Does your organization utilize Office 365 for email? Is your organization required to journal email for compliance, legal, or business requirements? Do your Attorneys complain about the time it takes to find information for an eDiscovery request? If the answer is yes to any of these questions, then keep reading. Continue reading
Uncategorized
Data Sovereignty and the GDPR; Do You Know Where Your Data Is?
As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected in a particular country must stay in that country. They argue that it’s in the Government’s interest to protect their citizen’s personal information against any misuse. Continue reading
The Right to be Forgotten Versus The Need to Backup
A great deal has been written about the GDPR and CCPA privacy laws, both of which includes a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Privacy Regulation (GDPR). Continue reading
The New California Privacy Law and Presumed Damages
At the end of June, California’s legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The new law provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold. The new law will come into effect on January 1, 2020, however, on January 1, 2020, California citizens will be able to request all data about them going back 12 months, or January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019. Continue reading
My Healthcare Data is Where?
According to IDC, healthcare data is one of the fastest growing segments of the digital universe – growing from 153 exabytes in 2013 to an estimated 2,314 exabytes in 2020, a 48% annual growth rate. So where will the healthcare industry put all of this critical and sensitive data and how long must it be held?
The Need for Archiving and FRCP 37(e)
The December 2006 amendments to the Federal Rules of Civil Procedure (FRCP), specifically Rule 37, established when litigation can be reasonably anticipated, the duty of both sides is to immediately stop all alterations and deletions of all potentially relevant content and secure it – also known as a litigation hold and the duty to preserve.
Earlier this year, the Supreme Court approved new amendments to the FRCP which will become effective on December 1, 2015. The new Rule 37(e) reiterates the need to preserve electronically stored information (once litigation can be reasonably anticipated) but also creates a uniform standard for spoliation (destruction of evidence) and so, they hope, will provide greater predictability around the question of loss of ESI during litigation.
The new amended Rule 37(e) allows a court to respond when one party loses electronically stored information (ESI), which then prejudices the other party. Rule 37(e) empowers a court to take reasonable action to cure the prejudice, even if the loss of ESI was inadvertent. The new twist is now the burden to prove prejudice resulting from the missing/lost evidence as a result of willful or intentional misconduct falls on the innocent party before the most severe sanctions can be imposed, and then only if the prejudice shown cannot be mitigated through other remedies, e.g. additional discovery. To complicate matters further, even in cases when there is no demonstrated prejudice to the opposing party, the court can assume the ESI was unfavorable and enter a default judgment in the case. This means that the Judge has wide latitude to respond to parties who don’t take their eDiscovery responsibilities seriously.
The need for information governance and archiving
Many believe the amended Rule 37(e) highlights the need for corporations to get more control of all of their electronic data, not just that data considered a record. Information governance programs including on-going content archiving of those types of information most sought after in eDiscovery, namely email and other forms of communication, enables an organization to quickly find all potentially relevant content, secure it under a litigation hold, and begin the review process immediately – knowing the archive is the “copy of record” repository.
Many Judges look closely at the steps taken by the responding party when eDiscovery mistakes happen. Judges want to see that reasonable actions were taken and a good faith intent was present to reduce or stop eDiscovery mishaps including, regularly updated policies, on-going employee training, and the type of technology purchased. Judges understand that there is no such thing as Perfect; that mistakes happen, and many times it inadvertent.
Keeping everything forever is a mistake
Another related eDiscovery problem many companies find themselves facing is the issue of having too much data to search and review during eDiscovery. Many companies only manage what they consider to be “business records”, which averages 5% of all corporate data, and leave the other 95% to be managed (or not) by individual employees. This huge unmanaged store of employee data, which is a popular target in discovery, dramatically drives up the cost of eDiscovery, while also driving up the potential of problems occurring during eDiscovery. Defensibly disposing of expired or valueless data will reduce the amount of data that must be pulled into an eDiscovery action reducing the cost and risk of problems later.
A centrally managed archive that proactively captures, for example, all communications (email, IM, social communications) and applies retention/disposition policies to all captured content can insure that expired or valueless data is defensibly disposed of, reducing the size of the overall discovery data set by as much 60%. Because it’s defensibly disposed of via automation and policy, questions of spoliation cannot be raised.
