Category Archives: Uncategorized

eDiscovery Veteran Craig Carpenter Joins X1 as CEO

Today we have some very exciting news: Craig Carpenter has joined X1 as our new CEO. Craig is a seasoned and experienced executive in the eDiscovery and information governance arena, holding several senior executive positions throughout his impressive career, including CEO, EVP of Sales, CMO, COO, and General Counsel.  Craig was an early executive team member of one of the pioneers of eDiscovery software, Recommind, and a key part of that story from startup to creation of an industry-leading brand.  Craig Carpenter 250 sq

Most recently Craig was CEO of Fronteo, which he joined after running sales at Kroll Ontrack. He now brings his proven, customer-centric approach to X1. What I especially like about Craig is his track record as a thought leader and innovator in the legal technology arena. Here is what another thought leader, UK lawyer and renowned eDiscovery expert Chris Dale said last year on his blog, The eDisclosure Project, about Craig:

“Craig Carpenter was personally responsible for much of Recommind’s success in promoting its expertise at predictive coding. This was a tough sell in those days when it was new, and Craig Carpenter tackled the promotional task with vigour. He was also the first person I heard (at a conference in Hong Kong) predict that analytics had a big future role to play in information governance, something which reached fruition when, a long time later, OpenText added Recommind to its stable with precisely that intention in mind.”

I couldn’t agree more. In fact, Craig will be weighing in on very soon with a blog post of his own on why he came to X1, which will include further insight into what Chris Dale says above, so stay tuned. Craig is a central part of X1’s recent growth and expansion. Our X1 eDiscovery and information governance platform has caught fire, fueled in part by our game-changing alliance with Relativity announced earlier this summer. And LegalTech News weighed in today about Craig, noting that “there are few people more equipped to predict the future of e-discovery.” In his interview with Legaltech News, Carpenter said X1’s position aligns well of with his vision of the e-discovery marketplace, where the goal is to “move the strategy formation phase up to the beginning, as opposed to later in the process.”

Besides being a well-known thought leader in eDiscovery, Craig also has forensic technology experience as he served as Chief Marketing Officer and COO of AccessData. Craig began his career as a practicing attorney. He earned both his Juris Doctor and MBA from Santa Clara University (my law school alma mater) and completed his undergraduate studies at UCLA, where he played quarterback on the Bruins’ Pac-10 championship football team. A team, which I might add, could really use his help this season, but I digress.

And speaking of interesting blog posts, look for even more quality content on this site as Craig will be a featured co-blogger going forward. For now, I am very excited to welcome Craig onboard to take the X1 helm!

Leave a comment

Filed under compliance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, Uncategorized

Dark Web Evidence Critical to all Cyber Investigations and Many eDiscovery matters

The dark web is a component of the World Wide Web that is only accessible through special software or configurations, allowing users and website operators to remain anonymous or untraceable. The dark web forms a small part of the deep web, which is the part of the Web not indexed by web search engines. The dark web has gained more notoriety over the past few years and several large criminal investigations have resulted in seizures of both cryptocurrencies and dark web pages and sites. Criminal enterprises involving counterfeiting, hacking, ID and IP theft, narcotics, child pornography, human trafficking, and even murder for hire seek a haven in the mist of encrypted communications and payment, such as Bitcoin, to facilitate their nefarious schemes. dark web

While mining the dark web is critical for many law enforcement investigations, we are also seeing increased focus on this important evidence in civil litigation. Fero v. Excellus Health Plan, Inc., (Jan. 19, 2018, US Dist Ct, NY), is one recent example. Fero arises out of a data breach involving healthcare provider Excellus Health Plan, Inc. According to the complaint, hackers breached Excellus’s network systems, gaining access to personal information millions of individuals, including their names, dates of birth, social security numbers, credit card numbers, and medical insurance claims information. The Plaintiffs brought a class action asserting claims under various federal and state laws.

Initially, the court dismissed the plaintiffs’ case, citing a failure to establish damages and actual misuse by the hackers who allegedly stole their information. However, after conducting a more diligent investigation, the plaintiffs submitted with their motion for reconsideration evidence that the plaintiffs’ PII was placed on the dark web.  This evidence was summarized in an expert report providing the following conclusion:  “it is my opinion to a reasonable degree of scientific certainty that PII and PHI maintained on the Excellus network was targeted, collected, exfiltrated, and put up for sale o[n] DarkNet by the attacker for the purpose of, among other things, allowing criminals to purchase the PII and PHI to commit identity theft.”  Fero, at 17.  Based on this information, the court granted the motion for reconsideration and denied the defendant’s motion to dismiss. In other words, the dark web evidence was game-changing in this high-profile class action suit.

Cases like Fero v. Excellus Health Plan illustrate that dark web evidence is essential for criminal and civil litigation matters alike. Dark Web investigations do require specialized knowledge and tools to execute. For instance, X1 Social Discovery can be easily configured to conduct such dark web investigation and collections.

