Archives for eDiscovery

On the Ground in the EU: Key Takeaways on GDPR

GDPR data privacyOn May 25, the General Data Protection Regulation (GDPR) took effect in the EU, and the world has scrambled to demonstrate its compliance. With so much on the line, many companies have been turning to vendors experienced in multinational cross-border cases to better meet the standards and requirements of the new regulations. RVM’s clients are no exception, often having terabytes of data stored in physical and cloud servers around the world.

RVM recently completed its first in-country data privacy review since GDPR went into force. Our team was contracted by a U.S.-based multinational corporation that required onsite privacy culling to meet some of the guidelines set out in the new regulations. Through the process, RVM forensic engineers collected and reviewed custodian emails and file data in country by performing searches based on relevance and date. The data was exported to native and load-file formats for upstream hosting and review in the United States.

To ensure that the work being performed was in compliance with GDPR, RVM worked throughout the project with local and outside counsel – including Data Privacy Officers – to ensure all documentation and agreements were in place.

 

DOCUMENT, DOCUMENT, DOCUMENT

There are a lot of moving pieces with GDPR, so it is important that all parties have an understanding of the prescribed rules and work in hand with the data privacy officers to build a process that meets both the business and legal requirements. The more you can demonstrate in writing, the better. Some of the documentation, like data privacy agreements, should be in place before your team ever gets on site. Documenting each step in the process ensures the safety of both the vendor performing the work and the client, and it can affect your ability to complete a project on time.

Avoid GDPR Fixation

There is no question that GDPR is new and important. However, the EU is not the only place that has rules and laws governing data handling and privacy. Large projects may involve data stored or moved between multiple countries and multiple jurisdictions. Satisfying GDPR regulation is important, but companies need to be aware of other regulations that may differ from or even supersede those of the EU. For this reason it is critical to be in communication with client counsel, other data processors, and the data controller where you are working to ensure compliance in all relevant jurisdictions.

Ask Before You Move that Data

In this example RVM experts were able to satisfy the GDPR requirements for data export to a third country when it ingested data that originated in the EU into a review platform in the United States. Through GDPR data containing personal information cannot simply be transferred outside of the EU. It is critical to work with the client counsel, other data processors, and the data controller to complete all expected processes and identify and obtain consent where required to complete the project.

Data Privacy Laws Aren’t Just a European Concept

The air is hot and stale in his 8×8 cell in Colombia, and the constant sounds of prison unrest make sleeping difficult. For the last three months his company has consisted of a resident rat named Rata, who looks better fed than him, and his cellmate, Chismoso, who became a guest of the prison after he was caught transporting bags of drugs at the airport.

data privacy

Professionals who inappropriately collect and process personal data internationally face potential prison sentences.

As far as the Colombian government was concerned, Spencer Davis was also smuggling. But instead of plastic bags in a briefcase, Spencer’s contraband was stored in five hard drives. His firm was hired by an international bank’s U.S.-based attorneys to perform a forensic collection, data processing, and culling onsite. After processing the data for an onsite privilege review he was to transfer the data back to the United States for additional searching and hosting for review.

That’s when it happened. While searching Spencer’s carry-on luggage at the airport, security found the hard drives and asked what they were for. He explained the situation and showed them the data privacy and consent agreements he’d received from the bank’s compliance officer. What he didn’t know was that every database containing personal information created in Colombia must be registered with the federal government, and that consent for the processing of data must come freely from each individual – not from the data holder’s corporate legal team. Although Spencer was acting as an agent of his firm, he was still responsible for failing to comply with the law.

This seemingly small oversight was enough for the officers to arrest Spencer at the airport and him to be sentenced to 96 months in jail.


The above example story is fictitious, but the punishment – as harsh as it may appear – is a very real possibility for professionals who collect and process personal data internationally. With all the attention that the European Union has received, it is a good reminder that professionals must be aware of the legal requirements in any foreign jurisdiction in which they work.

