computers left unprotected through oversight.

Cloud computing is a pretty safe bet when you consider such issues – your data is not in your hands, which makes internal security lapses a moot issue. But there are other aspects that you must consider – the popularity and efficacy of the service provider you choose. Take Google for instance; the search engine giant is extremely popular, and as such, an attractive target for hackers. They know that if they target the cloud, they can bring down a host of sites with one blow. And so they’re going to try harder in their efforts to do so.

But organizations would be willing to stick with Google because they know what it’s capable of; they know that it has a reputation to live up to, and that there’s a certain aspect of trust involved when you’re putting all your eggs in one basket. Cloud computing is exactly that – putting all your eggs in one very protected basket. But if the basket does break, you’re in an unholy mess with egg all over your face! It’s a tricky proposition, deciding whether or not to go with cloud computing, a decision that your needs and budget must dictate.

The idea is still in its early stages, so we must wait and watch to see if any further security issues crop up. And crop up they will, because where there’s a target, you can bet your last dollar that there will be a hunter hidden in the bushes somewhere.

This post was contributed by Datakos guest author Holly McCarthy, who writes for the online college. Holly can be reached at hollymccarthy12@gmail.com.

Protecting Privilege — New Rule 502 mitigates the risk of inadvertent e-discovery disclosures

By Michael Kozubek

Published in the 2/1/2009 Issue of Inside Counsel.

Privilege review has been a major culprit in the skyrocketing cost of e-discovery. With hundreds of thousands of documents subject to discovery in numerous cases, attorney-client communications and work-product information frequently end up in the hands of the opposing party. Because the production of privileged documents during discovery waives the privilege, discovery teams scour through documents trying to ensure nothing slips through that could damage their case. Still, with the volume of electronically stored information, inadvertent disclosure is almost inevitable, with potentially devastating results.

“Cases have been lost in part because of inadvertent disclosures,” says Bobby Balachandran, CEO of Exterro, a legal hold and workflow software provider.

But that risk diminished when Rule 502 of the Federal Rules of Evidence (FRE 502), originally drafted by the Judicial Conference Committee on Rules of Practice and Procedure, recently became law. The new rule is designed to mitigate the expense of privilege review while protecting companies from potentially large liabilities arising from inadvertent disclosures of privileged communication.

The rule provides that privilege is not waived when privileged communications are inadvertently disclosed, provided the holder of the privilege took “reasonable steps” to prevent disclosure and to rectify the error.

Litigators celebrated the enactment of FRE 502 while warning that it is not a panacea and does not remove the need for sound e-discovery management practices.

“The new rule is welcome news for litigants,” says David Lender, a partner at Weil, Gotshal and Manges. “An inadvertent production will not result in the waiver of the privilege as long as reasonable steps are taken to preserve the privilege before production.”

CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case

The U.S. Department of Health and Human Services and the Federal Trade Commission today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels. The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act. OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.

At the same time, the FTC opened an investigation of CVS. OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC. “OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR. “Such safeguards will benefit consumers everywhere.”

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal. Among other issues, the reviews by OCR and the FTC indicated that:

* CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and
* CVS failed to adequately train employees on how to dispose of such information properly.

Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information.

They can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

Information about the FTC Consent Order agreement is available at http://www.ftc.gov.

Feds Set Sights on ‘Gatekeepers’ in Fraud Investigations

Joe Palazzolo
Legal Times

Federal law enforcement officials said Wednesday they are targeting lawyers, mortgage brokers, real estate brokers and other “gatekeepers” who perpetrated fraud that contributed to the current economic crisis — a clear warning shot as the federal government is pumping billions of dollars into the financial sector.

“They have the most to lose, they’re the most likely to flip, and they make the best examples,” said Neil Barofsky, the special inspector general for the Troubled Assets Relief Program, during a congressional hearing on fraud enforcement. Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., was even more blunt: “I want to see these people prosecuted,” he said. “Frankly, I want to see them go to jail.” The hearing was meant to underscore the need for more law enforcement resources amid an upsurge in mortgage and corporate fraud investigations.

