Where Is My Ripcord? What Counsel and Compliance Officers Need to Do When They Find Out the Company s Data Has Been Shoved into the Cloud Tuesday, March 1, 2011 Web Seminar
Speakers Bob Owen (Moderator) Fulbright & Jaworski rowen@fulbright.com David Kessler Fulbright & Jaworski dkessler@fulbright.com Dan Regard Intelligent Discovery Solutions, Inc. dregard@idiscoverysolutions.com 2
Continuing Legal Education Information We have applied for one hour of California, Minnesota, Texas, and Virginia CLE and New York non-transitional CLE credit. Newly admitted New York attorneys may not receive non-transitional CLE credit. For attendees in other states, we will supply a certificate of attendance that may be used to apply for CLE credit with the applicable bar or other accrediting agency. Fulbright will supply a certificate of attendance to all participants who: 1. Participate in the web seminar by phone and via the web. 2. Complete our online evaluation, which we will send to you after the web seminar (required by some states). 3
Administrative Information Today s program will be conducted in a listen-only mode. To ask an online question at any time throughout the program, simply click on the question mark icon located on the tool bar in the bottom right side of your screen. We will try to answer your question during the session. Everything we say today is opinion. i We are not tdispensing i legal advice, and listening does not establish an attorneyclient relationship. This discussion is off the record. You may not quote the speakers without our express written permission. If the press is listening, you may contact us, and we may be able to speak on the record. 4
This Just In Google still working to restore Gmail service Company says e-mails are not lost, but many still without e-mail today By Sharon Gaudin March 1, 2011 11:46 AM ET Computerworld - Two days after tens of thousands of Google Gmail users discovered their e-mail, chat histories and contacts had disappeared from their accounts, the problem still is not fixed. 5
Situation You re involved in an employee interview related to a litigation. You find out that the employee has been using a web-based service to create and share certain business data. This is the first time you ve ever heard of this use, or even of this ISP. This ISP has never been vetted by IT, Legal or Compliance. What do you do now? Photos from historycommons.org, civilliberty.about.com, dvdnear.com 6
Photo from fireflyshipworks.com 7
Agenda Intro Is this Situation Realistic? Why is it Happening? Definition(s) Cloud Computing SLA Data Governance Credit Card IT Triage the Situation Litigation Reaction Plan Identification Preservation Collection Compliance Reaction Plan Security Retention and Disposal What Are the Long Term Plans? How Do I Guide the Cloud Information into Data Governance Best Practices? Here Is Your Ripcord 8
Types of Cloud Purpose Source Software Public Hardware Private Platform Hybrid 9
Case Examples Saleforce ($25 per month) Facebook (free) Base Camp ($49 per month) Sugarsync (freemium) Amazon Elastic Compute Cloud (EC2) ($1 per hour) Google Docs (free) 10
Basecamp Yes But Data Ownership Policy What about subpoena? Redundancy Physical Security Protected Billing Information What if I want to delete? Cyber is hard Least of my concerns 11
TRIAGE: Or Do I Need to Jump Out of the Plane? Find and Review Cloud Provider Agreement Emergency Preservation? Is it Relevant/Material? Is it Unique? Do I have automatic data loss? What are my self-help options? Can I extract? Can I change user behavior? Disclosure or Representation Gap Are our disclosures incomplete or inaccurate 12
ediscovery Life Cycle Volume Relevance 13
IDENTIFICATION: Measure the Data What do I want to measure? Content: Quantity, Quantity Business Purpose Materiality / Relevance Ownership Control (Right to Access) Security (Ability to Prevent Access) Jurisdiction (Physical Location) Privacy (Protected Data Status) How do I measure? Review the Contract Talk to the Business People who are using the Cloud Talk to the Cloud Provider Cloud Legal/Business Cloud IT 14
IDENTIFICATION: Review the SLA What Are Your Administrative Rights? How can you get a copy of your data? Are there cost clauses for preservation and collection? What happens at termination? 15
PRESERVATION and COLLECTION: Dynamic Data with Little (or No) Controls Copy (Administrative Rights) Confidential / Secretive Preservation Unknown Metadata How do you establish integrity of process? Who is Going to Pay for It? 16
COMPLIANCE Can you quickly repatriate? What do you mean by Delete? What is the CP s Disaster Recovery Plan? Can You Encrypt in Place? In Transfer? 17
After the Emergency Leave Upgrade Repatriate Substitute Adjust Future Behavior 18
Adjust Future Behavior Root cause Preferred outcome Enabled outcome Education Monitoring Photo from blogs4bauer.com 19
SLA Considerations Duration Termination Security Location Retention Access Subpoenas Administrative control 20
Recap of Takeaways A question of when not if Don t compound the problem Measure your data Consider your obligations Advise the appropriate stakeholders Take triage actions Take corrective actions Develop a long term policy 21
Questions? Bob Owen (Moderator) Fulbright & Jaworski rowen@fulbright.com David Kessler Fulbright & Jaworski dkessler@fulbright.com Dan Regard Intelligent Discovery Solutions, Inc. dregard@idiscoverysolutions.com 22
Continuing Legal Education Information If you are requesting CLE credit for this presentation, please record the number given during the program and respond to the survey that Fulbright will email within the next day. Completion of the above-mentioned survey is required in certain states to obtain CLE credit. If you are viewing a recording of this web seminar, most state bar organizations will only allow you to claim self-study CLE credit. Please refer to your state's CLE rules. If you have any questions regarding CLE approval of this course in your applicable bar, please contact your bar administrator. 23
JOIN US NEXT MONTH! Visit www.fulbright.com/fulbrightforum to view and register for our upcoming web seminars. Join us on April 5, 2011 Employer s Liability for Third-Party Retaliation: Just How Wide Is Title VII s Net and How Does an Employer Avoid Liability? 24
Thank you for your participation!