In fact, archiving your most important (and requested) content provides a great deal more granular data management capability then simply relying on individual employees – so you don’t run afoul of the new FRCP Rule 37(e).
InfoGov: Productivity Gains Equal Revenue Gains
A great deal has been written on lost productivity and the benefits of information governance. The theory being that an information governance program will raise employee productivity thereby saving the organization money. This theory is pretty well accepted based on the common sense realization and market data that information workers spend many hours per week looking for information to do their jobs. One data point comes from a 2013 Wortzmans e-Discovery Feed blog titled “The Business Case for Information Governance – Reduce Lost Productivity!” that states employees spend up to nine hours per week (or 1 week per month or 12 weeks per year) looking for information. The first question to consider is how much of that time searching for information could be saved with an effective information governance program?
InfoGov Productivity Savings
Three months out of every year spent looking for information seems a little high… so…
View original post 804 more words
Defensible Disposal means never being accused of spoliation for hosting “Shred Days”
U.S District Judge Ronald Whyte in San Jose reversed his own prior ruling from a 2009 case where he issued a judgment against SK Hynix, awarding Rambus Inc. $397 million in a patent infringement case. In his reversal this month, Judge Whyte ruled that Rambus Inc. had spoliated documents in bad faith when it hosted company wide “shred days” in 1998, 1999, and 2000. Judge Whyte found that Rambus could have reasonably foreseen litigation against Hynix as early as 1998, and that therefore Rambus engaged in willful spoliation during the three “shred days” (a finding of spoliation can be based on inadvertent destruction of evidence). Because of this recent spoliation ruling, the Judge reduced the prior Rambus award from $397 million to $215 million, a cost to Rambus of $182 million.
Two questions come to mind in this case; 1) why did Rambus see the need to hold “shred days”?, and 2) did they have an information governance policy and defensible disposal process? As a matter of definition, defensible disposal is the process (manual or automated) of disposing of unneeded or valueless data in a way that will standup in court as reasonable and consistent.
The obvious answer to the second question is probably not or if yes, it wasn’t being followed, otherwise why the need for the shred days? Assuming that Rambus was not destroying evidence knowingly; the term “shred-days” still has a somewhat negative connotation. I would think corporate attorneys would instruct all custodians within their companies that the term “shred” should be used sparingly or not at all in communications because of the questionable implications.
The term “Shred days” reminds many of the Arthur Andersen partner who so famously sent an email message to employees working on the Enron account, reminding them to “comply with the firm’s documentation and retention policy”. The Andersen partner never ordered the destruction or shredding of evidence but because anticipation of future litigation was potentially obvious, the implication in her email was “get rid of suspect stuff”. The timing of the email message was also suspect in that just 21 minutes separated Ms. Temple’s e-mail message to Andersen employees on the Enron account about the importance of complying with the firm’s document retention policy from an entry in a record of her current projects in which she wrote that she was working on a case involving potential violations of federal securities laws.
The Rambus case highlights the need for a true information governance process including a truly defensible disposal strategy. An information governance process would have been capturing, indexing, applying retention policies, protecting content on litigation hold and disposing of content beyond the retention schedule and not on legal hold… automatically, based on documented and approved legally defensible policies. A documented and approved process which is religiously followed, and with proper safeguards goes a long way with the courts to show good faith intent to manage content and protect that content subject to anticipated litigation.
Defensible Disposal and Predictive Coding Reduces (?) eDiscovery by 65%
Following Judge Peck’s decision on predictive coding in February of 2012, yet another Judge has gone in the same direction. In Global Aerospace Inc., et al, v. Landow Aviation, L.P. dba Dulles Jet Center, et al (April 23, 2012), Judge Chamblin, a state judge in the 20th Judicial Circuit of Virginia’s Loudoun Circuit Court, wrote:
“Having heard argument with regard to the Motion of Landow Aviation Limited Partnership, Landow Aviation I, Inc., and Landow & Company Builders, Inc., pursuant to Virginia Rules of Supreme Court 4:1 (b) and (c) and 4:15, it is hereby ordered Defendants shall be allowed to proceed with the use of predictive coding for the purposes of the processing and production of electronically stored information.”
This decision was despite plaintiff’s objections the technology is not as effective as purely human review (their objections can be seen here).
