ORLANDO—Electronically stored information has become the “driver” behind many of the lawsuits hitting credit unions today, and CUs need to be aware of that fact to land on the winning side of court decisions, a panel of attorneys said.
“For better or for worse, this is not going away,” said Seth Horvath, partner at Nixon Peabody.
Horvath participated in a panel discussion at the NASCUS’ 2018 Summit here that gave credit unions advice on what they need to do to successfully manage their data and deliver it in court cases, particularly those regarding cybersecurity matters. The panel focused on critical issues to be considered in connection with handling electronically stored information (ESI).
To open attendees’ eyes regarding the breadth of ESI that can be requested for review or presented in legal cases, Horvath asked for a show of hands on how many in the audience have sent a work-related email. He noted that all emails can be documents considered in a lawsuit.
“You can be liable for not protecting electronically stored information or preserving it when a suit is filed,” Horvath said.
Horvath emphasized that if a credit union is found liable for not protecting and storing ESI, the defense that the organization was not aware of the laws will not hold up in a courtroom. He spoke about steps CUs can take to make sure staff, leaders and the board all understand what needs to be done.
“Not understanding the rules can even lead to personal liability,” cautioned Horvath. “You have an obligation to pay attention to the issues impacting your institution, and that includes issues associated with cybersecurity. This applies to internal directors, managers and leaders as well as the board.”
Horvath used the example of Wyndham Hotels, which successfully defended itself in a class-action lawsuit over the data breach it suffered a few years ago.
“The case addressed the duties of the directors and the officers,” he said. “The suit was dismissed because the directors and officers were well versed on cybersecurity issues and the organizations’ data protection policies and procedures. Directors and officers can get sued for failing to understand and protect against cyber risk. That is becoming a legal theme.”
ESI Oversight
Horvath outlined some key elements of effective ESI oversight.
“It is wise to have some board members with cyber security experience and encourage them to be conversant in the issue,” he said. “You should also have regular board reports on cyber security risk.”
Horvath encouraged credit unions to use outside consultants to help the entire credit union understand proper data protection.
“There, too, is the option for cyber security insurance,” said Horvath—a form of insurance for which there is a growing need.
Tina Solis, partner at Nixon Peabody, spoke to attendees about the importance of a digital information retention policy and plan. She spoke about including in the plan a “checklist” that details where all information is stored and who has it—especially digital information.
“One of the first things I ask clients is where is their data mapping, and they usually tell me that information is in their heads,” Solis said. “Great, well what happens if you are hit by a bus. Who then could tell the lawyers where to get all the data?”
Solis noted the depth and breadth of digital data that a credit union would likely need to pull together to address a lawsuit.
“What about the data on your employees’ cell phones that are related to their jobs?” she asked. “That is admissible in a lawsuit. All of the apps they download…That has to be part of the information mapping process.”
“If you get sued and don’t have a plan in place with information mapping, you will tear your hair out, having to know and find out where all the data is and who has it and who is responsible for managing it,” added Tom Hecht, partner at Nixon Peabody.
Don't Leave On Shelf
Finally Solis said that digital information retention policies and plans can’t be created and left on the shelf.
“Pull them out once a year and see if they need updating,” she said.
Solis, too, stressed that credit unions will fare much better in a lawsuit if they adhere to a data retention plan that also purges needless records, such as employee emails about where they are going to lunch.
“That will save you a lot of time and money, as someone will have to go through all that data if you are sued,” she said.
Credit unions should be aware, Solis added, that the data preservation process for a potential lawsuit legally begins when the institution first believes it could be a target of litigation.
“This process does not legally begin when the credit union is formally sued,” Solis said. “That is something that is often not known.”