Legal Project Management: A Tool for Corporate Counsel Topic #1

Transcription

1 Legal Project Management: A Tool for Corporate Counsel Topic #1 Ann Marie McDonald, PMP CCCA, NB Chapter, Law Firm Series, Part III November 30, 2012

2 Definitions Project : A temporary endeavour undertaken to create a unique product, service or result * Legal terms: a matter or a case Project Management : The application of knowledge, skills, tools and techniques to project activities to meet the project requirements * * Project Management Institute A Guide to The Project Management Body of Knowledge

3 PM in Action: PM divides projects into phases: Define scope of work what are the objectives Project plan defines tasks, team, stakeholders, milestones, deliverables, deadlines, communications, risks Budget / Cost Executing in accordance with project plan Monitoring and Control review against scope, budget, deadlines throughout Close post project review with client

4 PM Considerations: Key Project considerations: Scope, time, cost, quality, risk, communication, human resources Project plans : outline project blueprint Work breakdown structures: outline who will do the work & when

5 Application of PM to Legal Work Why? The economy Most legal projects have processes/steps A proven business approach to managing work LPM: applies structured format of PM to legal work Achieves better alignment between price & value of legal services Greater predictability on legal costs & results

6 LPM & Corporate Counsel Better budgeting More certainty on external legal spending Enhanced risk management Better RFP discipline Clarifies desired outcome at beginning Enhanced communication / collaboration between corporate counsel & outside counsel

7 Questions? Ann Marie McDonald McInnes Cooper s presentations are prepared for information only and are not intended to be either a complete description of any issue or the opinion of our firm. McInnes Cooper should be consulted regarding any situation to which any topic discussed herein might apply.

8

9 Risk Management: Identifying and Reducing Legal Liability Risks Topic #2 Matthew T. Hayes CCCA, NB Chapter, Law Firm Series, Part III November 30, 2012

10 Risk Management Risk exposure to the chance of injury or loss; a hazard or dangerous chance effect of uncertainty on objectives (CSA-ISO31000) Risk Management identification, assessment, and prioritization of risks coordinated activities to direct and control an organization with regard to risk (CSA-ISO31000)

11 Risk Process

12 Risk Identification Legal Risks Unrewarded Regulatory, Tax, Environmental, Health & Safety Rewarded Contract, Acquisitions, Business Activity

13 Risk Identification Identification of the Legal Risk Business Operations Regulatory Historical (claims history) Financial statements Experts Acts and regulations Permit inventory

14 Risk Identification Example Environmental Phase I Report - Inventory of hazardous substance - History of releases - Business operations - Property ownership - Inventory of contaminated property

15 Risk Analysis Causes and sources of risk Internal and external Positive and negative consequences Who bears the risk? Likelihood that those consequences can occur

16 Risk Evaluation Considers the results of the risk analysis What are significant risks? High probability - High Cost Low probability - Low Cost Select risk

17 Risk Treatment Take the risk to pursue the opportunity Avoid the risk Change the probability Change the consequence Share the risk

18 Risk Treatment Example - Insurance - Coverage Analysis does the coverage cover the risk? - Examples Typical exclusions for faulty workmanship, pollution, territorial limits, Errors & Omission - Reduce coverage duplication - Speciality policy Boiler & Machinery, E&O, Contractors E&O, D&O - Business Interruption insurance - Builders Risk

19 Risk Treatment Example - Contract - Indemnities Counter-party risk assessment - Agreements to insure Certificate of insurance, policy wording, and deductible(sir) Additional insured, waiver of subrogation, cross-liability, cancellation - Limitation of liability clauses - Liquidated Damages (New Brunswick) - Audit clauses - Protection of intellectual property - Control

20 Risk Treatment Internal Controls Team of experts approach Audit and outside experts Reporting structure Training Recognizing the risk

21 Questions? Matthew Hayes

22 McInnes Cooper s presentation s are prepared for information only and are not intended to be either a complete description of any issue or the opinion of our firm. McInnes Cooper should be consulted regarding any situation to which any topic discussed herein might apply.

