Category Archives: compliance

Government Regulators Reject “Paper” Corporate Compliance Programs Lacking Actual Enforcement

By John Patzakis

Recently, US Government regulators fined Stanley Black & Decker $1.8m after its subsidiary illegally exported finished power tools and spare parts to Iran, in violation of sanctions. The Government found that the tool maker failed to “implement procedures to monitor or audit [its subsidiary] operations to ensure that its Iran-related sales did not recur.”

Notably, the employees of the subsidiary concealed their activities by creating bogus bills of lading that misidentified delivery locations and told customers to avoid writing “Iran” on business documents. This conduct underscores the importance of having a diligent internal monitoring and investigation capability that goes beyond mere review of standard transactional records in structured databases such as CRM systems. This type of conduct is best detected on employee’s laptops and other sources of unstructured data through effective internal investigations processes.Law Journal2

The Treasury Department stated the Stanley Black & Decker case “highlights the importance of U.S. companies to conduct sanctions-related due diligence both prior and subsequent to mergers and acquisitions, and to take appropriate steps to audit, monitor and verify newly acquired subsidiaries and affiliates for….compliance.”

Further to this point, the US Department of Justice Manual features a dedicated section on assessing the effectiveness of corporate compliance programs in corporate fraud prosecutions, including FCPA matters. This section is a must read for any corporate compliance professional, as it provides detailed guidance on what the USDOJ looks for in assessing whether a corporation is committed to good-faith self-policing or is merely making hollow pronouncements and going through the motions.

The USDOJ cites United States v. Potter, 463 F.3d 9 (1st Cir. 2006), which provides that a corporation cannot “avoid liability by adopting abstract rules” that forbid its agents from engaging in illegal acts, because “[e]ven a specific directive to an agent or employee or honest efforts to police such rules do not automatically free the company for the wrongful acts of agents.” Id. at 25-26. See also United States v. Hilton Hotels Corp., 467 F.2d 1000, 1007 (9th Cir. 1972) (noting that a corporation “could not gain exculpation by issuing general instructions without undertaking to enforce those instructions by means commensurate with the obvious risks”).

The USDOJ manual advises prosecutors to determine if the corporate compliance program “is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives,” and that “[p]rosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

With these mandates from government regulators for actual and effective monitoring and enforcement through internal investigations, organizations need effective and operational mechanisms for doing so. In particular, any anti-fraud and internal compliance program must have the ability to search and analyze unstructured electronic data, which is where much of the evidence of fraud and other policy violations can be best detected.

To help meet the “actual enforcement” requirements of government regulators, X1 Distributed Discovery (X1DD) enables enterprises to quickly and easily search across up to thousands of distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, and full results with completed collection in hours, instead of days or weeks. Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed data discovery across an organization. X1DD replaces expensive, cumbersome and highly disruptive approaches to meet enterprise investigation, compliance, and eDiscovery requirements.

Once the legal team is satisfied with a specific search string, after sufficient iteration, the data can then be collected by X1DD by simply hitting the ‘collect’ button. The responsive data is “containerized” at each end point and automatically transmitted to either a central location, or uploaded directly to Relativity, using Relativity’s import API where all data is seamlessly ready for review. Importantly, all results are tied back to a specific custodian, with full chain of custody and preservation of all file metadata. Here is a recording of a live public demo with Relativity, showing the very fast direct upload from X1DD straight into RelativityOne.

This effort described above — from iterative, distributed search through collection and transmittal straight into Relativity from hundreds of endpoints — can be accomplished in a single day. Using manual consulting services, the same project would require several weeks and hundreds of thousands of dollars in collection costs alone, not to mention significant disruption to business operations. Substantial costs associated with over-collection of data would mount as well, and could even dwarf collection costs through unnecessary attorney review time.

In addition to saving time and money, these capabilities are important demonstrate a sincere organizational commitment to compliance versus maintaining a mere “paper program.”

