Category Archives: Best Practices

GDPR Fines Issued for Failure to Essentially Perform Enterprise eDiscovery

By John Patzakis

The European General Data Protection Regulation (GDPR) came into full force in May 2018. Prior to that date, what I consistently heard from most of the compliance community was general fear and doubt about massive fines, with the solution being to re-purpose existing compliance templates and web-based dashboards. However, many organizations have learned the hard way that “paper programs” alone fall far short of the requirements under the GDPR. This is because the GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to search for, identify and remove it when required.GDPR-stamp

Frequent readers of this blog may recall we banged the Subject Access Request drum prior to May 2018. We noted an operational enterprise search and eDiscovery was required to effectively comply with many of the core data discovery-focused requirements of GDPR. Under the GDPR, a European resident can request — potentially on a whim — that all data an enterprise holds on them be identified and also be removed. Organizations are required to establish a capability to respond to these Subject Access Requests (SARs). Forrester Research notes that “Data Discovery and classification are the foundation of GDPR compliance.” This is because, according to Forrester, GDPR effectively requires that an organization be able to identify and actually locate, with precision, personal data of EU data subjects across the organization.

Failure to respond to SARs has already led to fines and enforcement actions against several companies, including Google and the successor entity to Cambridge Analytica. This shows that many organizations are failing to understand the operational reality of GDPR compliance. This point is effectively articulated by a recent practice update from the law firm of DLA Piper on the GDPR, which states: “The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect, process, securely store, share and securely wipe personal data (emphasis added).”

These GDPR requirements can only be complied with through an effective enterprise eDiscovery search capability:

To achieve GDPR compliance, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and returning results within minutes instead of days or weeks. The need for such an operational capability is further heightened by the urgency of GDPR compliance.

X1 Distributed GRC represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1 Distributed GRC is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while effectuating that all-too-elusive actual compliance with information governance programs, including GDPR.

1 Comment

Filed under Best Practices, compliance, Data Audit, GDPR, Uncategorized

New York Appellate Court Allows “Data Mining” of Social Media accounts for Relevant Information

By John Patzakis

The New York Appellate Division allowed discovery into the non-public information of the social media accounts of a former professional basketball player relevant to his personal injury claims arising out of an automobile accident. In Vasquez-Santos v. Mathew 2019 NY Slip Op 00541 (January 24, 2019), the court held that the defendant may utilize the services of a “data mining” company for a widespread search of the plaintiff’s devices, email accounts, and social media.social-media-cases3

Vasquez-Santos is an extension of a large body of court decisions that allow discovery of a user’s “private” social media messages, posts and photos where that information is reasonably calculated to contain evidence material and necessary to the litigation. Private social media information can be discoverable to the extent it “contradicts or conflicts with [a] plaintiff’s alleged restrictions, disabilities, and losses, and other claims” according the Vasquez-Santos Court.

The Court found that the defendant “is entitled to discovery to….defend against plaintiff’s claims of injury,” and noted that the requested access to plaintiff’s accounts and devices “was appropriately limited in time, i.e., only those items posted or sent after the accident, and in subject matter, i.e., those items discussing or showing defendant engaging in basketball or other similar physical activities.”

Also noteworthy was the Court’s finding that while plaintiff did not take the pictures himself, that was of no import to the decision. He was “tagged,” thus allowing him access to the pictures, and thus populated his social media account.

This decision is consistent with the general rule that while social media is clearly discoverable, there must be a requisite showing of relevance before the court moves to compel full production of a litigant’s “private” social media.

This case illustrates that any solution purporting to support eDiscovery for social media must have robust public search and collection capabilities. This means more than merely one-off screen scrapes but instead an ability to search, identify and capture up to thousands of social media posts on an automated and scalable basis.

X1 Social Discovery has the ability to find an individual’s publicly available content and to collect it in an automated fashion in native format with all available metadata intact to enable systematic and scalable search, review, tagging and analysis. We heard from one major law firm that screen captures of a single public Facebook account took several hours, with the resulting images not searchable or organized into a case-centric workflow. Now with X1 Social Discovery, they are able to accomplish this full capture in seconds. This is critically important to conduct proper due diligence on a case and to better assist legal and investigative professionals to make the requisite showings for the full discovery of social media evidence in civil discovery, as in Vasquez-Santos.

Leave a comment

Filed under Best Practices, Case Law, Case Study, eDiscovery, law firm, Social Media Investigations

In addition to TAR, CAR Can Dramatically Reduce Attorney Review Costs

eDiscovery efforts are often costly, time consuming and burdensome. The volume of Electronically Stored Information is growing exponentially and will only continue to do so. Even with the advent of technology assisted review (TAR), the costs associated with collecting, processing, reviewing, and producing documents in litigation are the source of considerable pain for litigants. The only way to reduce that pain to its minimum is to use all tools available in all appropriate circumstances within the bounds of reasonableness and proportionality to control the volumes of data that enter the discovery pipeline.

Litigators and commentators often pine for the advent of a systemized, uniform and defensible process for custodian self-collection. Conceptually, such an ideal process would be where custodians are automatically presented with a set of their documents and emails that are identified as potentially relevant to a given matter through a set of keywords and other search parameters that are uniformly applied across all custodians. This set of ESI would be presented to the custodian in a controlled interface with no ability to delete documents or emails, and only the ability to review and apply tags and annotations. The custodian would have to comply with the order and all documents responsive to the initial unified search would be collected as a default control mechanism.

With X1 Data Audit and Compliance (XDAC), the option for a defensible custodian assisted review (CAR) is now a reality. At a high level, with XDAC, organizations can perform targeted search and collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%), thereby bringing much needed feasibility to enterprise-wide eDiscovery collection that can save organizations millions while improving compliance. XDAC includes X1 Insight and Collection for pure eDiscovery use cases.

As a key optional feature, XDAC provides custodian assisted review, where custodians are presented with a listing of their potentially relevant ESI in a controlled, systemized and uniform identification process for their review and tagging. Instead of essentially asking the custodians to “please rummage through your entire email account and all your documents to look for what you might think is relevant to this matter,” the custodians are presented with a narrow and organized subset of potentially relevant ESI for their review.

screenshot

While the custodians are able to assist with the review, they cannot impact or control what ESI is identified and preserved; this is controlled and managed centrally by the eDiscovery practitioner. This way, custodians can apply their own insight to the information and even flag personal private data, all while effectuating very cost-effective and systematic ESI collection.

Powerful Analytics Engine

TAR features powerful algorithms that cluster documents and otherwise work their magic. CAR also relies on a powerful analytics engine — the human brain. Custodians know a lot about their own documents and emails. This is particularly true in technical or other complex matter where the custodians are engineers or other professionals who simply better understand the dynamics and the nuances of their information. With the X1 process, the custodians provide a key data point, where their input is used to inform the secondary review.

The process is very defensible as the exercise is logged and documented, with all metadata kept intact and a concise chain of custody established. Best of all, the custodian-applied tags and annotations are preserved and retained through the review process with X1 integration with Relativity. I could describe this very important feature a lot further, but candidly the best way to get a full picture is to see it for yourself. I recommend that you view this recorded 9 minute demonstration of X1’s custodian self-review feature here.

We believe X1’s functionality provides the optimal means for enterprise eDiscovery preservation, collection and early data assessment, especially with the key additional (and optional) feature of custodian assisted review. But please see for yourself and let us know what you think!

 

Leave a comment

Filed under Best Practices, compliance, Desktop Search, eDiscovery & Compliance, Enterprise eDiscovery