Data Sovereignty and the GDPR; Do You Know Where Your Data Is?


As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected in a particular country must stay in that country. They argue that it’s in the government’s interest to protect its citizens’ personal information against any misuse.


The Right to be Forgotten Versus The Need to Backup


A great deal has been written about the GDPR and CCPA privacy laws, both of which include a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR).

The New California Privacy Law and Presumed Damages


At the end of June, California’s legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The new law provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold. The new law will come into effect on January 1, 2020; however, on that date California citizens will be able to request all data about them going back 12 months, or January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019.

The Need for Archiving and FRCP 37(e)


The December 2006 amendments to the Federal Rules of Civil Procedure (FRCP), specifically Rule 37, established that when litigation can be reasonably anticipated, both sides have a duty to immediately stop all alterations and deletions of all potentially relevant content and secure it – also known as a litigation hold and the duty to preserve.

Earlier this year, the Supreme Court approved new amendments to the FRCP which will become effective on December 1, 2015. The new Rule 37(e) reiterates the need to preserve electronically stored information (once litigation can be reasonably anticipated) but also creates a uniform standard for spoliation (destruction of evidence) and so, they hope, will provide greater predictability around the question of loss of ESI during litigation.

The new amended Rule 37(e) allows a court to respond when one party loses electronically stored information (ESI), which then prejudices the other party. Rule 37(e) empowers a court to take reasonable action to cure the prejudice, even if the loss of ESI was inadvertent. The new twist is that the burden to prove prejudice resulting from the missing/lost evidence as a result of willful or intentional misconduct now falls on the innocent party before the most severe sanctions can be imposed, and then only if the prejudice shown cannot be mitigated through other remedies, e.g. additional discovery. To complicate matters further, even in cases when there is no demonstrated prejudice to the opposing party, the court can assume the ESI was unfavorable and enter a default judgment in the case. This means that the Judge has wide latitude to respond to parties who don’t take their eDiscovery responsibilities seriously.

The need for information governance and archiving

Many believe the amended Rule 37(e) highlights the need for corporations to get more control of all of their electronic data, not just that data considered a record. Information governance programs including on-going content archiving of those types of information most sought after in eDiscovery, namely email and other forms of communication, enables an organization to quickly find all potentially relevant content, secure it under a litigation hold, and begin the review process immediately – knowing the archive is the “copy of record” repository.

Many Judges look closely at the steps taken by the responding party when eDiscovery mistakes happen. Judges want to see that reasonable actions were taken and a good faith intent was present to reduce or stop eDiscovery mishaps, including regularly updated policies, on-going employee training, and the type of technology purchased. Judges understand that there is no such thing as Perfect; that mistakes happen, and many times it is inadvertent.

Keeping everything forever is a mistake

Another related eDiscovery problem many companies find themselves facing is the issue of having too much data to search and review during eDiscovery. Many companies only manage what they consider to be “business records”, which averages 5% of all corporate data, and leave the other 95% to be managed (or not) by individual employees. This huge unmanaged store of employee data, which is a popular target in discovery, dramatically drives up the cost of eDiscovery, while also driving up the potential of problems occurring during eDiscovery. Defensibly disposing of expired or valueless data will reduce the amount of data that must be pulled into an eDiscovery action, reducing the cost and risk of problems later.

A centrally managed archive that proactively captures, for example, all communications (email, IM, social communications) and applies retention/disposition policies to all captured content can ensure that expired or valueless data is defensibly disposed of, reducing the size of the overall discovery data set by as much as 60%. Because it’s defensibly disposed of via automation and policy, questions of spoliation cannot be raised.

In fact, archiving your most important (and requested) content provides a great deal more granular data management capability than simply relying on individual employees – so you don’t run afoul of the new FRCP Rule 37(e).

InfoGov: Productivity Gains Equal Revenue Gains


Information Governance-101

A great deal has been written on lost productivity and the benefits of information governance. The theory is that an information governance program will raise employee productivity, thereby saving the organization money. This theory is pretty well accepted based on the common sense realization and market data that information workers spend many hours per week looking for information to do their jobs. One data point comes from a 2013 Wortzmans e-Discovery Feed blog titled “The Business Case for Information Governance – Reduce Lost Productivity!”, which states employees spend up to nine hours per week (or 1 week per month or 12 weeks per year) looking for information. The first question to consider is how much of that time searching for information could be saved with an effective information governance program?

InfoGov Productivity Savings

Three months out of every year spent looking for information seems a little high… so…


Defensible Disposal means never being accused of spoliation for hosting “Shred Days”


U.S. District Judge Ronald Whyte in San Jose reversed his own prior ruling from a 2009 case where he issued a judgment against SK Hynix, awarding Rambus Inc. $397 million in a patent infringement case. In his reversal this month, Judge Whyte ruled that Rambus Inc. had spoliated documents in bad faith when it hosted company-wide “shred days” in 1998, 1999, and 2000. Judge Whyte found that Rambus could have reasonably foreseen litigation against Hynix as early as 1998, and that therefore Rambus engaged in willful spoliation during the three “shred days” (a finding of spoliation can be based on inadvertent destruction of evidence). Because of this recent spoliation ruling, the Judge reduced the prior Rambus award from $397 million to $215 million, a cost to Rambus of $182 million.

Two questions come to mind in this case: 1) why did Rambus see the need to hold “shred days”?, and 2) did they have an information governance policy and defensible disposal process? As a matter of definition, defensible disposal is the process (manual or automated) of disposing of unneeded or valueless data in a way that will stand up in court as reasonable and consistent.

The obvious answer to the second question is probably not or, if yes, it wasn’t being followed; otherwise why the need for the shred days? Assuming that Rambus was not destroying evidence knowingly, the term “shred-days” still has a somewhat negative connotation. I would think corporate attorneys would instruct all custodians within their companies that the term “shred” should be used sparingly or not at all in communications because of the questionable implications.

The term “Shred days” reminds many of the Arthur Andersen partner who so famously sent an email message to employees working on the Enron account, reminding them to “comply with the firm’s documentation and retention policy”. The Andersen partner never ordered the destruction or shredding of evidence but because anticipation of future litigation was potentially obvious, the implication in her email was “get rid of suspect stuff”. The timing of the email message was also suspect in that just 21 minutes separated Ms. Temple’s e-mail message to Andersen employees on the Enron account about the importance of complying with the firm’s document retention policy from an entry in a record of her current projects in which she wrote that she was working on a case involving potential violations of federal securities laws.

The Rambus case highlights the need for a true information governance process including a truly defensible disposal strategy. An information governance process would have been capturing, indexing, applying retention policies, protecting content on litigation hold and disposing of content beyond the retention schedule and not on legal hold… automatically, based on documented and approved legally defensible policies. A documented and approved process which is religiously followed, and with proper safeguards, goes a long way with the courts to show good faith intent to manage content and protect that content subject to anticipated litigation.