Recently, Joe Church of Digital Shield led a very informative and instructive webinar on this topic. Joe is one of the most knowledgeable people that I’m aware of out there on dark web investigations, and his detailed presentation did not to disappoint. Joe’s presentation featured a concise overview of the dark web, how its used, and how to navigate it. He included a detailed lesson on tools and techniques needed to search for and investigate key sources of evidence on the dark web. This webinar is a must see for anyone who conducts or manages dark web investigations. Joe also featured a section on how to specifically utilize X1 Social Discovery to collect, search and authenticate dark web evidence. You can review this very informative 30 minute training session (no sign in required) by visiting here.

Leave a comment

Filed under Uncategorized, Case Law, Cloud Data, Preservation & Collection, Best Practices, Social Media Investigations, Case Study, eDiscovery, dark web

When your “Compliance” and eDiscovery Processes Violate the GDPR

Time to reevaluate tools that rely on systemic data duplication

The European Union (EU) General Data Protection Regulation (GDPR) became effective in May 2018. To briefly review, the GDPR applies to the processing of “personal data” of EU citizens and residents (a.k.a. “data subjects”).” Personal data” is broadly defined to include “any information relating to an identified or identifiable natural person.” That could include email addresses and transactional business communications that are tied to a unique individual. GDPR is applicable to any organization that provides goods and services to individuals located in the EU on a regular enough basis, or maintains electronic records of their employees who are EU residents.

In additional to an overall framework of updated privacy policies and procedures, GDPR requires the ability to demonstrate and prove that personal data is being protected. Essential components for such compliance are data audit and discovery capabilities that allow companies to efficiently search and identify the information necessary, both proactively, and also reactively to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement through an effective eDiscovery information governance platform.

However, some content management and archiving tool providers are repurposing their messaging with GDPR compliance. For example, an industry executive contact recently recounted a meeting with such a vendor, where their tool involved duplicating all of the emails and documents in the enterprise and then migrating all those copies to a central server cluster. That way, the tool could theoretically manage all the documents and emails centrally. Putting aside the difficulty of scaling up that process to manage and sync hundreds of terabytes of data in a medium-sized company (and petabytes in a Fortune 500), this anecdote underscores a fundamental flaw in tools that require systemic data duplication in order to search and manage content.

Under the GDPR, data needs to be minimized, not systematically duplicated en masse. It would be extremely difficult under such an architecture to sync up and remediate non-compliant documents and emails back at the original location. So at the end the day, this proposed solution would actually violate the GDPR by making duplicate copies of data sets that would inevitably include non-compliant information, without any real means to sync up remediation.Desktop_virtualization

The same is true for the much of the traditional eDiscovery workflows, which require numerous steps involving data duplication at every turn. For instance, data collection is often accomplished through misapplied forensic tools that operate by a broadly collecting copies through over collection. As the court said in In re Ford Motor Company, 345 F.3d 1315 (11th Cir. 2003): “[E]xamination of a hard drive inevitably results in the production of massive amounts of irrelevant, and perhaps privileged, information…” Even worse, the collected data is then re-duplicated one or often two more times by the examiner for archival purposes. And then the data is sent downstream for processing, which results in even more data duplication. Load files are created for further transfers, which are also duplicated.

Chad Jones of D4 explains on a recent webinar and in his follow-on blog post about how such manual and inefficient handoffs throughout the discovery process greatly increase risk as well as cost. Like antiquated factories spewing tons of pollution, outdated eDiscovery processes spin out a lot of superfluous data duplication. Much of that data likely contains non-compliant information, thus “polluting” your organization, including through your eDiscovery services vendors, with increased GDPR and other regulatory risk.

In light of the above, when evaluating your compliance and eDiscovery software, organizations should keep in mind these five key requirements to keep in line with GDPR and good overall information governance:

  1. Search data in place. Data on laptops and file servers need to be in searched in place. Tools that require copy and migration to central locations to search and manage are part of the problem, not the solution.
  1. Delete Data in Place. GDPR requires that non-compliance data be deleted on demand. Purging data on managed archives does not suffice if other copies are on laptops, unmanaged servers and other unstructured sources. Your search in place solution should also delete in place.
  1. Data Minimization. GDPR requires that organizations minimize data as opposed to exploding data through mass duplication.
  1. Targeted and Efficient Data Collection: Only potentially relevant data should be collected for eDiscovery and data audits. Over-collection leads to much greater cost and risk.
  1. Seamless integration with attorney review platforms, to bypass the processing steps which requires manual handoffs and load files.

X1 Data Audit & Compliance is a ground-breaking platform that meets these criterion while enabling system-wide data discovery supporting GDPR and many other information governance requirements.   Please visit here to learn more.

Leave a comment

Filed under Best Practices, compliance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management, Uncategorized

Live Demo of Relativity and X1 Integration Creates Significant Buzz

Last week we hosted a webinar with Relativity and D4, which highlighted the very compelling integration of our X1 Data Insight and Collection solution with the Relativity platform, including RelativityOne.  This integration is important as it provides game-changing efficiencies in the eDiscovery process by accelerating speed to review, and enabling more intelligent decision making.

