GDPR Provides a Private Right of Action. Here’s Why That’s Important.

As the world approaches the May 25, 2018 GDPR enforcement date, some organizations are still adapting a wait and see approach, while many others are preparing with a palpable sense of urgency. Gartner published a study reporting that over 50% of companies affected by GDPR will not meet the May deadline. And then there are some pundits who are predicting Armageddon. While the Armageddon forecasts are premature, I do not see a lot of awareness, even among some legal privacy lawyers, of the private right action afforded under the GDPR.

A very important dynamic of the GDPR is that the private citizens of the European Union will have an active role in its enforcement. Unlike many regulatory regimes, where a relatively small handful of government regulators infrequently enforce the rules, organizations that store information on EU citizens will face about 300 million regulators, which is a rough figure of the adult population in the EU. These citizens can make requests at any time to have data deleted in place through the right of erasure as well as make other requests regarding the usage of their personal data.

Even more importantly, the GDPR provides a mechanism for a private right of action under Article 82(1).  And Article 80(2) provides that “[T]he data subject shall have the right to mandate a not-for-profit body, organisation or association …. to lodge the complaint on his or her behalf.”

Regulations which provide a private right of action, including the ability to bring a class action law suit, are exponentially more impactful than the vast majority of regulations which do not.

European privacy lawyer and activist Max Schrems — fresh off his major legal victory resulting the safe harbor provisions in the data transfer arrangement between the EU and US being struck down in 2015 — is running a crowdfunding campaign to set up a not-for-profit privacy enforcement organization to take advantage of the GDPR right of private action provisions to pursue class-action style litigation. Shrems’ NGO, — called noyb; short for: ‘none of your business’ — is being made possible because GDPR allows for collective enforcement of individuals’ data rights.

Mr. Schrems told the Financial Times the organization would help consumers fight for their rights and encourage whistleblowers inside tech companies to speak out. “It makes sense to have a single EU hub to act as a coordinator to connect existing resources, ensure actions are effective and strategic, and ensure efforts and resources are not duplicated,” he said. In other public statements, Schrmes noted that his organization will enable class-action style GDPR claims in order “to enforce your rights individually. The only way to do that is to collectivise it through a rights organisation to get things done as we have in the past with consumer rights.” Schrems and his partners believe that having a single NGO at an EU level with the necessary expertise, experience and connections is far more efficient than lots of individual ones.

These developments concerning a possible torrent of private GDPR claims heighten the urgency and expected impact of the law. In terms of readiness, a mandatory aspect of GDPR compliance is the ability to demonstrate and prove that personal data is being protected, requiring information governance capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement. To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results regarding PII leakage within minutes instead of days or weeks. The need for such an operational capability is further heighted by the urgency of GDPR compliance.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too illusive actual compliance with information governance programs, including GDPR.

Leave a comment

Filed under Comliance, Cybersecurity, Records Management, Uncategorized

Why the GDPR Will Transform Information Governance

I recall a notable meeting with an in-house litigation counsel at a large company circa 2005 when the concept of enterprise eDiscovery began to gain traction. The lawyer was gearing up for the then-upcoming 2006 amendments Federal Rules of Civil Procedure, and she brought in the company’s Chief Compliance Officer and his team to enlist their assistance.

The compliance team presented a demo of their internal enterprise dashboard, which mapped the company’s policies and procedures, such as document retention. The dashboard tracked compliance with those policies through a litany of impressive charts and color-coded indicators. However, at the end of the demo, the in-house counsel quipped (and I am paraphrasing here), “this is all good, but when opposing counsel serves us with a subpoena to produce specific emails and documents relevant to a litigation matter, we can’t respond by pointing to green lights on a compliance dashboard. We have to comply by actually producing the responsive emails and documents.”

I was reminded of this exchange when reading a practice update from the law firm of DLA Piper on the GDPR, which states: “The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organisations to completely transform the way that they collect, process, securely store, share and securely wipe personal data (emphasis added).”

Translation: written polices, compliance dashboards and data mapping are very important first steps, but organizations are going to have to actually comply with the GDPR in a systematic and operational manner. And as such, many organizations will have to transform their information governance programs (and thinking) with a focus on such operational execution and enforcement of existing policies.