Leahy and Sen. Charles Grassley, R-Iowa, have introduced a bill that would expand the scope of federal fraud laws and provide funding for more prosecutors and investigators. FBI Deputy Director John Pistole told the committee that mortgage fraud investigations nearly doubled in the last two years to more than 1,600 in 2008. The bureau, he said, has more than 530 corporate fraud investigations open, including 38 directly related to the current financial crisis.

Pistole said he could see that number potentially rising into the hundreds. But federal law enforcers could do much more with additional resources, he said, pointing to the Justice Department’s successes in the wake of the savings-and-loan crisis of the 1980s. At the time, 1,000 agents and forensic investigators and dozens of federal prosecutors were devoted to the effort, which produced more than 600 convictions and $130 million in restitution. Compared to the $160 million lost during the S&L crisis, the current situation is far more dire, with financial institutions globally reducing their assets by more than $1 trillion. But the Justice Department’s focus on national security has diminished the fraud ranks.

Pistole said 240 agents, supplemented by investigators from other agencies, are working on fraud cases stemming from the economic crisis. Rita Glavin, acting head of the Justice Department’s Criminal Division, said the department was in discussions with Barofsky about how best to handle criminal referrals and prosecutions when his office uncovers wrongdoing. She also said the Justice Department’s fraud section had created a mortgage fraud working group, with a collection of other enforcement agencies. Sen. Sheldon Whitehouse, D-R.I., asked Glavin whether DOJ had any designs for a nationwide mortgage fraud taskforce. Then-Attorney General Michael Mukasey repeatedly rejected the idea, saying individual U.S. Attorneys’ Offices were better equipped to handle the work. Glavin said the department was studying the issue. “No decision has been made with respect to that,” she said.

Tough Times for Corporate Legal Departments

Lexakos asked law department leaders again about their concerns, priorities and resource allocation plans for 2009. This year’s benchmarking survey covers reporting metrics, outsource planning for IP and litigation, budget pressures, e-discovery, privilege waiver management in relation to new Federal Evidence Rule 502, and other compliance priorities.

In 2007 and 2008, Compliance Week, the leading publication and information service on corporate governance, risk and compliance, chose Lexakos as a conduit for gathering and analyzing compliance needs across all industries.

On February 3, 2009, Compliance Week featured the results from Lexakos’ most recent strategic planning survey, with over 230 corporations participating. In addition to highlighting Lexakos’ relevance in the compliance arena, this coverage gives Lexakos an exclusive perspective of hundreds of companies’ needs and practices. Here is an excerpt:

The new study of corporate law departments confirms what most general counsels already know: 2009 is going to be a rough year.

Forty percent of legal departments expect a decrease in their overall operating budget for 2009, compared to only 8 percent last year. At the same time, however, litigation activity is rising—particularly for the financial sector, besieged by investors unhappy with the sub-prime mortgage meltdown and victims of the Bernard Madoff Ponzi scheme.

“Even though budgets are being tightened, litigation is going up,” says Rick Wolf, CEO of the consulting firm Lexakos, which conducted the survey. “What it suggests to me is that they’re being asked to do more with less.”

David Cohen, co-chair of the e-discovery analysis and technology group at the law firm K&L Gates, has observed similar trends. “Corporate law departments are facing two realities. The first reality is that litigation does not go away in troubling economic times, and the cost of that litigation tends to go up, not down, every year,” he says. “General counsel are left on the horns of a dilemma: how to cut litigation costs in the face of no decrease in litigation, and often increasing e-discovery demands.”

Those pressures should lead in-house legal departments to prune back the volume of work they leave to outside law firms by doing more work themselves. But law departments are now under their own pressure to cut back on staff. “The result of all of that, paradoxically, is that lawyers are stretched even more thinly than they have been in the past, making it difficult to bring more work in house,” Cohen says.