1 Comment

Filed under Best Practices, Case Law, Case Study, compliance, Corporations, eDiscovery & Compliance, Enterprise eDiscovery, Information Governance

GDPR Fines Issued for Failure to Essentially Perform Enterprise eDiscovery

By John Patzakis

The European General Data Protection Regulation (GDPR) came into full force in May 2018. Prior to that date, what I consistently heard from most of the compliance community was general fear and doubt about massive fines, with the solution being to re-purpose existing compliance templates and web-based dashboards. However, many organizations have learned the hard way that “paper programs” alone fall far short of the requirements under the GDPR. This is because the GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to search for, identify and remove it when required.GDPR-stamp

Frequent readers of this blog may recall we banged the Subject Access Request drum prior to May 2018. We noted an operational enterprise search and eDiscovery was required to effectively comply with many of the core data discovery-focused requirements of GDPR. Under the GDPR, a European resident can request — potentially on a whim — that all data an enterprise holds on them be identified and also be removed. Organizations are required to establish a capability to respond to these Subject Access Requests (SARs). Forrester Research notes that “Data Discovery and classification are the foundation of GDPR compliance.” This is because, according to Forrester, GDPR effectively requires that an organization be able to identify and actually locate, with precision, personal data of EU data subjects across the organization.

Failure to respond to SARs has already led to fines and enforcement actions against several companies, including Google and the successor entity to Cambridge Analytica. This shows that many organizations are failing to understand the operational reality of GDPR compliance. This point is effectively articulated by a recent practice update from the law firm of DLA Piper on the GDPR, which states: “The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect, process, securely store, share and securely wipe personal data (emphasis added).”

These GDPR requirements can only be complied with through an effective enterprise eDiscovery search capability:

To achieve GDPR compliance, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and returning results within minutes instead of days or weeks. The need for such an operational capability is further heightened by the urgency of GDPR compliance.

X1 Distributed GRC represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1 Distributed GRC is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while effectuating that all-too-elusive actual compliance with information governance programs, including GDPR.

Leave a comment

Filed under Best Practices, compliance, Data Audit, GDPR, Uncategorized

In addition to TAR, CAR Can Dramatically Reduce Attorney Review Costs

eDiscovery efforts are often costly, time consuming and burdensome. The volume of Electronically Stored Information is growing exponentially and will only continue to do so. Even with the advent of technology assisted review (TAR), the costs associated with collecting, processing, reviewing, and producing documents in litigation are the source of considerable pain for litigants. The only way to reduce that pain to its minimum is to use all tools available in all appropriate circumstances within the bounds of reasonableness and proportionality to control the volumes of data that enter the discovery pipeline.

Litigators and commentators often pine for the advent of a systemized, uniform and defensible process for custodian self-collection. Conceptually, such an ideal process would be where custodians are automatically presented with a set of their documents and emails that are identified as potentially relevant to a given matter through a set of keywords and other search parameters that are uniformly applied across all custodians. This set of ESI would be presented to the custodian in a controlled interface with no ability to delete documents or emails, and only the ability to review and apply tags and annotations. The custodian would have to comply with the order and all documents responsive to the initial unified search would be collected as a default control mechanism.

With X1 Data Audit and Compliance (XDAC), the option for a defensible custodian assisted review (CAR) is now a reality. At a high level, with XDAC, organizations can perform targeted search and collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%), thereby bringing much needed feasibility to enterprise-wide eDiscovery collection that can save organizations millions while improving compliance. XDAC includes X1 Insight and Collection for pure eDiscovery use cases.

As a key optional feature, XDAC provides custodian assisted review, where custodians are presented with a listing of their potentially relevant ESI in a controlled, systemized and uniform identification process for their review and tagging. Instead of essentially asking the custodians to “please rummage through your entire email account and all your documents to look for what you might think is relevant to this matter,” the custodians are presented with a narrow and organized subset of potentially relevant ESI for their review.

screenshot

While the custodians are able to assist with the review, they cannot impact or control what ESI is identified and preserved; this is controlled and managed centrally by the eDiscovery practitioner. This way, custodians can apply their own insight to the information and even flag personal private data, all while effectuating very cost-effective and systematic ESI collection.

