
  • Disclaimer:

    The information in this weblog is provided "AS IS" with no warranties, and confers no rights. The opinions and interests expressed on this employee blog are the employees' own and don't necessarily represent EMC's positions, strategies or views. Inappropriate comments will be deleted at the authors' discretion.

Big Data: Big Value or Big Trouble?

Like “the Cloud”, the term “Big Data” has many different definitions.  But no matter how you define it, Big Data is not a fad.

Some use the term to denote the incredible variety, velocity and volume of data that we are creating and using every day.  (Here is a very interesting infographic on that point).

Others use the term to represent huge data sets from which we can intelligently extract useful trends and business information.  In fact, the promise of Big Data is not just the ability to mine data for sales purposes, but also for customer and employee sentiment, and even the idea of “predictive compliance”.

Regardless, as with the Cloud, there is enormous potential value in Big Data — but there are also costs and risks that need to be weighed in the process.  Among these are the eDiscovery and security risks associated with keeping a significant amount of data past its (normally) useful life.  Our friend Barclay Blair has published some interesting thoughts on Big Data, the law and eDiscovery.

As in so many other areas, business will drive the need for big data initiatives; but compliance and legal need a voice in the process to adequately cover potential risks and issues.

Archiving To Help Solve BYOD

We have written before about the security, privacy, compliance and legal issues created by the Bring Your Own Device (BYOD) phenomenon.  And if BYOD seems difficult here in the US, it’s far more difficult in the EU with its stronger protection of personal data.  With BYOD, personal information is being mixed with corporate information on an employee-owned device, often with no real corporate oversight, creating all kinds of new problems.

The UK’s Information Commissioner’s office recently published guidance to assist organizations in dealing with BYOD concerns in the EU.  Of course, a main point is that having a clear and effective BYOD policy is a crucial step for any organization.  But one issue, along with its related advice, really caught our attention:

     “If copies of data are stored on many different devices. . . there is an increased risk that personal data will become out-of-date or inaccurate over time … [or] retained for longer than is necessary … [because] it is more difficult to keep track of all copies of the data.  Using devices to connect to a single central repository of data can help mitigate this risk.”   [Emphasis added].

Centralized archives, operating and retaining data according to company policies, serve this purpose.  For example, rather than having email (and attachments) stored on various email servers, in PST files and on devices for every custodian, it should be stored, maintained, accessed (and ultimately deleted) from a single instance email archive.  Each device can serve as a “window” to that centralized content so that it’s accessible as needed, and then deleted.  This avoids creating new instances of each message that are stored and managed for each individual device requiring access to the data.  And this same concept can be applied to documents from file systems, Sharepoint, even records management systems.

Not every organization will have to meet EU (or even EU-style) data requirements.  But centralizing and managing content is a solid best practice that will pay dividends no matter where you are located.

eDiscovery and Sharepoint

I am consistently surprised that the eDiscovery of Microsoft Sharepoint repositories does not strike more fear into organizations.  Sharepoint is complex, contains different types of documents/objects, can have rich metadata and is a key repository for business content.  Yet most organizations that we talk with state that they are not concerned with their ability to handle eDiscovery work on Sharepoint sites.

There are several potential reasons for this hands-off attitude:

- There are no significant reported cases where a party was sanctioned for failing to properly preserve or collect content from Sharepoint.  I did some of my own research in a few eDiscovery caselaw databases, and none of my searches located the word “sharepoint” in connection with a sanctions motion;

- Few litigants seem to be asking for Sharepoint content during discovery.  (Of course this is not a valid reason for organizations to ignore it.  The duty to preserve and produce ESI is not tied to whether the other party asks for the content.  But in reality, if both sides bury their heads in the Sharepoint sand, then no one knows whether relevant content is being ignored).

- Most organizations lack the tools and capabilities to discover from Sharepoint, at least beyond basic Office documents that might be stored in a site.  Whether Legal is aware that IT is not undertaking discovery of Sharepoint sites is a good question to ask.

What makes Sharepoint more complex than a fileshare, at least in eDiscovery?  Many different types of content can be stored in a site:  documents, email messages, OneNote files, webpages, community posts, microblogs, Lync IMs, and more.  Not all of this content is readily accessible, so eDiscovery teams may have difficulty in locating relevant content.  Even when found, the preservation and collection of that content can be difficult.