General Data Protection Regulation (GDPR) is the new buzz word in data privacy and consulting, having gone into full effect in the E.U. on May 25. The financial penalties for non-compliance are tremendous (up to the greater of €20 million or 4 percent of global annual revenue) and have on some level scared the business world “straight.” It’s made U.S.-based companies look at data privacy like never before. It even inspired the American public to petition politicians to take a new look at increased privacy laws at home.

As eDiscovery practitioners, consultants, and forensic experts, we mustn’t forget that GDPR only applies to organizations located within the European Union and foreign organizations that offer goods or services to, or hold data of E.U. citizens. More than 80 countries have data privacy laws, some of which were inspired by GDPR regulations. In spite of their similarities, however, there are still considerable differences that must be recognized and understood to avoid potentially steep penalties.

Countries throughout the world enforce similar data privacy regulations as the E.U., some of them much stricter and with more severe penalties. In the example country, Colombia, the right to intimacy, good name or reputation, and data protection, are all guaranteed by Article 15 of the country’s constitution. The Colombian Criminal Code allows offenders to be sentenced to prison terms of 48 to 96 months, and can levy fines equivalent to over $270,000 USD. Similar regulations exist in other countries, such as Hong Kong, Morocco, Japan, and Venezuela.

In Brazil, the Brazil Internet Act was passed in 2014, which created policies about collecting and using personal data via the internet. Brazil added an additional step by ruling that minors under 16 years of age could not legally give consent for the use of their personal information, and that young adults between 16 and 18 years of age required assistance from a legal guardian to give consent.

The Data Privacy Act of 2012 in the Philippines is the country’s first-ever overarching data privacy legislation, and was heavily influenced by Directive 95/46/EC of the European Union. The Act introduces the concept of ‘sensitive personal information’, a class of personal information which is subject to more stringent requirements for processing. Those found guilty of processing such data – even data stored outside the Philippines – without the proper consent may be subject to prosecution and jail time of two to seven years.

The goals of each of these countries’ policies are similar, but the mechanism by which appropriate consents can be given will vary depending on which country you are in. Further, transferring data from one country to another may compound the requirements, so never simply assume that everything is in place. Be proactive, ask difficult questions before, you begin collecting and processing data.

When working in any country or even at home on a foreign citizen’s data, it’s prudent to perform your due diligence and consult with a data privacy expert familiar with the laws of that country to ensure you’re in compliance with local and national data collection and processing law. It’s important to understand that consent is only valid when it is obtained freely and willingly from the appropriate party, and how the law defines the appropriate party may vary from country to country. The penalties for incomplete or inappropriate data privacy consent can include personal liability up to, and including, prison sentences.

eDiscovery in O365 is Easy, But Still Best Left to the Experts

By Sean King, Chief Operations Officer

I admit it. I do my own taxes.  I like the control I have in organizing my finances and filling out a ridiculously complex set of forms and fields. Honestly, I do my own taxes because the software that is available makes completing it much easier. But despite the “risk meter” shown by the software, every year after I complete the process and triple-check all of my information, I never feel confident I did it 100 percent correctly. I worry about the potential for an audit and the stiff penalties that accompany a failed audit.

A lot of technology that has rolled out in the last few years takes complex tasks and reduces them to everyday functions. With cloud-based solutions like Office 365, management of a company’s email and legal functions that relate to data management and information governance are becoming routine. As someone who has spent his career working with and around legal professionals, I wonder whether we realize the potential legal risk that presents.

Recently I moderated an RVM webinar, Office 365 – The Unseen Legal Risks, where we elaborated on some of those risks inherent in the implementation and use of Office 365. There is an expectation of compliance, process, and collaboration that has greatly expanded over the years as new technology, such as predictive coding and technology-assisted review (TAR), has become more acceptable in the mainstream, as noted in court opinions from matters like Moore v. Publicis Groupe (287 F.R.D 182 (S.D.N.Y. 2012) or in Winfield v. City of New York, 2017 US. Dist. LEXIS 194413 (S.D.N.Y. Nov 27, 2017) where Judge Parker directed the City to use TAR instead of linear review. This trend is further complicated by cloud-based systems like Office 365.

