PRIVACY IMPACT ASSESSMENT

Outsourced Litigation Support Services
September 2013
FDIC External Service

Table of Contents
System Overview
Personally Identifiable Information (PII) in OLSS
Purpose & Use of Information in OLSS
Sources of Information in OLSS
Notice & Consent
Access to Data in OLSS
Data Sharing
Data Accuracy in OLSS
Data Security for OLSS
System of Records Notice (SORN)
Contact Us

System Overview

The Federal Deposit Insurance Corporation (FDIC) Legal Division contracts with external vendors to provide legal support services and products in order to electronically process, host and store files and data that are part of the Legal Division's investigations, inspections, and litigation activities. The following vendors are categorized into the FDIC Outsourced Litigation Support Services system and perform a number of tasks on behalf of the Legal Division: Capital Legal Solutions, LLC; Deloitte Discovery; Integreon Managed Solutions (Integreon); Innovative Discovery, LLC; L Discovery, LLC (L Discovery); and RenewData Corp (RenewData). This includes enforcement, bankruptcy, corporate, professional liability, and inherited litigation matters.

The data collected from internal FDIC data sources as well as open or closed banks pursuant to litigation or investigations are processed and hosted by contractors and may include internal FDIC Electronically Stored Information (ESI) and/or paper records. Any potentially relevant data is placed on legal hold and preserved throughout the course of litigation.

Specific services provided by the outsourced litigation vendors include:

- Document acquisition, preparation and unitization; scanning, redaction, text extraction or Optical Character Recognition (OCR), ESI processing, image rendering and database creation, as well as creation of production sets to opposing counsel and other entities (e.g., Congress);
- Electronic data acquisition and processing;
- Pre-trial and trial support (providing resources in support of litigation);
- Forensic services performed by certified forensic professionals (such services are also routinely provided by DIT Security staff);
- Managed legal review, i.e., providing licensed attorney staff to conduct relevance and privilege reviews of processed data; and
- Managed data hosting (provision of review application (web-based), and administrative user access control, etc.).

The OLSS vendors primarily support large matters under the supervision of FDIC Legal Division attorneys. FDIC staff gather and provide the vendors with potentially relevant claims and enforcement case materials. Vendors do not download any ESI directly from FDIC Information Technology (IT) resources. FDIC attorneys also do not scan and upload any documents to vendor websites; rather, documents are securely shipped to the vendor or downloaded onto encrypted hard drives, CDs or DVDs and securely shipped for uploading to the externally hosted vendor web sites.

Authorized users can connect to review applications (e.g., Relativity, Infodox, etc.) via secure sites. Users are granted access based on role and are only allowed to review and tag documents. They are not allowed to edit or delete documents. Permission to perform any other activities outside of reviewing and tagging must be expressly approved by the FDIC Legal Division.

Personally Identifiable Information (PII) in OLSS

OLSS maintains personally identifiable information (PII) and non-PII information pertaining to borrowers/customers of failed financial institutions, Receivership payers/payees, failed bank officers/directors/employees, failed bank creditors or vendors, complainants, and bidders or investors. This information may include: full name, date of birth, social security number (SSN), employment status/history, home address, home/work phone number, address, employee ID number, driver's license, vehicle identifiers, criminal information, legal documents, criminal information, investigation report and financial information.

Purpose & Use of Information in OLSS

The FDIC Legal Division obtains professional legal support services and products to electronically process and store files and data. These files contain a significant amount of PII and sensitive data that require examination, categorization, and appropriate utilization for the purposes of performing tasks associated with investigations, inspections, examinations, and litigation. Assistance is required from outside vendors to respond to information requests from many sources (e.g., Congressional and third-party subpoenas, audits) and to provide assistance to the Legal Division attorneys and other professional staff members in acquiring, organizing, analyzing and presenting evidence in conducting a lawsuit or investigation.

Sources of Information in OLSS

Data is automatically extracted and collected (either manually or through EnCase) [1] from various sources that store ESI in hardcopy or electronic format for secure transmission and/or shipment to the contracted legal service providers. Material is collected, scanned and redacted as appropriate, then copied onto secure DVD or thumb drives. The media is encrypted and delivered to the vendors.
Examples of systems from which data may be retrieved by FDIC Legal or FDIC Division of Information Technology (DIT) Security, or other divisions/offices and shared with the vendors may include the following:

- Enterprise Vault (EV) [2]: communications (represents most of the data)
- FDIC desktops, laptops, server shares, and SharePoint sites
- Data Management Services (DMS): imaged data related to failed financial institutions; such data may be accessed and retrieved by FDIC Division of Resolutions and Receiverships (DRR Investigations and Customer Service personnel) and Legal Staff
- E-Discovery/Clearwell (EDEM): ESI-native files text and images
- Examination data: Examiner's work-papers, Report of Examinations (hard copies)
- Consumer complaint information (e.g., FDIC call center data)

OLSS may on occasion contain information imported or scanned into the system previously received from State Regulators or Federal agencies involved in certain legal matters. These entities may include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), U.S. Department of Justice (DOJ), U.S. Attorneys' Office, and Federal or local Law Enforcement. OLSS may also contain information imported or scanned into the system received from parties involved in legal matters, such as assuming institutions, Servicers, Bank and Law Firm retained vendors, FDIC outside counsel, and other individuals or entities relevant to the respective legal matter or resolution of the matter.

[1] The IMAC-EnCase E-Discovery module provides the FDIC Legal Division with an automated platform for identifying, collecting, and preserving electronically stored information (ESI).
[2] Enterprise Vault is an archiving solution that is tightly integrated with Microsoft Outlook and part of the FDIC's +/rim initiative. Archiving is an automatic function that takes place on all messages that are older than 30 days.

Notice & Consent

Individuals do not have the opportunity to "opt out" of providing their data and/or consenting to particular uses of their information. Information contained in OLSS is not collected directly from the individual. Rather, the data is received from a variety of internal FDIC sources and FDIC insured banks, and is necessary for processing and resolving FDIC legal matters and requests pursuant to investigation, litigation discovery, subpoenas, and/or inspections.

Access to Data in OLSS

Authorized internal FDIC users include Legal Division attorneys and paralegals, RMS examiners or investigators and DRR investigators supporting Legal investigations or litigation, the contractor system administrator, and FDIC Outside Counsel. Legal Division attorneys, paralegals, and FDIC Outside Counsel require access to the information to review records for potential relevance to an investigation or matter in litigation, or to respond to discovery or subpoena and other document requests. System administrators require access to this information for maintenance purposes only; this includes adding users to the system, performing system upgrades, and troubleshooting users' system problems. In these situations, the data itself is not reviewed by the system administrator.

Outsourced Information Service Provider Staff have access to confidential and sensitive information within OLSS. Confidential information can be found in hard copies and electronic copies of documents as well as in databases.
As a result, access to data and secure contractor facilities is restricted to FDIC staff and those contractor employees who have been authorized to have access to the data and facilities.

Other non-FDIC entities that may access OLSS include Outside Counsel, Contractor personnel, FDIC expert witnesses, and Opposing Counsel. Opposing Counsel may also have a very limited/controlled access to subsets of data within the OLSS databases. They have the ability to view and tag items; however, they would not be able to print or download data from OLSS.

ESI containing PII may be produced to external parties, including Opposing Counsel or the courts. In such cases, PII would be redacted prior to production, and/or would be produced subject to a court-issued protective order. On occasion, material may be shared with other federal or state agencies including, but not limited to, the Department of Justice (DOJ), the Office of the Comptroller of the Currency, the Federal Bureau of Investigation (FBI), FDIC Office of Inspector General (OIG), and other law enforcement agencies or bank regulatory agencies.

Consumer complaint information may be shared with agencies such as the Federal Trade Commission (FTC) or the Consumer Financial Protection Bureau (CFPB).

Data Sharing

Other Systems that Share or Have Access to Data in the System: No other systems currently have access to or share data with OLSS.

System Name | System Description | Type of Information Processed
N/A | N/A | N/A

Data Accuracy in OLSS

Data is collected directly from individuals and/or from financial institutions and/or existing FDIC records. As such, the FDIC and its vendors rely on the individuals and/or financial institutions and/or existing FDIC records for accuracy of data. As necessary, an authorized user checks the data for completeness by reviewing the information, verifying whether or not certain documents or data are missing, and as feasible, updating this data when required. The OLSS vendors also work with the FDIC to verify the integrity of the data in conjunction with inputting it into the system or using it to support any projects.

Data Security for OLSS

The Contract Oversight Manager (OM) is responsible for ensuring that sufficient safeguards and controls are in place to avoid the unauthorized or unintended release of personal data by the vendors. The Program Manager (PM) maintains overall responsibility for OLSS and is accountable for establishing the criteria, procedures, controls, and responsibilities to prevent a compromise of the integrity of the data being collected. All contractors must abide by the terms and provisions.

System of Records Notice (SORN)

OLSS operates under the following FDIC Privacy Act SORNs, , Financial Institution Investigative and Enforcement Records, and , Insured Bank Liquidation Records.

Contact Us

To learn more about the FDIC's Privacy Program, please visit: If you have a privacy-related question or request, Privacy@fdic.gov or one of the FDIC Privacy Program Contacts. You may also mail your privacy question or request to the FDIC Privacy Program at the following address: 3501 Fairfax Drive, Arlington, VA