Category Archives: Best Practices

X1 Insight and Collection & RelativityOne Integration: Testing and Proof of Concept

Editor’s Note: The following is a blog post published by eDiscovery expert Chad Jones, Director at D4 Discovery, regarding D4’s extensive testing and validation of the integration of RelativityOne and X1 Insight and Collection. It is republished here with permission.

Discovery is a complicated business. For a typical litigation, there are at least five separate stages: collection, processing, review, analysis, and production. And while the average discovery period lasts eight to ten months, the matters themselves can run for years. During the lifecycle of a common eDiscovery project, these five stages are usually performed by several different parties, which further complicates the process by introducing a variety of hand-offs and delays between organizations and individuals.

The proof of concept that follows was designed to validate X1 Insight and Collection, a product created by X1 Discovery, Inc. that now features direct upload to Relativity and RelativityOne. With this product, X1 proposes to streamline the five-stage process by allowing enterprises to search data locally, collect the search hits, process the results, and push them directly to RelativityOne in a matter of minutes.

To evaluate the viability of X1 Insight and Collection, D4, LLC designed and executed the following Proof of Concept (POC). A leader in forensic collection services and a seven-time Relativity Best in Service, Orange Level hosting partner, D4 leveraged its end-to-end eDiscovery expertise to implement the workflow and document the results.

Background

Project

eDiscovery is a multi-stage process with a series of hand-offs between disconnected parties. This process can be extremely expensive and error-prone. In addition to the costs, the review stage alone can often span weeks or even months.

Stakeholders

Those who stand to benefit from X1 Insight and Collection are business and organization leaders looking to manage and control the cost and risks of discovery.

Solution Features and Benefits

X1 Insight and Collection has several core features: search-in-place, early case assessment visualizations, remote collection, processing on demand, and publishing to review in RelativityOne. Searching in place on the local machine has several benefits. It prevents needless over-collection and saves the end user from the hassle of turning over her machine and losing productivity. It also gives case teams the opportunity to iteratively refine search terms and review search hits on the fly.

Finally, searching in place removes the need to collect data and load it to a master repository for indexing and searching. This includes email containers: the ability to index, search and collect all email in place on the custodian’s computer or the corporate Exchange server, without migrating the entire container or full account, is a strong and unique capability. With X1’s remote collection, once users target the specific files and emails they need, they can immediately collect and process that information. Once collected and processed, enterprise users have the option of creating standard load files or sending text, metadata and native files directly to RelativityOne.

Practical Details of POC

To test and vet the software, D4 built a mini-cloud environment consisting of five custodian machines, one enterprise server, and one client server, meeting the specs listed below:

Server 1

  • OS: Microsoft Server 2012 R2
  • CPU: 8 processors, 2.6 GHz minimum
  • Memory: 16 GB RAM
  • Disk: 180 GB free hard disk space (software)
  • Disk 2: 1TB for collected data (or available network drive)

Server 2

  • OS: Microsoft Server 2012 R2
  • CPU: 8 processors, 2.6 GHz minimum
  • Memory: 32 GB RAM
  • Disk: 180 GB free hard disk space (software)

Testing Desktops (QTY 5)

  • OS: Microsoft Windows 7, 8 or 10
  • CPU: 2 processors, 1.8 GHz minimum
  • Memory: 8 GB RAM

On each custodian machine we placed a mix of email and non-email data. From these data sets we ran a series of test collections and recorded the results.

Although X1 Insight and Collection provides a variety of workflows allowing for a complex collection strategy, for the purposes of this proof of concept, the collection was limited to a simple Boolean query of common football-related terms run across Enron data. We made two separate collections of email data: one exported to disk with load files, and one pushed directly to RelativityOne. The terms used in the POC were: “football OR game OR trade OR QB OR league OR cowboys OR longhorns OR thanksgiving OR player.” Following the collections, the results of the load file export were test-loaded to Relativity, and the results of the dataset published directly to RelativityOne were evaluated in that workspace.
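
X1’s query engine is proprietary, but the Boolean OR search above is simple enough to model directly. The following minimal sketch, in Python, applies an equivalent whole-word OR query to plain-text files under a local directory; the directory name and matching rules are illustrative assumptions, not X1’s implementation.

```python
import re
from pathlib import Path

# Terms from the POC query: a document is a hit if it contains any one of them.
TERMS = ["football", "game", "trade", "QB", "league",
         "cowboys", "longhorns", "thanksgiving", "player"]

# One alternation with word boundaries, case-insensitive, mirroring a
# simple Boolean OR over whole-word matches.
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, TERMS)) + r")\b",
                     re.IGNORECASE)

def search_in_place(root: str) -> list[Path]:
    """Return paths of files whose text matches any term, without copying them."""
    hits = []
    for path in Path(root).rglob("*.txt"):
        text = path.read_text(errors="ignore")
        if PATTERN.search(text):
            hits.append(path)
    return hits

if __name__ == "__main__":
    for hit in search_in_place("./enron_sample"):  # hypothetical sample directory
        print(hit)
```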

Test Results

The testing process considered four main areas: documenting search results; documenting upload/download times; metadata validation; and reports and exception handling. To test the search results, the loaded data was indexed and searches were run to confirm the counts. In both load formats, the search results remained the same, as shown below.

It is important to note that in Relativity only the extracted text was searched, while in X1 all metadata was also included in the search. This is a common difference between review platforms and collection tools: collection tools are able to search all components of a file, while review platforms are limited to the extracted text and metadata fields loaded into them.
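
The hit-count difference is easy to reproduce with a toy document model. In the sketch below, the documents and field names are invented for illustration and do not reflect X1’s or Relativity’s actual schemas.

```python
# Toy documents: extracted body text plus a couple of metadata fields.
docs = [
    {"text": "See you at the game.", "subject": "Weekend plans",   "author": "ken"},
    {"text": "Q3 numbers attached.", "subject": "Cowboys tickets", "author": "jeff"},
]

def hits_text_only(docs, term):
    """Review-platform style: search the extracted text only."""
    return [d for d in docs if term in d["text"].lower()]

def hits_all_fields(docs, term):
    """Collection-tool style: search the text and every metadata field."""
    return [d for d in docs if any(term in str(v).lower() for v in d.values())]

term = "cowboys"
print(len(hits_text_only(docs, term)))   # 0 -- the term appears only in a subject line
print(len(hits_all_fields(docs, term)))  # 1 -- a metadata-aware search finds it
```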

Additional tests were performed to document search and export speeds. One of the components of X1 Insight and Collection is its collection module, which sits on the client server and manages the collection from a central location. In the initial test, we chose to export the files to disk and create a load file, while in the second test we leveraged X1’s integration with RelativityOne and uploaded data to Relativity’s cloud instance via the Relativity API.
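
The post does not document which Relativity endpoints X1 calls, so the sketch below only illustrates the general shape of an authenticated REST upload of one processed document. The tenant URL, endpoint path, payload fields and token are hypothetical placeholders, not Relativity’s actual API.

```python
import json
import urllib.request

BASE_URL = "https://example.relativity.one"    # placeholder tenant URL
ENDPOINT = f"{BASE_URL}/api/import/documents"  # illustrative path, not the real API
TOKEN = "REPLACE_WITH_BEARER_TOKEN"            # placeholder credential

def push_document(doc_id: str, extracted_text: str, metadata: dict) -> int:
    """POST one processed document (text + metadata) to the review platform."""
    payload = json.dumps({
        "documentId": doc_id,
        "extractedText": extracted_text,
        "fields": metadata,
    }).encode("utf-8")
    req = urllib.request.Request(
        ENDPOINT,
        data=payload,
        headers={"Authorization": f"Bearer {TOKEN}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 2xx on success
```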

In both cases, the results proved that X1 is incredibly powerful. Each time, the system executed saved searches on five separate machines, pulled the data to the client server, extracted text and metadata, and then either generated a load file or sent the deliverable straight to the cloud and into Relativity, all within minutes. The results, shown below, are impressive: in both cases the system completed all steps in under 13.5 minutes.

Further testing showed that while X1 extracts the essential metadata components from the data, it lacks some features we are used to seeing in established eDiscovery processing tools. We also found the exception reporting wanting: in our RelativityOne tests, 40 files were excluded from upload, yet when reviewing the available exception reporting we had trouble seeing what caused those file failures. These issues notwithstanding, the POC proved successful. X1 Insight and Collection proved to be a powerful search engine and collection tool, capable of collecting over 6,000 documents from five separate machines and uploading those files to RelativityOne in less than fifteen minutes!

Conclusion

X1 Insight and Collection offers multiple benefits to the enterprise user looking to take control of the eDiscovery life cycle. By simplifying the course of an eDiscovery project, X1 limits the number of touch points in the traditional vendor-driven process. Internal users can search and vet terms in real time before collection. This not only mitigates the opportunity for error, it greatly reduces the time to review, which is what this solution really seems to be all about. X1 seems to have been designed with the internal investigation in mind. Its tagging feature gives users a light ECA option that, with a couple of mouse clicks, becomes a collection and processing tool connected directly to all the features of RelativityOne. When combined with Relativity ECA, Analytics and Active Learning, this might be all the solution the typical enterprise would need.


Filed under Best Practices, Case Study, compliance, eDiscovery, Enterprise eDiscovery, Information Governance, reviewing

Three Key eDiscovery Preservation Lessons from Small v. University Medical Center

Small v. University Medical Center is a recent 123-page decision focused exclusively on issues and challenges related to preservation of electronically stored information in a large enterprise. It’s an important ESI preservation case with some very instructive takeaways for organizations and their counsel. In Small, plaintiffs brought an employment wage & hour class action against University Medical Center of Southern Nevada (UMC). Such wage & hour employment matters invariably involve intensive eDiscovery, and this case was no exception. When it became evident that UMC was struggling mightily with its ESI preservation and collection obligations, the Nevada District Court appointed a special master, who proved to be tech-savvy with a solid understanding of eDiscovery issues.

In August 2014, the special master issued a report, finding that UMC’s destruction of relevant information “shock[ed] the conscience.” Among other things, the special master recommended that the court impose a terminating sanction in favor of the class action plaintiffs. The findings of the special master included the following:

  • UMC had no policy for issuing litigation holds, and no such hold was issued for at least the first eight months of this litigation.
  • UMC executives were unaware of their preservation duties, ignoring them altogether or at best addressing them “in a hallway in passing.”
  • Relevant ESI from laptops, desktops and local drives was not preserved until some 18 months into this litigation.
  • ESI on file servers containing policies and procedures regarding meal breaks and compensation was not preserved.
  • These issues could have been avoided if best practices had been followed and chain-of-custody paperwork had been completed.
  • All of UMC’s multiple ESI vendors repeatedly failed to follow best practices.

After several years of considering and reviewing the special master’s detailed report and recommendations, the court issued its final discovery order last month. The court concurred with the special master’s findings, holding that UMC and its counsel failed to take reasonable efforts to identify, preserve, collect, and produce relevant information. The court imposed monetary sanctions against UMC, including the attorney fees and costs incurred by opposing counsel. Additionally, the court ordered that should the matter proceed to trial, the jury would be instructed that “the court has found UMC failed to comply with its legal duty to preserve discoverable information… and failed to comply with a number of the court’s orders,” and that “these failures resulted in the loss or destruction of some ESI relevant to the parties’ claims and defenses and responsive to plaintiffs’ discovery requests, and that the jury may consider these findings with all other evidence in the case for whatever value it deems appropriate.” Such adverse inference instructions are invariably highly impactful, if not effectively dispositive, in a jury trial.

There are three key takeaways from Small:

  1. UMC’s Main Failing Was Lacking an Established Process

UMC’s challenges all centered on its complete lack of an existing process to address eDiscovery preservation. UMC and its counsel could not identify the locations of potentially relevant ESI because there was no data map. ESI was not timely preserved because no litigation hold process existed. And when the collection did finally occur under the special master’s order, it was highly reactive and haphazard because UMC had no enterprise-grade collection capability.

When an organization does not have a systematic and repeatable process in place, the risks and costs associated with eDiscovery increase exponentially. Such a failure also puts outside counsel in a very difficult situation, as reflected by this statement from the Small Court: “One of the most astonishing assertions UMC made in its objection to the special master’s R & R is that UMC did not know what to preserve. UMC and its counsel had a legal duty to figure this out. Collection and preservation of ESI is often an iterative process between the attorney and the client.”

Some commentators have focused on the need to conduct custodian questionnaires, but a good process will obviate, or at least reduce, reliance on often-unreliable custodians to locate potentially relevant ESI.

  2. UMC’s Claims of Burden Did Not Help Its Cause

UMC argued that it was too burdensome and costly to collect ESI from hundreds of custodians, claiming that it took its IT department six hours merely to search the email account of a single custodian. Here at X1, I wear a couple of hats, including compliance and eDiscovery counsel. In response to a recent GDPR audit, we searched dozens of our email accounts in seconds. This capability not only dramatically reduces our costs, but also our risk, by allowing us to demonstrate diligent compliance.

In the eDiscovery context, the ability to quickly pinpoint potentially responsive data enables corporate counsel to better represent their client. For instance, they are able to intelligently negotiate keywords and overall preservation scope with opposing counsel, instead of flying blind. Also, with their eDiscovery house in order, they can focus on more strategic priorities in the case, including pressing the adversary on its discovery compliance, with the confidence that their own client does not live in a glass house.

Conversely, the Small opinion documents several meet-and-confer sessions and discovery hearings where UMC’s counsel was clearly at a significant disadvantage, and progressively lost credibility with the court, because they didn’t know what they didn’t know.

  3. Retaining Computer Forensics Consultants Late in the Game Did Not Save the Day

UMC eventually retained forensic collection consultants, several months after the duty to preserve kicked in. This reflects the old-school, reactive, “drag the feet” approach some organizations still take: they deflect preservation obligations and then, once opposing counsel or the court forces the issue, scramble to retain forensic consultants to parachute in. In this situation it was already too late, as much of the data had already been spoliated. And because of the lack of a process, including a data map, the collection efforts were disjointed and haphazard. The opinion also reflects that this reactive fire drill resulted in significant data over-collection, at significant cost to UMC.

In sum, Small v. University Medical Center is a 123-page illustration of what often happens when an organization does not have a systematic eDiscovery process in place. An effective process is established through the right people, processes and technology, such as the capabilities of the X1 Distributed Discovery platform. A complete copy of the court opinion can be accessed here: Small v. University Medical Center


Filed under Best Practices, Case Law, compliance, Corporations, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management, Preservation & Collection

Dark Web Evidence Critical to All Cyber Investigations and Many eDiscovery Matters

The dark web is a component of the World Wide Web that is only accessible through special software or configurations, allowing users and website operators to remain anonymous or untraceable. The dark web forms a small part of the deep web, the portion of the web not indexed by search engines. The dark web has gained notoriety over the past few years, and several large criminal investigations have resulted in seizures of both cryptocurrencies and dark web pages and sites. Criminal enterprises involving counterfeiting, hacking, ID and IP theft, narcotics, child pornography, human trafficking, and even murder for hire seek a haven in the midst of encrypted communications and payment systems, such as Bitcoin, to facilitate their nefarious schemes.
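
The “special software or configurations” referenced above usually means the Tor network. For illustration only, here is a minimal Python sketch of routing a request through a locally running Tor client. It assumes Tor is listening on its default SOCKS port (9050), that the requests[socks] extra is installed, and that the .onion address shown is a placeholder.

```python
import requests

# Tor's client exposes a SOCKS5 proxy on localhost:9050 by default.
# The "socks5h" scheme resolves DNS inside Tor, which is required for
# .onion hostnames to resolve at all.
proxies = {
    "http": "socks5h://127.0.0.1:9050",
    "https": "socks5h://127.0.0.1:9050",
}

# Placeholder address -- real v3 hidden-service hostnames are
# 56-character base32 strings ending in .onion.
url = "http://exampleonionaddressplaceholder.onion/"

response = requests.get(url, proxies=proxies, timeout=60)
print(response.status_code)
```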

While mining the dark web is critical for many law enforcement investigations, we are also seeing increased focus on this important evidence in civil litigation. Fero v. Excellus Health Plan, Inc. (US Dist. Ct., NY, Jan. 19, 2018) is one recent example. Fero arises out of a data breach involving healthcare provider Excellus Health Plan, Inc. According to the complaint, hackers breached Excellus’s network systems, gaining access to the personal information of millions of individuals, including their names, dates of birth, social security numbers, credit card numbers, and medical insurance claims information. The plaintiffs brought a class action asserting claims under various federal and state laws.

Initially, the court dismissed the plaintiffs’ case, citing a failure to establish damages and actual misuse by the hackers who allegedly stole their information. However, after conducting a more diligent investigation, the plaintiffs submitted, with their motion for reconsideration, evidence that their PII had been placed on the dark web. This evidence was summarized in an expert report with the following conclusion: “it is my opinion to a reasonable degree of scientific certainty that PII and PHI maintained on the Excellus network was targeted, collected, exfiltrated, and put up for sale o[n] DarkNet by the attacker for the purpose of, among other things, allowing criminals to purchase the PII and PHI to commit identity theft.” Fero, at 17. Based on this evidence, the court granted the motion for reconsideration and denied the defendant’s motion to dismiss. In other words, the dark web evidence was game-changing in this high-profile class action suit.

Cases like Fero v. Excellus Health Plan illustrate that dark web evidence is essential for criminal and civil litigation matters alike. Dark web investigations do require specialized knowledge and tools to execute. For instance, X1 Social Discovery can be easily configured to conduct such dark web investigations and collections.

Recently, Joe Church of Digital Shield led a very informative and instructive webinar on this topic. Joe is one of the most knowledgeable people I’m aware of on dark web investigations, and his detailed presentation did not disappoint. It featured a concise overview of the dark web, how it’s used, and how to navigate it, including a detailed lesson on the tools and techniques needed to search for and investigate key sources of evidence on the dark web. This webinar is a must-see for anyone who conducts or manages dark web investigations. Joe also featured a section on how to utilize X1 Social Discovery to collect, search and authenticate dark web evidence. You can review this very informative 30-minute training session (no sign-in required) by visiting here.


Filed under Best Practices, Case Law, Case Study, Cloud Data, dark web, eDiscovery, Preservation & Collection, Social Media Investigations, Uncategorized

When Your “Compliance” and eDiscovery Processes Violate the GDPR

Time to reevaluate tools that rely on systemic data duplication

The European Union (EU) General Data Protection Regulation (GDPR) became effective in May 2018. To briefly review, the GDPR applies to the processing of “personal data” of EU citizens and residents (a.k.a. “data subjects”). “Personal data” is broadly defined to include “any information relating to an identified or identifiable natural person.” That can include email addresses and transactional business communications tied to a unique individual. The GDPR applies to any organization that provides goods and services to individuals located in the EU on a regular basis, or that maintains electronic records of its employees who are EU residents.

In addition to an overall framework of updated privacy policies and procedures, the GDPR requires the ability to demonstrate and prove that personal data is being protected. Essential components of such compliance are data audit and discovery capabilities that allow companies to efficiently search for and identify the necessary information, both proactively and reactively, in order to respond to regulators and to requests from private EU citizens. As such, any GDPR compliance program is ultimately hollow without consistent, operational execution and enforcement through an effective eDiscovery and information governance platform.

However, some content management and archiving tool providers are repurposing their messaging around GDPR compliance. For example, an industry executive contact recently recounted a meeting with such a vendor, whose tool involved duplicating all of the emails and documents in the enterprise and then migrating those copies to a central server cluster. That way, the tool could theoretically manage all the documents and emails centrally. Putting aside the difficulty of scaling that process to manage and sync hundreds of terabytes of data in a medium-sized company (and petabytes in a Fortune 500), this anecdote underscores a fundamental flaw in tools that require systemic data duplication in order to search and manage content.

Under the GDPR, data needs to be minimized, not systematically duplicated en masse. It would be extremely difficult under such an architecture to sync up and remediate non-compliant documents and emails back at the original location. So at the end of the day, this proposed solution would actually violate the GDPR by making duplicate copies of data sets that would inevitably include non-compliant information, without any real means to sync up remediation.

The same is true for much of the traditional eDiscovery workflow, which involves numerous steps requiring data duplication at every turn. For instance, data collection is often accomplished through misapplied forensic tools that operate by broadly copying data wholesale, resulting in over-collection. As the court said in In re Ford Motor Company, 345 F.3d 1315 (11th Cir. 2003): “[E]xamination of a hard drive inevitably results in the production of massive amounts of irrelevant, and perhaps privileged, information…” Even worse, the collected data is then re-duplicated one or often two more times by the examiner for archival purposes. The data is then sent downstream for processing, which results in even more data duplication. Load files are created for further transfers, which are duplicated as well.

Chad Jones of D4 explains in a recent webinar, and in his follow-on blog post, how such manual and inefficient handoffs throughout the discovery process greatly increase risk as well as cost. Like antiquated factories spewing tons of pollution, outdated eDiscovery processes spin out a lot of superfluous data duplication. Much of that data likely contains non-compliant information, thus “polluting” your organization, including through your eDiscovery services vendors, with increased GDPR and other regulatory risk.

In light of the above, organizations evaluating compliance and eDiscovery software should keep in mind these five key requirements to stay in line with the GDPR and good overall information governance (a brief sketch of the first two requirements follows the list):

  1. Search data in place. Data on laptops and file servers needs to be searched in place. Tools that require copying and migration to central locations to search and manage data are part of the problem, not the solution.
  2. Delete data in place. The GDPR requires that non-compliant data be deleted on demand. Purging data on managed archives does not suffice if other copies live on laptops, unmanaged servers and other unstructured sources. Your search-in-place solution should also delete in place.
  3. Data minimization. The GDPR requires that organizations minimize data, as opposed to exploding data through mass duplication.
  4. Targeted and efficient data collection. Only potentially relevant data should be collected for eDiscovery and data audits. Over-collection leads to much greater cost and risk.
  5. Seamless integration with attorney review platforms, bypassing the processing steps that require manual handoffs and load files.
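
To make the first two requirements concrete, here is a minimal sketch of the search-in-place and delete-in-place pattern: flag files where they live, copy nothing, and remediate only after a dry run. The mount point and the simple email-address regex are illustrative stand-ins; X1’s actual detection and remediation logic is not public.

```python
import re
from pathlib import Path

# Stand-in PII detector (email addresses). A real audit would use far
# richer detectors for names, national IDs, health data, and so on.
PII = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def audit_in_place(root: str, remediate: bool = False) -> list[Path]:
    """Flag files containing PII without copying them anywhere.

    With remediate=True, delete flagged files in place -- erasing at the
    source rather than purging only a central archive.
    """
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file; a real tool would log an exception
        if PII.search(text):
            flagged.append(path)
            if remediate:
                path.unlink()  # delete in place
    return flagged

# Dry run first: report and review, then remediate deliberately.
print(audit_in_place("/mnt/fileserver/share"))  # hypothetical mount point
```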

X1 Data Audit & Compliance is a ground-breaking platform that meets these criteria while enabling system-wide data discovery in support of GDPR and many other information governance requirements. Please visit here to learn more.


Filed under Best Practices, compliance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management, Uncategorized

Assessing GDPR 30 Days In: A Report from the Field

Enforcement of the EU General Data Protection Regulation (GDPR) began May 25, 2018, and this new development is significantly reshaping the information governance landscape for organizations worldwide that control, process or store the data of European residents. Yesterday, X1 hosted a live webinar featuring GDPR experts Jay Kramer, a partner at Lewis Brisbois in the firm’s cybersecurity and privacy group, and Marty Provin, executive vice president at Jordan Lawrence.

Kramer provided a “battlefield report” about what he is seeing from the field and hearing from his various clients, with three main observations:

  1. Many are still late to the game. Kramer noted that he has several clients contacting him well after the May 25 enforcement date to begin the process of GDPR compliance.
  2. GDPR compliance maps to best practices. Becoming GDPR ready is a good business decision because it establishes transparency, data privacy and security processes that companies should be doing anyway.
  3. Now that the law has gone into effect, organizations that have been proactive are quickly transitioning from readiness to operational compliance and enforcement. For instance, many organizations are finding themselves responding to data subject access requests.

Kramer also noted that while much focus has been on potential fines levied under GDPR, organizations need to be aware that individuals can file complaints with the supervisory authorities under article 77, or even bring their own private actions, citing article 82. These claims have already been brought in the form of class actions, and Kramer expressed concern that many more claims could be fanned by “privacy trolls” – similar in concept to “patent trolls” – or by disgruntled customers or ex-employees.

Marty Provin outlined the importance of information governance and data classification in support of GDPR compliance, especially the need to operationalize policies and procedures in order to identify non-compliant data throughout the organization and properly respond to regulatory requirements and data subject access requests. Kramer seconded that point, noting that the GDPR requires an organization to have absolute knowledge of where all EU personal data is stored across the enterprise and to be able to remove or minimize it when required.

This readiness is achieved through planning, data mapping, and data classification. Provin provided an informative overview of these processes, based upon his extensive experience implementing such best practices for his clients over the past 20 years. He observed that it is also important to have a solution like X1 Data Audit and Compliance to search for and identify documents, emails and other records across the enterprise that are non-compliant with the GDPR. Such a capability is essential to address both the proactive and reactive components of GDPR compliance.

The final segment of the webinar included a live demonstration of a proactive data audit across numerous computers to find PII of EU data subjects. The second half of the demonstration illustrated an effective response to a data subject access request, in this case a request by an individual to have their data erased.

In addition to comprehensive search, the demo highlighted X1’s ability to report on identified data in a detailed fashion and then take action on it, by migrating it or even deleting it in place, including within email containers.
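
Acting on data inside an email container presupposes being able to search the container in place. X1 handles PST and Exchange stores; as a rough stand-in, the sketch below uses Python’s standard mailbox module against an mbox file, with a placeholder path and a placeholder data-subject address.

```python
import mailbox

MBOX_PATH = "/mnt/mail/archive.mbox"  # hypothetical container
SUBJECT_ADDR = "jane.doe@example.eu"  # the data subject making the request

def find_subject_messages(path: str, address: str) -> list[str]:
    """Return Message-IDs of messages sent to or from the data subject."""
    matches = []
    for msg in mailbox.mbox(path):
        headers = " ".join(str(msg.get(h, ""))
                           for h in ("From", "To", "Cc", "Bcc")).lower()
        if address.lower() in headers:
            matches.append(msg.get("Message-ID", "<no-id>"))
    return matches

for mid in find_subject_messages(MBOX_PATH, SUBJECT_ADDR):
    print(mid)
```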

A recording of this informative and timely webinar is available for viewing here.



Filed under Best Practices, eDiscovery & Compliance, GDPR, Information Governance, Records Management, Uncategorized