As you may be aware, the heavy lifting in completing personal income taxes is the overall questionnaire. During this stage you enter in your family information, where you live, your W2 data, investments, etc. If you read or interpret the question wrong, the best tax calculator in the world won’t be able to help you.

Same thing with Office 365.

In Office 365, you need to create your rules and establish how your data will look. Companies who choose to go with an “out of the box” setup in their application may get a nasty surprise when it comes time to pull data for an investigation. One such example we learned about was how long Microsoft will store data. Your company policy may be to keep emails for one year, but if you’re not aware of your settings, you could be responsible for producing emails going back much farther.

There are other legal concerns as well, using a product that proudly associates with “the cloud,” which suggests that the data is in an unknown location. This could present jurisdictional concerns or GDPR compliance issues, as your responsibility for producing data or protecting privacy may hinge on the country or region in which your data is being stored. Just because your data is not in the United States does not protect it from the U.S. courts, and being an American company does not mean that your U.K.-based data is exempt from GDPR compliance.

Another important concern is whether like me and my taxes, companies are performing tasks that are perhaps best left to certified professionals. Typically, a company that receives a document request or subpoena will engage in a process overseen by a lawyer or outside counsel. But, with Office 365, it becomes easy for a company to bypass much of that process, believing that the risk is low. But, is that enough? What if I misinterpret or do not understand the function of search or analytics in O365 and do not get the right results?  Will I even know if it is right?  Do I know what O365 is NOT giving me, and should?  While it may seem easy, it may not be done correctly to meet discovery or evidentiary requirements.

RVM has written in the past about self-collection and the risks that it can entail. The logical interface and robust nature of O365 could lead even more companies down a road that we previously described as similar to driving with too little insurance: it may save in the short run, but in the long-term you’ll likely end up paying more.

Finally, Office 365 gives companies the ability to analyze and review documents.  As a litigation support professional, I recognize the power and effectiveness of this kind of technology, as have the courts who have started encouraging the use of analytics during document review. But, in the hands of someone lacking the proper training, such a tool becomes highly ineffective, resulting in potentially deficient production that can negatively impact summary judgments. The key question as we learned from Allan Johnson, from Actium LLP, was whether you are able to speak to the results you achieved and the process used to get those results. The best way to guarantee that is to ask about your O365 environment from your IT person or consultant and work with an experienced forensics professional familiar with O365.

We as professionals have a requirement and a duty to understand the technology that we use every day. I am concerned by the lack of understanding that companies exhibit about their Office 365 licensing, functionality, setup, and workflows. The courts will not accept ignorance as a legitimate rationalization for failing to meet the standards of legal competence, and most companies cannot afford the fallout from a negative ruling.

Doing your taxes on your own might be one thing, letting anyone do email collection and export might be a level of risk we should not take for granted.

 

Q&A with Jeanne Somma About Legalweek

On January 29, legal and IT professionals from all over the country will be heading to Legalweek, hosted by ALM.

Legalweek LogoFor us at RVM, attendance at Legalweek is a must. Where else can you network, exchange ideas, and leverage the expertise of representatives from a large swath of the legal profession including corporate counsel, law firms, corporate IT, or any of the myriad professions that work together to provide eDiscovery services? We pride ourselves on delivering products and services that meet or exceed our customers’ expectations, so it is critical that we maintain our up-to-the-minute understanding of the landscape, which we can do at Legalweek.

To get a better understanding of Legalweek and why it’s so important to firms like RVM, we spoke with RVM Director of Analytics and Managed Review, Jeanne Somma.

