safeguarding client info and file retention

SafeguardingClientInformationandFileRetentionRequirements

MichaelDowneyDowneyLawGroupLLC

August2017

SafeguardingClientInformation

2

3

1/8/17, 9(45 PMChinese Nationals Charged With Hacking Firms to Steal M A Info | The American Lawyer

Page 1 of 2http://www.americanlawyer.com/printerfriendly/id=1202775530918

NOT FOR REPRINT

Click to Print or Select 'Print' in your browser menu to print this document.

Page printed from: The American Lawyer

Chinese Nationals Charged With HackingFirms to Steal M&A InfoMark Hamblett, The Am Law Daily

December 27, 2016

Three Chinese nationals face federal charges for allegedly hacking into two major U.S. law firms ina scheme to trade on information about imminent mergers and acquisitions.

U.S. Attorney Preet Bharara of the Southern District of New York announced Tuesday that IatHong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in2014 and 2015 and accessing nonpublic information about pending deals. According to Bharara'soffice, the information was used in trades that reaped roughly $4 million in illegal profits.

The indictment unsealed Tuesday does not name the law firms, which are referred to as Law Firm1 and Law Firm 2. According to the charges, Law Firm 1 advised Intel Corp. on its 2015 acquisitionof Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMuneInc., which sold to Roche AG in 2014 for $8.9 billion.

The second major law firm advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree, the indictment states.

Based on those details the two firms appear to be Weil, Gotshal & Manges and Cravath, Swaine &Moore, firms where cyberbreaches previously were reported. Weil represented Intel in the Alterabuy and Cravath is identified in securities filings as Pitney Bowes lead deal counsel.

Representatives of both firms, reached Tuesday, declined to comment.

"This case of cyber meets securities fraud should serve as a wake-up call for law firms around theworld: you are and will be targets of cyber hacking, because you have information valuable towould-be criminals,” Bharara said.

In addition to infiltrating the two firms, Bharara said the defendants went after at least five other lawfirms between March and September 2015, trying to get unauthorized access to the firms' networksand servers on over 100,000 occasions.

4

5

6

7

DUTYofConfidentiality

8

Duty ofConfidentiality– Rule4-1.6

Alawyershallnotrevealinformationrelatingtotherepresentationofaclientunlesstheclientgivesinformedconsent,thedisclosureisimpliedlyauthorizedinordertocarryouttherepresentation,orthedisclosureispermittedbyRule4-1.6(b).

9

DutyofConfidentiality– MissouriRule4-1.6

• Informationfromanysource

• Relatingtorepresentation

• Limiton"revelation"• Limiton"use"inRule

4-1.8

Client

Mediareports Opposingcounsel

Pleadings

Adverseparty

Thirdparty

Lawyer

10

TheMythofPrivacy

"Therecanbenoreasonableexpectationofprivacyinatweetsentaroundtheworld."

Peoplev.Harris(N.Y.Crim.Court2012)

11

Internetvs.Privacy:"HelpfulVenndiagram"

ByDavidHoffman,availableathttp://bit.ly/bqU5vU

TheInternet Privacy

12

13

ProtectingInformationModel Rule1.6(c):"Alawyershallmakereasonableeffortstopreventtheinadvertentorunauthorizeddisclosureof,orunauthorizedaccessto,informationrelatingtotherepresentationofaclient."

14

15

WhatAre"Reasonable"Protections?

EvaluationofSafeguards• Factorstobeconsideredindeterminingthereasonableness

ofthelawyer’seffortsinclude,butarenotlimitedto,– thesensitivity oftheinformation– thelikelihoodofdisclosureifadditionalsafeguardsarenot

employed– thecost ofemployingadditionalsafeguards– thedifficulty ofimplementingthesafeguards (and)– theextenttowhichthesafeguardsadverselyaffectthelawyer’s

abilitytorepresentclients(e.g.,bymakingadeviceorimportantpieceofsoftwareexcessivelydifficulttouse)

16

Rule1.6(c)– TwoMoreCaveats• Aclientmayrequirethelawyertoimplementspecialsecurity

measuresnotrequiredbythisRuleormaygiveinformedconsenttoforgosecuritymeasuresthatwouldotherwiseberequiredbythisRule.

• Whetheralawyermayberequiredtotakeadditionalstepstosafeguardaclient’sinformationinordertocomplywithotherlaw,suchasstateandfederallawsthatgoverndataprivacyorthatimposenotificationrequirementsuponthelossof,orunauthorizedaccessto,electronicinformation,isbeyondthescopeoftheseRules.

