Archives for Information Governance

RVM Top 5: Reasons to Revise Your Data Retention Policy

Do me a favor. Take a look at your records retention policy.

I’ll wait.

Did you do it? It looks fine, right? All the language is there. The dates and times are in it, the “I’s” are dotted and the “T’s” are crossed. It must be good enough.

But how well is it really going to serve you in the event of a legal hold, and is it costing you money simply by its own inefficiency?

To help you better make that determination, we at RVM have compiled a thorough list of reasons why you may want to consider updating your policy, taking into consideration both the legal liabilities represented by the policy as well as its cost to your business operations.


You have retained data old enough to sit on your board and vote on a data retention policy.
Preserving records is important, and different agencies will have different reporting requirements. That said, making a determination about how long to retain your data and sticking to it will save a lot of headaches.

Determining who is responsible for managing a legal hold turns into a game of “not it!” among your leadership team.
Data may have many owners. But in the event of a legal hold or investigation, there’s no time for disorganization. Make the determination ahead of time who will take responsibility for coordinating a response.

Your data storage bills are bigger and more complicated than your quarterly tax statements.
You’re paying for all that data you’re storing. So why do you want to pay for data that you will never need?

“Where is our data?” is really more of a rhetorical question than one for which you have good answers.
Part of developing a record retention policy is identifying the locations of all the data – an important exercise that can ease the burden of collecting in the event of a legal hold.

The technology at the backbone of your policy, helping you maintain and organize your data is Microsoft Excel.
Excel is a great program, but responding to a legal hold or investigation is serious business, for which there are serious tools. The most efficient way to proceed is to utilize one of those tools.

eDiscovery in O365 is Easy, But Still Best Left to the Experts

By Sean King, Chief Operations Officer

I admit it. I do my own taxes.  I like the control I have in organizing my finances and filling out a ridiculously complex set of forms and fields. Honestly, I do my own taxes because the software that is available makes completing it much easier. But despite the “risk meter” shown by the software, every year after I complete the process and triple-check all of my information, I never feel confident I did it 100 percent correctly. I worry about the potential for an audit and the stiff penalties that accompany a failed audit.

A lot of technology that has rolled out in the last few years takes complex tasks and reduces them to everyday functions. With cloud-based solutions like Office 365, management of a company’s email and legal functions that relate to data management and information governance are becoming routine. As someone who has spent his career working with and around legal professionals, I wonder whether we realize the potential legal risk that presents.

Recently I moderated an RVM webinar, Office 365 – The Unseen Legal Risks, where we elaborated on some of those risks inherent in the implementation and use of Office 365. There is an expectation of compliance, process, and collaboration that has greatly expanded over the years as new technology, such as predictive coding and technology-assisted review (TAR), has become more acceptable in the mainstream, as noted in court opinions from matters like Moore v. Publicis Groupe (287 F.R.D 182 (S.D.N.Y. 2012) or in Winfield v. City of New York, 2017 US. Dist. LEXIS 194413 (S.D.N.Y. Nov 27, 2017) where Judge Parker directed the City to use TAR instead of linear review. This trend is further complicated by cloud-based systems like Office 365.

As you may be aware, the heavy lifting in completing personal income taxes is the overall questionnaire. During this stage you enter in your family information, where you live, your W2 data, investments, etc. If you read or interpret the question wrong, the best tax calculator in the world won’t be able to help you.

Same thing with Office 365.

In Office 365, you need to create your rules and establish how your data will look. Companies who choose to go with an “out of the box” setup in their application may get a nasty surprise when it comes time to pull data for an investigation. One such example we learned about was how long Microsoft will store data. Your company policy may be to keep emails for one year, but if you’re not aware of your settings, you could be responsible for producing emails going back much farther.

There are other legal concerns as well, using a product that proudly associates with “the cloud,” which suggests that the data is in an unknown location. This could present jurisdictional concerns or GDPR compliance issues, as your responsibility for producing data or protecting privacy may hinge on the country or region in which your data is being stored. Just because your data is not in the United States does not protect it from the U.S. courts, and being an American company does not mean that your U.K.-based data is exempt from GDPR compliance.