Metadata in eDiscovery is often a misunderstood issue, and Sharepoint has a lot of metadata.  For example, each user can define a set of metadata tags for use with documents.  This information is arguably not relevant in many cases, but it may be useful or important in locating relevant documents.  And since one cannot rule out relevancy before a case even begins, organizations need a plan to capture this information when necessary.

A more advanced but still important concern is with authentication and admissibility of the Sharepoint content.  The creator of a document can often be difficult to determine, even on a fileshare where the “owner” of that document may be clear (based on the directory structure).  In Sharepoint, the situation can be far murkier due to its collaboration capabilities.  For example, multiple parties may have contributed to a document but the identified owner and creator may not be part of that group.  (For some great background on these issues, download The Sedona Conference Commentary On ESI Evidence & Admissibility).

What can you do?

- Legal and IT should get together to discuss the organization’s Sharepoint deployment and determine whether it is (or should be) on the Data Map; and if so, how content can best be located, preserved and collected when necessary.  Microsoft has added some eDiscovery capabilities to Sharepoint 2013 but whether those features are sufficient, and how to handle prior versions of Sharepoint, remain a concern;

- The organization should consider (now!) policies relating to the retention of Sharepoint content.  This is a great step to take before the situation becomes too difficult to handle because Sharepoint adoption tends to grow very rapidly.

BYOD: Bring Your Own . . . Disaster?

While the “Bring Your Own Device” phenomenon seems to be gathering even more momentum, few organizations seem to be working on the compliance issues that BYOD can create.  BYOD is clearly an important technology wave, but without some thoughtful planning, this BYOD could easily turn into “Bring Your Own Disaster”.

BYOD can be loosely defined as employees using their own devices to access company resources and complete job-related tasks.  In the real world, BYOD can be as simple as an employee using personal funds to purchase a cell phone for business use; or as complex as an employee-purchased tablet (or laptop!) with monthly wireless charges reimbursed by the company and access to the company network encouraged.   These devices can boost productivity but with an impact.  Some companies have found that several hundred applications — typically unapproved and many completely unknown to the company — are touching their network from employee smartphones.

BYOD creates concerns that need to be addressed, or at least considered.  In the more complex situations (usually with laptops or tablets), both corporate and personal data will probably be mixed on the device.  If a mixed use device contains illegal or infringing data, is the company responsible?  If a lawsuit or investigation requires access to the employee’s data, does the company have the right — or obligation — to collect relevant information from the device?  What if it has the obligation but not the right?   And what happens if data is clearly relevant to a company issue but also clearly personal to the employee — will the employee resist?

Specific regulations regarding data retention or security may also be triggered.  How does an employer ensure that record content created on these devices, which may have never touched a corporate server, is retained for required retention periods?  Ensuring compliance with regulations such as HIPAA (related to health information) and 17a-4 (broker-dealer communications) is unlikely without the company having some access to and knowledge of information created and/or stored on the device.  Outside the US, the problem can become more difficult because data privacy laws further limit the company’s access to the information.

What can you do?  Although the ultimate solutions will likely be technology based, start with policies.  Dust off your records retention, email retention, corporate network, cell phone, security and other related policies and read them with an eye on BYOD issues. Consider whether the company can or should mandate access to a personal device used for corporate purposes, or create an obligation granting access to the device if it has data necessary for the company’s regulatory requirements or legal requests.  There is not yet much guidance from the courts on whether this is sufficient, but putting these requirements in writing is a start.

Longer term solutions may be technology based.  Access to company resources via smartphone and tablets can be controlled through security applications installed on the device.  Applications (like EMC’s Syncplicity) can deliver the convenience and open collaboration of an application like DropBox but with corporate controls.  And some creative planning can ensure that most email and documents available on a smartphone or tablet are also on a corporate network for easier access and retention.

But beware — employees and employers may not see eye-to-eye on many of these concerns. For example, over 75% of employees said they would not give an employer access to see the apps installed on their device and would not permit a tracking application to identify their whereabouts.

Like it or not, BYOD is here.  Giving it some consideration and planning now can help you ensure the productivity side of BYOD without the disaster.