17

WhereIstheData?

18

The"Cloud"

19

"DataFarms"

20

TermsofServiceGoogleDocs(8/2017)

21

SecureCommunications

• WhatsApp• Apple-AppleiMessagetexting(blue,notgreen)

• FaceTime

22

BeatingSecurity

23

InternetAccess

24

25

PrivatePublic

26PKI

EmailEncryption

27

“AlawyergenerallymaytransmitinformationrelatingtotherepresentationofaclientovertheInternet withoutviolatingtheModelRulesofProfessionalConductwherethelawyerhasundertakenreasonableeffortstopreventinadvertentorunauthorizedaccess…

28

…However,alawyermayberequiredtotakespecialsecurityprecautionstoprotectagainsttheinadvertentorunauthorizeddisclosureofclientinformationwhenrequiredbyanagreementwiththeclientorbylaw,orwhenthenatureoftheinformation requiresahigherdegreeofsecurity.”

SevenConsiderations1. Understandthethreat

2. Understandhowclientinformationistransmittedandstored

3. Understandandusereasonablesecuritymeasures

4. Determinehowclientinformationshouldbeprotected

5. Labelclientinformationconfidential

6. Trainaboutinformationsecurity

7. Conductduediligenceontechnology

29

30

“Thus,theuseofunencryptedroutineemailgenerallyremainsanacceptable methodoflawyer-clientcommunication.However,cyber-threatsandtheproliferationofelectroniccommunicationsdeviceshavechangedthelandscapeanditisnotalwaysreasonabletorelyontheuseofunencryptedemail.”

Attorney-ClientPRIVILEGE

31

Attorney-ClientPrivilege

• Confidential• communications• betweenanattorneyandhis[orher]client• concerningtherepresentationoftheclient• areprotectedbytheattorney-clientprivilege.

Diehlv.FredWeber,Inc. (Mo.App.E.D.2010)

32

DUTYofConfidentiality– Rule4-1.6

Client

Court Filings

Real Estate Records

Newspaper

Depositions

Pleadings

Opposing Party

Lawyer

Attorney-ClientPrivilege

• Confidential• communications• betweenanattorneyandhis[orher]client• concerningtherepresentationoftheclient• areprotectedbytheattorney-clientprivilege.

Diehlv.FredWeber,Inc. (Mo.App.E.D.2010)

34

Attorney-ClientPrivilege

Client Lawyer

Renditionof

LegalServices

35

"Necessary"Agents– Kovel

Client Lawyer

Agent

36

JointRepresentation

Client1 Client2

Lawyer

37

DeBoldv.Case (8th Cir.BAP2005)

“Whentwoormorepersons,eachhavinganinterestinsomeproblem,jointlyconsultanattorney,theirconfidentialcommunicationswiththeattorney,thoughknowntoeachother,willofcoursebeprivilegedinacontroversyofeitherorbothoftheclientswiththeoutsideworld,thatis,withpartiesclaimingadverselytobothoreitherofthosewithintheoriginalcharmedcircle.”

38

JointDefense/CommonInterestPrivilege

39

Client1 Client2

Lawyer1 Lawyer2

Attorney-ClientPrivilege

CommonInterest

40

AdverseinBusinessTransaction

Seller

Buyer

41

SharedInterestinEvaluatingLawsuit

Seller

Buyer

Plaintiff

42

WorkProductProtection– MORule56.01(b)(3)

• SubjecttotheprovisionsofRule56.01(b)(4),apartymayobtaindiscoveryofdocumentsandtangiblethingsotherwisediscoverableunderRule56.01(b)(1)andpreparedinanticipationoflitigationorfortrialbyorforanotherpartyorbyorforthatotherparty'srepresentative,includinganattorney,consultant,surety,indemnitor,insurer,oragent,onlyuponashowingthatthepartyseekingdiscoveryhassubstantialneedofthematerialsinthepreparationofthecaseandthattheadversepartyisunablewithoutunduehardshiptoobtainthesubstantialequivalentofthematerialsbyothermeans.Inorderingdiscoveryofsuchmaterialswhentherequiredshowinghasbeenmade,thecourtshallprotectagainstdisclosureofthementalimpressions,conclusions,opinions,orlegaltheoriesofanattorneyorotherrepresentativeofapartyconcerningthelitigation.

