white paper Mitigate Risk in Handling ediscovery Data Subject to the U.S. Export Control Laws and Regulations



Similar documents
Export Control Basics

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

EXPORT CONTROLS COMPLIANCE

HIPAA Self-Study Module Patient Privacy at Unity Health Care, Inc HIPAA Hotline

Policy and Procedures Date:

Supplier Awareness. Export Control/ ITAR

Office of Export Enforcement Bureau of Industry and Security (BIS) U.S. Department of Commerce

Export Controls. How to Comply with Export Controls. By Kimberly Marshall

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Information Security Policy

Using Technology Control Plans in Export Compliance. Mary Beran, Georgia Tech David Brady, Virginia Tech

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Export Control Laws Training Presentation FLORIDA INSTITUTE OF TECHNOLOGY

HIPAA Employee Compliance Program TRAINING MANUAL

How To Register With The Credit Bureau

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Security Training Manual

Bossier Parish Community College

DATA SECURITY AGREEMENT. Addendum # to Contract #

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

INTANGIBLE TRANSFER OF TECHNOLOGY (ITT) : Regulatory Perspective. Presented by Hjh Nuraffiza Ahmad Strategic Trade Division SKMM

Export Control Training

HIPAA and Privacy Policy Training

New Privacy Laws Impacting the Health Care Work Place

COMPUTER & INTERNET. Westlaw Journal. Expert Analysis Software Development and U.S. Export Controls

Export Control Compliance Procedure Guide June 8, 2012

Export Controls and Cloud Computing: Legal Risks

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Caldwell Community College and Technical Institute

plantemoran.com What School Personnel Administrators Need to know

8.03 Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

PHI- Protected Health Information

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Information Technology Security Policies

International Trade Compliance Alert

13. Acceptable Use Policy

Harvard Export Control Compliance Policy Statement

INSTRUCTIONS FOR COMPLETING THE USPTO CERTIFICATE ACTION FORM

Department of Health and Human Services Policy ADMN 004, Attachment A

UNITED STATES OF AMERICA ) ) No. vs. ) ) Violation: Title 18, United States ) Code, Section 1832(a) DAVID JACOB NEWMAN ) COUNT ONE

Fair Credit Reporting Act Compliance Guide

Virginia Commonwealth University School of Medicine Information Security Standard

Approved By: Agency Name Management

MOBILE DEVICE SECURITY POLICY

HIPAA Education Level One For Volunteers & Observers

Minerals Technologies Inc. Summary of Policies on Business Conduct

HIPAA Security Alert

Fair Credit Reporting Act (FCRA) Basics. A Primer for U.S. Employers from Littler Mendelson, the Nation s Largest Workforce Law Practice

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse

COMPUTER SOFTWARE AS A SERVICE LICENSE AGREEMENT

BERKELEY COLLEGE DATA SECURITY POLICY

Estate Agents Authority

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

Standards of. Conduct. Important Phone Number for Reporting Violations

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

A Primer on U.S. Export Controls

Employers Guide to Best Practices. For Use of Background Checks in Employment Decisions. Copyright 2010 Lawyers Committee for Civil Rights Under Law

INSTRUCTIONS FOR THE ISSUANCE OF A SIKORSKY AIRCRAFT CONTRACTOR ACCESS PHOTO BADGE

Document Type Doc ID Status Version Page/Pages. Policy LDMS_001_ Effective of 7 Title: Corporate Information Technology Usage Policy

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Global ediscovery Client Data Security. Managed technology for the global legal profession

E-Discovery in Practice: A Roadmap for Financial Institutions

HIPAA Orientation. Health Insurance Portability and Accountability Act

10 Steps to Establishing an Effective Retention Policy

HIPAA Compliance: Efficient Tools to Follow the Rules

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Insider Trading Policy

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

HIPAA Awareness Training

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008

Information Security Policy

EXPORT CONTROLS AND RESEARCH AT WPI TRAINING PRESENTATION

Chapter RECORDS MANAGEMENT Sections:

Privacy Law Basics and Best Practices

Lawrence Police Department Administrative Policy. August A. Access to CJIS sensitive data is only available to authorized users.

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

I-9'S : COMPLYING WITH REGULATIONS

Transcription:

white paper Mitigate Risk in Handling ediscovery Data Subject to the U.S. Export Control Laws and Regulations WWW.EPIQSYSTEMS.COM 800 314 5550

Mitigate Risk in Handling ediscovery Data Subject to the U.S. Export Control Laws and Regulations The corporate world continues to see exponential growth in the generation of electronic data as a bi-product of business activity. Along with this growth come a number of responsibilities associated with the duty to preserve, identify and transfer data, particularly when dealing with electronic discovery. In the context of document review and how data is delivered to an electronic discovery vendor, certain regulations need to be given careful consideration before that information changes hands. There are several domestic regulations to consider, such as the Health Information Portability Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA), each of which imposes special handling requirements for data. In addition, international regulations such as blocking statutes and data protection laws complicate data transfers across national boundaries. In this paper, however, we focus on one of the less understood regulations that aim to protect the transfer of knowledge relating to military technology. U.S. EXPORT CONTROL LAWS AND REGULATIONS 1 See 22 C.F.R. 120.9 (2007). The Export Administration Regulations ( EAR ), enforced by the United States Department of Commerce, and the International Traffic in Arms Regulations ( ITAR ), enforced by the United States Department of State, require that businesses in selected industries take steps to ensure the security of data that could assist in the development of military capability. Together EAR and ITAR are referred to as the U.S. Export Control Laws and Regulations ( Regulations ). Any corporation that conducts business in the aerospace, defense, automotive, chemical, engineering, construction and high tech industries is subject to these regulations. This means that these corporations must control their data sufficiently to avoid the export of this type of information outside the United States without a license and to prevent access by foreign persons. 1 02 white paper l EPIQ SYSTEMS

