20 September 2007

A Defensible Standard of Care: Six Million Reasons...

There are 6,000,000 reasons why Operational Risk at TD Ameritrade is in the Red Zone this week as a result of what seems to be a case of malicious code discovered last week, or over a year ago.

This author received a recent letter from TD Ameritrade regarding their so-called pseudo "breach". And we quote:

"While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain information stored in one of our databases, including email addresses, to be retrieved by an external source."

What is absolutely amazing is the request to visit www.amtd.com for more information and a list of Frequently Asked Questions (FAQs) and "an additional message from me" (The CEO Joe Moglia). The link to this message requires you to run Windows Media Player for what must be a sincere apology. However, the PR department must not know how many malicious code exploits are associated with .wmv files, nor how many consumers still do not have broadband connections.

But that is not even the most fascinating aspect of this whole incident. The story gets even more disturbing if it is indeed true:

Scott Kamber of Kamber & Associates, a New York law firm that sued Sony BMG last year for its use of a rootkit, told InformationWeek on Monday that the lawsuit initially claimed that Ameritrade knew about the data breach last November. However, he says he now has information that the company knew about the ongoing breach a full year ago.

Kamber, who filed the suit this past May, had recently filed a preliminary injunction asking the court to compel Ameritrade to disclose the data breach and the compromised information to current and prospective customers. The company was given a two-week adjournment and made the public announcement during that recess.

"I am glad customers finally know of the compromise of their personal information," said Kamber. "I'm not pleased it took the company so long to do that."

Hillyer said she could not comment on ongoing litigation but said, "As soon as we discovered it, we stopped it. And as soon as we had gathered enough information, we notified our clients."

Ameritrade notified the FBI and the U.S. Securities and Exchange Commission last week, according to the spokeswoman.

It's apparent that the nexus of Information Security, Digital Forensics, eDiscovery, Legal Risk and Reputation Management has imploded in Bellevue, NE, yet this will not be the last place we hear about this kind of incident. If a Rootkit is on a server there, you can be sure that there are others at another broker or investment management firm near you.

Being vigilant about protecting privacy and doing the right thing with customers in the event of a breach has significant legal ramifications, that is for certain. What is less known at this point are the processes and corporate behavior that could be even more of a source of liability for TD Ameritrade. Who, what, how and why is now under investigation and will play out in a courtroom again soon.

The degree to which any firm in the industry is "Litigation Ready", or has adequately prepared for this particular nexus between the elements of Information Security and the Law, will determine the amount of Operational Risk it is potentially exposed to in incidents like this one. How can any firm prepare for an event similar to this?

1. Conduct a Litigation Readiness Audit of the firm.

2. Develop a strategic plan for achieving a "Defensible Standard of Care."

3. Train the stakeholders on Crisis, Command and Control.

4. Implement an early warning data analytics system to preempt potential threats.

Number four on this list pertains to something that is also in the author's letter: "As part of our effort to protect privacy, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft." Let's just hope these guys didn't load up, at their shop, a CD handed over to them by TD Ameritrade with 6,000,000 records of personally identifiable information on it.

14 September 2007

True or false: A large corporate private sector company hires an outside counsel to investigate an employee suspected of fraud. The outside counsel hires a fraud examiner to look into the facts. The fraud examiner's report to the outside counsel will assist in determining whether a crime has been committed. The report and the communications with the outside counsel are protected, confidential work product and are privileged. If you don't know the answer, read on.

Organizations that realize that internal investigations can pose a tremendous risk of litigation are ahead of the Operational Risk Management curve. Being proactive about a prudent strategy for addressing potential internal employee fraud is imperative, especially if you plan to pursue litigation to try and recover the stolen assets.

The two primary areas of emphasis here, for the purpose of determining what information is discoverable, are the attorney-client privilege and the work product doctrine. This Texas case from the Texas Bar Journal article by Derek Lisk illustrates the point:

In yet another case in which one party sought to protect documents from an investigation on privilege grounds, the U.S. District Court for the Eastern District of Texas took a more expansive view of the privilege. In-house counsel for Electronic Data Systems (EDS) hired outside attorneys, who in turn hired a consulting firm, to independently analyze and report on alleged misuse and misappropriation of assets by an EDS employee, Mr. Steingraber. In the ensuing litigation, EDS objected to producing documents from the investigation.

Steingraber, like Seibu Corp., argued that the documents were not privileged “because they were made to facilitate a business decision rather than the rendition of professional legal services.” This court, however, sided with the party seeking to protect the documents, finding Steingraber’s interpretation of the privilege “unduly narrow” and disagreeing with Seibu Corporation to the extent it held otherwise. Among other things, the court said, “The fact that the attorneys may have been hired to facilitate a business decision does not mean that such a decision was devoid of legal consequences.” Because EDS hired the outside lawyers to contribute legal expertise, including contract interpretation, risk evaluation, witness interviews, and evidence evaluation, the communications between them were “for the rendition of legal services.”

The status of H.R. 3013 in the US House of Representatives is unknown as it goes to be debated in committees:
7/12/2007--Introduced.
Attorney-Client Privilege Protection Act of 2007 - Amends the federal criminal code to prohibit any U.S. agent or attorney, in any federal investigation or criminal or civil enforcement matter, from demanding, requesting, or conditioning treatment on the disclosure by an organization (or affiliated person) of any communication protected by the attorney-client privilege or any attorney work product.
Prohibits a U.S. agent or attorney from conditioning a civil or criminal charging decision relating to an organization (or affiliated person) on one or more specified actions, or from using one or more such actions as a factor in determining whether an organization or affiliated person is cooperating with the government.
The question on the table here is how much, as a corporation, you want to cooperate to prosecute the employee. It may make sense as a corporation to waive some rights to help recover your losses. How you architect a process for engaging outside counsel, independent investigators and fraud examiners in order to mitigate Legal Risk is crucial. The exchange of information obtained in the process, and its communication between the parties, must be done correctly, not only to protect the information under the new Federal Rules of Civil Procedure but to ensure the integrity and trust of the information itself.

A Board of Directors that oversees the governance of hundreds or thousands of employees is going to be continuously subjected to corporate malfeasance and white collar crime matters. The rule of law within the halls of the organization must be clear and precise. The mechanisms for the company to cooperate with investigators may mean the difference in whether an employee creates irreversible economic damage to the enterprise, or even worse, to our national security.