This decision comes on top of a new RAND Institute for Civil Justice report which highlights a couple of important points. First, the report estimated that $0.73 of every dollar spent on eDiscovery can be attributed to the “Review” task. RAND also called out a study showing an 80% time savings in Attorney review hours when predictive coding was utilized.
This suggests that the use of predictive coding could, optimistically, reduce an organization’s eDiscovery costs by 58.4%.
The barriers to the adoption of predictive coding technology are (still):
- Outside counsel may be slow to adopt this due to the possibility of loosing a large revenue stream
- Outside and Internal counsel will be hesitant to rely on new technology without a track record of success
- Additional guidance from Judges
These barriers will be overcome relatively quickly.
Let’s take this cost saving projection further. In my last blog I talked about “Defensible Disposal” or in other words, getting rid of old data not needed by the business. It is estimated the cost of review can be reduced by 50% by simply utilizing an effective Information Governance program. Utilizing the Defensible Disposal strategy brings the $0.73 of every eDiscovery review dollar down to $0.365.
Now, if predictive coding can reduce the remaining 50% of the cost of eDiscovery review by 80% as was suggested in the RAND report, between the two strategies, a total eDiscovery savings of approximately 65.7% could be achieved. To review, lets look at the math.
Starting with $0.73 of every eDiscovery dollar is attributed to the review process
Calculating a 50% saving due to Defensible Disposal brings the cost of review down to $0.365. (assuming 50% of documents to be reviewed are disposed of)
Calculating the additional 80% review savings using predictive coding we get:
$0.365 * 0.2 (1-.8) = $0.073 (total cost of review after savings from both strategies)
To finish the calculations we need to add back in the cost not related to review (processing and collection) which is $0.27
Total cost of eDiscovery = $0.073 + $0.27 = $0.343 or a savings of: $1.0 – $0.343 = 0.657 or 65.7%.
As with any estimates…your mileage may vary, but this exercise points out the potential cost savings utilizing just two strategies, Defensible Disposal and Predictive Coding.
With Upcoming Legislation, Cloud Storage is Looking Brighter
Back on December 30, 2009 I blogged about how cloud storage could have a problem catching on with larger enterprises because of a lesser known provision in the Patriot Act called the National Security Letters.
Under the provisions of the Patriot Act, these National Security Letters, a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense, can be used to require “carriers” to turn over records and data concerning individual customers (corporate customers) if asked to do so by the Federal government. The letters do not require the government to get a court order, so in effect the regulation allows the government to access that information on demand.
So the question was; how many GCs of large corporations will steer their companies away from this potential legal risk?
I have found out that the congress is working on changing how this provision of the Patriot Act can be applied to better protect organization’s data stored in the cloud.
On March 30, 2009 H.R 1800, the National Security Letters reform Act of 2009, was introduced and is currently in committee. The summary of the Bill is below:
Prohibits a national security letter (letter) (a request for information sought by the Federal Bureau of Investigation (FBI) in connection with a criminal investigation) from being issued unless the issuing official certifies specific facts providing reason to believe that the information or records sought pertain to a foreign power or agent thereof. It prohibits a letter from being issued in connection with an investigation of a U.S. person solely upon the basis of activities protected by the First Amendment to the Constitution. It prohibits: (1) a letter from containing unreasonable requirements or requiring privileged matter; or (2) disclosing to a person that the FBI has sought or obtained access to information under a letter for 30 days after receipt of the FBI’s request for such information. It authorizes judicial review for the modification or revocation of a letter. Provides limited uses of information acquired through a letter. It allows persons against whom evidence obtained from a letter is to be used to file a motion to suppress. It provides a civil cause of action for the misuse of letters. It requires the authority to issue letters to revert, five years after the enactment of this Act, to that provided by law on October 25, 2001. It requires the Attorney General to: (1) undertake minimization and destruction procedures with respect to information acquired through letters; and (2) report semiannually on the number and use of letters. It requires the disposal of wrongly acquired information. And it revises requirements relating to claims of emergency in connection with certain letters.
With these new protections (if H.R. 1800 is passed into law eventually) on how the National Security Letters can be used, I believe many of the larger organizations will embrace these new protections and speed up their adoption of cloud storage offerings.
eDiscovery101 