Category Archives: Corporations

A.I. Bot ChatGPT Explains How Corporate Legal Can Streamline eDiscovery Processes

By John Patzakis

Over the weekend I was about to write a blog post on how corporate legal departments can streamline and improve their internal eDiscovery processes. I instead asked ChatGPT to write it. ChatGPT did a better job of it. So if anyone needs me this week, I will be at the beach.


Here is the full transcript:


My Prompt: Please write a memo explaining how corporate legal departments can streamline their eDiscovery processes to reduce costs and improve compliance.


Response from ChatGPT:

Subject: Streamlining eDiscovery Processes for Corporate Legal Departments

Dear All,

As technology continues to advance and the amount of electronic data generated by companies grows, the eDiscovery process can become increasingly complex and costly. However, there are steps that corporate legal departments can take to streamline their eDiscovery processes and reduce costs while also improving compliance.
1. Invest in eDiscovery Technology Solutions: Utilizing technology solutions, such as automated data collection and review tools, can help reduce the time and cost associated with manual review processes. These solutions can also improve accuracy and consistency in data collection and review, reducing the risk of non-compliance.
2. Establish Clear Protocols and Guidelines: Having clear protocols and guidelines in place for data collection and preservation will help ensure that relevant data is preserved and collected in a timely manner, reducing the risk of spoliation and ensuring compliance with legal obligations.
3. Employee Training: Regular training for employees on best practices for managing electronic data will help ensure that data is properly preserved and collected, reducing the risk of non-compliance.
4. Regular Process Reviews: It is important to regularly review and update processes to ensure they align with changes in regulations and technology. This will help ensure that eDiscovery processes remain efficient and effective, reducing costs and improving compliance.
5. Consider Alternative Service Providers: Utilizing alternative service providers, such as managed eDiscovery service providers, can help reduce costs while also improving compliance. Negotiating service level agreements that meet both cost and compliance goals will ensure that eDiscovery initiatives are managed in a cost-effective and compliant manner.
6. Utilize Project Management Techniques: Using project management techniques, such as setting clear goals, tracking progress, and monitoring budgets, will help keep eDiscovery initiatives on track and within budget, reducing costs and improving compliance.
In conclusion, streamlining eDiscovery processes can help reduce costs and improve compliance. By utilizing technology solutions, establishing clear protocols and guidelines, training employees, regularly reviewing processes, considering alternative service providers, and utilizing project management techniques, corporate legal departments can ensure that their eDiscovery processes are efficient and effective.

If you have any questions or would like to discuss these recommendations further, please do not hesitate to reach out.

Best regards,
[Your Name]

Couldn’t have said it better myself. And if you agree with ChatGPT’s recommendation to invest in automated collection technologies to reduce costs and reduce the risk of non-compliance, please see this information about our X1 Enterprise Collect platform.


Filed under Best Practices, Cloud Data, Corporations, eDiscovery, Enterprise eDiscovery, ESI

Move to the Left and Targeted Collection Featured Widely as a Key 2023 eDiscovery Trend

By John Patzakis

It is prediction season for trends in the eDiscovery space for 2023. While many good eDiscovery scribes have published their prognostications in recent days, the annual predictions and overall analysis from Doug Austin in eDiscovery Today are invariably insightful. As a top industry analyst, Austin is in constant contact with eDiscovery executives and professionals and thus has a good finger on the industry pulse.

One of his key predictions this year, which notably appears in several trending 2023 forecasts, centers around the upstream focus on information governance and targeted collection. “I’m hearing more legal and eDiscovery professionals than ever talk about the importance of information governance, early data assessment (EDA) and targeted collections in discovery,” reports Austin, who then poses a very good question about the ramifications of this trend: “What happens when eDiscovery professionals are no longer routinely collecting the entire data corpus of custodians to sort out downstream? The growth of data for eDiscovery hosting providers to host slows dramatically – which jeopardizes growth in hosting revenue that is based on gigabytes (GBs) online.”

There is a lot going on in terms of takeaways from this paragraph. The “collect everything and sort it out later” approach is still the dominant model for service providers and, as Austin points out, it can be difficult for them to pivot from this economic model. However, this highlights a key reason why many in-house legal departments are now routinely deploying in-house collection and EDA solutions. There are significant cost savings and efficiencies to be gained by narrowing the data funnel upstream before the data is sent out for data hosting. And this approach is favored by the courts in applying the principles of proportionality now ensconced in the Federal Rules of Civil Procedure, with a wealth of case law establishing that ESI preservation efforts should be reasonable, proportionate, and targeted to only relevant information, as opposed to being overly broad and unduly burdensome.

