February 25, 2010

Legal Tech 2010-Best Practices in Compliance and Email Management in the Cloud

by Cary J. Calderone, Esquire

The participants (listed at end) on this panel had many years of eDiscovery experience and came from a variety of backgrounds including legal, consulting and product vendor. This was like getting a "Quick Tips" guide to eDiscovery because they chose a conversational approach instead of doing a lecture and presentation. They started off by agreeing with Malcolm Gladwell's keynote comment, "we are in massive information overload." Then they got right at some important distinctions for the new language describing eDiscovery and, in some cases, updated the definitions for some of the old labels. For example, they talked about the "Cloud" and basic definitions, but the panel thought it was necessary to be more specific now and gave examples:
  1. Public cloud-3rd party provider
  2. Private cloud-you set it up yourself
  3. Storage Cloud-as opposed to applications
  4. Infrastructure-the network behind the Cloud
The driving force behind the use of the Cloud is that "head count is expensive."
Peter Lesser believed that private cloud is the safest way to store and use data because then users keep it off their laptops, etc.

The panel drilled down on Infrastructure and asked about variables like:
  • International considerations.
  • Where is the data really stored?
  • What about Virtualization?
  • Can you identify and distinguish between "primary" and "backup" data?
Tom Gelbmann commented that the de facto Policy might be just to keep everything forever.

They noted some of the really difficult questions. How are you going to apply your Retention Policy? Where is the data? For example, a Swiss based parent company with data kept in Arizona? Is it now subject to Arizona and US jurisdiction?

What happens when a broker-dealer uses Facebook but can't capture the Facebook data? That is a problem under the current rules. And, if Corporations think they are just going to shut these things down “they are delusional.” Between Twitter feeds, text messages, etc., even with policies in place, they may be unenforceable. "Behavior does not change because you have a policy." This author would disagree. I believe that you can change some behavior with a well designed policy and training but agree that just having a policy is seldom enough.

They claimed that without some sort of auto-classification tool, the management of the data is impossible due to the volume. They also recognized the sobering fact that it is much easier to get money budgeted for eDiscovery than it is for Retention. No arguments from me! Oil changes and routine maintenance seem to get quickly cut from budgets, but once the car breaks down, you have no choice but to call the tow truck and prepare for a big bill from the mechanic. Is your company being "proactive," with litigation preparedness, or, will they have to be "reactive" and pay for the blown engine when litigation erupts?

Tom Allman's Cloud checklist:
  • Can you suspend all auto deletion and move the data to an eDiscovery location?
  • What about meta-data?
  • Do you have backups to the cloud?
  • Neither Google nor Microsoft will implement legal holds. There is no Microsoft product to stop users from deleting a message. Journaling is the only option. Do you have it?
  • Does the Cloud help with cleanup of the digital landfill? Yes, it can.
Rosenthal and Lesser noted that the move to the Cloud has a positive effect in that it “Forces companies to engage in legacy retirement programs.”

Allman added one of his favorite funny-but-true tips: if you have backup tapes that are 25 years old, make sure when you sell a division, all the tapes go with it!

Weiss believed for many instances of email, you keep it 10 years then delete it, because access to it becomes more and more difficult.

Rosenthal added that legacy programs are linked to applications and clients. So how would you ever be able to sample, search and analyze the data?

They posed another great question: Can you determine the value of the data?
Lesser: Storage is getting cheaper every year but the cost of the people to organize it far outweighs the cost of storage.
Brian Weiss added that yes, storage is cheap, but retrieval is expensive. Moreover, to scale up to index large amounts of data is still very expensive.

The final thoughts or hopes were that in five years from now, there would be no applications stored locally on computers and there would be much better search tools.

We shall see!

