Privacy & Data Security

As in-house counsel, how would you like to tell your CEO: “While our customer lists, pricing information, and business processes are trade secrets, we can’t sue the independent contractor who stole them because we did not do enough to protect those trade secrets.”  Sound contrived?  Well, that is exactly the ruling one Massachusetts Superior Court judge recently issued in C.R.T.R., Inc. v. Lao. … Keep reading

In Part 1 and Part 2 I discussed four steps that I recommend employers follow in using criminal records.  Here in Part 3 and the last part of this series, I address the process of the handling of the documents.

 Step 5:  Handling Documents with CORI

Criminal records information obtained from any source is confidential, and employers must take precautions to insure that such information is protected from disclosure.  Because of the highly confidential nature of criminal records, the number of individuals who are authorized to request, access, receive and review such  information must be limited, and there are strict procedures for handling, storing and destroying criminal records information.  The new regulations provide for controls by:

  • Requiring the designation of a CORI Representative for an employer;
  • Requiring a Secondary Dissemination Log to track all distribution of CORI;
  • Limiting employer registration for CORI to one year increments; and
  • Limiting the validity of employee or applicant Acknowledgement Forms to 12 months from the execution date or the end of employment, whichever is sooner.
Keep reading

In my prior blog post, I provided the first two steps for an employer to obtain and use CORI in Massachusetts based on the new CORI regulations issued on May 25, 2012.  This post addresses the next two steps in this process.

These blog posts also address when an employer conducts its own CORI checks.  However, instead of conducting the background checks themselves, employers may request an outside consumer reporting agency to perform the background checks.  If you use or are an outside consumer reporting agency, please note that some of the requirements of the new regulations may be different than described in my blog posts.

Step 3:  Notifying Employee/Applicant of CORI

Once CORI is obtained by an employer, the employer must provide to the employee or applicant a copy of the obtained information and the source of the CORI before making any adverse employment decision based on the CORI, or even asking the employee/applicant questions regarding his/her criminal record.

If the employer intends to make an adverse employment decision based on the CORI, the employer is first required to:

  • notify the individual in writing of the potential adverse employment action;
  • provide a copy of the CORI, identifying
Keep reading

Because the role of most in-house counsel goes well beyond that of providing legal advice, whether communications with in-house counsel are privileged is a much more nuanced issue than it is with respect to communications with outside counsel.

General Principles Applicable to all Claims of the Privilege

1.  Not all communications with attorneys are privileged; only communications for the purpose of obtaining legal advice are privileged.  Thus, even conversations between a CEO and his or her General Counsel about the most sensitive and confidential aspects of their business are subject to disclosure unless they are for the purpose of obtaining legal advice.… Keep reading

While non-lawyers may not have heard of the term “spoliation,” most people intuitively know that destroying evidence related to an ongoing litigation is a bad thing to do.  Conversely, even many lawyers do not know the breadth of a company’s obligation to preserve evidence, particularly electronically stored information (which is quaintly referred to as “ESI”).  Further, knowing the basics of this obligation is critical because failing to preserve ESI can lead to monetary penalties, affirmative claims being dismissed and/or defenses being barred.

Perhaps the most common misconception about the obligation to preserve ESI is that a company runs no risk of punishment for having destroyed ESI pursuant to a document retention/destruction policy, as long as such policy (i) is objectively reasonable and (ii) was  implemented at a time when no litigation could have been anticipated.  Further, at first glance, Rule 37(e) of the Federal Rules of Civil Procedure would appear to support this notion:

Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.

While this rule seems simple enough, the … Keep reading