23 Cloud Computing & BYOD: Issues for Corporate Counsel Nick Whalen (in coordination with David Fraser) CCCA, NB Chapter, Law Firm Series, Part III November 30, 2012

24 Cloud computing Distributed computing architecture in which data & applications reside on servers separate from the user & accessed via the Internet Applications & data generally accessible from anywhere, provided you are connected Numerous intended benefits + some downsides Several Cloud models

25 Back to the beginning? Personal Corporate

26 Legal Issues In Cloud Computing 1. Privacy 2. Contracting 3. HR

27 1. Privacy: Issues & Benefits Issues: - Loss of direct custody / control of information - Jurisdictional movement - Take it or leave it service agreements - Loss of portability Benefits: - Professional management - Data is not easily lost in Cloud

28 Forbidden Due to Privacy Issues? Risk Management: accountability & security - Understand where you stand now - Understand increased or decreased risks associated with cloud computing - Can increase in risk (if any) be managed? - Are you currently managing risk/will cloud computing help you better manage risk?

29 Managing Privacy Issues PIPEDA: - original custodian remains responsible for personal information regardless of management - cannot outsource or delegate (s ) : An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party

30 Jurisdiction Provincial Variances: MB, SK, ON, NB, NL, PE: do not limit public sector outsourcing NS, BC, ALTA: Public sector only QC: not prohibited; notification may be required No private sector laws prohibit using cloud computing OSFI Guideline B-10 regulates it as an outsourcing

31 USA Patriot Act Realities Canadian law mirrors most USA Patriot Act provisions (Anti-Terror, CSIS) Canada has a secret court allowing ex parte applications for warrants Canada has warrantless wiretap powers for international communications Significant Canada US cooperation

32 Privacy Diligence in the Cloud Original custodian should take a risk-based approach to fulfilling responsibilities to protect & safeguard personal information: - sensitivity of the information? risk to the data? role of jurisdiction in that risk?

33 2. Contracting Match diligence level to importance of what is being outsourced Ease of migration on / off the service Realistic assessment: Current situation vs. service being offered Benchmark against status quo vs. nirvana Improvements to costs/ privacy/ security/ service levels? Increased risks to privacy/ security/ control/ internal expertise/ IT morale? Mitigation?

34 Contracts Wish List

35 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service

36 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent

37 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent 3. Liquidated damages for any disclosure without consent; full indemnity only vs. limitations of liability re: privacy & security

38 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent 3. Liquidated damages for any disclosure without consent; full indemnity only vs. limitations of liability re: privacy & security 4. Obligation to cooperate with you in any regulatory investigations; will not deal with any regulators re: your information without your participation

39 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent 3. Liquidated damages for any disclosure without consent; full indemnity only vs. limitations of liability re: privacy & security 4. Obligation to cooperate with you in any regulatory investigations; will not deal with any regulators re: your information without your participation 5. Define scope of current implement of safeguards to protect information; commitment to provide improved security offered to other customers on same terms

40 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent 3. Liquidated damages for any disclosure without consent; full indemnity only vs. limitations of liability re: privacy & security 4. Obligation to cooperate with you in any regulatory investigations; will not deal with any regulators re: your information without your participation 5. Define scope of current implement of safeguards to protect information; commitment to provide improved security offered to other customers on same terms 6. Migration of your information at the end of term; no retention of your information

41 Contracts Wish List 1. Limited use of your data to your purposes only; data should be held in trust for customer; no IP grants except as needed to provide service 2. No disclosures without consent & obligation to resist orders to disclose information without consent 3. Liquidated damages for any disclosure without consent; full indemnity only vs. limitations of liability re: privacy & security 4. Obligation to cooperate with you in any regulatory investigations; will not deal with any regulators re: your information without your participation 5. Define scope of current implement of safeguards to protect information; commitment to provide improved security offered to other customers on same terms 6. Migration of your information at the end of term; no retention of your information 7. Disaster recovery plans

42 3. HR Issues Does Cloud require updated policies re: use of the company IT infrastructure? How do employee privacy expectations apply to a cloud resource? Employees may circumvent processes which are hard to learn, or decrease their ability to do perform tasks can this process be successfully ported to the cloud?