Q: What makes Legal Week the “IT” place to be?
Legal Week is the perfect storm. It’s one of the biggest legal conferences in the U.S. and comes right at the perfect time. I know that I’m always focused on growing professionally and also finding ways to grow our business come January, and LegalTech really provides the right concentration of knowledge and technology to help me chart a course for the rest of the year. It’s also a conference that, if attended correctly, provides a way to tailor your experience to your needs. There are so many education programs, technology demonstrations, and chances to network that it’s like a live action choose-your-own-adventure eDiscovery style.
Q: What are you looking forward to seeing or hearing while you’re there?
Last June I joined RVM to head up the Analytics and Managed Review service lines. As part of that role I have been focused on the best use of all of the analytics tools and processes we have in house – especially as it comes to offering our clients what I think of as the next-generation managed review process meant to offer the most cost-effective and defensible experience in the market. That said, I am really looking forward to exploring what new analytics tools are out there, or how analytics technology has grown from last year in order to keep providing the most forward thinking services to our clients. As data volumes grow and technology quickens its pace, we can’t afford to accept that we are good enough. We need to keep ourselves at the forefront, and having all this access to knowledge during the conference will really help to achieve that.
Q: What do you see as RVM’s role at Legalweek?
RVM’s focus has always been on building relationships and providing outstanding customer service. We are excited to discuss the innovations RVM is rolling out in 2018 and really want to focus on having those discussions on a personal level. Our goal is always to give our customers an individualized and personal experience. So, while my colleagues and I are at the event we’ll be working on our connections – making time for existing relationships and making new ones – as well as improving our understanding of the issues in the market that affect our customers so we can provide more effective consultations. On the 29th (the first day of Legalweek) RVM will be hosting a private dinner with our leading corporate counsel and law firm eDiscovery clients to discuss the current state of eDiscovery and what we see happening in 2018.

Look for Jeanne and other members of the RVM team who will be on the ground at Legalweek to get their take on the show and on what 2018 holds in store for eDiscovery.

 

Leading Technology Through Strategy

As 2017 comes to a close we at RVM are taking stock of the changes we’ve seen this year and honing our strategies to remain on the forefront of analytics and technology application in eDiscovery in 2018. eDiscovery has undergone immense change as technology has evolved to tackle growing data sources and foster the needs of the attorneys wading through them. While that evolution has resulted in improved workflows adoption of these workflows has thus far been slow.

Technology Options

There are myriad technology options – a seemingly unending list of interesting tools that promise to push our industry into the future. It would be easy to race right to artificial intelligence (AI) and push ourselves into the sphere of the futurists. However, as we discussed in our recent webinar “Demystifying Analytics, Automation, and Predictive Coding in eDiscovery” there is no one-size-fits-all solution for the best application of technology and analytics, and the focus should be on the project process and goals – not the technology.

The webinar was designed to make attorneys comfortable with the many ways analytics can be used to accomplish your matter’s goals in the most efficient and — more importantly — defensible way. We also wanted to highlight that the courts are quickly adapting to these changes and embracing counsel’s use of technology up to and including predictive coding. The most pertinent decisions are summarized in our webinar materials. Full versions of those cases can be found in the Sedona Conference TAR Case Law Primer.

Those thoughts were echoed in a recent article for LegalTech News entitled “eDiscovery Leaders Look to Methodology, Not AI, to Update Toolkits.”

Applying the Technology

The article recognizes industry experts who agree that parties have become more comfortable with the technical aspects of eDiscovery and seem more willing to utilize technology to accomplish their goals. They see increased adoption of technology-assisted review (TAR) and predictive coding on the rise, and the courts support this evolution. The continued and thoughtful use of technology will make for better case outcomes, but the process needs to match the goals. The article’s author, Ralph Losey, points out that “Software improvement by vendors should be a constant process, but that is usually beyond the direct control of lawyers. What we can control is the methodology.” We agree with this sentiment.