The webinar featured live demonstration showing X1 quickly collecting data across multiple custodians and seamlessly importing that data into RelativityOne in less than two minutes.

This tweet from D4 is representative of the public and private reactions we received:

D4 Tweet July 18 v3

With the ability to search and collect emails and documents across up to thousands of endpoints and network sources with industry-leading speed, X1 Insight and Collection revolutionizes enterprise eDiscovery. For example, X1 empowers legal and consulting teams to iterate their search parameters in real time before collection, providing a revolutionary true pre-collection early case assessment capability. Additionally, with its intelligent collection capability, X1 performs instantaneous data processing (culling, de-duplication, text and metadata extraction, etc) in a fully automated manner.

Webinar speaker and D4 Director Chad Jones reported on his blog post that “In a matter of a few minutes X1 collected, processed, uploaded and published data from 5 custodians into a Relativity One (Relativity’s cloud offering) workspace. This functionality, built into a collection tool, has a chance to revolutionize the current eDiscovery process by collapsing the many hand-offs built into the current EDRM into a few short steps managed by one or two people.”

Barry O’Melia, a senior product manager at Relativity, advised the webinar attendees that “when we were planning the webinar I said that I wanted us to do a live demo into an empty Relativity workspace, as it is unbelievable without seeing it with your own eyes.”

The X1 and Relativity integration addresses several pain points in the existing eDiscovery process. For one there, is currently an inability to quickly search across all unstructured data, meaning eDiscovery teams have to spend weeks or even months to collect data as required by other cumbersome solutions. Additionally, using ESI processing methods that involve appliances that are not integrated with the collection will significantly increase cost and time delays.

So in terms of the big picture, with this integration providing a complete platform for efficient data search, eDiscovery and review across the enterprise, organizations are going to save a lot of time, save a lot of money, and be able to make faster and better decisions. When you accelerate the speed to review and eliminate over collection, you are going to have much better early insight into your data and increase efficiencies on many levels.

View the on-demand webinar see first hand the capabilities of X1 and Relativity by clicking here.

Leave a comment

Filed under Uncategorized

Assessing GDPR 30 Days In: A Report from the Field

Enforcement of the EU General Data Protection Regulation (GDPR) began May 25, 2018, and this new development is significantly reshaping the information governance landscape for organizations worldwide that control, process or store the data of European residents. Yesterday, X1 hosted a live webinar featuring GDPR experts Jay Kramer, a partner at Lewis Brisbois in the firm’s cybersecurity and privacy group, and Marty Provin, executive vice president at Jordan Lawrence.

Kramer provided a “battlefield report” about what he is seeing from the field and hearing from his various clients, with three main observations:

  1. Many are still late to the game. Kramer noted that he has several clients contacting him well after the May 25 enforcement date to begin the process of GDPR compliance.
  1. GDPR compliance maps to best practices. Becoming GDPR ready is a good business decision because it establishes transparency, data privacy and security processes that companies should be doing anyway.
  1. Now that the law has gone into effect, organizations that have been proactive are quickly transitioning from readiness to operational compliance and enforcement. For instance, many organizations are finding themselves responding to data subject access requests.

Kramer also noted that while much focus has been on potential fines levied under GDPR, organizations need to be aware that individuals can file complaints with the supervisory authorities under article 77, or even bring their own private actions, citing article 82. These claims have already been brought in the form of class actions, and Kramer expressed concern that many more claims could be fanned by “privacy trolls” – similar in concept to “patent trolls” – or by disgruntled customers or ex-employees.

Marty Provin outlined the importance of information governance and data classification in support GDPR compliance, especially from a standpoint of the need to operationalize policies and procedures in order to identify non-compliant data throughout your organization, and properly respond to regulatory requirements and data subject access requests. Kramer seconded that point, noting that the GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise and be able to remove or minimize it when required.

This readiness is achieved through planning, data mapping, and data classification. Provin provided an informative overview of these processes, based upon his extensive experience implementing such best practices for his clients over the past 20 years. Marty observed that it is also important to have a solution like X1 Data Audit and Compliance to search and identify documents, emails and other records across your enterprise that are non-compliant with GDPR. Such a capability is essential to address both the proactive and reactive components of GDPR.

The final segment of the webinar included a live demonstration of a proactive data audit across numerous computers to find PII of EU data subjects. The second half of the demonstration illustrated an effective response to an actual data subject access request in the form of a request by an individual to have their data erased.

In addition to comprehensive search, the demo highlighted the ability of X1 to also report in a detailed fashion and then take action on identified data by migrating it or even delete in place, including within email containers.

A recording of this informative and timely webinar is available for viewing here.

 

 

Leave a comment

Filed under Best Practices, eDiscovery & Compliance, GDPR, Information Governance, Records Management, Uncategorized