Cyber Security and Data Management

Similar documents
Electronic Discovery in Employment Cases: What Every Employer Needs to Know. Presented By: Shannon Cohorst Johnson

Federal Rules of Civil Procedure IT Obligations For

Circling the Wagons. How to Implement an Effective Litigation Hold. Copyright 2006 IE Discovery, Inc. All rights reserved.

2017 INVESTMENT MANAGEMENT CONFERENCE NEW YORK Big Data: Risks and Rewards for Investment Management

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Reducing ediscovery Cost and Risk with Intelligent Information Governance Dean Gonsowski, Esq.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Justice or a Game of Gotcha? Emerging Standards Concerning Preservation (and Spoliation) of Electronically Stored Information

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

NYDFS Cybersecurity Regulations

Proposed Spoliation Rules Would Impact Apple-Samsung Trial

The Evolving Threat to Corporate Cyber & Data Security

CLEANING OUT THE DATA CLOSET

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Records Retention Policy

PRIVACY AND ONLINE DATA: CAN WE HAVE BOTH?

Legal Considerations and Case Studies

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

SAMPLE LITIGATION HOLD NOTICES

NY DFS Cybersecurity Regulations August 8, 2017

25 ESI and E-Discovery Terms. (in 75 minutes!) for Mediators

EU data security and privacy trends

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Incident Response and Cybersecurity: A View from the Boardroom

Data Breach Preparation and Response. April 21, 2017

Cybersecurity and Data Protection Developments

Archive Legislation: archiving in the United Kingdom. The key laws that affect your business

PROVIDING INVESTIGATIVE SOLUTIONS

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Enterprise Vault & e-discovery

Cyber Risks in the Boardroom Conference

3/13/2018. Legal Hold Notices, the Duty to Preserve, and Electronically Stored Information ( ESI ) What is Electronically Stored Information ( ESI )?

Hire Counsel + ACEDS. Unified Team, National Footprint Offices. ediscovery Centers

Privacy Notice. Lonsdale & Marsh Privacy Notice Version July

The Legal Health Record and E-Discovery: Where You Need to Be

Tech Data s Acquisition of Avnet Technology Solutions

Community Unit School District No. 1. School Board

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

E-DISCOVERY. The process in which electronic data is sought, located, secured, using it as evidence in a civil or criminal legal case.

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Cybersecurity and Nonprofit

SPRING-FORD AREA SCHOOL DISTRICT

Preservation, Retrieval & Production. Electronic Evidence: Tips, Tactics & Technology. Issues

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

GDPR: A QUICK OVERVIEW

Website Privacy Notice

ZEROING IN DATA TARGETING IN EDISCOVERY TO REDUCE VOLUMES AND COSTS

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Data Leak Protection legal framework and managing the challenges of a security breach

Data Subject Access Request Form (GDPR)

THE SEDONA CONFERENCE JUMPSTART OUTLINE :

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

How will cyber risk management affect tomorrow's business?

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Product Overview Archive2Azure TM. Compliance Storage Solution Based on Microsoft Azure. From Archive360

EU General Data Protection Regulation (GDPR) Achieving compliance

FOR FINANCIAL SERVICES ORGANIZATIONS

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Government Contracting. Tech-Savvy World. in a. October InterContinental Miami. Miami, Florida

Legal Developments in ediscovery: Implications for Security Management

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

From the Lab to the Boardroom; Forensics goes mainstream

Financial Regulations, Enforcement & Cybersecurity

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

The HIPAA Omnibus Rule

Mapping Cyber-Protections to Regulatory Requirements for Fintech

Dealing with Security and Security Breaches

January 17, 2013 CLE 1 General Credit Presented to: Association of Corporate Counsel

Cybersecurity Considerations for GDPR

Keeping It Under Wraps: Personally Identifiable Information (PII)

Michael McCartney, President

Data Protection Policy

GDPR compliance. GDPR preparedness with OpenText InfoArchive. White paper

In Accountable IoT We Trust

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Bring Your Own Device (BYOD)

Privacy by Deletion: 5 Steps to Reducing Data Risk

Cybersecurity The Evolving Landscape

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

WE ARE COMMITTED TO PROTECTING YOUR PERSONAL DATA

Cyber Security Program

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

IRCH Methodology for Creating Legally-Defensible Retention Schedules

NIPPON VALUE INVESTORS DATA PROTECTION POLICY

Prohire Software Systems Limited ("Prohire")

Our Privacy Statement

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Public Records and Records Retention

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Transcription:

Cyber Security and Data Management THE EVOLVING LAW AND PRACTICE ON DELETING LARGE VOLUMES OF OLD DATA TO REDUCE CYBER RISK Presented by Avi Gesser, Davis Polk Litigation Partner Gabriel Rosenberg, Davis Polk Financial Institutions Group Partner Matthew Kelly, Davis Polk Litigation Associate October 11, 2017 Davis Polk & Wardwell LLP CLE CREDIT AVAILABLE WWW.CYBERBREACHCENTER.COM

Topics Overview Balancing preservation obligations and cyber risk Regulators expectations on data deletion and cyber risk Tools & techniques for effective data management: predictive coding, data analytics Practical challenges, including managing disassociated data (e.g., from former employees, closed litigation matters) 1

Data Management Is Essential For Effective Cybersecurity How are data management and cybersecurity connected? Cybersecurity is about the protection of sensitive information from bad actors Growth in volume of data means more data that is at risk Variety of storage locations provides more opportunities for cyberattacks 2