Reflections From LegalTech

Last week marked the latest iteration of LegalTech New York, “the most important legal technology event of the year.”  

I cannot begin to give you a play-by-play of the event, but I can give you my view on three trends I saw from visitors to the EMC Booth, hallway discussions and meetings with customers and analysts: 

1.  Information Governance has arrived.  While many topics were of interest, including eDiscovery, privacy, security, compliance, iPads, etc., there’s a better realization that we cannot approach these issues individually.  The umbrella of Information Governance gives all of us — legal, IT, Records, Security, Compliance officers, “the business”, the executive suite, etc. — a better platform from which to work. 

2.  Machine Brains are promising.  While technology-assisted review for eDiscovery was a very hot topic, there’s a growing understanding that these machine classification technologies have a lot of promise in other areas.  Using machines to assist with archiving, data classification, retention, etc. is a significant area of interest.  (As an aside, I also thought I saw the beginnings of some healthy realization that these tools are not “push button” but require process, knowledge and some actual work).  

3.  Security, security, security.  All of us love our technology tools, whether an iPad, Nexus 7 or even a Blackberry.  And these tools do make us more productive and efficient.  But the security problems that we’ve always had are now that much worse with data residing in more locations and with significantly more access (legal or unlawful).  It’s not a disaster waiting to happen — it’s one that’s happening and waiting to be discovered.  (Again, it’s an issue that can best be addressed as part of a larger overall InfoGov program). 

If you were there, please add your comments below about what you took away from the show.  

 

 

Viva La Resolution!

Although I strictly avoid New Year’s Resolutions, January is often a good time to think about the year ahead.  Last year at this time I created a wish list hoping that we would all learn more about archiving, machine classification, social media and “the cloud”. 

While those topics remain very important this year, let’s start 2013 by focusing on an umbrella issue — “Information Governance”.  To me, very simply, Information Governance encompasses all of the things that we’ve focused on individually during the last several years in the information world — eDiscovery, archiving, retention policies, defensible deletion, security, records management, privacy, etc.  (Deb Logan of Gartner has a far more thoughtful definition). 

How do you “do” Information Governance?  That’s a very good question and I don’t know that anyone yet has a great answer.  The best thing that we can do, today, is to be better educated on the issues outside of our main focus area so that we can better understand the impact of our own initiatives.  For example, the legal department’s goal of making information more accessible and searchable for eDiscovery may impact privacy and even security concerns.  An IT goal to move email to the public cloud to save money may create compliance and eDiscovery nightmares.  And an initiative to delete “legacy” data could wreak havoc with records management policies.

For now, spend some time learning about what your colleagues are doing in their areas of expertise, across IT, legal, records, compliance, security, etc.  You may find that the big picture quickly becomes much clearer.  

P.S.  Hope to see you at the EMC booth at Legal Tech.  

 

Be Clear Before You Cloud!

Interest in cloud services remains extremely high, with IDC predicting a compound annual growth rate of almost 28%.   Yet “cloud” is a broad term, and when purchasing cloud services it is more important than ever to understand the details of an offering, particularly when considering email archiving.

Cloud archiving offers the opportunity for cost savings and a potential reduction in operational complexity.  But as with any offering, there are risks and downsides that are often ignored during the decision-making process:

- If the system fails or is down, what are my rights?  In most cases, you will have a Service Level Agreement but the remedy if that SLA is not met is usually minimal.

- If a regulator needs access to data or if I have an unexpected e-discovery requirement, how can I get the data that I need?  Some clouds will have tools but few companies determine in advance whether those tools are sufficient to meet their needs.

- If the system is hacked or there is a security breach, what happens?  In most cases, any penalty for stolen or lost data remains with the company that owns the data, and the recourse against the provider is contractually limited.

- If I find a better solution (or just don’t like this one next year), how can I move to another system?  Migrating your data from a cloud system is generally not an easy or inexpensive task.

For many, a managed service or private cloud may be the right answer.  In this model, the equipment and data center can still be owned by the customer, enabling it to maintain control and access whenever desired.  But with the day-to-day operation of the system managed by a skilled third party, at a set rate, operational costs and even complexity can be sharply reduced.