43

Rule56.01(b)(3)Parsed

§ [A]partymayobtaindiscoveryofdocumentsandtangiblethingsotherwisediscoverableunderRule56.01(b)(1)and

§ preparedinanticipationoflitigationorfortrial§ byorforanotherpartyorbyorforthatotherparty'srepresentative,

includinganattorney,consultant,surety,indemnitor,insurer,oragent,§ onlyuponashowing

– thatthepartyseekingdiscoveryhassubstantialneedofthematerialsinthepreparationofthecaseand

– thattheadversepartyisunablewithoutunduehardshiptoobtainthesubstantialequivalentofthematerialsbyothermeans.

44

FRCPRule26(b)(3)(A)Parsed• DocumentsandTangibleThings.• Ordinarily,apartymaynotdiscover• documentsandtangiblethingsthat• arepreparedinanticipationoflitigationorfortrial• byorforanotherpartyoritsrepresentative(includingthe

otherparty'sattorney,consultant,surety,indemnitor,insurer,oragent)

45

Work-ProductProtection

Alawyer'sinvolvementisnotrequired

46

Attorney-ClientPrivilege

Work-ProductProtection

47

OpinionWorkProduct– FullProtection

§ Inorderingdiscoveryof[workproduct]whentherequiredshowinghasbeenmade,thecourtshallprotectagainstdisclosureofthementalimpressions,conclusions,opinions,orlegaltheoriesofanattorneyorotherrepresentativeofapartyconcerningthelitigation.

48

WaiverofPrivileges

§ MarthaStewartisbeinginvestigatedforinsidertrading

§ StewartprepareschronologyofeventsaroundImClonestocksale– Stewartsendschronologytoherlawyers– Stewartthensendschronologytoherdaughter

§ Isattorney-clientprivilegewaived?§ Iswork-productprotectionwaived?

49

Waiver

§ Attorney-ClientPrivilege– Expresswaiver– At-issuewaiver– Disclosure

• WorkProduct– Expresswaiver(byclientorfirm)

– At-issuewaiver– Disclosure– whereinconsistentwithpurposeorlitigationadvantage

50

Crime-FraudException

• Key– communicationsarenot(really)forthepurposeofgivingorreceivinglegaladvice,buttocommitacrime

• USv.Williams(8th Cir.2013)– defendantaskedlawyertosmugglecellphoneintoprison

51

AccessingThird-PartyInformation

52

53

Rule4-4.4RespectForRightsOfThirdPersons

(a)Inrepresentingaclient,alawyershallnotusemeansthathavenosubstantialpurposeotherthantoembarrass,delay,orburdenathirdperson,orusemethodsofobtainingevidencethatviolatethelegalrightsofsuchaperson.

(b)Alawyerwhoreceivesadocumentrelatingtotherepresentationofthelawyer'sclientandknowsorreasonablyshouldknowthatthedocumentwasinadvertentlysentshallpromptlynotify thesender.

54

InadvertentProduction

• OldRule– recipientofmetadata– Notify producingpartyofproductionofprivilegedinformation

– Refrain fromreviewingprivilegedinformation– Abide byproducingcounsel'sinstruction– atleastuntilacourtordersotherwise

55

NewRule4-4.4(b)

Alawyerwhoreceivesadocumentrelatingtotherepresentationofthelawyer'sclientandknowsorreasonablyshouldknowthatthedocumentwasinadvertentlysentshallpromptlynotifythesender.

InreEisenstein (Mo.4/5/2016)• EisensteinrepresentedHusbandindivorce• HusbandaccessedWife'semailwithoutpermission,andgave

EisensteindocumentsincludingquestionsWife'sattorneyhadpreparedfordirectexamination

• EisensteindidnotproducethedocumentsreceivedfromWife'semail,untilgivingthemtoopposingcounselasexhibitsduringtrial

56

ConsequencesinEisenstein

• Eisensteinwasfoundtohaveusedimproperlyobtainedinformation(violatingRule4-4.4)andconcealingdocumentswithevidentiaryvalue(violatingRule4-3.4)

• Eisensteinreceivedanindefinite(minimum6month)suspension

57

ImproperAccess– Rule4-4.4(a)

• Inrepresentingaclient,alawyershallnotusemeansthathavenosubstantialpurposeotherthantoembarrass,delay,orburdenathirdperson,orusemethodsofobtainingevidencethatviolatethelegalrightsofsuchaperson.

