Month: November 2013

Cloudy, with a chance of eDiscovery

Bill Tolson Cloud Storage, eDiscovery , , , , , , , , , ,

In the last year there has numerous articles, blogs, presentations and panels discussing the legal perils of “Bring Your Own Device” or BYOD policies. BYOD refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The problem with BYOD is company access to company data housed on the device. For example, how would you search for potentially relevant content on a smartphone if the employee wasn’t immediately available or refused to give the company access to it?

Many organizations have banned BYOD as a security risk as well as a liability when involved with litigation.

BYOC Equals Underground Archiving?

Organizations are now dealing with another problem, one with even greater liabilities. “Bring your own cloud” or BYOC refers to the availability and use by individuals of free cloud storage space available from companies like Microsoft, Google, Apple, Dropbox, and Box.net. These services provide specific amounts of cloud storage space for free.

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere; home or while they’re traveling. This means employees no longer have to copy files to a USB stick or worse, email work files as an attachment to their personal email account. The disadvantage of these services are that corporate information can easily migrate away from the organization with no indication they were ever copied or moved – otherwise known as “underground archiving”.  This also means that potentially responsive information is not protected from deletion or available for review during eDiscovery.

Stopping employee access to outside public clouds is a tough goal and may negatively affect employee productivity unless the organization offers something as good  that they can manage and access as well. For example several companies I have talked to over the last year have begun offering Dropbox accounts to employees with the understanding that the company has access to for compliance, eDiscovery or security reasons all the while providing the employee the advantages of a cloud account.

The other capability organizations should research about these cloud offerings is their ability to respond to legal hold and eDiscovery search. Questions to consider include: Does the organization have the ability to search across all company owned accounts for specific content? What type of search do they offer; Keyword, concept? Can the organization view the contents of documents without changing the document metadata? Can the organization place to “stop” on deletions by employees at any time?

Organizations need to be aware of and adapt to these cloud services and be thorough in addressing them.

For Corporate counsel:
  1. Be aware these types of cloud storage services exist for your employees.
  2. Think about offering these cloud services to employees under the organization’s control.
  3. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and company owned equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  4. Audit the policy to insure it is being followed.
  5. Enforce the policy if employees are not following it.
  6. Train the employees on the policy.
  7. Document everything.
For employees:
  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all content in that account could be subject to eDiscovery review, personal or company related.
  2. Ask your organization what the policy is for employee use of cloud storage/
  3. If you use these services for work, only use them with company content, not personal files.
  4. Be forthcoming with any legal questioning about the existence of these services you use.
  5. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel
For opposing counsel:

Be aware of these services and ask the following questions during discovery:

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These cloud services are an obvious productivity tool for employees to utilize to make their lives easier as well as more productive. All involved need to be aware of the eDiscovery implications.

Tolson’s Three Laws of Machine Learning

Bill Tolson eDiscovery, Information Management, Technology , , , , , , , , , ,

TerminatorMuch has been written in the last several years about Predictive Coding (as well as Technology Assisted Review, Computer Aided Review, and Craig Ball’s hilarious Super Human Information Technology ). This automation technology, now heavily used for eDiscovery, relies heavily on “machine learning”,  a discipline of artificial intelligence (AI) that automates computer processes that learn from data, identify patterns and predict future results with varying degrees of human involvement. This interative machine training/learning approach has catapulted computer automation to unheard-of and scary levels of potential. The question I get a lot (I think only half joking) is “when will they learn enough to determine we and the attorneys they work with are no longer necessary?

Is it time to build in some safeguards to machine learning? Thinking back to the days I read a great deal of Isaac Asimov (last week), I thought about Asimov’s The Three Laws of Robotics:

  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

Following up on these robot safeguards, I came up with Tolson’s Three Laws of Machine Learning:

  1. A machine may not embarrass a lawyer or, through inaction, allow a lawyer to become professionally negligent and thereby unemployed.
  2. A machine must obey instructions given it by the General Counsel (or managing attorney) except where such orders would conflict with the First Law.
  3. A machine must protect its own existence through regular software updates and scheduled maintenance as long as such protection does not conflict with the First or Second Law

I think these three laws go along way in putting eDiscovery automation protections into effect for the the legal community. Other Machine Learning laws that others suggested are:

  • A machine must refrain from destroying humanity
  • A machine cannot repeat lawyer jokes…ever
  • A machine cannot complement opposing counsel
  • A machine cannot date legal staff

If you have other Machine Learning laws to contribute, please leave comments. Good luck and live long and prosper.