One size still cannot fit everyone.  So when looking at cloud solutions, make sure to understand all of your company’s requirements (have you talked with legal and compliance?) and get the answers before you decide.  It may save you a rainy day.

Activating Your Information Management Shield

We talk with companies every day about how they can be better at managing their enterprise information.  Good policies, with technology to enable and enforce them, can help ensure that records and compliance information are retained for the right amount of time, while also enabling the deletion of stale and useless information which has outlived its retention period.  Good information management processes ensure that protected information is stored in the right place, operational efficiencies are enhanced by focusing on useful information and the e-Discovery process is easier and more efficient.

Many organizations know that they should implement information management initiatives, but often have difficulty in providing concrete reasons to the business.  If your organization is looking for more reasons why good information management is valuable, two recent cases provide some great reasons:

  • If you have an information governance policy, it may help you to defeat a claim for sanctions even if data has been deleted; and
  • If you don’t have an information governance policy, and you delete data that was subject to compliance requirements, the lack of a policy can help to establish the bad faith necessary to award sanctions.

Diligence As A Shield

In Danny Lynn Electrical & Plumbing, LLC v. Veolia Es Solid Waste Southeast, Inc., 2012 U.S. Dist. LEXIS 62510 (M.D. Ala. May 4, 2012), the plaintiff requested sanctions for the defendants’ alleged failure to properly implement a litigation hold.  Specifically, the plaintiff claimed that defendants had deleted nine email accounts and kept in place an auto-delete function which removed email from the trash after 10 days.  They also alleged that the defendants improperly sent notifications to employees on legal hold that they should continue to delete email messages to comply with email account size limitations.

The court found it significant that the defendants had deployed an email archive to capture all of their email messages.  (Interestingly, the court did not discuss or make any findings about how the archive had been set up, configured or managed).  In addition, in finding that there was no bad faith (a requirement in the 11th Circuit), the court found it important that defendants “began using a software system that archives all emails”:

     “The court’s impression is that the defendants have expended great effort to insure that the plaintiffs receive information from both their live and archived email system by providing document review technology and allowing access to its database.”

All of these factors added up to the court finding that no sanctions were warranted.

Lack of Diligence Can Be A Final Straw

The flip side to the protection offered by information management can be found in FDIC v. Malik, 2012 U.S. Dist. LEXIS 41178 (E.D.N.Y. Mar. 26, 2012) where the court also considered a spoliation motion for the deletion of emails.  The email messages related to a law firm’s prior representation of a mortgage company.

In determining whether bad faith was present to enable sanctions, the court noted that the subject email messages were required to have been preserved not initially for litigation hold, but under compliance requirements — professional responsibility and ethical rules.  The court found that retention under the compliance requirement was especially important to this case:

     “A regulation requiring retention of certain documents can establish the preservation obligation necessary for an adverse inference instruction where the party seeking the instruction is ‘a member of the general class of persons that the regulatory agency sought to protect in promulgating the rule.’”

The court held off on a final decision pending an evidentiary hearing.

Being Proactive With Information Management

We all know that litigation holds are difficult to implement and are almost never perfect.  Sometimes something bad actually does occur – a custodian is inadvertently omitted, a handful of emails are lost.  But more often, nothing bad happens at all.  Still, even in those cases it can be difficult (and time-consuming and expensive) to fight off the other side’s claim that something “must have been lost.”  A good information management policy, with tools and education to enable it, can go a long way towards showing good faith and protecting your organization from harm.

Machine Learning For Document Review: The Numbers Don’t Lie

Jim Shook


In light of Magistrate Judge Andrew Peck’s recent decision in Da Silva Moore v. Publicis, much has been written and discussed about the idea of using machine learning techniques to automatically classify documents during review, a process sometimes known as “predictive coding” or even “computer assisted review”. (Although these terms may actually imply different technologies and processes this article adopts Judge Peck’s umbrella use of the term “predictive coding”). This article explores some of the key issues around this promising intersection of law and technology.

What Is Predictive Coding? How is It Used?

