safeguarding client info and file retention
TRANSCRIPT
Safeguarding Client Information and File Retention Requirements
Michael Downey, Downey Law Group LLC
August 2017
Safeguarding Client Information
Page printed from: The American Lawyer
Chinese Nationals Charged With Hacking Firms to Steal M&A Info
Mark Hamblett, The Am Law Daily
December 27, 2016
Three Chinese nationals face federal charges for allegedly hacking into two major U.S. law firms in a scheme to trade on information about imminent mergers and acquisitions.
U.S. Attorney Preet Bharara of the Southern District of New York announced Tuesday that Iat Hong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in 2014 and 2015 and accessing nonpublic information about pending deals. According to Bharara's office, the information was used in trades that reaped roughly $4 million in illegal profits.
The indictment unsealed Tuesday does not name the law firms, which are referred to as Law Firm 1 and Law Firm 2. According to the charges, Law Firm 1 advised Intel Corp. on its 2015 acquisition of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune Inc., which sold to Roche AG in 2014 for $8.9 billion.
The second major law firm advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree, the indictment states.
Based on those details the two firms appear to be Weil, Gotshal & Manges and Cravath, Swaine & Moore, firms where cyberbreaches previously were reported. Weil represented Intel in the Altera buy and Cravath is identified in securities filings as Pitney Bowes lead deal counsel.
Representatives of both firms, reached Tuesday, declined to comment.
"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals," Bharara said.
In addition to infiltrating the two firms, Bharara said the defendants went after at least five other law firms between March and September 2015, trying to get unauthorized access to the firms' networks and servers on over 100,000 occasions.
DUTY of Confidentiality
Duty of Confidentiality – Rule 4-1.6
A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by Rule 4-1.6(b).
Duty of Confidentiality – Missouri Rule 4-1.6
• Information from any source
• Relating to representation
• Limit on "revelation"
• Limit on "use" in Rule 4-1.8
[Diagram labels: Client, Media reports, Opposing counsel, Pleadings, Adverse party, Third party, Lawyer]
The Myth of Privacy
"There can be no reasonable expectation of privacy in a tweet sent around the world."
People v. Harris (N.Y. Crim. Court 2012)
Internet vs. Privacy: "Helpful Venn diagram"
By David Hoffman, available at http://bit.ly/bqU5vU
[Venn diagram labels: The Internet, Privacy]
Protecting Information
Model Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
What Are "Reasonable" Protections?
Evaluation of Safeguards
• Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to,
– the sensitivity of the information
– the likelihood of disclosure if additional safeguards are not employed
– the cost of employing additional safeguards
– the difficulty of implementing the safeguards (and)
– the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)
Rule 1.6(c) – Two More Caveats
• A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.
• Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.
Where Is the Data?
The "Cloud"
"Data Farms"
Terms of Service
Google Docs (8/2017)
Secure Communications
• WhatsApp
• Apple-Apple iMessage texting (blue, not green)
• FaceTime
Beating Security
Internet Access
[Diagram labels: Private, Public]
PKI
Email Encryption
“A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access…
…However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
Seven Considerations
1. Understand the threat
2. Understand how client information is transmitted and stored
3. Understand and use reasonable security measures
4. Determine how client information should be protected
5. Label client information confidential
6. Train about information security
7. Conduct due diligence on technology
“Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication. However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email.”
Attorney-Client PRIVILEGE
Attorney-Client Privilege
• Confidential
• communications
• between an attorney and his [or her] client
• concerning the representation of the client
• are protected by the attorney-client privilege.
Diehl v. Fred Weber, Inc. (Mo. App. E.D. 2010)
DUTY of Confidentiality – Rule 4-1.6
[Diagram labels: Client, Court Filings, Real Estate Records, Newspaper, Depositions, Pleadings, Opposing Party, Lawyer]
Attorney-Client Privilege
• Confidential
• communications
• between an attorney and his [or her] client
• concerning the representation of the client
• are protected by the attorney-client privilege.