While there is keen awareness of proportionality in the legal community, attaining the benefits requires the ability to operationalize workflows as far upstream in the eDiscovery process as possible. The case law and the Federal Rules provide that the duty to preserve only applies to potentially relevant information, but unless you have the right operational processes in place, you’re losing out on the ability to attain the benefits of proportionality. And with the proliferation of enterprise cloud data sources, it’s important that holistic and targeted collections encompass Microsoft 365 data as well as laptops and file shares.

To answer this unmet critical need, X1 has added MS 365 data connectors to our X1 Enterprise Collect platform. X1 Enterprise Collect provides users the unique ability to search and collect MS 365 data in-place. X1’s optimized approach of iterative search and targeted collection enables organizations to apply proportionality principles across both cloud and on-premise data sources with clear and consistent results for effective eDiscovery. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%).

The X1 Enterprise Collect Platform is available now from X1 and its global channel network in the cloud, on-premise, and with our services available on-demand. For a demonstration of the X1 Enterprise Collect Platform, contact us at sales@x1.com. For more details on this innovative solution, please visit www.x1.com/x1-enterprise-collect-platform.


Filed under Best Practices, Cloud Data, Corporations, eDiscovery, Enterprise eDiscovery, Information Governance, Preservation & Collection, proportionality

Significant Microsoft 365 eDiscovery Challenges Require a New Approach

By John Patzakis

The adoption of cloud-based Microsoft 365 (“MS 365”) by enterprises continues to grow exponentially, with the company recently reporting 300 million monthly active users, and the addition of over 100 petabytes of new content each month. There is no question that MS 365 is now a major data source for eDiscovery, second only to file-shares and laptops, and as such provides challenges to every legal and eDiscovery practitioner.

While MS 365 includes built-in eDiscovery tools in the Security and Compliance Center, many users look to third party alternatives due to the high cost, perceived concerns over the accuracy of search results, and other key challenges. However, most non-MS eDiscovery tools collect from MS 365 by simply making bulk copies of data associated with individual accounts, and then attempting to transfer that data en masse to their own proprietary processing and/or review platform. This problematic approach is counter-productive to the very purpose of why you put data in the cloud.

Such an effort is very costly, time consuming, and inefficient for many reasons. For one, this bulk transfer triggers data transfer throttling by Microsoft, causing significant time delays. But the main problem is that clients who are investing in MS 365 do not want to see all their data routinely exported out of its native environment every time there is an eDiscovery or compliance investigation. Organizations are fine with a targeted set of potentially relevant ESI leaving MS 365. What they do not want is a mass bulk export of terabytes of data at great expense because eDiscovery and processing tools need to first broadly ingest that data in their disparate platform in order to even begin the indexing, culling and searching process.

Additionally, organizations, especially larger enterprises, rarely house all or even most of their data within MS 365, with hybrid cloud and on-premise environments being the norm. MS 365 eDiscovery tools can only address what is contained within MS 365. Any on-premise data, including on-premise Microsoft sources (SharePoint, Exchange) cannot be readily consolidated by MS 365, and neither can data from other cloud sources such as Google Drive, Box, Dropbox, etc. And of course, laptops and file-shares are critical to eDiscovery collections and are also not supported by the MS 365 eDiscovery tools, with Microsoft indicating that they do not have any plans to address all of these non-MS 365 data sources.

So, eDiscovery software providers need to have a good process to perform unified search and collection of MS 365 and non-MS 365 sources. To achieve requisite efficiency and the minimization of data transfer, this process should be based upon a targeted search and collection in-place capability, and not simply involve mass export of data out of MS 365 for downstream processing and searching.

To answer this unmet critical need, X1 has added MS 365 data connectors to our X1 Enterprise Collect platform. X1 Enterprise Collect provides users the unique ability to search and collect MS 365 data in-place. X1’s optimized approach of iterative search and targeted collection enables organizations to apply proportionality principles across both cloud and on-premise data sources with clear and consistent results for effective eDiscovery. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%).

The X1 Enterprise Collect Platform is available now from X1 and its global channel network in the cloud, on-premise, and with our services available on-demand. For a demonstration of the X1 Enterprise Collect Platform, contact us at sales@x1.com. For more details on this innovative solution, please visit www.x1.com/x1-enterprise-collect-platform.


Filed under Best Practices, Cloud Data, Corporations, Data Audit, ECA, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, ESI, Information Governance, Information Management, OneDrive, Preservation & Collection, SharePoint

Usage-Based Pricing Model Increasingly Driving eDiscovery Software Growth

By John Patzakis

Legal Tech software CEOs often grapple with two competing challenges: Growing revenue in a manner that supports how customers buy their products for their individual cases, while at the same time maximizing shareholder value by recording recurring revenue, which the investor community typically favors. Recurring revenue generally comes in the form of fixed annual or monthly subscription licenses.