DLA Piper also references a very important dynamic of the GDPR in that the private citizens of the European Union will have active role in its enforcement. Unlike many regulatory regimes, where a relatively small handful of government regulators infrequently enforce the rules, organizations that store information on EU citizens will face about 300 million regulators, which is a rough figure of the adult population in the EU. These citizens can make requests at any time to have data deleted in place through the right to be forgotten as well as make other requests regarding the usage of their personal data.

Even more importantly, the GDPR provides a means for a private right of action under Article 82(1). Regulations which provide a private right of action, including the ability to bring a class action law suit, are exponentially more impactful than the vast majority of regulations which do not.

A mandatory aspect of GDPR compliance is the ability to demonstrate and prove that personal data is being protected, requiring information governance capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement. To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results regarding PII leakage within minutes instead of days or weeks. The need for such an operational capability is further heighted by the urgency of GDPR compliance.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too illusive actual compliance with information governance programs, including GDPR.

Leave a comment

Filed under Comliance, Uncategorized

Practice Tool: Sample FRE 902(14) Certification to Authenticate Social Media Evidence

Update: Law Firm Baker Hostetler has posted a good 902(14) model certification as well.

As part of our continuing coverage of Federal Rule of Evidence 902(14), which goes into effect on Friday December 1, 2017, we will be making available further resources and analysis over the next few weeks in support of this new and important development. To review, FRE 902(14) provides that electronic data recovered “by a process of digital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed. Instead, such properly collected electronic evidence can be certified through a written declaration by a “qualified person.” This rule will have a significant impact on computer forensics and eDiscovery collection practices. A detailed discussion of Rule 902(14) can be found here.

Today we are providing an example of a Rule 902(14) certification for the authentication of social media evidence collected by X1 Social Discovery. This sample document is for general information purposes only. Your use of this example 902(14) certification is at your own risk, and you should not use this sample documents without first seeking professional legal advice. The provision of this sample document (and the document itself) does not constitute legal advice or opinions of any kind. So with those legal disclaimers, here is the sample 902(14) certification:

Certification under Federal Rule of Evidence 902(14)

(Example Only for demonstration purposes)

 

I, __________________, hereby declare and certify:

 

  1. I am currently a (paralegal) (computer forensic specialist) (electronic discovery specialist) employed by “My Organization” (“My Organization”). My Organization specializes in the discovery, collection, investigation, and production of electronic information for investigating and handling computer-related crimes and misuse as well as for in support of discovery for civil litigation matters. I am responsible for conducting computer forensic investigations and providing electronic discovery and litigation support.

 

  1. I have participated in more than 100 investigations and preservation efforts from social media sites and other Internet websites, and was the lead on approximately 20 of those investigations. These investigations involved finding relevant electronic information in support of internal investigations, civil litigation and criminal matters. In the course of these investigations, I was responsible for performing in-depth analyses and providing documentation and related materials in support of criminal and civil matters for law firms/litigation support consulting firms, (or for law enforcement agencies at the federal and local level)

 

  1. I have accumulated extensive experience in the identification, preservation, retrieval, analysis, and documentation of computer-related information, including both data at rest and social media evidence and other internet based electronic evidence in support of computer investigations and ongoing litigation matters.

 

  1. I am a licensed user of X1 Social Discovery (“X1”), the leading software used by law firms, law enforcement, government regulatory agencies and litigation support consultants world-wide. X1 Social Discovery is available for purchase by the general public and is generally accepted in the eDiscovery and computer investigation industry. X1 Social Discovery aggregates comprehensive social media content and web-based data into a single user interface, while preserving critical metadata not possible through image capture “screenshot”, or simple computer screen printouts.

 

  1. X1 Social Discovery includes an automated function to generate an MD5 “hash value” immediately upon the collection of an item of social media evidence or a webpage. The Committee notes to Federal Rule of Evidence 902(14) define a hash value as follows: “Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates.”

 

  1. X1 Discovery, Inc., the software company that develops X1 Social Discovery, makes freely available a separate hash value verification software utility that will recalculate the hash value of an item of electronic evidence that was previously collected by X1 Social Discovery to verify that the evidence has not changed since it was collected by X1. If the “verification” hash value generated by the verification utility is the same as the hash value originally calculated by X1 Social Discovery at the time of the acquisition of the item of electronic evidence, then the identical hash values reliably attest to the fact that the evidence, and any exact duplicates thereof, have not changed.