Diehl v. Fred Weber, Inc. (Mo. App. E.D. 2010)
Attorney-Client Privilege
[Diagram labels: Client, Lawyer, Rendition of Legal Services]
"Necessary" Agents – Kovel
[Diagram labels: Client, Lawyer, Agent]
Joint Representation
[Diagram labels: Client 1, Client 2, Lawyer]
DeBold v. Case (8th Cir. BAP 2005)
“When two or more persons, each having an interest in some problem, jointly consult an attorney, their confidential communications with the attorney, though known to each other, will of course be privileged in a controversy of either or both of the clients with the outside world, that is, with parties claiming adversely to both or either of those within the original charmed circle.”
Joint Defense/Common Interest Privilege
[Diagram labels: Client 1, Client 2, Lawyer 1, Lawyer 2, Attorney-Client Privilege, Common Interest]
Adverse in Business Transaction
[Diagram labels: Seller, Buyer]
Shared Interest in Evaluating Lawsuit
[Diagram labels: Seller, Buyer, Plaintiff]
Work Product Protection – MO Rule 56.01(b)(3)
• Subject to the provisions of Rule 56.01(b)(4), a party may obtain discovery of documents and tangible things otherwise discoverable under Rule 56.01(b)(1) and prepared in anticipation of litigation or for trial by or for another party or by or for that other party's representative, including an attorney, consultant, surety, indemnitor, insurer, or agent, only upon a showing that the party seeking discovery has substantial need of the materials in the preparation of the case and that the adverse party is unable without undue hardship to obtain the substantial equivalent of the materials by other means. In ordering discovery of such materials when the required showing has been made, the court shall protect against disclosure of the mental impressions, conclusions, opinions, or legal theories of an attorney or other representative of a party concerning the litigation.
Rule 56.01(b)(3) Parsed
§ [A] party may obtain discovery of documents and tangible things otherwise discoverable under Rule 56.01(b)(1) and
§ prepared in anticipation of litigation or for trial
§ by or for another party or by or for that other party's representative, including an attorney, consultant, surety, indemnitor, insurer, or agent,
§ only upon a showing
– that the party seeking discovery has substantial need of the materials in the preparation of the case and
– that the adverse party is unable without undue hardship to obtain the substantial equivalent of the materials by other means.
FRCP Rule 26(b)(3)(A) Parsed
• Documents and Tangible Things.
• Ordinarily, a party may not discover
• documents and tangible things that
• are prepared in anticipation of litigation or for trial
• by or for another party or its representative (including the other party's attorney, consultant, surety, indemnitor, insurer, or agent)
Work-Product Protection
A lawyer's involvement is not required
[Diagram labels: Attorney-Client Privilege, Work-Product Protection]
Opinion Work Product – Full Protection
§ In ordering discovery of [work product] when the required showing has been made, the court shall protect against disclosure of the mental impressions, conclusions, opinions, or legal theories of an attorney or other representative of a party concerning the litigation.
Waiver of Privileges
§ Martha Stewart is being investigated for insider trading
§ Stewart prepares chronology of events around ImClone stock sale
– Stewart sends chronology to her lawyers
– Stewart then sends chronology to her daughter
§ Is attorney-client privilege waived?
§ Is work-product protection waived?
Waiver
§ Attorney-Client Privilege
– Express waiver
– At-issue waiver
– Disclosure
• Work Product
– Express waiver (by client or firm)
– At-issue waiver
– Disclosure – where inconsistent with purpose or litigation advantage
Crime-Fraud Exception
• Key – communications are not (really) for the purpose of giving or receiving legal advice, but to commit a crime
• US v. Williams (8th Cir. 2013) – defendant asked lawyer to smuggle cell phone into prison
Accessing Third-Party Information
Rule 4-4.4 Respect For Rights Of Third Persons
(a) In representing a client, a lawyer shall not use means that have no substantial purpose other than to embarrass, delay, or burden a third person, or use methods of obtaining evidence that violate the legal rights of such a person.
(b) A lawyer who receives a document relating to the representation of the lawyer's client and knows or reasonably should know that the document was inadvertently sent shall promptly notify the sender.
Inadvertent Production
• Old Rule – recipient of metadata
– Notify producing party of production of privileged information
– Refrain from reviewing privileged information
– Abide by producing counsel's instruction – at least until a court orders otherwise
New Rule 4-4.4(b)
A lawyer who receives a document relating to the representation of the lawyer's client and knows or reasonably should know that the document was inadvertently sent shall promptly notify the sender.
