Forecast 2013-Is It E-Discovery Or Business Intelligence

© 2012 Cary J. Calderone, Esq

One thing I find baffling about data management is how applications are categorized.  I am not referring to classifications like private versus public cloud, or CRM versus Social.  But rather, the distinction between Business Intelligence and E-Discovery, and Record and Information Management.  BI has been popular and is viewed as a vitamin that can help boost sales and profits.  On the other end of the technology spectrum, we have RIM and E-Discovery.  When it comes to these unloved step-children of the corporate world, companies usually have to be dragged towards making the investment.  These are all pro-active and reactive tools for gleaning knowledge from your data.  But while RIM and E-Discovery are avoided, BI is relatively popular.  And, here is my argument:  Both types of applications are not really that different.  Let me explain.

The C-Level Nightmare-Do You Know What You Do Not Know?

Copyright ©  Cary J. Calderone 2011

Is this your CEO, CTO, or, General Counsel?

This post goes out to all those C-Levels who have not approved pro-active information management and DRED work because, "they can just search and find what they need when they have to."  For almost any attorney or e-discovery professional with experience, this cavalier attitude causes a  LOL moment.   We also call this approach, "head in the sand," or sometimes, "ignorance is bliss...until it's not."   After the 9-11  attacks, when the Department of Homeland Security was created, I remember Secretary of Defense, Donald Rumsfeld, speaking about 3 things: 1)  What you know as fact,  2)  What you do not know but can research and discover and, 3)  What you do not know, you do not know.  C-Levels who think they will just find what they need, when they have not tested their approach under the threat of pending litigation, are in the last category.  They do not know, what they do not know.   Not convinced?  Then please consider these items:

E-Discovery-Shall we do it ourselves or outsource? The answer is, Yes

Copyright © 2011 Cary J. Calderone

Sometimes customers and prospects can ask me difficult questions.  The question on whether to in-source or outsource E-Discovery is an easy question.  The answer is, Yes.  There is no company, or law firm, no matter how large or small, that should do all or none of their E-Discovery themselves.  Where should you draw the line between the two?  Now, that is a more challenging question.  Here are three factors to consider when deciding:

Social Network Applications Coming To Your Business-Will there be a Rypple effect?

Here's a scoop. Companies like Rypple are making “Facebook-style” applications to be used in your business. The Wall Street Journal Digital Edition has an excellent article by Dr. Terri Griffith on this phenomenon. ( full article) With over 600 million users on Facebook and LinkedIn combined, people around the globe now understand the power of status updates, and sharing comments, pictures, and videos, instantly online. Social business applications use an underlying philosophy of open and easy information exchange and are applying it to personnel matters, project management, and collaborative learning and team innovation. I mentioned these new social-style tools recently in a DRED meeting with a CEO, a corporate counsel, and 3 department managers who were in charge of data compliance, and the response was unanimous...”UGH!” How could they possibly manage all this data? But it doesn't have to be so bad and in fact, if implemented properly, these social business tools may actually improve the way your company manages your electronically stored information.

IQPC eDiscovery Panel-Global Issues

by Cary J. Calderone, Esquire

David C. Shonka, Esquire-Principal Deputy General Counsel, Federal Trade Commission
Benton Armstrong - Principal, Analytic and Forensic Technology, Deloitte Financial Advisory Services LLP

David Shonka stressed from the beginning, "if there is one takeaway best practice from this session-get local advice.  European Union directives are not the last bit of advice.  Each nation has its own interpretation of it.  Local law firms in Europe and Asia are much more sophisticated now and can offer better advice."

Initial considerations for global eDiscovery:

• Who has Jurisdiction?
• Who has control of the data?(maybe a 3rd party?) (Where is that party sitting?)
• Duplicate copies in the US?
• Where does the data sit?
• If you can get it, can you move it?  Lot of restrictions on transfer (personal and sensitive data)

(Source-Sedona Conference Framework for Analysis of Cross-Border Discovery Conflicts August 2008)

Companies are employing new mobile technologies to go in with a small data center to process out personal and private data, then you can negotiate for collection/transfer from that point.  For example, data sitting on server in Eastern Europe but it is Austrian employees' data.  It was treated as though they were doing a collection in the Czech Republic.  They ultimately collected what they needed but it was a very long and difficult process-got consent from the Data Privacy officer in the Czech Republic.  Since this is a relatively new phenomenon, they are being extra cautious. Multinational organizations need to anticipate this.

There can be problems when parties do not want to cooperate but ultimately they do.  Preservation process- while the consent process is going on the data is not preserved.  Employees delay and then 5000 deletions will occur just before the data is supposed to be preserved.

