Information Security and Electronic Discovery


1 Information Security and Electronic Discovery
Mehmet Munur (614)
Dino Tsibouris (614)

2 Trends for 2010
Increased federal and state regulation of information security
Increased enforcement
Increased costs to resolve a breach
Increased "compliance complexity" as technology changes

3 Examples
HITECH Act: amendments to HIPAA made by the Stimulus Act (the American Recovery and Reinvestment Act of 2009)
Increased business associate requirements
Enforcement actions under HITECH
Managing protected health information (PHI) in the cloud

4 HITECH Act amends HIPAA
New breach notification rules
New penalty tiers
Increased minimum levels of security
State attorney general enforcement
Business associates must comply directly

5 HITECH Act amends HIPAA: breach notification
Covered entity must notify affected individuals if a breach of unsecured PHI occurs
Must also notify HHS; breaches affecting 500 or more individuals are reported immediately and published by HHS (smaller breaches are logged and reported annually)
Vendors of personal health records (PHR) must notify affected individuals (and the FTC) if breached

6 HITECH Act: business associate requirements
Must comply directly with the Security Rule's administrative, physical, and technical safeguards
Develop written policies and procedures
Designate a security official
Subject to enforcement and penalties directly, not only through the covered entity's contract

7 HITECH Act: business associate requirements
A business associate that knows its covered entity is materially violating the business associate agreement (BAA) is itself in violation of HIPAA unless it acts
Must take reasonable steps to cure the breach, terminate the agreement, or, if termination is not feasible, report to HHS

8 HITECH Act: business associate requirements
Does your contract allow amendment to comply with changes in the law?
The sample HHS OCR business associate contract clause requires the parties to amend the agreement as necessary to address changes in the law

9 HITECH Act: business associate requirements
If a business associate discovers a breach, it must notify the HIPAA-covered entity without unreasonable delay (and no later than 60 days after discovery)
The covered entity must then notify the affected individuals

10 HITECH Act: penalties
Tier A: did not know (inadvertent): $100 per violation, up to $25,000 per year for identical violations
Tier B: reasonable cause, not "willful neglect": $1,000 per violation, up to $100,000 per year

11 HITECH Act: penalties
Tier C: "willful neglect" ultimately corrected: $10,000 per violation, up to $250,000 per year
Tier D: "willful neglect" not corrected: $50,000 per violation, up to $1.5 million per year

12 Connecticut Health Net enforcement
Connecticut Attorney General action under HIPAA, the first brought by a state attorney general under HITECH's new authority
Lost portable computer disk drive
Involves the privacy of 446,000 Connecticut enrollees
Health information, Social Security numbers, and bank account numbers
Failed to notify on time

13 Connecticut Health Net enforcement
Health Net failed to:
Ensure the confidentiality and integrity of electronic protected health information
Implement technical policies and procedures for electronic information systems
Implement policies and procedures governing the receipt and removal of hardware and electronic media

14 Connecticut Health Net enforcement
Health Net failed to:
Implement policies and procedures to prevent, detect, contain, and correct security violations
Identify and respond to suspected or known security incidents, and mitigate, to the extent practicable, their harmful effects
Effectively train all members of its workforce

15 Medical Data in the Cloud
Data is stored in the cloud more and more frequently
Third-party contractors are more common
Security reviews and background checks of the providers are a necessity
Conduct audits yourself or obtain the provider's audit results
Contract for ownership of the data
Prohibit sale of the data to others
Require return of the data in an appropriate format on termination

16 HIPAA: employee snooping
UCLA employee accesses the system 323 times in 3 weeks
Snoops on celebrity medical records
Similar incident in 2008
UCLA reveals that 165 employees improperly viewed files over 13 years
15 fired for viewing the octuplet mom's records

17 Countrywide breach
Countrywide Financial Services
Former employees downloaded and sold customer data, every week for 2 years
19,000 individuals notified of the breach
Class action settles for over $10 million