In re Eisenstein (Mo. 4/5/2016)
• Eisenstein represented Husband in divorce
• Husband accessed Wife's email without permission, and gave Eisenstein documents including questions Wife's attorney had prepared for direct examination
• Eisenstein did not produce the documents received from Wife's email, until giving them to opposing counsel as exhibits during trial
Consequences in Eisenstein
• Eisenstein was found to have used improperly obtained information (violating Rule 4-4.4) and concealed documents with evidentiary value (violating Rule 4-3.4)
• Eisenstein received an indefinite (minimum 6 month) suspension
Improper Access – Rule 4-4.4(a)
• In representing a client, a lawyer shall not use means that have no substantial purpose other than to embarrass, delay, or burden a third person, or use methods of obtaining evidence that violate the legal rights of such a person.
Why Improper
• Illegal
– may be incriminating client
– Evidence may be barred
– Lawyer may be disqualified
• Permitted
– may use documents
File Retention
File Ownership
• “The client’s files belong to the client, not to the attorney representing the client. The client may direct an attorney or firm to transmit the file to newly retained counsel.” In the matter of Cupples, 952 S.W.2d 226, 234 (Mo. banc 1997).
Retention – Ordinary Client Records
Rule 4-1.22
Six Years – Unless Written Consent
• A lawyer shall securely store a client's file for six years after completion or termination of the representation absent other agreement between the lawyer and client through informed consent confirmed in writing. Such informed consent confirmed in writing may be made between the lawyer and the client at any point during the six years after completion or termination of the representation. If the client does not request the file within six years after completion or termination of the representation, the file shall be deemed abandoned by the client and may be destroyed.
• The six year client file retention requirement shall apply to all client files where the completion or termination of the representation occurs on or after July 1, 2016. All client files where the completion or termination of the representation occurs prior to July 1, 2016, shall be governed by the previously required 10 years.
Beware Spoliation
• A lawyer shall not destroy a file pursuant to this Rule 4-1.22 if the lawyer knows or reasonably should know that: (a) a legal malpractice claim is pending related to the representation; (b) a criminal or other governmental investigation is pending related to the representation; (c) a complaint is pending under Rule 5 related to the representation; or (d) other litigation is pending related to the representation.
Keep Items With “Intrinsic Value”
• Items in the file with intrinsic value shall never be destroyed.
• A lawyer destroying a file pursuant to this Rule 4-1.22 shall securely store items of intrinsic value or deliver such items to the state unclaimed property agency. The file shall be destroyed in a manner that preserves client confidentiality.
Remember What You Destroy
• A lawyer destroying a file pursuant to this Rule 4-1.22 shall maintain the written record of the client's consent of destruction for at least six years after completion or termination of employment. Client files, except for items of intrinsic value, may be maintained by electronic, photographic, or other media provided that printed copies can be produced. These records shall be readily accessible to the lawyer.
Dissolution – Must Protect Records
Upon dissolution of a law firm, the lawyers shall make reasonable arrangements for the maintenance of client files. Upon the sale of a law practice, the seller shall make reasonable arrangements for the maintenance of client files, which includes written notice to a client as to the location of the client's file.
Retention – Trust Account Records
Rule 4-1.15(f)
Six Years – No Matter What
Complete records of client trust accounts shall be maintained and preserved for a period of at least six years after the later of:
(1) termination of the representation, or
(2) the date of the last disbursement of funds.
Client trust account records may be maintained by electronic, photographic, or other media provided that they otherwise comply with Rules 4-1.145 to 4-1.155 and that printed copies can be produced. These records shall be readily accessible to the lawyer.
Required Trust Account Documentation (Missouri)
(1) receipt and disbursement journals
(2) client-specific ledgers
(3) fee agreements and similar documents
(4) accounting statements showing disbursements made
(5) bills and expenses sent to clients
(6) disbursement records
(7) check-book registers and bank statements or the equivalents
(8) electronic transfer records
(9) account reconciliations
(10) credit-card transaction information
Dissolution – Must Protect Records
Upon dissolution of a law firm or of any legal professional corporation, the partners shall make reasonable arrangements for the maintenance of client trust account records. Upon the sale of a law practice, the seller shall make reasonable arrangements for the maintenance of client trust account records.