We are getting better and more sensitive to private data in the US but still not equal to the EU.  Convergence going on-don't think they will ever meet-but the realities of dealing with a global economy is forcing people to cooperate.  Reminder that under the EU directive, looking at data equals "processing" and there are different stages:

• Retention
• Disclosure 
• Onward transfer 
• Secondary use

There are also international collection considerations such as:

• Who collects?  Employees?  Can cause problems
• In what form?  Native or a forensic copy? Physical or logical?  Remote or direct connect?

Best practice from Benton Armstrong-"get all stakeholders together at the outset."Records Managers, Legal, IT from many if not all different offices and locations. Get the potential roadblocks out in the open early so you can plan for some of them. It will make the process much faster.

One positive thing I learned from this panel is that, since I first started this blog, the best practices for international eDiscovery have evolved. While certainly not simple and without potential pitfalls, there are now better operating procedures and protocols for negotiating this tricky area. I suspect as more and more global companies implement policies and procedures and have better trained and more experienced practitioners involved, the potential pitfalls will continue to dissipate.

What's that up in the Cloud Part 2? Do you have a Policy?

by Cary J. Calderone, Esquire

In the first article on the subject I presented an overview of some of the risks with moving your company data and/or applications to the Cloud (link to Part 1). This article is about moving to the Cloud whether you want to or not. Let me explain. Do you think you are in control of your companies' data? Maybe, or maybe not! Companies like Dropbox, Mozy and many others are offering free cloud storage to users. And, we are talking about free gigabytes of storage. Enough to hold far too much of your important, privileged and/or proprietary company information. These new product offerings are simple to use, and extremely easy to setup in a matter of a minute or two. This means that if you do not have a policy on storing your work product off site, like on USB flash drives or tapes, then you had better at least get one for Cloud storage. USB ports can be disabled. Stopping user access to all the Cloud storage sites would be very challenging. This means all a user has to do is download a small application, setup a folder on their desktop computer, and from that point forward, anything they place in that folder gets copied to the cloud. As a warning to all my potential clients, you do not want your first knowledge of this new technology coming after you have been served with a Request for Production in a lawsuit.
Now, personally I think this is the greatest thing since sliced bread, or, at least the greatest thing since free personal email accounts. I have setup test accounts with both Mozy and Dropbox. Having the latest copy of my draft blog post available on my netbook, my laptop, or my desktop machine, is a great time saver and backup mechanism. In the past, and even though I seldom need to share my information with another person, I have wasted countless hours and email storage space moving my data from one of my computers to another of my computers via USB or email. I no longer have to do this. Additionally, if I am ever away from one of my computers, I have the option of getting to my data by using any computer that has internet access. In conclusion, two quick words of advise: 1) If your company policies do not cover Cloud storage, they should. 2) If you are a lawyer making a discovery request or taking a deposition, you should know how to ask about this stuff.

Legal Tech 2010-A couple of neat new DRED products even smaller businesses can afford.

by Cary J. Calderone, Esquire

Let me start by hedging a bit. I am not recommending these products. I played with only demonstration versions. I do not test and review products unless I have been specifically hired by a client to help them decide what product they should purchase for their particular needs. However, at this past Legal Tech Show I was happy to demo two new products that smaller companies could afford to use. This is good news because in the DRED space, most of the initial products released targeted large clients and installations and had pretty large price tags. It is hard to imagine a smaller business working with a product that starts at 300k to solve a retention or eDiscovery problem. The two products I noticed: 1)Legal Hold Pro by Zapproved and 2) BitFlare by SunBlock Systems.

These are both products that may help many smaller businesses. Legal Hold Pro allows a customer to track Legal Holds, and more importantly, all the communications around the Legal Hold (LH). There are many challenges with issuing LHs. The obvious issues involve when the LH should be issued and what it should cover. However, it is also critical that the LH is adequately communicated to the correct custodians and that you can validate the communication for compliance with your LH policy. Legal Hold Pro is a SaaS product (in the Cloud) that helps users track not only the initial distribution of the LH but also, subsequent updates. I think the best feature may be that it helps users remove the LH when it is no longer necessary. This is an issue that has not been discussed as much. Even those who are proficient at the initial LH process will admit that they are much more disorganized when it comes to removing the LH. And, if you are holding data, whether you need to be or not, it now may be subject to a new discovery request and/or a new LH. So the product may help you legally "clean house" a little better.

Similarly, BitFlare gives smaller companies the ability to lock down computers for LH or data forensic purposes. There are other forensic tools, some of them more affordable than others, but the focus of BitFlare is that a non-techy can follow simple instructions and secure data on a computer, in a fashion that Bitflare claims (I do not know if it has been tested in court) will preserve the chain-of-custody and accordingly, preserve its use as evidence. BitFlare is not a Cloud or SaaS product, but rather is a software product that comes on a bootable CD disc and can be run on any laptop or desktop computer (not sure about Operating System limitations).