43 BYOD: Bring Your Own Device Use of personal devices for company business / connected to company IT infrastructure Some level of BYOD is inevitable Not just fanboys Increases costs: $170k per 1000 devices* * Aberdeen Group, CIO magazine, April 2012

44 BYOD: Legal Issues Discoverability Employee forfeiture of certain rights Rights to destroy data on device Rights to copy data on device Recent case law re: employee privacy expectation: R. v. Cole, 2012 SCC 53

45 BYOD: Policy Considerations Employees typically responsible for technical support, warranties & repairs to BYOD hardware Employer may manage data plans to leverage group discounts IT s right to wipe the device Impact of sharing BYOD or sale of BYOD by employee Devices meet specified technical standards & requirements to enforce password & encryption rules Scope: Smartphones, tablets, all personal computing devices? IT s right to access all data on the device Reasonable expectations of loyalty & good faith service vs. employee s reasonable expectation of privacy & ownership in data on own device.

46 R. v Cole, 2012 SCC 53 Teacher with work-issued laptop computer; policy allowed incidental personal use of laptop computer During routine maintenance tech found hidden folder with nude / partially nude photographs of underage female student Notified principal & copied photos to a CD; principal seized laptop & copied temporary Internet files onto a second disc, then handed laptop & 2 discs over to police Police - without a warrant reviewed contents, created a mirror image of the hard drive for forensic purposes & charged teacher with possession of child pornography & unauthorized use of a computer Defence: searches violated Charter s.8

47 R. v Cole: Police search Computers reasonably used for personal purposes whether found in the workplace or the home contain information that is meaningful, intimate, & touching on the user s biographical core Canadians reasonably expect privacy in information contained on work computers, at least if personal use is permitted / reasonably expected Workplace policies & ownership are relevant but not determinative Court must consider the totality of the circumstances to determine whether privacy is a reasonable expectation in the particular situation A reasonable though diminished expectation of privacy is still a reasonable expectation of privacy protected by Charter s. 8 thus is subject to state intrusion only under the authority of a reasonable law

48 R. v Cole Statutory duty to maintain a safe school environment & by necessary implication a reasonable power to seize & search school-board issued laptop Police could not rely on same power Court did not consider intricacies of employer search & seizure; could imply commercial workplaces without a statutory duty involving vulnerable groups may not enjoy blanket search & seizure power OK for school to report findings to police BUT police could & should have obtained a warrant Information remained subject to accused s reasonable and subsisting expectation of privacy

49 R. v Cole: BYOD Lessons Heightened privacy expectation in BYOD s vs. workplace device Government employers: Policy permitting unreasonable search & seizure will offend employee s Section 8 rights Non-government employers: collection, use & disclosure of private internet search histories & non-work related information on BYOD hardware may not be reasonable & doing so would violate PIPEDA If no duty akin to maintain a safe school environment, may be no corresponding right to intrude on workplace privacy of employees, even in workplace owned computers Policies explicitly addressing balance risk of information theft vs. employee rights more likely to be upheld

50 Questions? Nick Whalen David Fraser

51 McInnes Cooper s presentations are prepared for information only and are not intended to be either a complete description of any issue or the opinion of our firm. McInnes Cooper should be consulted regarding any situation to which any topic discussed herein might apply.

52 Avoiding & Managing Disputes: Tools for Corporate Counsel Eric LeDrew CCCA, NB Chapter, Law Firm Series, Part II November 30, 2012

53

54

55

56 Managing Disputes

57 Managing Disputes While Working DRB Model Board Mandatory referral Likely NOT binding

58 Managing Disputes After Work Finished Comprehensive Dispute Resolution System in every contract

59

60

61

62 Questions? Eric LeDrew

63 McInnes Cooper s presentations are prepared for information only and are not intended to be either a complete description of any issue or the opinion of our firm. McInnes Cooper should be consulted regarding any situation to which any topic discussed herein might apply.