Panel participants:
Tom Gelbmann, Managing Director, Gelbmann & Associates
Tom Y. Allman, Editor, The Sedona Principles
Peter Lesser, Director of Global Technology, Skadden, Arps, Slate, Meagher & Flom, LLP
John J. Rosenthal, Partner, Winston and Strawn, LLP
Barry Murphy, Principal, Murphy's Insights
Moderator:
Brian Weiss, VP eDiscovery and Information Governance, Autonomy


Legal Tech 2010-A couple of neat new DRED products even smaller businesses can afford.

by Cary J. Calderone, Esquire

Let me start by hedging a bit. I am not recommending these products. I played with only demonstration versions. I do not test and review products unless I have been specifically hired by a client to help them decide what product they should purchase for their particular needs. However, at this past Legal Tech Show I was happy to demo two new products that smaller companies could afford to use. This is good news because in the DRED space, most of the initial products released targeted large clients and installations and had pretty large price tags. It is hard to imagine a smaller business working with a product that starts at 300k to solve a retention or eDiscovery problem. The two products I noticed: 1) Legal Hold Pro by Zapproved and 2) BitFlare by SunBlock Systems.


These are both products that may help many smaller businesses. Legal Hold Pro allows a customer to track Legal Holds, and more importantly, all the communications around the Legal Hold (LH). There are many challenges with issuing LHs. The obvious issues involve when the LH should be issued and what it should cover. However, it is also critical that the LH is adequately communicated to the correct custodians and that you can validate the communication for compliance with your LH policy. Legal Hold Pro is a SaaS product (in the Cloud) that helps users track not only the initial distribution of the LH but also, subsequent updates. I think the best feature may be that it helps users remove the LH when it is no longer necessary. This is an issue that has not been discussed as much. Even those who are proficient at the initial LH process will admit that they are much more disorganized when it comes to removing the LH. And, if you are holding data, whether you need to be or not, it now may be subject to a new discovery request and/or a new LH. So the product may help you legally "clean house" a little better.

Similarly, BitFlare gives smaller companies the ability to lock down computers for LH or data forensic purposes. There are other forensic tools, some of them more affordable than others, but the focus of BitFlare is that a non-techy can follow simple instructions and secure data on a computer, in a fashion that BitFlare claims (I do not know if it has been tested in court) will preserve the chain-of-custody and accordingly, preserve its use as evidence. BitFlare is not a Cloud or SaaS product, but rather is a software product that comes on a bootable CD and can be run on any laptop or desktop computer (not sure about Operating System limitations).

They have an interesting pricing schedule. You can download the software for free and use it (provided you know how to burn an ISO CD) but then if you want the spreadsheet that lists the content on the computer, it will cost you $250. My hunch is they use this approach so when you think you might need contents for a LH you can lock it down. Then, and only if and when you need to analyze the data, you can pay $250 to see what is actually on the computer.

Once again, I have not used either of these products other than the demo versions, so you will need to test and verify that they will work for you. Still, it is very nice to see a few products capable of helping smaller companies tackle issues around DRED law. Let's hope this is just the beginning and there will be more affordable products to help companies become and stay DRED ready.

February 16, 2010

Legal Tech Keynote by Mark Howitson of Facebook-Social Media and eDiscovery

by Cary J. Calderone Esquire

I had the pleasure of listening to Mark Howitson (aka Howey), Deputy General Counsel of Facebook, Inc. deliver the keynote address on Day 2 of Legal Tech. He started off with some staggering facts about Facebook:
  1. Currently, ½ of all Americans over the age of 14 use Facebook.
  2. 350 million users have logged into Facebook, in just the last 30 days.
If you think this social networking thing might just be catching on, you are right!

Howey came to Legal Tech to talk about Social Media and eDiscovery or, as he described it, dealing with Social Media and the information that he provides for discovery requests.
He divided his presentation into two responsibilities of managing data at Facebook:

1) Social media and discovery
  • Social media is going to be all around us-There is already an application (Forceware) that uses the iPhone GPS to provide live location reporting
  • The technology is everywhere
  • The technology is here to stay
Howey mentioned things he can't and won't do. He distinguished between when the law “allows” disclosure versus what it “requires” for civil discovery and this is a critical distinction because Facebook is dealing with huge volume.

In this regard, Howey relies heavily on the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA) CA 18 USC 2701 for wire intercepts, and Section 2702a for “covered provider,” “remote computing,” and “electronic communications services.” He noted that there is an issue of when Facebook may provide information to a requester under Section 2702b and the substantial legal necessity of having “lawful consent.” Customer Records would be covered by Section 2702c, for example, if a subpoena is asking about User X and all communications. In that instance, even with a subpoena, Facebook can only give basic subscriber information.