Powerful Analytics Engine

TAR features powerful algorithms that cluster documents and otherwise work their magic. CAR also relies on a powerful analytics engine — the human brain. Custodians know a lot about their own documents and emails. This is particularly true in technical or other complex matter where the custodians are engineers or other professionals who simply better understand the dynamics and the nuances of their information. With the X1 process, the custodians provide a key data point, where their input is used to inform the secondary review.

The process is very defensible as the exercise is logged and documented, with all metadata kept intact and a concise chain of custody established. Best of all, the custodian-applied tags and annotations are preserved and retained through the review process with X1 integration with Relativity. I could describe this very important feature a lot further, but candidly the best way to get a full picture is to see it for yourself. I recommend that you view this recorded 9 minute demonstration of X1’s custodian self-review feature here.

We believe X1’s functionality provides the optimal means for enterprise eDiscovery preservation, collection and early data assessment, especially with the key additional (and optional) feature of custodian assisted review. But please see for yourself and let us know what you think!

 

Leave a comment

Filed under Best Practices, compliance, Desktop Search, eDiscovery & Compliance, Enterprise eDiscovery

X1 Insight and Collection & RelativityOne Integration: Testing and Proof of Concept

Editor’s Note: The following is a blog post published by eDiscovery expert Chad Jones, Director at D4 Discovery, regarding D4’s extensive testing and validation of the integration of R1 and X1 Insight and Collection.  It is republished here with permission. 

Discovery is a complicated business. For a typical litigation, there are at least five separate stages, collection, processing, review, analysis, and production, and while the average discovery period lasts eight to ten months, the matters themselves can run for years. During the lifecycle of a common eDiscovery project, these five stages are usually performed by several different parties, which further complicates the process by introducing a variety of hand-offs and delays between organizations and individuals.

The proof of concept that follows was designed to validate Insight and Collection, a product created by X1 Discovery, Inc, and that now features a direct upload to Relativity and RelativityOne. With this product, X1 proposes to streamline the five-stage process by allowing enterprises to search locally, collect those search hits, process the results and push them directly to RelativityOne in a matter of minutes.

To evaluate the viability of the X1 Insight and Collection, D4, LLC. designed and executed the following Proof of Concept (POC). A leader in forensic collection services and a seven-time Relativity Best in Service, Orange Levelhosting partner, D4 staff leveraged its expertise in end to end eDiscovery to implement the workflow and document the results.

Background

Project

eDiscovery is a multi-stage process with a series of hand-offs between disconnected parties. This process can be extremely expensive and error prone. In addition to the costs, the time to review can often span weeks or even months to complete.

Stakeholders

Those who stand to benefit from X1 Insight and Collection are business and organization leaders looking to manage and control the cost and risks of discovery.

Solution Features and Benefits

There are several features of the X1 Insight and Collection: search-in-place, early case assessment visualizations, remote collection, processing on demand, publish to review in RelativityOne. Searching in place on the local machine has several benefits. It prevents needless over collection and saves the end user from the hassle of turning over her machine and losing productivity. It also gives case teams the opportunity to iterative refine search terms and review search hits on the fly.

Finally, searching in place replaces the need to collect data and load to a master repository for indexing and searching. This includes email containers – the ability to index, search and collect all email in place on the custodian’s computer or the corporate Exchange server without the need to migrate the entire container or full account is a strong and unique capability. With X1’s remote collection, once users target the specific files and emails they need, they can immediately collect and process that information. Once collected and processed, enterprise users have the option of creating standard load files or sending text, metadata and native files directly to RelativityOne.

