Category Archives: Information Management

Moving Beyond Litigation Support

By Sonam Sharma, Senior Manager, X1
(Originally published on ILTAnet.org, February 19, 2021)

The age-old adage of change being the only constant has never been truer than in today’s times. With pandemic induced disruptions fast-tracking an already burgeoning impact of technology in day-to-day proceedings of your business and having a likewise impact in the lives of our clients, the ability to manage and react to this change must make all the difference between the longevity of your business and ensuring that you stay ahead of the market.

Over the last decade, a lot of energy has been spent towards understanding the pain points of the lawyers while constantly examining ways to reinvent to stay ahead of the competitors of varying scale, capabilities, and customer base. Change is inevitable but the transformation is a conscious choice. To navigate through a highly fluctuating market, we are witnessing law firms embracing change and revisiting their litigation support services and strategies to develop a unified and client-centric approach for their organizations. A focus on operational efficiency is becoming more about survival and excellence rather than a good-to-have organization priority.

So, what is this change that we are talking about?

The Legal industry is a fast pace world. Clients are rapidly outgrowing conventional models, largely as a result of how they are using technology in their everyday lives. As the expectations of the clients are ever-evolving, legal professionals need to find ways of delivering more seamless and client-centered experiences.

Client-facing services roles such as litigation support, legal assistants, and paralegals are the first points of contact for the commencement of legal work. These professionals play an important role in ensuring case proceedings go as smoothly as possible. However, due to the lack of synergies and functional silos between these groups the operational model can become obsolete/misaligned. “Over time, to maintain the efficiency of teams, it is important to focus on communications and the improvement of processes and procedures,” said Ardian Triantoro, Practice Support Manager, Schulte Roth & Zabel LLP.

To mitigate risks arising from process inefficiencies and to overcome organizational barriers, law firms need to bolster their capabilities by combining teams dealing with legal operations (such as clerks, paralegals, attorneys, and technical support).  and develop communication strategies between them. The goal is to streamline the legal operations workflow to provide a connected experience to the client.

There’s no better time to start the transformation than now!

The more progressive law firms are methodically building and systematically delivering work in-house. Leveraging a base of existing skills, experience, and vendor relationships, organizations have merged their Litigation Technology Support and operational support teams into the Practice Support department to deliver value to customers.

Leading law firms such as Kirkland & Ellis, Latham & Watkins, Baker & McKenzie, Schulte Roth & Zabel, LLP have implemented new ways to approach critical back-office operational functions. “For the law firms, it is not just about implementing the technology but to shift the focus from commoditized services to high-value expertise to recalibrate a more predictable pricing model that generates a cost-effective outcome of the case,” said Jared Michael Coseglia, Founder & CEO of award-winning legal staffing firm TRU Staffing, Inc.

So where can you start?

To prepare for the future, you should begin with a focus on the following areas:

  • Process: Strategize the ebbs and flows! Develop a communication map to help attorneys and staff members better understand the firm’s operating functions and how it fits together. Design effective processes that drive transparency and have a clear description of tasks and outcomes.
  • People: A starting point for assessing the firm’s capabilities is to determine skills, competencies, the talent available and create a capability map. Align skills with the evolving business needs and identify partnership opportunities with a focus on enabling attorneys to focus on long-term strategic decision-making; and
  • Technology: Understand the business needs and align the technology with the law firm organizational framework so that it is supporting the firm’s overall business objectives. It is about using technology to improve the old ways of working.

The more things change, law firms will see increased benefits from…

  • Seamless Client Service: Today, clients expect effortless experience from start to finish. It is critical to serving as a team member to the clients. By streamlining the processes internally, the practice support department acts as an all-in-one suite that law firms can leverage to build a repeatable and defensible process for optimal service delivery.
  • Efficiency Across Legal Ecosystem: Litigation professionals are masters in their field and have worked with a multitude of attorneys on countless cases over time. By utilizing in-house expertise, law firms can establish robust business practices to allow for quick and effective decision-making.
  • Reduced Costs: Staying on top of technology and constantly building expertise enables law firms to design custom-tailored solutions designed for cost efficiency and operational excellence.