Howey is “itching for a fight” as he wants user information to be declared “content” and therefore completely protected from disclosure. The SCA was created in 1986 so Howey believes it is time that the Federal Court clarifies the rules with case law that involves present day fact patterns and current technology.

He discussed the Colgan Air case involving Workers Compensation (WC) for a flight attendant. The WC appeals board sanctioned Facebook $200 a day for not providing the data about the flight attendant to Colgan Air but the appeals board later backed off because they recognized that Facebook was never provided the required consent.

Howey really had the audience pondering the question of what is “lawful consent?” For example, was compelled consent of parolees adequate under the SCA? And what about students subject to random drug testing?

There was also a case from Bozeman, Montana where job seekers were wrongfully required to list their social network screen names so they could be searched! And he talked about another case in Houston where the interviewers asked for the interviewee's Myspace password in order to review their Myspace page. The interviewee sued and won.

He believed the way to circumnavigate this law would be for an interviewer to ask the applicant to “be my friend on Facebook?” This would appear to be a lawful approach as long as it is not coerced.

2) Managing Discovery at a Communications Company

  • We now live in a world with chat and Wikis which need policies written and enforced company-wide.
  • Howey described the basic tenets of discovery when it came to corporate material, which is a “yes” for discovery, versus personal material and items protected by the SCA, which would be a “no.”
  • There are still some gray areas, like email notification about Facebook communication which is residing on your computer system. Is it covered by SCA or not?

As a basic precaution to protect your privacy, he mentioned, “don't connect your business email to your Facebook account.”

When it came to the second item, “Managing all this Content” he had the following suggestions:
  1. Fee arrangements with law firms
  2. Single discovery counsel for all firms (I found this interesting but would really like to know how this could work given conflicts of interests and competition amongst law firms)
  3. Flat fees that delineate responsibility
  4. Companies first need to cut a deal with their outside counsel.
He mentioned some innovative firms and thought it was “insane” to pay law firms full freight. Howey also believed that the days of rooms full of people and monitors doing document review should end. He championed leveraging technology to keep costs down.

One of the high points of the entire conference for me was that Ms. Zubulake of the seminal eDiscovery decisions was in the audience. I have personally been involved in many debates about the correct pronunciation of her name. To his credit, once Howey found out she was in the audience he asked her. It turns out the first syllable sounds like “zoo” and the last syllable rhymes with “cake.” Lawyers and judges who read this may now rejoice!

On balance, Howey gave a very fun and informative keynote. He provided some answers and supporting authority and most definitely raised awareness to many of the critical issues going forward with eDiscovery and Social Media.

February 2, 2010

European Union data: What are the rules?

by Cary J. Calderone, Esquire

Those who attended this session at Legal Tech learned some interesting things about data protection in the European Union (EU) from a very impressive panel of experts (bio information and links below). My first foray into this area, the conflicts between EU and US rules governing electronic data, began about 3 years ago. While researching this subject for a particular client, I learned that international corporations had virtually impossible responsibilities to balance and implement. It became apparent that most issues would remain unresolved even as the best of international companies made progress towards becoming compliant company-wide. I was very interested in hearing about the current state of the EU and US data rules.


Nigel Murray offered some background information:
  • January 28, 2010 was the 4th European Data Protection Day – they have made it a holiday!
  • The EU Data Protection Directive will be updated to reflect new technology.
  • EU Data Protection rules will be written so users know when their personal data may be stored and that they have the right to say “no!”
  • The European Union has 27 member countries-No Norway, Switzerland, or Liechtenstein.
  • Bulgaria, Romania, and Turkey are not in the EU, but they are trying to join.

Judge Peck began by describing why the EU and US rules are in conflict. He explained that in the US the standard for discovery is information that is “reasonably calculated to lead to the discovery of admissible evidence.” In the US, even a claim of Confidentiality is not a basis for refusing to disclose or produce data. Sensitive items relating to HIPAA, Social Security Numbers, or credit card information would be redacted in accordance with a protective order or agreement, but the information is discoverable. On the other hand, under EU rules, Privacy is a fundamental right and anything that contains personal information, broadly defined as anything that can be used to identify a person (see Definition Personal Information), cannot even be searched, let alone collected or disclosed, without the individual user's un-coerced consent. Judge Peck commented that “in the ideal world, a US Judge does not want to have to worry about EU or Asian rules” but we are not in the "ideal" world.