However, eDiscovery software providers are increasingly aligning their SaaS pricing strategy with the amount of product usage their customers consume. Instead of paying a fixed rate, the pricing is based upon actual usage. The benefits of this approach include a shorter and simpler purchasing process and increased customer satisfaction and retention.

In the eDiscovery space, customers often prefer to pay by “matter”, i.e., per lawsuit or legal case. Law firms and service providers typically utilize eDiscovery SaaS software specific to an individual case on a pass-through cost basis, where their end-client ultimately pays for the services. In the case of corporate law departments, oftentimes the organization prefers to purchase annual subscriptions for eDiscovery and apply the license over multiple matters in the course of the year. However, such buying decisions vary by organization, with corporate counsel sometimes deferring eDiscovery workflow and tech decisions to their law firms, which favors a usage-based pricing model.

While tech companies with recurring annual term revenue will typically garner higher valuations, eDiscovery software firms with usage-based pricing models are now seeing similarly elevated valuations. Investors are recognizing the very unique economics and buying dynamics specific to the eDiscovery software space. But it is incumbent on eDiscovery software execs, their investment bankers, and board members to educate the broader market on this dynamic unique to the eDiscovery space. In some situations, investors new to this space attempt to apply a steep discount to usage-based SaaS revenue, as it doesn’t fit in with their “paint by the numbers” ARR models. Rick Weber, Managing Director of Legal Tech investment banking firm Arbor Ridge Partners notes, “while the usage model is not annual recurring, it is ‘monthly re-occurring,’ and thus projections and modeling can be made based on company history and industry norms and should be treated like ARR contracts.”

In fact, usage-based pricing is now gaining wider acceptance in the broader SaaS software market beyond legal tech. Cloud infrastructure providers AWS and Microsoft Azure are obvious examples of successful usage-based pricing strategies, but many startups and medium sized companies have successfully implemented the model as well. While usage-based revenue may seem less predictable compared to other pricing models, companies using this model are often growing faster, retaining more revenue, and valued at high revenue multiples. But again, this realization requires a closer look by investors and an intelligent education effort by the companies and their advisors.

One caveat for investors is to confirm that the value of the SaaS usage offering is mostly based upon proprietary software tech versus services that are dressed up as SaaS. Some eDiscovery service providers attempt to position their services as SaaS, without a true standalone proprietary software component. An analysis of the cost of sales/gross margins and assessment of the actual proprietary nature of the software is determinative. Gross margins should be at least 80 percent. And while some services are often provided in conjunction with a SaaS usage-based offering, a qualifying factor is whether the software is also separately offered purely as a traditional license to end users without any services required, which is how many customers will opt to buy.

But for true usage-based SaaS offerings, the flexibility, simplicity and support of legal customers’ purchasing dynamics are key to rapid growth and customer satisfaction. As summarized by Weber, “many of the PE firms and investors that have made big bets on such companies in recent years seem to understand the nuance and opportunity while many still lag behind and simply need to think outside of their box.”


Filed under Best Practices, Cloud Data, Corporations, eDiscovery, Enterprise eDiscovery, Information Management, SaaS, Uncategorized

CCPA and GDPR UPDATE: Unstructured Enterprise Data in Scope of Compliance Requirements

An earlier version of this article appeared on Legaltech News

By John Patzakis

A core requirement of both the GDPR and the similar California Consumer Privacy Act (CCPA), which becomes enforceable on July 1, is the ability to demonstrate and prove that personal data is being protected. This requires information governance capabilities that allow companies to efficiently identify and remediate personal data of EU and California residents. For instance, the UK Information Commissioner’s Office (ICO) provides that “The GDPR places a high expectation on you to provide information in response to a SAR (Subject Access Request). Whilst it may be challenging, you should make extensive efforts to find and retrieve the requested information.”

However, recent Gartner research notes that approximately 80% of information stored by companies is “dark data” that is in the form of unstructured, distributed data that can pose significant legal and operational risks. With much of the global workforce now working remotely, this is of special concern and nearly all the company data maintained and utilized by remote employees is in the form of unstructured data. Unstructured enterprise data generally refers to searchable data such as emails, spreadsheets and documents on laptops, file servers, and social media.

The GDPR

An organization’s GDPR compliance efforts need to address any personal data contained within unstructured electronic data throughout the enterprise, as well as the structured data found in CRM, ERP and various centralized records management systems. Personal data is defined in the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Under the GDPR, there is no distinction between structured versus unstructured electronic data in terms of the regulation’s scope. There is a separate guidance regarding “structured” paper records (more on that below). The key consideration is whether a data controller or processor has control over personal data, regardless of where it is located in the organization. Nonetheless, there is some confusion about the scope of the GDPR’s coverage across structured as well as unstructured electronic data systems.