58

WhyImproper

• Illegal– maybeincriminatingclient– Evidencemaybebarred– Lawyermaybedisqualified

• Permitted– mayusedocuments

59

FileRetention

60

FileOwnership

• “Theclient’sfilesbelongtotheclient,nottotheattorneyrepresentingtheclient.Theclientmaydirectanattorneyorfirmtotransmitthefiletonewlyretainedcounsel.”InthematterofCupples,952S.W.2d226,234(Mo.banc1997).

61

Retention– OrdinaryClientRecords

Rule4-1.22

62

SixYears– UnlessWrittenConsent• Alawyershallsecurelystoreaclient'sfileforsixyearsaftercompletionor

terminationoftherepresentationabsentotheragreementbetweenthelawyerandclientthroughinformedconsentconfirmedinwriting.Suchinformedconsentconfirmedinwritingmaybemadebetweenthelawyerandtheclientatanypointduringthesixyearsaftercompletionorterminationoftherepresentation.Iftheclientdoesnotrequestthefilewithinsixyearsaftercompletionorterminationoftherepresentation,thefileshallbedeemedabandonedbytheclientandmaybedestroyed.

• ThesixyearclientfileretentionrequirementshallapplytoallclientfileswherethecompletionorterminationoftherepresentationoccursonorafterJuly1,2016.AllclientfileswherethecompletionorterminationoftherepresentationoccurspriortoJuly1,2016,shallbegovernedbythepreviouslyrequired10years.

63

BewareSpoliation• AlawyershallnotdestroyafilepursuanttothisRule4-1.22if

thelawyerknowsorreasonablyshouldknowthat:(a)alegalmalpracticeclaimispendingrelatedtotherepresentation;(b)acriminalorothergovernmentalinvestigationispendingrelatedtotherepresentation;(c)acomplaintispendingunderRule5relatedtotherepresentation;or(d)otherlitigationispendingrelatedtotherepresentation.

64

KeepItemsWith“IntrinsicValue”

• Itemsinthefilewithintrinsicvalueshallneverbedestroyed.

• AlawyerdestroyingafilepursuanttothisRule4-1.22shallsecurelystoreitemsofintrinsicvalueordeliversuchitemstothestateunclaimedpropertyagency.Thefileshallbedestroyedinamannerthatpreservesclientconfidentiality.

65

RememberWhatYouDestroy• AlawyerdestroyingafilepursuanttothisRule4-1.22shall

maintainthewrittenrecordoftheclient'sconsentofdestructionforatleastsixyearsaftercompletionorterminationofemployment.Clientfiles,exceptforitemsofintrinsicvalue,maybemaintainedbyelectronic,photographic,orothermediaprovidedthatprintedcopiescanbeproduced.Theserecordsshallbereadilyaccessibletothelawyer.

66

Dissolution– MustProtectRecordsUpondissolutionofalawfirm,thelawyersshallmakereasonablearrangementsforthemaintenanceofclientfiles.Uponthesaleofalawpractice,thesellershallmakereasonablearrangementsforthemaintenanceofclientfiles,whichincludeswrittennoticetoaclientastothelocationoftheclient'sfile.

67

Retention– TrustAccountRecords

Rule4-1.15(f)

68

SixYears– NoMatterWhatCompleterecordsofclienttrustaccountsshallbemaintainedandpreservedforaperiodofatleastsixyearsafterthelaterof:

(1) terminationoftherepresentation,or

(2) thedateofthelastdisbursementoffunds.

Clienttrustaccountrecordsmaybemaintainedbyelectronic,photographic,orothermediaprovidedthattheyotherwisecomplywithRules4-1.145to4-1.155andthatprintedcopiescanbeproduced.Theserecordsshallbereadilyaccessibletothelawyer.

69

RequiredTrustAccountDocumentation(Missouri)

(1) receiptanddisbursementjournals

(2) client-specificledgers

(3) feeagreementsandsimilardocuments

(4) accountingstatementsshowingdisbursementsmade

(5) billsandexpensessenttoclients

(6) disbursementrecords

(7) check-bookregistersandbankstatementsortheequivalents

(8) electronictransferrecords

(9) accountreconciliations

(10)credit-cardtransactioninformation

70

Dissolution– MustProtectRecords

Upondissolutionofalawfirmorofanylegalprofessionalcorporation,thepartnersshallmakereasonablearrangementsforthemaintenanceofclienttrustaccountrecords.Uponthesaleofalawpractice,thesellershallmakereasonablearrangementsforthemaintenanceofclienttrustaccountrecords.

71

MichaelDowneyDowneyLawGroupLLC

(314)961-6644(844)961-6644tollfree

mdowney@DowneyLawGroup.com

ThankYou