Author Archives: X1

X1 Announces Strategic Product Integration with Relativity

Today we are announcing some exciting news. Our X1 enterprise eDiscovery solution now integrates with Relativity, the industry-leading e-discovery platform. X1 Insight & Collection, a component of the X1 Distributed Discovery platform, allows enterprises to search across and collect from up to thousands of custodians in hours, now with direct upload into Relativity, including RelativityOne, utilizing Relativity’s import APIs.

The X1 and Relativity integration addresses several pain points in the existing e-discovery process. For one, there is currently an inability to quickly search across all unstructured data, meaning users have to spend the weeks or even months that are required by other cumbersome solutions. Additionally, using ESI processing methods that involve appliances that are not integrated with the collection significantly increases cost and time delays. And with such an inefficient process there is simply no way for attorneys and legal professionals to gain immediate visibility into data, often leaving them to wait weeks before they have a chance to assess the data, post-collection.

The X1/Relativity integration directly addresses these challenges. Among the substantial benefits of this integration is the dramatic increase in speed to review, flowing directly from the custodian into Relativity on-premise or into the cloud-based RelativityOne platform. And this integration significantly reduces or completely eliminates inefficient ESI processing. X1 will search, cull and de-duplicate data at the point of collection and now integrates with the Relativity ingestion API, rendering inefficient and expensive processing appliances obsolete.

Organizations will be given real-time early case assessment within minutes of initial search instead of taking days and weeks for this insight. All of this is achieved with a truly repeatable end-to-end process for enterprises. The combination of X1 and Relativity provides a full and complete e-discovery platform.

“Collecting enterprise ESI can be one of the most daunting parts of the e-discovery process,” said Drew Deitch, senior manager for strategic partnerships at Relativity. “We’re excited to bring X1 into the App Hub, where it will offer users another great way to access, search, process, and import enterprise data into Relativity.”

Finally, with this integration providing a complete platform for efficient data search, discovery and review across the enterprise, this also enables organizations to very effectively address numerous information governance use cases such as GDPR compliance, identifying and removing PII and conducting IP data audits.

To see X1 in action, we have a 7-minute demonstration video including this integration with Relativity available here.


Data Discovery “Is the Foundation of GDPR Compliance”

Recently, I attended a very informative Microsoft GDPR Summit in Redmond, Washington. Microsoft invited their key compliance partners to brief them on Microsoft’s strong support for GDPR compliance within their Office 365 ecosystem, and to engage them in their strategy. The summit featured a slate of legal, compliance and technology experts who provided compelling insight into the GDPR, including challenges and opportunities for organizations as the May 25 enforcement date approaches.

Enza Iannopollo, a featured keynote speaker from Forrester, is an industry analyst with a deep focus on information security, data privacy and GDPR compliance. She noted that per a recent Forrester security survey, only about 30 percent of organizations report GDPR readiness. In her talks with major organizations, Iannopollo sees a strong if not belated commitment as they scramble to achieve readiness ahead of May 18. In terms of what it takes to effectuate GDPR compliance, Iannopollo presented a slide which simply stated the following: “Data Discovery and classification are the foundation of GDPR compliance.” Iannopollo said this is because the GDPR effectively requires that an organization be able to identify and actually locate, with precision, personal data of EU data subjects across the organization.

The speakers identified both a proactive and reactive requirement of data discovery under the GDPR. Iannopollo commented that a robust data discovery capability is needed to produce an intelligent data map, to classify and actually remediate non-compliant data. This data audit process should be done at the outset, and also routinely executed on a recurring basis.

For reactive capabilities, Microsoft deputy general counsel John Payseno noted in a separate session that once GDPR enforcement comes online on May 25, 2018, organizations will be required to respond to data subject requests (DSRs) from individual, or groups of, EU data subjects. The DSRs under the GDPR consist of requests for data erasure, data transfer, or a confirmation that data permissively kept is done so in a minimal fashion without excessive duplication or re-purposing outside of the granted consent. Payseno said that companies must be able to document and demonstrate compliance with these DSRs, in a manner generally akin to responding to a subpoena or other legal requirement.

So a clear takeaway from the Microsoft summit is that GDPR compliance requires the ability to demonstrate and prove that personal data is being protected, requiring data audit and discovery capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizens’ requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement.

While Microsoft demonstrated their capabilities to conduct effective data discovery in their O365 cloud environment, they openly acknowledge a significant gap for addressing on-premise unstructured data. Effective GDPR compliance requires the ability to gain immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of weeks or months as is the case with traditional crawling tools.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides (on desktops, laptops, servers, or even the Cloud) without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too elusive actual compliance with information governance programs, including GDPR.


Commonwealth vs. Mangel: Print Screen for Social Media Disallowed Again

In the recently published opinion of Commonwealth v. Mangel, 2018 Pa. Super. 57 (March 15, 2018) the Superior Court of Pennsylvania addressed the standard for admissibility of social media posts and ultimately disallowed into evidence a social media post presented by the prosecution as a simple screen shot. In Mangel, the State charged the defendant with aggravated assault and harassment and sought, in a pre-trial hearing, to introduce evidence of an image of bloody hands posted to Facebook, as well as messages allegedly authored by the defendant. The Facebook account at issue bore the defendant’s name, hometown and high school, which the prosecution argued was sufficient to authenticate the proffered evidence.

Both the trial court and the appellate court found that merely presenting evidence that the posts and messages came from a social media account bearing the Defendant’s name was not enough to allow the evidence in. Instead, the social media posts must be properly authenticated with direct or circumstantial evidence that corroborates the identity of the author. Such evidence may include testimony from the person who sent or received the communication or contextual clues in the communication tending to reveal the identity of the sender. The State’s computer forensics expert acknowledged that this type of substantiation is the only way to determine with a reasonable degree of certainty that the actual user authored the communication in question, given that social media accounts are easily hacked or falsified. Although this decision was rendered in the criminal context, its extension to civil admissibility also would be instructive.

The court, in its opinion, noted that  “authenticating social media evidence is to be evaluated on a case-by-case basis to determine whether or not there has been an adequate foundational showing of its relevance and authenticity,” and that “authentication of electronic communications, like documents, requires more than mere confirmation that the number or address belonged to a particular person. Circumstantial evidence, which tends to corroborate the identity of the sender, is required.” Metadata is a key form of circumstantial evidence, and the Mangel court noted the absence of two key metadata items: the date the post was created, and account ID:

“A thorough review of the Facebook posts and messages themselves raises specific issues. First, the evidence presented by the Commonwealth does not indicate the exact time the posts and messages were made. The incident which brought about the instant criminal charges occurred allegedly on June 26th, 2016, according to the Criminal Information. The lack of a date and timestamps raises a significant question regarding the connection of the posts and messages to the alleged incident on June 26th, 2016. Furthermore, the ‘Tyler Mangel’ who allegedly authored the Facebook posts and messages does not specifically reference himself in the incident on June 26th, 2016; rather, other individuals, many of them who are not directly involved in the instant criminal case, reference a “Tyler Mangel” in response to a post made and in subsequent conversations about an alleged assault.”

So with a solution like X1 Social Discovery, both the date of the post and the account ID would have been collected and preserved, which would have addressed these specific problems the court had with the Facebook evidence offered by the prosecution. By using print screen instead, the evidence was thrown out.

Mangel is yet another case illustrating that social media provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various social media websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or social media evidence than for any other.

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available circumstantial evidence in order to present the best case possible for the authenticity of social media evidence collected with the software. This includes collecting all available metadata and generating an MD5 checksum or “hash value” of the preserved data for verification of the integrity of the evidence. It is important to collect and preserve social media posts and general web pages in a thorough manner with best-practices technology specifically designed for litigation purposes. For instance, there are over twenty unique metadata fields associated with individual Facebook posts and messages. Any one of those entries, or a combination of them contrasted with other entries, can provide unique circumstantial evidence that can establish foundational proof of authorship.
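To make the integrity check concrete, here is an added Python example (not X1 Social Discovery's code or output format) that hashes a collected post together with its metadata and flags the two fields the Mangel court found missing. The field names, the record layout and the sample values are assumptions constructed for illustration; SHA-256 is added alongside the MD5 checksum the post mentions.

```python
import hashlib
import json

# Hypothetical field names; the two required ones mirror the metadata the
# Mangel court found missing (date of the post and account ID).
REQUIRED_FIELDS = ("account_id", "created_time")


def canonical_bytes(item):
    """Serialize deterministically so the same item always hashes the same."""
    return json.dumps(item, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def preserve(item, collected_at):
    """Return a preservation record: a detached copy, digests, metadata gaps."""
    data = canonical_bytes(item)
    return {
        "item": json.loads(data.decode("utf-8")),    # copy, independent of caller
        "collected_at": collected_at,
        "md5": hashlib.md5(data).hexdigest(),        # checksum type named in the post
        "sha256": hashlib.sha256(data).hexdigest(),  # added: collision-resistant digest
        "missing_metadata": [f for f in REQUIRED_FIELDS if not item.get(f)],
    }


def verify(record):
    """Recompute both digests; True only if the preserved item is unchanged."""
    data = canonical_bytes(record["item"])
    return (hashlib.md5(data).hexdigest() == record["md5"]
            and hashlib.sha256(data).hexdigest() == record["sha256"])


# Constructed sample data, not taken from any case record.
COLLECTED_POST = {
    "account_id": "100000000000001",
    "author_name": "Example User",
    "created_time": "2018-01-15T21:14:03+00:00",
    "message": "constructed sample post text",
    "permalink": "https://social.example/posts/1",
}
# What a print-screen capture effectively retains: visible text only.
SCREENSHOT_ONLY = {"author_name": "Example User",
                   "message": "constructed sample post text"}

if __name__ == "__main__":
    rec = preserve(COLLECTED_POST, "2018-03-20T10:00:00+00:00")
    print(rec["md5"], rec["missing_metadata"], verify(rec))
    rec["item"]["created_time"] = "2018-01-16T00:00:00+00:00"  # simulated alteration
    print("after edit:", verify(rec))
    shot = preserve(SCREENSHOT_ONLY, "2018-03-20T10:00:00+00:00")
    print("screenshot gaps:", shot["missing_metadata"])
```

A matching digest shows only that the preserved copy has not changed since collection; authorship still rests on the corroborating metadata itself.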

Additionally, when an examiner merely relies on print screen, they also severely limit the scope and thoroughness of the social media and internet collection. Employing more automated means, such as X1 Social Discovery, enables the examiner to quickly collect entire web pages and publicly available social media accounts, which can be hundreds of pages long. This allows the examiner to build a much stronger case for authentication by building timelines, drawing more connections between witnesses and their various posts, collecting more corroborating metadata, and a litany of other means to build a compelling circumstantial case to authenticate the social media or web page evidence in question.

When lawyers and their service providers rely on simple screen captures, printouts or even compliance archiving solutions that fail to collect and preserve all key metadata to admit social media into evidence, they run a significant risk of having key evidence in support of their case disallowed by the court. The prosecutors in Mangel just learned this lesson the hard way.


GDPR Provides a Private Right of Action. Here’s Why That’s Important.

As the world approaches the May 25, 2018 GDPR enforcement date, some organizations are still adopting a wait-and-see approach, while many others are preparing with a palpable sense of urgency. Gartner published a study reporting that over 50% of companies affected by GDPR will not meet the May deadline. And then there are some pundits who are predicting Armageddon. While the Armageddon forecasts are premature, I do not see a lot of awareness, even among some legal privacy lawyers, of the private right of action afforded under the GDPR.

A very important dynamic of the GDPR is that the private citizens of the European Union will have an active role in its enforcement. Unlike many regulatory regimes, where a relatively small handful of government regulators infrequently enforce the rules, organizations that store information on EU citizens will face about 300 million regulators, which is a rough figure of the adult population in the EU. These citizens can make requests at any time to have data deleted in place through the right of erasure as well as make other requests regarding the usage of their personal data.

Even more importantly, the GDPR provides a mechanism for a private right of action under Article 82(1).  And Article 80(2) provides that “[T]he data subject shall have the right to mandate a not-for-profit body, organisation or association …. to lodge the complaint on his or her behalf.”

Regulations which provide a private right of action, including the ability to bring a class action lawsuit, are exponentially more impactful than the vast majority of regulations which do not.

European privacy lawyer and activist Max Schrems, fresh off his major legal victory resulting in the safe harbor provisions in the data transfer arrangement between the EU and US being struck down in 2015, is running a crowdfunding campaign to set up a not-for-profit privacy enforcement organization to take advantage of the GDPR right of private action provisions to pursue class-action style litigation. Schrems’ NGO, called noyb (short for ‘none of your business’), is being made possible because GDPR allows for collective enforcement of individuals’ data rights.

Mr. Schrems told the Financial Times the organization would help consumers fight for their rights and encourage whistleblowers inside tech companies to speak out. “It makes sense to have a single EU hub to act as a coordinator to connect existing resources, ensure actions are effective and strategic, and ensure efforts and resources are not duplicated,” he said. In other public statements, Schrems noted that his organization will enable class-action style GDPR claims in order “to enforce your rights individually. The only way to do that is to collectivise it through a rights organisation to get things done as we have in the past with consumer rights.” Schrems and his partners believe that having a single NGO at an EU level with the necessary expertise, experience and connections is far more efficient than lots of individual ones.

These developments concerning a possible torrent of private GDPR claims heighten the urgency and expected impact of the law. In terms of readiness, a mandatory aspect of GDPR compliance is the ability to demonstrate and prove that personal data is being protected, requiring information governance capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizens’ requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement. To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results regarding PII leakage within minutes instead of days or weeks. The need for such an operational capability is further heightened by the urgency of GDPR compliance.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides (on desktops, laptops, servers, or even the Cloud) without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too elusive actual compliance with information governance programs, including GDPR.