Another important concern is whether like me and my taxes, companies are performing tasks that are perhaps best left to certified professionals. Typically, a company that receives a document request or subpoena will engage in a process overseen by a lawyer or outside counsel. But, with Office 365, it becomes easy for a company to bypass much of that process, believing that the risk is low. But, is that enough? What if I misinterpret or do not understand the function of search or analytics in O365 and do not get the right results?  Will I even know if it is right?  Do I know what O365 is NOT giving me, and should?  While it may seem easy, it may not be done correctly to meet discovery or evidentiary requirements.

RVM has written in the past about self-collection and the risks that it can entail. The logical interface and robust nature of O365 could lead even more companies down a road that we previously described as similar to driving with too little insurance: it may save in the short run, but in the long-term you’ll likely end up paying more.

Finally, Office 365 gives companies the ability to analyze and review documents.  As a litigation support professional, I recognize the power and effectiveness of this kind of technology, as have the courts who have started encouraging the use of analytics during document review. But, in the hands of someone lacking the proper training, such a tool becomes highly ineffective, resulting in potentially deficient production that can negatively impact summary judgments. The key question as we learned from Allan Johnson, from Actium LLP, was whether you are able to speak to the results you achieved and the process used to get those results. The best way to guarantee that is to ask about your O365 environment from your IT person or consultant and work with an experienced forensics professional familiar with O365.

We as professionals have a requirement and a duty to understand the technology that we use every day. I am concerned by the lack of understanding that companies exhibit about their Office 365 licensing, functionality, setup, and workflows. The courts will not accept ignorance as a legitimate rationalization for failing to meet the standards of legal competence, and most companies cannot afford the fallout from a negative ruling.

Doing your taxes on your own might be one thing, letting anyone do email collection and export might be a level of risk we should not take for granted.


The Challenges of “Deleted” Data

shutterstock_308641526Some applications such as Snapchat became famous for allowing users send 10-second picture messages that were “deleted forever” after being opened for 60 seconds. In theory, this feature offered the opportunity to go off the grid; to send controversial messages without the risk of getting caught. In reality, those messages, also known as electronically stored information (ESI), left metadata behind even after deletion. The “deleted” messages were not “deleted forever” but could in fact be recovered.

Nothing is really deleted. Wherever there is metadata, there is discoverable data.

In the context of litigation proceedings, Fed. R. Civ. P. 26(b)(1) permits discovery of ESI regarding any non-privileged matter that is relevant to any party’s claim or defense, and proportional to the needs of the case. A “deleted” picture message may therefore become source for contention, and a party who intentionally used an application to avoid creating evidence may be held accountable in a motion for spoliation sanctions.

The doctrine of spoliation refers to the improper destruction of evidence relevant to a case. How do judges determine whether the spoliation of evidence is sanctionable? They look at three factors:

  • There was a duty to preserve evidence;
  • The spoliation was negligent or deliberate; and
  • The spoliation prejudiced the other party’s ability to present its case.

Additionally, the amended Fed. R. Civ. P. 37(e) applies specifically to ESI spoliation. The rule states that spoliation of evidence is sanctionable if there was a duty to preserve evidence, the spoliation was negligent or deliberate, and the lost information cannot be restored or replaced through additional discovery.

What this means in practice is that deleted evidence may not automatically give rise to sanctions if the same data exists somewhere else. Some legal experts expressed concerns about over-preservation of ESI in response to Rule 37(e). However, efforts to restore lost ESI should be proportional to the importance of the ESI to the claims of defenses, thus removing the over-preservation burden on the parties.

As new methods of communication are developed, the universe of potentially discoverable ESI continues to expand. Whether data is transferred through falsely-proclaimed “auto-deleting” applications, social media, text messages, chat rooms, emails, and any other kind of application or device that creates metadata, proper information governance plays an essential part in litigation, not only to avoid evidence spoliation and sanctions, but to know where relevant data resides. As a result, litigation holds need to clearly explain that all electronically transmitted data may be subject to preservation and eDiscovery.

What Happens to Sensitive Information When Employees Leave?

Confidential infoThe departure of employees may constitute a big security hole for company data. A recent survey showed that intellectual property theft is prevalent as former employees don’t feel like they’re committing a security breach, because they’re just taking what they consider “theirs”, or they’re simply ignoring company policies.

The survey highlighted that:

  • More than 1 in 4 respondents said they took data when leaving a company;
  • 15 percent of respondents said they are more likely to take company data if they are forced out of their job (fired or laid off), rather than leaving on their own;
  • Of those who take company data, 85 percent report they take material they have created themselves and don’t feel this is wrong;
  • While a majority takes their own documents, 25 percent of respondents report taking data that they did not create; and
  • About 95 percent of respondents said that taking data that they did not create was possible because either their company did not have policies or technology to prevent data stealing, or that if companies did have policies in place, they ignored them.

Companies need to be aware of the risks associated with employees transitioning over to new positions in a different company, sometimes a competitor, and make sure the security measures they implemented are strong enough to dissuade individuals from taking company data. The technology a company uses to prevent the use of sharing tools such as DropBox, GoogleDrive, even web based email can make a big difference in the long run.

Company data is easy to track if secure tools are in place. RVM Enterprises, Inc. developed a new product, the RVM TracerTM, which can be used as part of the exit interview process or as a tool to periodically check to see whether or not company documents have left with an employee.

Adopting effective procedures to address ESI issues can dramatically improve security awareness, risk assessment and treatment. RVM can help you determine how best to approach these important issues.

How to Ensure Confidential Information Stays Confidential

The lifespan of electronically stored information (ESI) lifespan will exceed any employee’s tenure in a company. When an individual decides to transition—for whatever reason—recent statistics show that 50 percent of employees take information when leaving. More alarming news is that 40 percent of these former employees will use that information at their new jobs, and 37 percent use cloud-based storage without permission from their employer, based on a 2012 survey from the Ponemon Institute.Confidential pic

The potential of an employee walking out the door with a client contact list or other piece of intellectual property is a problem that could warrant a costly investigation, but what if you’re not sure? Not only do forensic investigations prove to be expensive, but they might not lead to any concrete evidence that the departing employee has actually stolen confidential information. Even taking the time to debate whether or not to investigate can be costly.

So how do you ensure confidential information stays confidential? No need to grow gray hair. RVM has developed a new reliable and cost-efficient product to address this very concern. The RVM TracerTM, can be used as part of the exit interview process to quickly determine whether or not an employee has taken company documents. In minutes, the RVM Tracer creates reports that include items such as a listing of documents created and saved on a computer desktop, cloud based folders or external drives, as well as the browser history and a history of installed applications, saving time, money and potential future legal costs.

In an era where sensitive data grows exponentially, and has become rampant on every electronic device, ESI tracking, preservation and retrieval has had a huge impact on eDiscovery. Adopting effective procedures to address ESI issues can dramatically improve security awareness and risk assessment and treatment.

RVM Takes First Place as Best End-to-End eDiscovery Provider

The New York Law Journal has announced that RVM Enterprises, Inc., a leader in the eDiscovery industry, has been recognized as a top service provider in six categories across its service offerings, garnering three first place rankings and three second place rankings.

RVM took first place as the Best End-to-End eDiscovery Provider, by the 2015 New York Law Journal Reader Rankings. RVM was selected as a

result of votes cast by more than 8,400 legal professionals who read the New York Law Journal. RVM was one of over 500 firms in more than 100 categories listed on the official ballot. Voters were also given the option of writing in any firms not seen listed; adding another 300 to the list of contestants.

“We are thrilled to be recognized in the top 2 in six categories across the full range of RVM’s services.  I am extremely proud that the readers of the New York Law Journal, our clients, have bestowed RVM with the honor of being named the Best End-to-End eDiscovery Provider,” said Vinnie Brunetti, Chief Executive Officer of RVM Enterprises, Inc.  “RVM has a long history of serving a diverse corporate clientele with expansive global operations and eDiscovery demands. RVM will continue to strengthen our relationships by expanding service lines and RVM’s geographic footprint to better serve our clients’ needs and interests.”

RVM recently widened its US presence to cover the nation by opening its Los Angeles office complete with a forensics lab, technical personnel, project management, and an attorney document review center. RVM’s also recently expanded its presence in Cleveland to better serve the growing demands of its clients with a state-of-the-art Document Review Center.  

RVM’s extraordinary growth has been recognized by many organizations. It has been ranked on the Inc. 500|5000 for five consecutive years and has been recognized by the WPO as one of the 50 fastest growing women-led businesses around the globe.

RVM Launches Los Angeles Office

RVM Enterprises, Inc. has opened an office in Los Angeles, California.  A leader in the eDiscovery industry, RVM has been the preferred provider of eDiscovery services and data solutions to leading corporations and Am Law 100 firms for nearly two decades. RVM will provide its full range of services in the new state-of-the-art facility in Los Angeles.

RVM’s extraordinary growth has been recognized by many organizations. It has been ranked on the Inc. 500|5000 for 4 consecutive years and has been recognized by the WPO as one of the 50 fastest growing women-led businesses around the globe. A leader in technology, RVM has achieved Orange-level Relativity Best in Service recognition every year since 2010. Additionally, it was the first to achieve Equivio’s Partner STAR certification. Headquartered in New York, RVM has offices in Chicago, Cleveland and Los Angeles. RVM’s presence in Los Angeles will help serve the growing demands of its clients.

RVM’s services include Forensic Data Collection, Data Processing and Production, Data Hosting, Advanced Data Analytics, eDiscovery Strategic Consulting, Information Governance Consulting, Litigation Readiness, and Managed Document Review.

“As RVM continues grow, it will stand by its reputation of providing exemplary customer service within the eDiscovery industry,” said Vinnie Brunetti, CEO of RVM Enterprises, Inc. “The opening of the LA office has extended our reach to the West Coast and will enable RVM to consistently provide the first class level of service RVM clients have come to expect around the country.” Mr. Brunetti added, “RVM has been extremely successful with the expansion of its Structured Review division in New York and I’m happy that we can now bring that experience, value-add, and cost savings to our clients on the West Coast with our experienced staff and state-of-the-art review center and forensic lab.”



RVM Adds HIPAA Compliance to its Extensive List of Security Measures and Certifications

RVM is committed in its efforts to ensure the confidentiality, integrity and availability of all protected electronic information, and as such, RVM is pleased to announce the inclusion of HIPAA Compliance to its extensive list of security measures and certifications. As of January 02, 2015, RVM is able to provide attestation to HIPAA Compliance through both internal and third-party audit processes.

“By augmenting our existing Information Security Management System (ISMS) to incorporate safeguards for Protected Health Information (PHI) we ensure that our clients’ data is managed safely and in compliance with Federal Healthcare laws and regulations, specifically the 2013 HIPAA Omnibus Rule,” said Geoffrey Sherman, RVM’s Chief Technology Officer.

As law firms and healthcare providers strive to comply with the HIPAA Omnibus Rule they must ensure that their business associates meet or exceed the data safeguards required for dealing with protected health information (“PHI”). These safeguards are including but not limited to data privacy, security, and breach notification procedures specific to PHI. Failure to comply with HIPAA rules may result in civil penalties that can reach up to $25,000 for violations observed. It should also be noted that PHI privacy breaches are subject to penalties of up to $1.5 million where the timely reporting and breach management procedures in compliance with HIPAA regulations are not met.


Health care privacy concerns are governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Clinical Health Act (“HITECH”) of 2009. This legislation was passed by Congress to encourage the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information. It serves to improve efficiency and effectiveness of Medicare, Medicaid, and the health care system.  HIPAA places requirements on health care providers known as covered entities and business associates including requirements to comply with privacy, security, and transaction standards.  The Privacy Rule established under HIPAA is a set of national standards for the protection of certain health information.  The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of HIPAA.  The purpose of the Privacy Rule is to establish standards which respect to the confidentiality of an individual’s health information or PHI by entities which are subject to HIPAA.  Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to compliance activities and civil money penalties.

About RVM

RVM provides data solutions and eDiscovery services to leading global financial institutions, corporations and Am Law 100 firms.  RVM is dedicated to innovation in technology to address the ever-changing business models in today’s legal and corporate environments. RVM is proud of receiving certification as a women’s business enterprise by the Women’s Business Enterprise National Council (WBENC).

RVM’s services include forensic data collection, data processing and production, data hosting, advanced data analytics, eDiscovery strategic consulting, information governance consulting, litigation readiness and managed document review.

Ultimately, RVM may from time to time have access to PHI by virtue of RVM’s data solution and or eDiscovery services to a health care provider or its business associate.