Our aim for 2018 is to continue to be on the cutting edge of technology application for our clients, by coupling it with strategic consulting in order to leverage the right technology and process to meet a client’s goals. Without the process, the technology will not succeed on its own.

Keeping in Step with eDiscovery

Like many people, I am obsessed with my fitness tracker.

Not only do I participate in weekly challenges with friends and strangers alike to see who takes the most steps per day, but I also rely on the heart rate monitor to initiate breathing exercises in order to alleviate stressful situations (hello airplane turbulence!). And, while my collection of non-smart watches gathers dust in the dresser, I’ve added classier bands to accessorize my tracker. Through a smartphone app I can generate a report on how many miles I’ve walked, stairs I’ve climbed, calories I’ve burned and when I’m active or inactive. And for those who haven’t hopped on the fitness band-wagon, the handy iPhone can often collect all the same data as a wearable.

smart watch

The Gartner research company forecasted earlier this year that “8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020.”  That’s a lot of information!

So what’s the takeaway from this story? Evidence.

Since the advent of email, litigators have been required to think literally out of the box for discoverable evidence. And, as technology advances, attorneys are increasingly expected to be “sufficiently versed in matters relating to their clients’ technological systems to discuss competently all issues relating to electronic discovery.” Gone are the days when a simple forensic collection of email and loose files from the company network were sufficient.

In 2014 a Canadian law firm set a legal precedent in a personal injury case by using data from a Fitbit fitness tracker to prove that their client suffered detrimental effects from an accident that resulted in decreased physical activity. In that case, the key data came from a Fitbit, but the same principles can apply to data from apps, social media accounts and more. Already criminal law practitioners are looking to use data from pacemakers, key fobs, interactive smart speakers and electronic personal assistants such as Amazon’s Alexa or Apple’s Siri. Connectivity is the new norm, and as a result lawyers have an ever-expanding pool of potentially relevant information to sift through.

Having an acute awareness of these new potential sources of electronically stored information (ESI) is only the first step in staying on top of your eDiscovery game. Amendments to Rule 902 of the Federal Rules of Evidence, set to take effect December 1, 2017, give preferential treatment to ESI “collected in a forensically sound manner,” which preserves the audit history and maintains a strict chain of custody. So resist the urge to have your client self-collect.

Going into the holiday season, amid the flood of advertisements for the latest gadgets and gizmos, keep in mind those very same devices could hold critical evidence for a future case!

###

Corporate Counsel Magazine Recognizes RVM as a Top Provider in Litigation Services

The votes are in, results counted and RVM Enterprises, Inc., a leader in the eDiscovery industry, takes the top spot in six of Corporate Counsel Magazine’s “Best of Corporate Counsel” annual supplement, it announced today.  RVM was recognized as a top service provider in nine categories across its service offerings in total.

Corporate Counsel Magazine Recognizes RVM as a Top Provider in Litigation Services

RVM took first place in the following categories:

  • Best End-to-End Litigation Consulting Firm,
  • Best Technology Assisted Review eDiscovery Solution,
  • Best Managed eDiscovery & Litigation Support Service Provider,
  • Best Data & Technology Management eDiscovery Provider,
  • Best Data Recovery Solution Provider,
  • Best Information Governance Solution.

It was also recognized in the areas of Expert Witness Provider, Managed Document Review Services, and End-to-End eDiscovery Provider. Voting was conducted via online ballot and was limited to those working within in-house corporate legal and compliance departments. In total, 1500 votes were cast. The results are published in Corporate Counsel’s special supplement, Best of Corporate Counsel.

“We are thrilled to be recognized in nine categories across the full range of RVM’s services. RVM is honored to have ranked first in six of those categories, and remains focused on enhancing and innovating our services,” said Vincent Brunetti, Chief Executive Officer of RVM Enterprises, Inc. “I am extremely proud that our clients, the readers of Corporate Counsel, have bestowed RVM with this honor.”