How Did We Get Here? Pre-Crisis Caselaw Developed in ad-hoc, case-by-case manner. Decisions arose only where something had already gone wrong. Difficulty in deciding what to keep leads to extreme bias against deletion. Post-Crisis Litigation Entire industries subject to suit or investigation. Many retention policies (such as they were) suspended. Complex cases with long timelines prevent re-introduction of policies. Big Data Data storage gets cheaper; indexing/analysis tools more widely available. Enthusiasm for Big Data initiatives drives active accretion of data. Overall culture shift in favor of data retention. 3

Keeping Everything is No Longer Viable It s expensive It s tricky to protect It s unsearchable It s unhelpful for litigation 4

Changes to the Federal Rules on Electronic Discovery Advisory Committee Notes to FRCP Rule 37(e) read: The existing rule has not adequately addressed the serious problems resulting from the continued exponential growth in the volume of [ESI]. Federal circuits have established significantly different standards for imposing sanctions or curative measures on parties who fail to preserve electronically stored information. These developments have caused litigants to expend excessive effort and money on preservation in order to avoid the risk of severe sanctions if a court finds they did not do enough. Adverse inference sanctions only to be imposed where: A document existed and should have been preserved; The document was destroyed due to a party s failure to take reasonable steps to preserve it; The document cannot be restored or replaced through additional discovery; and The party that destroyed the document acted with intent to deprive another party of the information s use in the litigation 5

Changes to the Federal Rules on Electronic Discovery (cont.) Hefter Impact Tech. v. Sport Maska Inc., 2017 WL 3317413 (D. Mass. Aug. 3, 2017) Defendant wiped laptop containing responsive documents after litigation-hold was in effect. Spoliation sanctions under 37(e) were not appropriate because documents were deleted as part of a companywide policy to wipe computers of employees taking maternity leave. No evidence defendant wiped employee laptop with intent to deprive plaintiff of evidence. 6

Changes to the Federal Rules on Electronic Discovery (cont.) Martinez v. City of Chicago, 2016 WL 3538823, at *24 (N.D. Ill. June 29, 2016) Defendant not subject to spoliation sanctions for failure to preserve video evidence. No evidence of bad faith and court unwilling to infer bad faith based on speculation. Severe spoliation sanctions require more than negligence or gross negligence. 7

Changes to Regulations NY DFS Regulation 23 NYCRR 500.13 Obligates financial institutions to have: policies and procedures for the secure disposal on a periodic basis of Nonpublic Information [ ] that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. 8

Changes to Regulations (cont.) FTC s Five Key Principles to Protect Personal Information 1. Take Stock Know what personal information you have in your files and on your computers 2. Scale Down Keep only what you need for your business 3. Lock It Protect the information that you keep 4. Pitch It Properly dispose of what you no longer need 5. Plan Ahead Create a plan to respond to security incidents 9

Changes to Regulations (cont.) Regulation EU 2016/679 (GDPR) Core Principles (Article 5): Purpose limitation Data minimization Storage limitation Right to Erasure (Article 17): Places obligation on companies to erase personal data without undue delay once requested ECJ confirmed in 2014 the right to be forgotten (Google vs. Spain) 10

Why is it so hard to start? Starting the process requires: Time and money Clear ownership for the task (IT, legal, risk, compliance etc.?) Handling diffuse and diverse data sources Technical expert knowledge Reliable technical solutions Legal decisions throughout the process 11

Why Now is the Time to Start & How to Start How do you start? Get system in place for new data Start small Start with oldest data How do you start with recent data under holds and regulatory requirements? Search terms alone are too blunt Combine search terms and data analytics 12

How to Start Hold for Pets 100,000 100,000 20,000 No Hold/ Regulatory Obligations Keep Can Be Deleted 2012 2013 2014 2015 2016 2017 13

How to Start (cont.) Hold for Pets 100,000 20,000 100 Responsive Responsive 100 Responsive 100 100 Responsive Run Pet Search Terms 100 Responsive Responsive 200 2013 2014 2015 2016 2017 14

How to Start (cont.) 95,000 5,000 Dogs Cats Hamsters Fish Save Bucket Hit on Search Terms Delete Bucket Did Not Hit on Search Terms 15

How to Start (cont.) Most Pets 100 60 Review top of Delete Bucket for Responsive Documents Fido, Goose Run Analytics 40 Least Pets Cat Food Dog Collar Save Bucket Review Bottom of Save Bucket (Should be False Positives) Delete Bucket 0 16

How to Start (cont.) 50 100 Search Term Hits and Responsive Documents Identified in Garbage Bucket Review random sample in Garbage Bucket 50 Save Bucket 0 Delete Bucket 17

How to Start (cont.) 50 100 50 Save Bucket 0 Delete Bucket 18

How to Start (cont.) Complexities How do you handle custodians who are subject to multiple holds? How do you handle custodians who have multiple copies of the same emails? How can you group custodians together when doing this analysis? 19

How to Start (cont.) Risks/Challenges How susceptible are the holds to analysis by the analytics? Are topics too nebulous to be captured by linguistic algorithms? How rich is the data? What if something that should have been preserved is deleted? Combining search terms and data analytics using this protocol should mitigate most of these risks 20

Questions? Visit: www.cyberbreachcenter.com 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback