28 July 2008

ESI Risk: Seizing Electronic Evidence...

In this issue of Board Member Magazine, Lisa Ferri reminds us of the importance of the risk of Electronic Evidence.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. A few years ago the tobacco giant was slapped with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.


In the United States, does an employee need the companies permission to seize your computer at the workplace for electronic evidence? In order to be more informed about this procedure and the legal implications in your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.


Your compliance or legal office can provide you with the guideance for any employee that is suspected of violating company policies with regard to computers crime or theft of confidential information or intellectual property. The question remains, what policy is in existence today and what methods have been utilized for full disclosure to employees that may impact their rights of privacy on the job?

For more help on this subject see: Best Practices for Seizing Electronic Evidence.

Just remember, Forensics and gathering electronic evidence in a criminal matter is in opposition to your recovery. Once a violation has occured, you can make changes, clean up the problem and get back to normal or you can preserve the crime scene for evidence. It's one or the other. If it's not, then that is when you run into problems. Document retention strategies in combination with Forensic Digital Discovery procedures are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.

01 July 2008

Directors Q & A: Outside Counsel Risk...

Every Board Member needs to ask "Six Legal Questions" of corporate management because the answers will help you determine what law firms your company should fire, or even consider hiring. This special report by Randy Myers in Corporate Board Member highlights the Operational Risk of litigation and whether you are prepared for offense, defense and the next reputation scandal:

  1. How well do our outside law firms know our business?
  2. Are we prepared to handle litigation against us in the best way?
  3. Under what circumstances should we consider suing another company?
  4. When should we use a big law firm? When are we better off with a small one?
  5. What clues can tell us if our outside lawyers are no longer right for us?
  6. How well will we stand up to scrutiny?

We have to highlight the commentary on #6 (H. Rodgin Cohen, partner and chairman of New York City-based Sullivan & Cromwell LLP)

Directors must let the compliance office and general counsel know that they are to be informed anytime the company is put under investigation, Cohen says; government regulators and prosecutors expect the board to take a role in such matters. Having a clear policy in place is critical, says attorney Matthew Powers.

There is no cookbook recipe to prepare a company for an investigation. But what directors have to do, says Cohen, is approach any such inquiry with the understanding that in today’s environment, with laws and regulations being rigorously enforced, fighting a government investigation is almost always a bad idea. Companies must be seen as cooperative, he says, which means that they must conduct thorough investigations of their own when alerted to potential wrongdoing and provide the government with whatever it requests. If problems are uncovered, they should move quickly to take remedial action, implement policies and procedures to prevent further troubles, and penalize the people responsible. “If the company fails to take action,” Cohen warns, “it must expect that it will receive harsher punishment.”

He says it makes sense to report suspected violations of the law voluntarily when an internal examination uncovers them. “You’re really rolling the dice if you don’t, because if the government later finds out, it will have no confidence in you. And remember, the government has two ways to find out—on its own or from someone inside the company.” If the government decides it needs to find out on its own, he says, any penalties are likely to be much more painful.


Firing your long time outside firm is not easy and like any third party supplier who has been embedded for years or decades, "Breaking Up is Hard to Do." Every Corporate General Counsel's greatest fear. Have you every received advice that the negative results of an internal investigation needs to be buried, hushed up or even worse, ignored in hopes that nothing will happen?

Corporate Governance is taking on a new resonance in a politically charged election year here in the United States. The Democrats are gearing up for more oversight, investigation and compliance laws focused on areas that the Republicans have been long to scrutinize. Laws that have been gathering momentum in the halls of Capitol Hill are targeting some of the industry sectors that have benefited the most from the Defense Industrial Base windfall.

In a global survey by Fulbright & Jaworkski LLP, 40% of US companies had at least one lawsuit with $20M. or more at risk. 60% had one or more plaintiff class actions pending and 36% say that the government regulators have stepped up their visits.

So if you are on the Board of Directors and you want to be proactive on the upcoming front for litigation, where do you look? The Accounting department. Sales and Marketing. Information Technology. Legal Department. The easy answer may be, who has the most laptops? Brian Krebs talks about the Data Breach problem from The Washington Post blog:

The San Diego-based Identity Theft Resource Center tracked 342 data breach reports from Jan. 1 to June 27. Nearly 37 percent of reports came from businesses -- an increase from almost 29 percent last year.

Data breach reports from health care providers (14.9 percent of the total) and banks (10 percent) continued to rise, while the share of breaches from educational institutions (21.3 percent of the total) government entities and the military (17 percent) declined for the third year in a row, the ITRC found.

Hacking was the least-cited cause of data breaches in the first six months of 2008 (11.7 percent of the total). Instead, lost or stolen laptops and other digital storage media remain the most frequently cited cause of data breaches, accounting for more than 20 percent of all reported cases, the ITRC found. The inadvertent posting of personal and financial data online prompted roughly 15 percent of the data breach disclosures.

The nexus of data, plaintiff law suits and your outside counsel (3rd party suppliers) will be the Board of Directors #1 priority in the next few years. This is the vortex of Operational Risk in the 21st century.