Key Takeaway:  The problem is that this is easier said than done, but the actual mantra is not perfection; it is an iterative progression!

Leave a comment

Filed under Best Practices, eDiscovery, Information Management, law firm, Uncategorized

Meeting Modern Discovery Demands with RelativityOne Collect and X1

By John Patzakis

As we’ve all heard time and again, 2020 was a transformative year—and in our space, it has had a huge impact and really changed the way people work.

With widespread teams, evolving data types, growing data volumes, and deadlines getting shorter—well, the entire e-discovery process has the potential to spiral out of control.

But not for those who are well prepared to meet these modern challenges.

Here at X1, we’ve been working hard on giving modern organizations the technology they need to get data identified, collected, and ingested with maximum effectiveness for years. Now, with X1 integrated into RelativityOne via RelativityOne Collect, users of the industry-leading SaaS e-discovery platform can accomplish this in more targeted and faster ways than ever before.

Let’s take a look at what this integration means, and why it offers non-negotiable capabilities to today’s legal teams.

A Remote Workforce

Work from home has rapidly accelerated and will likely not dramatically reverse in the foreseeable future. Many of us will continue to work remotely for months to come—or perhaps permanently.

These trends were already ramping up, but 2020 hammered the accelerator on telecommuting and remote working. According to Global Workplace Analytics, before the COVID-19 pandemic, just 3.6 percent of US workers worked from home multiple days a week. That number is now estimated at 25-30 percent.

This may be a boon for work-life balance, but it poses big complications for data collection in response to litigation and investigations. Historically, this process has required disk imaging or other methods that often prompted collections to be performed in person. In a shared office, that might be easy to accomplish (in fact, it might be too easy, resulting in vast over-collections of data in many cases). But with everyone working from home and confronted by concerns about social distancing, travel restrictions, and possible quarantines, it quickly became untenable last year.

Thanks to those circumstances and the increased use of the cloud for data storage, demand for web-enabled collections is up—by a lot.

RelativityOne Collect gives legal teams the ability to index and search on data in place, analyze the contents of a data source, and categorize data quickly to identify what warrants collection and what can be eliminated—all before it’s pulled from the source and brought into a workspace, and from anywhere. Previously, RelativityOne Collect was able to directly connect with Office 365 and Slack sources to perform these remote collections; with the integration of X1’s innovative endpoint technology, Collect can now gather data from additional sources like email and files on laptops, servers, or network locations.

Then, the targeted data is seamlessly imported into Relativity—no extra processing, downloads, uploads, or risky data hand-offs required.

This means a streamlined process that can be performed from anywhere, on multiple custodians at a time, and across many of the most common data sources. Forward-thinking teams are saying goodbye to cumbersome and expensive ESI collection and processing tools in favor of this bright new world.

Proportional Data Decisions

Another trend that began to take hold over the last decade is the move toward targeted collections. Gone are the days when full disk imaging was standard practice. Today’s sources are far too densely packed with data to assume everything needs to be captured for every matter. Over-collecting means not just increased costs for data storage on your matters, but huge amounts of time wasted on reviewing unnecessary documents—and all of this adds up to proportionality violations.

The courts agree: Complete disk imaging is by and large unwarranted in civil litigation. (In particular, see Diepenhorst v. City of Battle Creek.)

Instead, what is needed is a middle ground approach in the form of a targeted, automated, and remote collection that provides documentation for defensibility and an emphasis on speed to review.

With traditional processes, there is an inability to quickly and remotely search across and access distributed unstructured data in-place. e-Discovery teams may end up spending weeks or more collecting data, with traditional workflows taking as long as 30 days to complete before data is available for review.

In addition to putting deadlines and case strategy efforts in jeopardy, these delays can increase the risk of errors and security vulnerabilities as data is moved between systems and team members rush to get things done. With X1 endpoint collections integrated into Collect, data can be accessed, searched upon, culled, and ingested directly into your review workspace with no go-betweens required—so your targeted data sets are defensible and in good hands from start to finish. Oh, and that 30 days is cut down to mere hours.

This enables much needed efficiencies in the e-discovery process in the face of growing data volumes, widespread teams and data sources, and diversified data types, because you can target which data you bring into your workspace before it’s published (and have detailed reports on those decisions to back up your final collection). You’ll see benefits not just in greater speed to review, but also greater speed in review, because you’ve eliminated a lot of inefficiencies from the get-go. Plus, you’re protecting potentially privileged or secret information that doesn’t need to be pulled into a project in the first place.

Process Democratization

Finally, there’s a third evolving trend in the collection space. For a long time, there has been a perception that doing collections is difficult, and requires a lot of specialized training or certifications. With the proliferation of the cloud and new data sources, however, this has started to shift. Most e-discovery cases do not require collection by a certified forensics examiner, especially since not every drive needs to be imaged. Instead, as the industry has moved more toward targeted collections, the accessibility of the process has greatly improved.

Additionally, today’s legal teams are under great pressure to do more with less—less money, less time, and less help. As a result, they need to be empowered to perform some collections themselves even if they don’t have that highest degree of training and expertise. Fortunately, cases using targeted e-discovery collections and collections from cloud sources don’t generally require such extensive training.

When organizations are given the tools to do some of this work internally, they can save forensic resources for when they’re truly needed (on really hairy or dicey matters).

RelativityOne Collect’s easy-to-use interface lets any individual perform those type of targeted e-discovery and cloud collections with minimal training. And as a growing number of organizations are experiencing a greater need to remotely collect from computer endpoints as well, Relativity and X1 have partnered to build an integration to help in-house teams do that, too. 

So, while numerous courts have held that custodian self-collection is simply not defensible, capable and well-equipped legal teams can and do collect data from custodians in a defensible and secure manner. Then, those same team members can take what they’ve learned from this at-a-glance view of the origins of their data sets, and bring that knowledge to the rest of the e-discovery or investigation project.

The result is streamlined, end-to-end e-discovery in a single, secure, and easy-to-use platform.

And we will be demonstrating this integration live on our February 24 joint webinar with Relativity: “RelativityOne Collect and X1: Streamlining the Global Collection Process.” Please join us by registering here.

This blog post is also prominently featured on the Relativity blog site here.

Leave a comment

Filed under eDiscovery & Compliance, Enterprise eDiscovery, Information Management, law firm, Preservation & Collection

Architecting a New Paradigm in Legal Governance

By Michael Rasmussen

Editor’s note: Today we are featuring a guest blog post from Michael Rasmussen, the GRC Pundit & Analyst at GRC 20/20 Research, LLC.

Exponential growth and change in business strategy, risks, regulations, globalization, distributed operations, competitive velocity, technology, and business data encumbers organizations of all sizes. Gone are the years of simplicity in business operations.

Managing the complexity of business from a legal and privacy perspective, governing information that is pervasive throughout the organization, and keeping continuous business and legal change in sync is a significant challenge for boards, executives, as well as the legal professionals in the legal department. Organizations need an integrated strategy, process, information, and technology architecture to govern legal, meet legal commitments, and manage legal uncertainty and risk in a way that is efficient, effective, and agile and extends into the broader enterprise GRC architecture.

In my previous blog, Operationalizing GRC in Context of Legal & Privacy: The Last Mile of GRC, I began this discussion, and here I aim to expound on it further from a legal context.

Legal today is more than legal matters, actions, and contracts. Today’s legal organization has to respond to incident/breach reporting and notification laws in a timely and compliant manner, respond to Data Subject Access Requests (DSAR), harmonize and monitor retentions obligations, conduct eDiscovery, manage legal holds on data, and continuously monitor regulations and legislation and apply them to a business context.

In today’s global business environment, a broad spectrum of economic, political, social, legal, and regulatory changes are continually bombarding the organization. The organization continues to see exponential growth of regulatory requirements and legal obligations (often conflicting and overlapping) that must be met, which multiply as the organization expands global operations, products, and services. This requires an integrated approach to legal governance, risk management, and compliance (GRC) with a goal to reliably achieve objectives while addressing uncertainty and act with integrity.[1] This includes adherence to mandatory legal requirements and voluntary organizational values and the boundaries each organization establishes. The legal department, with responsibility for understanding matter management, issue identification, investigations, policy management, reporting and filing, legal risk, and the regulatory obligations faced by the organization, is a critical player in GRC (what is understood as Enterprise or Integrated GRC), as well as improving GRC within the legal function itself.

A successful legal management information architecture will be able to connect information across risk management and business systems. This requires a robust and adaptable legal information architecture that can model the complexity of legal information, discovery, transactions, interactions, relationship, cause and effect, and the analysis of information, which can integrate and manage a range of business systems and external data. Key to this information architecture is a clear data inventory and map of information that informs the organization of what data it has, who in the organization owns it, what regulatory retention obligations are attached to it, and what third parties have access to it. This is a fundamental requirement for applying process and effectively operationalizing an organization’s GRC activities, as detailed in the previous blog.

There can and should be an integrated technology architecture that extends GRC technology and operationalizes it in a legal and privacy context. This connects the fabric of the legal processes, information, discovery, and other technologies together across the organization. This is a hub of operationalizing GRC and requires that it be able to integrate and connect with a variety of other business systems, such as specialized legal discovery solutions and integrate with broader enterprise GRC technology.

The right technology architecture choice for an organization involves the integration of several components into a core enterprise GRC and Legal GRC architecture – which can facilitate the integration and correlation of legal information, discovery, analytics, and reporting. Organizations suffer when they take a myopic view of GRC technology that fails to connect all the dots and provide context to discovery, business analytics, objectives, and strategy in the real-time that a business operates in. 

Extending and operationalizing GRC processes and technology in context of legal and privacy enables the organization to use its resources wisely to prevent undesirable outcomes and maximize advantages while striving to achieve its objectives. A key focus is to provide legal assurance that processes are designed to mitigate the most significant legal issues and are operating as designed. Effective management of legal risk and exposure is critical to the board and executive management, who need a reliable way to provide assurance to stakeholders that the enterprise plans to both preserve and create value. Mature GRC enables the organization to weigh multiple inputs from both internal and external contexts and use a variety of methods to analyze legal risk and provide analytics and modeling.


[1] This is the OCEG definition of GRC.

Leave a comment

Filed under Best Practices, CaCPA, eDiscovery & Compliance, GDPR, Information Governance, Information Management, Uncategorized

Operationalizing GRC in Context of Legal & Privacy: The Last Mile of GRC

By Michael Rasmussen

Editor’s note: Today we are featuring a guest blog post from Michael Rasmussen, the GRC Pundit & Analyst at GRC 20/20 Research, LLC.

At its core, GRC is the capability to reliably achieve objectives [GOVERNANCE], address uncertainty [RISK MANAGEMENT], and act with integrity [COMPLIANCE]. GRC is something organizations do, not something they purchase. They govern, they manage risk, and they comply with obligations. However, there is technology to enable GRC related processes, such as legal and privacy, to be more efficient, effective, and agile.

However, too often the focus on GRC technology is limited to the process management of forms, workflow, tasks, and reporting. These are critical and important elements, but the role of technology for GRC is so much broader to operationalize GRC activities that are labor intensive, particularly in the context of legal and privacy. Simply managing forms, workflow, and tasks are no longer enough. Organizations need to start thinking how they can integrate eDiscovery and data/information governance solutions within their core GRC architecture.

What is needed is the ability to search, find, monitor, interact, and control data throughout the business environment. GRC platforms are excellent at managing forms, workflow, tasks, analytics, and reporting. But behind the scenes there are still labor-intensive tasks or disconnected solutions that actually find, control, and assess the disposition of sensitive data in the enterprise. eDiscovery and information governance solutions have been disconnected and not strategically leveraged for GRC purposes. Together, the core GRC platform that integrates with eDiscovery and information governance technologies builds exponential economies in efficiency, effectiveness, and agility.

Specifically, an integrated GRC solution that weds the core GRC platform with eDiscovery and information governance technology delivers full value to an organization that:

  • Discovers the attributes and metadata of data no matter where it lives within the environment as a key component of GRC processes for legal and privacy compliance.
  • Enables 360° awareness to assessments by discovering the information needed to conduct and deliver assessments effectively into the core GRC platform.
  • Delivers a centralized console to interact with data/information and metadata of files on devices across the organization (such as network file shares, OneDrive, and Dropbox data).
  • Automates the ability to interact with downstream endpoints/systems to provide the ability to search the content of records for keywords and perform analysis using regular expressions and classifiers.
  • Controls data wherever it is with the ability to get to the data and analyze it from a centralized console.

An integrated approach that brings together the core GRC platform with eDiscovery and information governance technology enables the organization to discover, manage, monitor, and control data right from the central GRC platform console. It enables the organization to get centralized and accessible insight into where sensitive information is, how it is being used, and what can be done with it.

  • For example. Within the GRC platform I can initiate a search based on key words or patterns (e.g., social security number). The eDiscovery/information governance solution then finds where that information is throughout the enterprise and delivers a list of records back to the GRC platform for analysis and monitoring.

This enables an integrated GRC architecture that brings 360° contextual awareness into information across the enterprise. It delivers enhanced efficiency in time saved and money saved chasing information through disconnected solutions and processes, it provides greater effectiveness through insight and control of information and enables greater agility across a dynamic environment to be responsive to issues of information governance. Together, a GRC platform with eDiscovery/information governance capabilities enables and delivers more complete and accurate data governance and privacy assessments, integrated findings, with the ability to manage remediation tasks from one central place.

Leave a comment

Filed under Best Practices, CaCPA, Data Audit, eDiscovery & Compliance, GDPR, Information Governance, Information Management

CCPA and GDPR UPDATE: Unstructured Enterprise Data in Scope of Compliance Requirements

An earlier version of this article appeared on Legaltech News

By John Patzakis

A core requirement of both the GDPR and the similar California Consumer Privacy Act (CCPA), which becomes enforceable on July 1, is the ability to demonstrate and prove that personal data is being protected. This requires information governance capabilities that allow companies to efficiently identify and remediate personal data of EU and California residents. For instance, the UK Information Commissioner’s Office (ICO) provides that “The GDPR places a high expectation on you to provide information in response to a SAR (Subject Access Request). Whilst it may be challenging, you should make extensive efforts to find and retrieve the requested information.”CCPA GDPR

However, recent Gartner research notes that approximately 80% of information stored by companies is “dark data” that is in the form of unstructured, distributed data that can pose significant legal and operational risks. With much of the global workforce now working remotely, this is of special concern and nearly all the company data maintained and utilized by remote employees is in the form of unstructured data. Unstructured enterprise data generally refers to searchable data such as emails, spreadsheets and documents on laptops, file servers, and social media.

The GDPR

An organization’s GDPR compliance efforts need to address any personal data contained within unstructured electronic data throughout the enterprise, as well as the structured data found in CRM, ERP and various centralized records management systems. Personal data is defined in the GDPR as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Under the GDPR, there is no distinction between structured versus unstructured electronic data in terms of the regulation’s scope. There is a separate guidance regarding “structured” paper records (more on that below). The key consideration is whether a data controller or processor has control over personal data, regardless of where it is located in the organization. Nonetheless, there is some confusion about the scope of the GDPR’s coverage across structured as well as unstructured electronic data systems.

The UK ICO is a key government regulator that interprets and enforces the GDPR, and has recently issued important draft guidance on the scope of GDPR data subject access rights, including as it relates to unstructured electronic information. Notably, the ICO notes that large data sets, including data analytics outputs and unstructured data volumes, “could make it more difficult for you to meet your obligations under the right of access. However, these are not classed as exemptions, and are not excuses for you to disregard those obligations.”

Additionally the ICO guidance advises that “emails stored on your computer are a form of electronic record to which the general principles (under the GDPR) apply.” In fact, the ICO notes that home computers and personal email accounts of employees are subject to GDPR if they contain personal data originating from the employers networks or processing activities. This is especially notable under the new normal of social distancing, where much of a company’s data (and associated personal information) is being stored on remote employee laptops.

The ICO also provides guidance on several related subjects that shed light on its stance regarding unstructured data:

Archived Data: According to the ICO, data stored in electronic archives is generally subject to the GDPR, noting that there is no “technology exemption” from the right of access. Enterprises “should have procedures in place to find and retrieve personal data that has been electronically archived or backed up.” Further, enterprises “should use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes.”

Deleted Data: The ICO’s view on deleted data is that it is generally within the scope of GDPR compliance, provided that there is no intent to, or a systematic ability to readily recover that data. The ICO says it “will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously ‘deleted’ personal data held in electronic form. We do not require organisations to use time and effort reconstituting information that they have deleted as part of their general records management.”

However, under this guidance organizations that invest in and deploy re-purposed computer forensic tools that feature automated un-delete capabilities may be held to a higher standard. Deploying such systems can reflect intent to as well as having the systematic technical ability to recover deleted data.

Paper Records: Paper records that are part of a “structured filing system” are subject to the GDPR. Specifically, if an enterprise holds “information about the requester in non-electronic form (e.g. in paper files or on microfiche records)” then such hard-copy records are considered personal data accessible via the right of access,” if such records are “held in a ‘filing system.” This segment of the guidance reflects that references to “unstructured data” in European parlance usually pertains to paper records. The ICO notes in separate guidance that “the manual processing of unstructured personal data, such as unfiled handwritten notes on paper” are outside the scope of GDPR.

GDPR Article 4 defines a “filing system” as meaning “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.” The only form of “unstructured data” that would not be subject to GDPR would be unfiled paper records like handwritten notes or legacy microfiche.

The CCPA  

The California Attorney General (AG) released a second and presumably final round of draft regulations under the California Consumer Privacy Act (CCPA) that reflect how unstructured electronic data will be treated under the Act. The proposed rules outline how the California AG is interpreting and will be enforcing the CCPA. Under § 999.313(d)(2), data from archived or backup systems are—unlike the GDPR—exempt from the CCPA’s scope, unless those archives are restored and become active. Additional guidance from the Attorney General states: “Allowing businesses to delete the consumer’s personal information on archived or backup systems at the time that they are accessed or used balances the interests of consumers with the potentially burdensome costs of deleting information from backup systems that may never be utilized.”

What is very notable is that the only technical exception to the CCPA is unrestored archived and back-up data. Like the GDPR, there is no distinction between unstructured and structured electronic data. In the first round of public comments, an insurance industry lobbying group argued that unstructured data be exempted from the CCPA. As reflected by revised guidance, that suggestion was rejected by the California AG.

For the GDPR, the UK ICO correctly advises that enterprises “should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract information requested by the data subjects whose personal data you process and redact third party data where it is deemed necessary.” This is why Forrester Research notes that “Data Discovery and Classification are the foundation for GDPR compliance.”

Establish and Enforce Data Privacy Policies

So to achieve GDPR and CCPA compliance, organizations must first ensure that explicit policies and procedures are in place for handling personal information. Once established, it is important to demonstrate to regulators that such policies and procedures are being followed and operationally enforced. A key first step is to establish a data map of where and how personal data is stored in the enterprise. This exercise is actually required under the GDPR Article 30 documentation provisions.

An operational data audit and discovery capability across unstructured data sources allows enterprises to efficiently map, identify, and remediate personal information in order to respond to regulators and data subject access requests from EU and California citizens. This capability must be able to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of weeks or months as is the case with traditional crawling tools. This includes laptops of employees working from home.

These processes and capabilities are not only required for data privacy compliance but are also needed for broader information governance and security requirements, anti-fraud compliance, and e-discovery.

Implementing these measures proactively, with routine and consistent enforcement using solutions such as X1 Distributed GRC, will go a long way to mitigate risk, respond efficiently to data subject access requests, and improve overall operational effectiveness through such overall information governance improvements.

Leave a comment

Filed under CaCPA, compliance, Corporations, Cyber security, Cybersecurity, Data Audit, GDPR, Information Governance, Information Management, Uncategorized