A few legal cases were discussed by the panel to show that the trend has been, if data is in the US, then Courts have been very hesitant to use EU Data Protection rules to keep it out.

Other observations:
  • Within EU jurisdictions, moving data from country to country also causes problems. If it seems odd to us in the US, remember that the US does not have a history of countries crossing borders to expand their empires.
  • There are times when cooperation can work. George Rudoy described one instance when the representatives of a company made him take a drink with them to show that his data collection would be used for only legitimate purposes. It may have been water. It may have been vodka. His willingness to participate reassured them.
  • Maura Grossman shared that no matter what your risk profile, it would be a best practice to establish relationships and get input from local counsel. She explained that there are many data protection rules where the exception for litigation is specific to litigation in that country. If your matter is filed in another country, even another EU country, the exception simply does not apply.
  • Consent is sometimes an option but not always. There are stringent standards to follow for gaining consent, and in some cases, consent of the individual is irrelevant.
  • Another best practice is to be “super-surgical” in targeting requests at specific data, and keeping the scope of the request bound by the borders of that particular country. What makes this very tricky is that it is not just moving data that causes a problem. Merely accessing the data can violate the rules! If data is hosted in Germany, a lawyer violates the rules if he accesses the data from his office in NY.
  • If a corporation has been freely operating with its worldwide data in an “open” fashion, i.e., journaling all email communications in the US, then Judge Peck believes it is more likely a US Judge will not protect that information from disclosure under EU data protection rules. Judge Peck says that “if it is here”, it comes in subject to comity with foreign countries.
  • George Rudoy and Browning Marean echoed that we should follow local rules and implement the safest technology we can.
  • Nigel Murray also stresses that it is critical to have “local boots on the ground.”
  • Maura Grossman pointed out that there are some very specific and important differences in the International community. For example, before heading to China to take a deposition she learned that American lawyers are not allowed to take depositions in China. She would have been jailed!
  • Browning Marean mentioned that the Pension Committee (Judge Scheindlin) case reminds us that failure to issue a Legal Hold when litigation is reasonably anticipated is gross negligence. He also added that Legal Holds are more effective when created and dispersed internally than when an outside law firm issues them.
The panel considered quite a few other issues that make EU data discovery more complicated, like:
  • Where is the data housed?
  • What if it is in another country in a cloud?
  • Who controls the data in a parent-subsidiary situation?
  • What is considered “reviewing or accessing the data?”

In conclusion, the rules are still evolving and for now, you need very competent and probably local advice to perform a risk/reward analysis to determine what you may or may not do with EU and other "non-US" data. After 3 years of following this tricky legal area, I had hoped there would be a few more straight answers and solutions, but not yet.

Panel Members:
George I. Rudoy, Director, Global Practice Technology & Information Services, Shearman & Sterling
Nigel Murray, Managing Director, Trilantic
Honorable Andrew J. Peck, Magistrate Judge, Southern District of New York
Browning E. Marean, Partner, DLA Piper LLP
Maura Grossman, Counsel, Wachtell, Lipton, Rosen and Katz
Senior Master Steven Whitaker, Senior Master of the Senior Court of England and Wales
Chris Dale, E-Disclosure Information Project
Vince Neicho, Litigation Support Manager, Allen & Overy LLP

Legal Tech 2010 Begins-First Keynote

By Cary J. Calderone, Esquire

This is the first post from Legal Tech 2010 in New York. Russell Stalters delivered the first keynote entitled "Don't build your E-Discovery Program on a Digital Landfill." Mr. Stalters discussed some of the very real-world issues that occur when companies try to manage their data better.
More and more, companies realize their attorneys and IT professionals do not have the necessary skills to manage data from the other's perspective. They often lack an understanding of the technology, law or the business reasons and realities around information management. Mr. Stalters believes companies would be wise to create a new C level position specifically in charge of RIM. Others have commented that Discovery Counsel or Information Czar types of positions are critical to success but he insists that they be at the C Level to get the job done well. He claims that even CIOs have had a different focus than what is necessary to apply best practices to managing information company-wide. He gave a brief overview of the Greenfield approach and how it can be employed. In conclusion, he never mentioned the word "easy" but he insisted that a fully compliant and functioning system can be achieved.