18 Massachusetts Data Security Regulations (201 CMR 17.00)
Creates a duty to protect personal data
Applies to the personal information of Massachusetts residents, wherever the business is located
Sophistication of required safeguards increases with the size and scope of the business
Requires encryption of personal data transmitted over public networks or wirelessly, and of personal data stored on laptops and other portable devices
Effective date March 1, 2010

19 Electronic Discovery
Overview of electronic discovery sanctions
Requirements for compliance
Zubulake revisited
Case examples

20 Electronic Discovery: basics
Electronically stored information (ESI) is potentially discoverable
Proportionality test weighs the burden of discovery against its likely benefit
Obligation to preserve attaches when litigation is pending or reasonably anticipated (threatened)
Primary source should be active data, not backup media
Costs are usually borne by the producing party

21 Electronic Discovery: sanctions usually require
A clear duty to preserve
A culpable failure to produce and preserve relevant ESI
A reasonable probability of material prejudice due to the loss of the ESI

22 E-Discovery sanctions
Monetary sanctions: shifting or awarding discovery costs, fines
Adverse inference instruction, or inability to use an affirmative defense
Terminating sanctions or default judgment

23 Electronic Discovery: compliance requires
Records retention policies and procedures
Litigation hold procedures
IT policies, procedures, and systems for preservation, collection, search, production, and destruction

24 Zubulake Revisited (Pension Committee v. Banc of America Securities, S.D.N.Y. 2010)
Once the duty to preserve has attached, the following failures constitute gross negligence:
Failure to issue a written litigation hold
Failure to identify all of the key players and to ensure that their electronic and paper records are preserved

25 Zubulake Revisited
Failure to cease the deletion of e-mail or to preserve the records of former employees that are in a party's possession, custody, or control
Failure to preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources

26 Pinstripe Inc. v. Manpower Inc.
Defendant failed to distribute a litigation hold notice
Possibly relevant e-mails destroyed
700 e-mails recovered from recipients
Significant cost to defendant, plus $30K to an outside vendor
Court finds no intentional conduct
Court awards sanctions of $2,500

27 Southeastern Mechanical Services v. Brody
Plaintiff SMS alleges spoliation of deleted laptop and BlackBerry data
Defendant argues that laptop e-mails were stored on the server
BlackBerries were wiped
BlackBerries contained data other than e-mail
BlackBerries contained data created before they were synchronized with the server

28 Southeastern Mechanical Services v. Brody
Court finds bad faith in the deletion of the BlackBerry data
Absence of e-mail, text messages, and telephone records was suspicious
Court finds the employees, not the corporations, culpable
Court issues an adverse inference instruction

29 Arista Records v. Usenet
Copyright infringement case
7 hard drives wiped
Employees sent abroad on vacation and allowed to take their laptops with them
Failure to preserve
Court finds bad faith, but declines to award default judgment
Instead, the court takes away the affirmative defense

30 Lawson v. Sun Microsystems
Defendant produces a hard drive
ESI includes privileged documents and password-protected documents
Plaintiff accesses the privileged, password-protected documents
Plaintiff's behavior is mitigated by both parties' actions
Sanctions of $54K, 25% attributed to the attorney

31 Starbucks v. ADT
Starbucks seeks archived e-mails
ADT argues that the e-mails are not reasonably accessible
Archived e-mails are stored on a Plasmon optical disc archive system
ADT exaggerates production costs at $834K
Starbucks obtains two estimates, at $17K and $26K

32 Starbucks v. ADT
Court orders an immediate plan to copy the archived discs to an appropriate searchable storage medium
Court orders the production of relevant e-mails
Court orders the parties to confer and agree on fees

33 Doppes v. Bentley Motors
Foul odor from a $214K Bentley Arnage
Bentley fails numerous times to produce documents
Destroys relevant e-mails
Fails to provide court-ordered access
Trial court issues only monetary fines and jury instructions
Appeals court reverses and orders terminating sanctions

34 Conclusion
Proper records retention policies
Identify all key people and documents
Preserve all relevant ESI
IT policies, procedures, and systems
Proper and searchable archive technology
Written litigation holds

35 Questions & Answers
Mehmet Munur (614)
Dino Tsibouris (614)