Practical Details of POC

To test and vet the software, D4 built a mini-cloud environment, consisting of five custodian machines; one enterprise server; and one client server meeting the specs listed below:

Server 1

  • OS: Microsoft Server 2012 R2
  • CPU: 2.6 GHz minimum 8 processors
  • Memory: 16 GB RAM
  • Disk: 180 GB free hard disk space (software)
  • Disk 2: 1TB for collected data (or available network drive)

Server 2

  • OS: Microsoft Server 2012 R2
  • CPU: 2.6 GHz minimum 8 processors
  • Memory: 32 GB RAM
  • Disk: 180 GB free hard disk space (software)

Testing Desktop: (QTY 5)

  • OS: Microsoft Windows 7, 8 or 10
  • CPU: 1.8 GHz minimum 2 processors
  • Memory: 8 GB RAM

On each custodian machine we placed a mix of email and non-email data. From these data sets we ran a series of tests from which we collected data.

Although X1 Insight and Collection provides a variety of workflows allowing for a complex collection strategy, for the purposes of this proof-of concept, the collection was limited to a simple Boolean query of common football related terms across Enron data. We made two separate collections of email data: a collection to disc with load files and a collection direct pushed to RelativityOne. The terms used in the POC were: “football OR game OR trade OR QB OR league OR cowboys OR longhorns OR thanksgiving OR player.” Following the collections, the results of the load file export were test loaded to Relativity and the results of the dataset published direct to RelativityOne were evaluated in that workspace.

Test Results

The testing process considered four main areas: documenting search results; documenting upload/download times; metadata validation; and reports and exception handling. To test the search results the loaded data was indexed, and searches run to confirm the results. In both load formats, the search results remained the same as shown below.

It is important to note that in Relativity only the text was searched while in X1 all metadata was also included in the search. This is a common difference between review platforms and collection tools, as collection tools are able to search all components of the file, while review is limited to extracted metadata fields only.

Additional tests were performed to document search and exports speeds. One of the components of X1 Insight and Collection is its collection module which sits on the client server and manages the collection from a central location. In the initial test, we chose to export the files to disc and create a load file, while in the second test we leveraged X1s integration with RelativityOne and upload data to Relativity’s cloud instance via the Relativity API.

In both cases, the results proved that X1 is incredibly powerful. Each time the system executed saved searches on five separate machines, pulled the data to the client server, extracted text and metadata and then either generated a load file or sent the deliverable straight to the cloud and into Relativity – all within minutes. The results, shown below, are amazing. In both cases the system completed all steps in under 13.5 minutes. Additional tests were performed to document search and exports speeds.

One of the components of X1 Insight and Collection is its collection module which sits on the client server and manages the collection from a central location. In the initial test, we chose to export the files to disc and create a load file, while in the second test we leveraged X1s integration with RelativityOne and upload data to Relativity’s cloud instance via the Relativity API. In both cases, the results proved that X1 is incredibly powerful. Each time the system executed saved searches on five separate machines, pulled the data to the client server, extracted text and metadata and then either generated a load file or sent the deliverable straight to the cloud and into Relativity – all within minutes. The results, shown below, are amazing. In both cases the system completed all steps in under 13.5 minutes.

Further testing showed that while X1 gets the essential metadata components extracted from the data, there are some features we are used to seeing in established eDiscovery processing tools that are lacking in this product. We also found the exception reporting to be lacking. In our RelativityOne tests, we found 40 files were excluded from upload, yet when reviewing the available exception reporting we had trouble seeing what caused those file failures. These issues notwithstanding, the POC proved successful. X1 Insight and Collection proved to be a powerful search engine and collection tool, capable of collecting over 6,000 documents from five separate machines and uploading those files to RelativityOne in less than fifteen minutes!