Violations can result in substantial penalties. Individual liability for the disclosure of controlled technical data to unauthorized foreign persons under the ITAR includes fines of up to $500,000 per violation for civil violations and up to ten years of imprisonment along with penalties of up to $1,000,000 per violation for criminal violations. Liabilities under the EAR may involve fines ranging from $10,000 to $120,000 for each civil violation and fines ranging from $50,000 to $1,000,000 for each criminal violation with 10 years of imprisonment. WHAT IS A FOREIGN PERSON? A foreign person is anyone who is not a lawful permanent resident of the United States (i.e., not a United States citizen or green card holder) or does not have refugee or asylum status. 2 WHAT IS EXPORT CONTROLLED DATA? In general, export controlled data includes specific information needed to develop, produce, maintain, manufacture, assemble, test, repair, operate, modify, process or otherwise use equipment or technologies that are on the control lists of the EAR or the ITAR. Export controlled data may take the form of blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories. 3 IMPLICATIONS FOR SERVICE PROVIDERS It is therefore critical for any business that possesses data subject to the U.S. Export Control Laws and Regulations to maintain strict protocols for any and all transfers of technical data, as the definition of export is quite broad under the Regulations. 4 This responsibility extends to any third party providing services to the 2 See id. 120.16. 3 See id. 120.10. 4 See id. 120.17.

owner of the data, including outside counsel and any electronic discovery company, so particular caution must be used when utilizing legal services such as data collection, litigation support or database hosting. Once an electronic discovery company has been contacted by a corporation or its outside counsel to provide legal services, certain key questions need to be asked to assess whether steps should be taken to ensure compliance with the Regulations. These questions include whether the client conducts business within the affected categories under the ITAR or EAR, and whether technical data may be included in the submitted data set. PROHIBITED ACTIVITIES Data subject to the Regulations must not be, inter alia, exported, provided or made accessible to foreign persons. This includes the following activities: sending a copy, providing access to the data, sharing it or disclosing it in any form, including written, verbal and visual. AVOIDING INADVERTENT EXPORT Data export is interpreted broadly, so it is critical to ensure that the data is appropriately secured with access provided only to authorized users who are not foreign persons. Accordingly, any employee assigned to the project should be required to sign a certificate stating that s/he: is familiar with the export control issues involved in the matter and understands the certification. is aware of his or her personal liability upon a disclosure of export controlled technical data to foreign persons. agrees to take reasonable measures to prevent unauthorized foreign persons from having access to or using any export controlled technical data. 04 white paper l EPIQ SYSTEMS

is required to contact a supervisor in connection with any type of disclosure of export controlled technical data including without limitation to any foreign person. ADDITIONAL RECOMMENDATIONS Identify the Data Ensure that protected data is always clearly identifiable by implementing the following measures: Require that the client clearly mark and identify any export controlled technical data. Secure physical data in a separate, access-restricted, enclosed, locked room. Clearly label the room as a secure, access-restricted space. Isolate the Data Additionally, implement the following measures to keep the data from being inadvertently viewed by a foreign person: Create a secure, separate database to hold the data. Take all commercially reasonable measures to secure the data. Implement a separate user account creation process that requires the human resources department to verify the non-foreign person status. Disable or monitor any remote access to the data. Identify Customer Service Group Clients who own export controlled data will need to communicate with the client services team regarding deliveries, data processing and other document review-related issues during the litigation. Customer service team members must not be foreign persons; therefore, identify U.S. nationals to serve as dedicated client service representatives.

Communicate Internally Electronic discovery service providers that deal with data subject to the U.S. Export Control Laws and Regulations should prepare and distribute memoranda and checklists to the entire company describing requirements regarding the data set, and regularly train and educate employees. As an example, the following is a list of recommended actions: Hire outside counsel to assist in developing compliance protocols. Designate a permitted list of vendor employees who are authorized to access the data. Make sure that each employee has passed a criminal background check. Require that any employee being given access to such data executes a document certifying his/her willingness to comply with the Regulatory requirements before being granted access to the data. Have each employee sign a copy and return it to the HR Administrator or legal department. Have the client or its outside counsel provide a list of client employees who can have access to the data. If the client wants to give additional employees access to the data, require the client or its outside counsel to update this list regularly and accordingly. Require that work on the project be done within a secured space with self-locking doors and with authorized access only. Disable any feature on workstations that can allow users to download information, such as USB ports, CD writers and floppy disk drives. Allow hardcopy printing to be performed only in access controlled spaces and require employees to shred printed documents. Escalate all questions to a supervisor, corporate legal department or outside counsel. 06 white paper l EPIQ SYSTEMS

CONCLUSION The risks of handling data subject to U.S. Export Control Laws and Regulations are substantial. However, by designing an appropriate infrastructure and implementing some of the protocols recommended herein, these risks can be mitigated. Such protocols require an investment of time, personnel and financial resources to ensure compliance. WWW.EPIQSYSTEMS.COM 800 314 5550

www.epiqsystems.com 800 314 5550 usa +44 (0) 20 7367 9191 UK Chicago Kansas City London Los Angeles Miami New York PhiladeLphia Portland Washington DC

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information