1. Simplifying Law Firm Information Security Compliance - An Executive Briefing Prepared by: David Cunningham, Managing Director Meg Block, Managing Director March 2010 Excerpt with a Focus on Encryption

4. Regulatory Summary March 1, 2010 $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties “ Personal information about a resident of the Commonwealth” of Massachusetts State of Massachusetts Massachusetts Data Privacy Law February 17, 2010 $100 - $50,000 per incident; $1.5M max per year. “ Protected Health Information” aka PHI Health and Human Services HIPAA / HI-TECH Voluntary (replaces Data Transfer Agreements) Up to $12,000 per day for violations Personal information transferred to or from 27 Members States of the European Union US Dept of Commerce / Federal Trade Commission Safe Harbor 60 days in advance of any intended sale or transfer to a foreign person of ownership or control Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment “ Export of technical data and classified defense articles”, as defined by the US Munitions List US Department of State ITAR None at this time Currently not applicable to law firms due to ABA objections, but the FTC is appealing Personal identifying information (PII is PHI plus credit card, tax ID, insurance claim, background checks, etc.) Federal Trade Commission Red Flags Rule Regulation Governing Body Information Addressed Penalties Law Firm Compliance Date ISO 27001 International Standards Organization (ISO) Determined by company and its auditor via Statements of Applicability None Voluntary

9. Massachusetts Data Privacy Law * Answers are excerpts from the Commonwealth of Massachusetts’ FAQ Regarding 201 CMR 17.00 “ You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information.” Backup Tapes Yes, “but only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iPhones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.” Portable Devices “ You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information.” Third Parties “ If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.” E-Mail with Personal Information Asset Encryption Expectations*