Conclusion

X1 Insight and Collection offers multiple benefits to the enterprise user looking to take control of the eDiscovery life cycle. By simplifying the course of an eDiscovery project, X1 limits the number of touch points in the traditional vendor-driven process. Internal users can search and vet terms in real-time before collection. This not only mitigates the opportunity for error, but it greatly reduces the time to review, which is what this solution really seems to be all about. X1 seems to have been designed with the internal investigation in mind. Offering a light tagging feature, X1 gives users a light ECA option that with a couple mouse clicks becomes a collection and processing tool that connects directly to all the features of RelativityOne. When combined with Relativity ECA, Analytics and Active Learning, this might be all the solution the typical enterprise would need.

Leave a comment

Filed under Best Practices, Case Study, compliance, eDiscovery, Enterprise eDiscovery, Information Governance, reviewing

Why I Joined X1

X1 Logo 559w 288t

Two weeks ago I joined X1 as CEO, a company I am convinced is in the process of disrupting not just the eDiscovery industry, but the regulatory compliance and corporate governance markets as well.  As I discussed at length with the X1 team and board of directors during the interview process, I see in X1 a ton of similarities to Recommind circa 2007 (shortly after I joined), alongside several additional advantages we didn’t have at Recommind back then.  Does this guarantee greatness for years to come for X1?  Absolutely not.  But it gives us the opportunity to control our own destiny which is all a software startup can ask.  Here’s why.

  • X1’s team and culture are strong. I have learned the hard way how important culture is, how it can be instrumental in raising a collective effort to new heights or hold an otherwise successful company back from reaching its potential.  X1 is filled with people who have been here for 5, 7, 10 and even 14 years (here’s looking at you Alan!).  People here just want to win, to help make clients successful.  Our balance sheet and cap table are clean.  Revenue is growing nicely and we are cashflow positive.  Our investors, shareholders and board of directors have reasonable expectations about our plans and timelines (so far, anyway J).  X1ers are actually nice, which is a refreshing throwback coming from what has become a frequently cutthroat, arrogant culture amongst many of Silicon Valley’s largest tech companies and VC community.  We are building something special at X1, and if we execute well with a customer-centric focus at all times, everything else – accolades, continued revenue growth and profitability, financial gain – will take care of itself.

 

  • Making information actionable is really hard. When I worked at AccessData, a few VC friends of mine gave me grief for being at a company named after a problem that had already been solved.  “Accessing” information is indeed easy in most cases; however, making the right information “actionable” is an entirely different endeavor that is extremely difficult without X1 software.  What has changed over the last 10-15 years is the sheer volume and variety of information being created and therefore subject to litigation, regulatory scrutiny and corporate governance mandates.  Our industry-leading X1 Social Discovery product is proof of this, but the variety of today’s information doesn’t stop at social media: think of collaboration tools like Slack, Skype or Teams.  Simply put, people communicate in a far more varied way today than they used to, and making these varied data types available and actionable is hard.  I want to be at a company that is already addressing these challenges for our corporate, government, law enforcement and law firm clients, with ample runway to extend these capabilities, and X1 is exactly that.

 

  • The pressure on companies to find and act upon data is enormous. In the last 2 weeks we have done webinars on finding information on the Dark Web and California’s Consumer Privacy Act (CaCPA).  These topics weren’t on corporate radars – and in the latter case didn’t even exist – as recently as last year.  Add in GDPR, the growing impact of cybersecurity/breaches, migration of information to SaaS platforms and the cloud and the ever-present scrutiny of regulatory authorities globally and companies are struggling to make their information actionable as never before.  And this situation is unlikely to get any simpler or easier in the coming years, as the way we all communicate continues to evolve more quickly every year.

 

I have learned over my career (and life for that matter) that timing is a key part of life.  It’s rarely something we can control, but it has a huge impact on all of us.  X1 has a terrific opportunity to fill key customer needs at the exact time they need it, and has a team committed to customer success that genuinely cares.  I am extremely fortunate to be here at this time and can’t wait to see where we can take the company over the next 5 years and beyond.

– Craig Carpenter

Craig Carpenter 250 sq

 

Leave a comment

Filed under compliance, Data Audit, eDiscovery, Information Governance, Uncategorized