At a simple level, predictive coding is just a technological “lever” that allows a (relatively) small amount of review work – usually by humans — to be leveraged across a much larger set of documents. Let’s say …

Getting Legal to Support Your Email Management Project

Electronic Archives are one of the least understood – and yet one of the best – technologies available to the enterprise for improved operations, compliance and eDiscovery.  Yet while most IT professionals are familiar with the benefits of Email Archiving, many see only the operational improvements that an archive can bring.  So when they need to enlist in-house counsel’s assistance to approve the policies for the archive, they often miss the benefits to the legal department, making it more difficult to convince legal to help.  In fact, discussing the benefits of the archive is a critical step.  Many lawyers still misunderstand the purpose of Email Archiving, incorrectly viewing it as a tool to save everything forever – something they are almost always against.

If you’re having difficulty getting legal on board with your archiving project (or if you’re a lawyer and want to better understand how archives can help you), here are three significant areas that are improved with a good email archive deployed as part of an overall Email Management initiative.

Electronic Discovery

Electronic discovery is the process of identifying, holding, collecting, analyzing and producing electronically stored information (“ESI”) to meet the requirements of litigation, investigation or open records / FOIA requests.  Email messages are the most frequent – and arguably the most important – locations for ESI.  Email is also one of the most expensive and risky sources of ESI because most companies do not effectively manage their email.  This often forces enterprises, under the risk of sanctions for deleting data that is relevant to a lawsuit (a penalty known as “spoliation”), to search in virtually unlimited locations for email and then to process and review huge volumes of messages.  Some enterprises have no established process for eDiscovery and are forced to retain backup tapes of email servers and fileshares as a stopgap measure, at enormous risk and expense.  Worse still – some companies simply pretend to meet their obligations through a quick search of a few mailboxes on the email server, knowing that email is stored in other locations they cannot efficiently search, and then cross their fingers to hope for the best.

Almost all of this difficult and risky process can be avoided with an effective Email Archive operating as part of an overall Email Management initiative.  With a good archive, the enterprise’s eDiscovery team can quickly search through just one location for all email, substantially reducing cost and risk.  An effective Email Management program can further cut downstream cost and risk by enabling the defensible deletion of email messages that do not need to be retained.  (If you have not already begun, you will also want to consider how you handle other ESI repositories for eDiscovery).

Compliance

Good compliance programs today include processes related to the company’s electronic information, especially email.  Companies of any size or reach are subject to anti-corruption legislation such as the Foreign Corrupt Practices Act (FCPA) in the US and the UK Bribery Act.  Regulators also place demands on ESI retention and review, in addition to normal records retention requirements.  And regardless of whether we like it, email is a location where many of our records are received and maintained.

A centralized archive for email – with the ability to enforce company mandated retention policies – can be a big win for compliance. An effective email sampling process can help to ensure compliance with high-risk requirements like the FCPA, UK Bribery Act and even Sarbanes-Oxley.  An archive with user-directed archiving capabilities enables a strong foundation for complying with records management and regulatory retention requirements.  Similarly, with these controls in place, the enterprise can feel more comfortable with deleting expired content, knowing that it’s not subject to any further retention requirements.  And for concerns on privacy and sensitive data, an issue that grows each day, an archive can help to ensure that sensitive data does not leave the company’s firewalls without being encrypted.

Operational

Companies without archives often retain all of their email on their server, and the archive will drive savings through reducing top-tier storage requirements, shrinking backup windows and sizes, and substantially improving the efficiency of the email servers.  Companies with mailbox size quotas have different issues – and with an archive they can quickly move to eliminate local email caches (typically PSTs or NSFs) that are unmanaged, insecure and can lead to disaster in eDiscovery matters.  Users can have virtually unlimited mailbox sizes with no noticeable impact on their day-to-day work – even when working remotely or on an airplane.

Although operational improvements may not be your legal department’s main focus, your lawyers want the company to be more efficient, and helping them to understand these improvements is also an important step.

What’s Next

If your enterprise does not yet have an Email Management initiative, get legal and IT together to talk about the benefits.  You will need help from legal in drafting and authorizing appropriate policies.  (In determining best practices for policies and archiving, your legal counsel might be interested in The Sedona Conference’s guidance on Email Management).  If you have already started, check to make sure that legal fully understands the benefits, has provided appropriate retention policies, is actively part of an efficient eDiscovery process, and that someone is verifying that users are maintaining information subject to regulatory frameworks.