They have an interesting pricing schedule. You can download the software for free and use it (provided you know how to burn an ISO cd) but then if you want the spreadsheet that lists the content on the computer, it will cost you $250. My hunch is they use this approach so when you think you might need contents for a LH you can lock it down. Then, and only if and when you need to analyze the data, you can pay $250 to see what is actually on the computer.

Once again, I have not used either of these products other than the demo versions, so you will need to test and verify that they will work for you. Still, it is very nice to see a few products capable of helping smaller companies tackle issues around DRED law. Let's hope this is just the beginning and there will be more affordable products to help companies become and stay DRED ready.

Legal Tech Keynote by Mark Howitson of Facebook-Social Media and eDiscovery

by Cary J. Calderone Esquire

I had the pleasure of listening to Mark Howitson (aka Howey), Deputy General Counsel of Facebook, Inc. deliver the keynote address on Day 2 of Legal Tech. He started off with some staggering facts about Facebook:

1. Currently, ½ of all Americans over the age of 14 use Facebook.
2. 350 million users have logged into Facebook, in just the last 30 days.
   

If you think this social networking thing might just be catching on, you are right!

Howey came to Legal Tech to talk about Social Media and eDiscovery or, as he described it, dealing with Social Media and the information that he provides for discovery requests. He divided his presentation into two responsibilities of managing data at Facebook:

1) Social media and discovery

• Social media is going to be all around us-There is already an application (Forceware) that uses the iPhone GPS to provide live location reporting
  
• The technology is everywhere
  
• The technology is here to stay

Howey mentioned things he can't and won't do. He distinguished between when the law “allows” disclosure versus what it “requires” for civil discovery and this is a critical distinction because Facebook is dealing with huge volume.

In this regard, Howey relies heavily on the Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA) CA 18 USC 2701 for wire intercepts, and Section 2702a for “covered provider,”“remote computing,” and “electronic communications services.” He noted that there is an issue of when Facebook may provide information to a requester under Section 2702b and the substantial legal necessity of having “lawful consent.” Customer Records would be covered by Section 2702c for example, if a subpoena is asking about User X and all communications. In that instance, even with a subpoena, Facebook can only give basic subscriber information.

Howey is “itching for a fight” as he wants user information to be declared “content” and therefore completely protected from disclosure. The SCA was created in 1986 so Howey believes it is time that the Federal Court clarifies the rules with case law that involves present day fact patterns and current technology.

He discussed the Colgan Air case involving Workers Compensation (WC) for a flight attendant. The WC appeals board sanctioned Facebook $200 a day for not providing the data about the flight attendant to Colgan Air but the appeals board later backed off because they recognized that Facebook was never provided the required consent.

Howey really had the audience pondering the question of what is “lawful consent?” For example, was compelled consent of parolees adequate under the SCA? And what about students subject to random drug testing?

There was also a case from Bozeman, Montana where job seekers were wrongfully required to list their social network screen names so they could be searched! And he talked about another case in Houston where they where the interviewers asked for the interviewee's Myspace password in order to review their Myspace page. The interviewee sued and won.

He believed the way to circumnavigate this law would be for a interviewer to ask the applicant to, “be my friend on Facebook?” This would appear to be a lawful approach as long as it is not coerced.

2) Managing Discovery at a Communications Company

• We now live in a world with chat and Wikis which need policies written and enforced company-wide.
• Howey described the basic tenets of discovery when it came to corporate material, which is a “yes” for discovery, versus personal material and items protected by the SCA, which would be a “no.”
• There are still some gray areas, like email notification about Facebook communication which is residing on your computer system. Is it covered by SCA or not?

As a basic precaution to protect your privacy, he mentioned, “don't connect your business email to your Facebook account.”

When it came to the second item, “Managing all this Content” he had the following suggestions:

1. Fee arrangements with law firms
2. Single discovery counsel for all firms (I found this interesting but would really like to know how this could work given conflicts of interests and competition amongst law firms)
3. Flat fees that delineate responsibility
4. Companies first need to cut a deal with their outside counsel.

He mentioned some innovative firms and thought it was “insane” to pay law firms full freight. Howey also believed that the days of rooms full of people and monitors doing document review should end. He championed leveraging technology to keep costs down.

One of the high points of the entire conference for me was that Ms. Zubulake of the seminal eDiscovery decisions was in the audience. I have personally been involved in many debates about the correct pronunciation of her name. To his credit, once Howey found out she was in the audience he asked her. It turns out the first syllable sounds like “zoo” and the last syllable rhymes with “cake.” Lawyers and judges who read this may now rejoice!

On balance, Howey gave a very fun and informative keynote. He provided some answers and supporting authority and most definitely raised awareness to many of the critical issues going forward with eDiscovery and Social Media.