 

  1. I was retained by attorneys for Defendants to provide examination, preservation and analysis of social media evidence in the present case. Pursuant to this request I collected numerous social media evidence from Twitter, Instagram, and Facebook using the X1 Social Discovery software. Attached as Exhibit “A” are the following items of social media evidence:

 

  1. A Facebook post that was publicly available on Plaintiff’s Facebook dated July 10, 2017, which was acquired by me on September 3, 2017 at 3:45pm.
  2. A Twitter post (Tweet) that was publicly available on Acme company’s Twitter feed dated July 13, 2017, which was acquired by me on September 3, 2017 at 3:48pm.
  3. An Instagram post that was publicly available on Plaintiff’s spouses’ Instagram feed dated July 18, 2017, which was acquired by me on September 3, 2017 at 3:55pm.

 

  1. When the items described above were acquired by X1 Social Discovery, the software automatically generated and assigned a hash value based upon the contents of the evidence. This is termed the “acquisition hash.” Using the hash value verification software utility, I recalculated the hash value of the 3 items listed above, on 12/4/17, shortly before I prepared this declaration. The verification hash in all instances were the same as the acquisition hash value, as set forth in the following table:

902 Certification Table

  1. The identical hash values reliably attest to the fact that the evidence has not changed.

 

I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed this _th day of December 2017 in Los Angeles, California.

 

 

______________________

Signature of Declarant

 

Download a copy of this example Certification here >

Leave a comment

Filed under Authentication, Best Practices, Social Media Investigations, Uncategorized

GDPR Compliance Requires Effective Enterprise eDiscovery Search and Analysis Capabilities

The European General Data Protection Regulation (GDPR), which will be in full force in May 2018, promises to profoundly impact global organizations, requiring the overhaul of their data audit and information governance processes. The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required.

GDPR-stampGDPR’s potentially significant penalties, which can be up to 4% of total global revenues or 20 million euro (whichever is greater), clearly have teeth and are intended to attain meaningful compliance.  However, The CXP Group, a leading IT research firm notes in an industry report that, “compliance with GDPR will only be legally (effectuated) if an organization is able to identify exactly where data is.”

Under the GDPR, a European resident can request — effectively on a whim — that all data an enterprise holds on them be identified and also be removed. Organizations will be required to establish a capability to respond to such requests. Actual demonstrated compliance will require the ability to search across all data sources in the enterprise for data, including distributed unstructured data located on desktops and file servers.

The GDPR specifies processes and capabilities organizations must have in place to ensure the personal data of EU residents is secure, accessible, and can be identified upon request. Its articles and principles set out several obligations organizations will need to address, including the points enumerated below. These requirements can only be complied with through an effective enterprise eDiscovery search capability:

  • Data minimization: Enterprises should only collect and retain as little personal data on EU subjects as possible. Corporate privacy attorneys advising clients on GDPR and EU privacy shield compliance, note that unauthorized “data stashes” maintained by employees on their distributed unstructured data sources is a key problem, requiring companies to search all endpoints to identify information including European phone numbers, European email address domains and other personal identifiable information.
  • Enforcement of Right to be forgotten: An individual’s personal data must be identified and deleted on request.
  • Effective incident response: If there is a compromise of personal data, an organization must have the ability to perform enterprise-wide data searches to determine and report on the extent of such breaches and resulting data compromise within seventy-two (72) hours.
  • Accountability: Log and provide audit trails for all personal data identification requests and remedial actions.
  • Enterprise-wide data audit: Identify the presence of personal data in all data locations and delete unneeded copies of personal data.

A mandatory aspect of GDPR compliance is the ability to demonstrate and prove that personal data is being protected, requiring information governance capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to auditors’ requests. Many consultants and other advisors are helping companies establish GDPR compliance programs, and are documenting policies and procedures that are being put in place.

However, while policies, procedures and documentation are important, such GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement. CIOs and legal and compliance executives often aspire to implement information governance programs like defensible deletion and data audits to detect risks and remediate non-compliance. However, without an actual and scalable technology platform to effectuate these goals, those aspirations remain just that. For instance, recent IDG research suggests that approximately 70% of information stored by companies is “dark data” that is in the form of unstructured, distributed data that can pose significant legal and operational risks.

To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of days or weeks. The need for such an operational capability is further heighted by the urgency of GDPR compliance.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too illusive actual compliance with information governance programs, including GDPR.

Leave a comment

Filed under Comliance, Data Audit, eDiscovery, Uncategorized