The UK ICO is a key government regulator that interprets and enforces the GDPR, and has recently issued important draft guidance on the scope of GDPR data subject access rights, including as it relates to unstructured electronic information. Notably, the ICO notes that large data sets, including data analytics outputs and unstructured data volumes, “could make it more difficult for you to meet your obligations under the right of access. However, these are not classed as exemptions, and are not excuses for you to disregard those obligations.”

Additionally, the ICO guidance advises that “emails stored on your computer are a form of electronic record to which the general principles (under the GDPR) apply.” In fact, the ICO notes that home computers and personal email accounts of employees are subject to GDPR if they contain personal data originating from the employer’s networks or processing activities. This is especially notable under the new normal of social distancing, where much of a company’s data (and associated personal information) is being stored on remote employee laptops.

The ICO also provides guidance on several related subjects that shed light on its stance regarding unstructured data:

Archived Data: According to the ICO, data stored in electronic archives is generally subject to the GDPR, noting that there is no “technology exemption” from the right of access. Enterprises “should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.” Further, enterprises “should use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes.”

Deleted Data: The ICO’s view on deleted data is that it is generally within the scope of GDPR compliance, provided that there is no intent to, or a systematic ability to readily recover that data. The ICO says it “will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously ‘deleted’ personal data held in electronic form. We do not require organisations to use time and effort reconstituting information that they have deleted as part of their general records management.”

However, under this guidance, organizations that invest in and deploy re-purposed computer forensic tools that feature automated un-delete capabilities may be held to a higher standard. Deploying such systems can reflect both the intent and the systematic technical ability to recover deleted data.

Paper Records: Paper records that are part of a “structured filing system” are subject to the GDPR. Specifically, if an enterprise holds “information about the requester in non-electronic form (e.g. in paper files or on microfiche records)” then such hard-copy records are considered personal data accessible via the right of access, if such records are “held in a ‘filing system.’” This segment of the guidance reflects that references to “unstructured data” in European parlance usually pertain to paper records. The ICO notes in separate guidance that “the manual processing of unstructured personal data, such as unfiled handwritten notes on paper” is outside the scope of GDPR.

GDPR Article 4 defines a “filing system” as meaning “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.” The only form of “unstructured data” that would not be subject to GDPR would be unfiled paper records like handwritten notes or legacy microfiche.

The CCPA  

The California Attorney General (AG) released a second and presumably final round of draft regulations under the California Consumer Privacy Act (CCPA) that reflect how unstructured electronic data will be treated under the Act. The proposed rules outline how the California AG is interpreting and will be enforcing the CCPA. Under § 999.313(d)(2), data from archived or backup systems are—unlike the GDPR—exempt from the CCPA’s scope, unless those archives are restored and become active. Additional guidance from the Attorney General states: “Allowing businesses to delete the consumer’s personal information on archived or backup systems at the time that they are accessed or used balances the interests of consumers with the potentially burdensome costs of deleting information from backup systems that may never be utilized.”

What is very notable is that the only technical exception to the CCPA is unrestored archived and back-up data. Like the GDPR, there is no distinction between unstructured and structured electronic data. In the first round of public comments, an insurance industry lobbying group argued that unstructured data be exempted from the CCPA. As reflected by revised guidance, that suggestion was rejected by the California AG.

For the GDPR, the UK ICO correctly advises that enterprises “should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract information requested by the data subjects whose personal data you process and redact third party data where it is deemed necessary.” This is why Forrester Research notes that “Data Discovery and Classification are the foundation for GDPR compliance.”

Establish and Enforce Data Privacy Policies

So to achieve GDPR and CCPA compliance, organizations must first ensure that explicit policies and procedures are in place for handling personal information. Once established, it is important to demonstrate to regulators that such policies and procedures are being followed and operationally enforced. A key first step is to establish a data map of where and how personal data is stored in the enterprise. This exercise is actually required under the GDPR Article 30 documentation provisions.

An operational data audit and discovery capability across unstructured data sources allows enterprises to efficiently map, identify, and remediate personal information in order to respond to regulators and data subject access requests from EU and California citizens. This capability must be able to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of weeks or months as is the case with traditional crawling tools. This includes laptops of employees working from home.

These processes and capabilities are not only required for data privacy compliance but are also needed for broader information governance and security requirements, anti-fraud compliance, and e-discovery.

Implementing these measures proactively, with routine and consistent enforcement using solutions such as X1 Distributed GRC, will go a long way to mitigate risk, respond efficiently to data subject access requests, and improve overall operational effectiveness through such information governance improvements.


Filed under CaCPA, compliance, Corporations, Cyber security, Cybersecurity, Data Audit, GDPR, Information Governance, Information Management, Uncategorized