As a result, law departments are getting more creative in how they cut costs and managing themselves more efficiently, Wolf says. For example, only 32 percent of law departments last year used a centralized litigation group; that number jumped to 49 percent for 2009. And while only 20 percent of respondents last year said their legal departments had a strategic plan for the year, that number soared to 57 percent this year.

Compliance Week ran a similar feature article on the Lexakos 2008 Strategic Planning Survey titled “Records Management: A Governance Crisis?”

For a copy contact information@lexakos.com.

New Data Breach, Privacy Bills in Congress

Richard Adhikari

One year after trying unsuccessfully to introduce legislation on data breaches and protection of individual privacy, California Senator Dianne Feinstein (D-Calif.) is trying again.

This week, she introduced Bills S.139, the Notification of Risk to Personal Data Act and S.141, the Social Security Number Misuse Prevention Act.

Bill S.139 would require federal agencies or businesses to notify both the media and victims whose personal data has been breached without unreasonable delay, although limited exemptions are allowed for law enforcement and national security reasons.

It says the U.S. Secret Service must be notified if more than 10,000 individuals’ records are breached, or the database breached contains more than one million entries, or is owned by the federal government, involves national security or law enforcement.

For more see internetnews.com.

Kill the Billable Hour? A British Response

The legal sector rarely experiences a change in momentum, but such a change seems to be occurring now.

Last week, The Am Law Daily picked up on a piece penned by Cravath, Swaine & Moore‘s Evan Chesler in the latest issue of Forbes magazine, entitled “Time to Kill the Billable Hour.” Cravath’s presiding partner, in presenting an impassioned case for abandoning the practice of charging of clients by the hour, lent his voice to a growing debate.

In the United Kingdom, lawyers and clients have never had the same all-consuming obsession with hourly billing as their American peers. Still, over the last 20 years hourly rates have become the dominant currency here as well, and the tide slowly is turning — some British companies and firms are much further along in making the change.

Last summer, our London-based sibling publication Legal Week broke the story that commercial TV network ITV asked its outside law firms to abandon the billable hour and instead adopt alternative billing arrangements. General counsel Andrew Garard, who joined the company in the fall of 2007 from the London office of Dewey & LeBoeuf, said he wanted ITV to become the first major U.K. company to abandon this form of billing, and he initiated a review of the company’s outside legal providers.

By last November, Garard had finalized a list of approved outside counsel, a panel of nine firms, including Dewey, DLA Piper, Lovells, and Slaughter and May, that had committed to alternative billing methods. “None of the firms will bill us with reference to a measure of time on any matters,” Garard told Legal Week.

For more see law.com.

A Mark to Market Rule for Lawsuits?

The Financial Accounting Standards Board (FASB) has proposed a new standard for public disclosure of pending lawsuits. This raises interesting legal technology and management questions for general counsels.

“Reporting Rights,” in the January 2009 issue of InsideCounsel, reports on FASB Statements No. 5 and 141[R]. These now-delayed rules would lower

“the threshold for reporting the potential loss from a lawsuit from the current ‘probable’ to anything short of ‘remote.’ … Currently, because many loss contingencies are reasonably possible rather than probable, companies usually deal with significant litigation by describing it and stating that an estimate of loss cannot be made. That’s a far cry from the detailed liturgy FASB’s original proposal mandated, a liturgy that critics say will not only fail to work as intended, but will prejudice companies in a variety of ways.”

It strikes me that you could view the proposed FASB standard as the moral equivalent of financial mark-to-market rules. Failure to mark financial assets to market contributed to the current economic crisis. If corporations now have to report more financial assets at market (rather than book) values, why not also the moral equivalent for lawsuits? I wish the article had analyzed whether the mark-to-market debate will affect the FASB rule-making.

For more see prismlegal.com.