
Electronic Discovery & Information Governance 2014 TIPS OF THE MONTH: A Compilation

Table of Contents

Introduction
January: Social Media E-Discovery
February: Managing the Risks of Bring Your Own Device
March: Preserving Electronically Stored Information When Employees Depart
April: Data Privacy Concerns When Moving to the Cloud
May: Managing the Risks and Costs Associated with Governance of Custodial Data
June: Implementing An Information Governance Program
July: Managing the Risks and Costs Associated with Enterprise Social Networks
August: Staying Informed About State Data Breach Laws
September: E-Discovery in Patent Litigation
October: Managing the Electronic Discovery Vendor Relationship
November: Managing E-Discovery in State Courts
December: Proposed Amendments to the US Federal Rules of Civil Procedure

Introduction

Mayer Brown's Electronic Discovery & Information Governance Practice hopes you found our Tips of the Month series valuable in We wanted to take an opportunity to recap the major E-Discovery trends of 2014 and to provide last year's tips in a single document for easy reference. We hope that our monthly updates continue to bring you value and, as always, welcome your comments and suggestions for future Tips of the Month in We're here to serve your interests and we sincerely thank you for your continued comments.

2014: The EDIG Year in Review

The trend in EDIG this year was convergence: convergence of electronic discovery with information governance; convergence of technology-assisted review and settled workflows; and convergence of cloud data into the electronic discovery workflow.

Electronic discovery converges with information governance. Businesses are coming to recognize that the best way to manage electronic discovery issues is to take control of the information that they create. Much of the routinely created information generated in the course of a business day isn't of any particular business use to anyone; it's just stuff. And retaining it forever costs money, without delivering any identifiable business benefit. Further, once litigation is filed, having large quantities of this material can bog down your processes and increase the difficulty and cost of managing the litigation.

TAR converges with settled workflows. In 2014, we saw growing consensus among judges that technology-assisted review is a viable component of an ediscovery strategy, in combination with human review and search-term based techniques. See generally Bridgestone Americas, Inc. v. Int. Bus. Machs. Corp., 2014 WL (M.D. Tenn. July 22, 2014) ("In the final analysis, the use of predictive coding is a judgment call, hopefully keeping in mind the exhortation of Rule 26 that discovery be tailored by the court to be as efficient and cost-effective as possible."); FDIC v. Bowden, 2014 WL (S.D. Ga. June 6, 2014) ("Predictive coding has emerged as a far more accurate means of producing responsive ESI in discovery. Studies show it is far more accurate than human review or keyword searches which have their own limitations") (quotation omitted); Progressive Cas. Ins. Co. v. Delaney, 2014 WL (D. Nev. May 20, 2014) (noting the empirical accuracy of TAR but requiring transparency regarding TAR workflow); Federal Housing Finance Agency v. HSBC North America Holdings, 2014 WL (S.D.N.Y. Feb. 14, 2014) (endorsing use of TAR for responsiveness review).

Cloud data converges with ediscovery. We also saw data at cloud providers move to front and center of the EDIG conversation. Large-scale commercial storage-as-a-service and email-as-a-service providers are getting enough traction with businesses that there is a good chance that any given business will store at least some information responsive to a litigation requirement with a service provider as opposed to on servers that it owns. Finding elegant solutions to the problem of preserving and collecting information from a heterogeneous environment, including resources outside the client's physical control, will take a couple more years, but the problem is squarely presented now.

The big, long-term story for 2015 is how the amendments to the Federal Rules that are due in December will play out. We will be tracking that story, the trends above, and other surprises and developments in the EDIG world in our Tips of the Month.

For inquiries related to this summary of 2014 Year in Review, please contact Eric Evans, Ethan Hastert, Michael Lackey or Kim Leffert. Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Eric Evans, Ethan Hastert, Michael Lackey or Edmund Sautter.

January 2014: Social Media E-Discovery

Scenario

A large corporation has been sued by former employees who allege that their supervisors harassed them and made inappropriate remarks in the workplace and on social media. During discovery, the corporation receives a document request for the supervisors' social media postings, emails and related files. The corporation must determine how to access, review and produce the requested information and considers seeking similar social media discovery from the former employees.

Understanding the Challenges of Social Media E-Discovery

Although the concept of electronic discovery and the need to preserve emails and computer files in anticipation of litigation is familiar, the advent of social media has greatly increased the potentially relevant information that is available electronically. Similar to other forms of electronic discovery, information posted to social media sites such as Facebook, Twitter or LinkedIn can be subject to discovery. However, knowing when or how to request and/or produce social media information can be a challenge. The following basic principles can provide guidance with regard to social media discovery.

Social Media Can Be Discoverable: The discovery of social media information is governed by the same procedural rules that govern other forms of electronic discovery in litigation. Although these rules differ from jurisdiction to jurisdiction, the general limiting discovery principle is whether the information being sought is reasonably calculated to lead to the discovery of admissible evidence. If the information being sought on a social media site will reasonably lead to the discovery of admissible evidence, it will likely be discoverable.

Social Media Sites Constantly Evolve: The social media landscape is constantly evolving. Although Facebook and Twitter are currently popular social media sites in the United States, that may not be the case one year from now as new sites are developed. In addition, existing social media sites are frequently updated to provide their users with new ways to share and receive information. As a result, the information that is commonly shared on social media today may not be the same type of information that is shared in the future. Therefore, it is important to stay apprised of the new developments in social media.

Social Media Sites Contain Different Types of Information: Social media sites also differ with regard to the information that is being shared. While sites such as Facebook, Twitter, and Instagram are primarily used to post photographs and status messages, or to hold online conversations, an employee or competitor is more likely to share confidential or proprietary company information using a site such as DropBox or Yammer. It is therefore important to understand how each social media site functions, the information likely to be shared on the site, and the various ways to access that information. This will allow a company to assess whether social media discovery may be potentially necessary in litigation.

Social Media Implicates Privacy Concerns: Social media sites are predominately used for personal reasons and social media accounts frequently contain private, nonpublic information. As a result, there is an inherent concern that broad requests for information on social media may invade an individual's right to privacy. Recently, some courts addressing requests for social media have required the party seeking the information to first establish that a review of publicly available social media information revealed a reasonable likelihood that the review of private social media information would lead to the discovery of admissible evidence. These courts have stressed that simply requesting all forms of social media information without limitation is improperly overbroad and that requests must be tailored to the issues in the case. Accordingly, to ensure that the social media information being sought in discovery is potentially relevant, it is advisable to first determine the universe of information that is publicly available on social media and then consider whether additional discovery is needed.

Managing Social Media E-Discovery

As more people use social media, social media discovery has become more frequent. Given that employees are often accessing and posting to social media sites using personal and company-owned devices, companies should consider the following tips for developing a social media discovery strategy.

Employee Cooperation: Unlike work email accounts and network files, most companies do not have access to their employees' personal social media accounts. In fact, a number of states have recently enacted laws prohibiting employers from requiring current or prospective employees to provide their social media passwords. As a result, if an employee's social media posting becomes relevant in litigation, the company will likely need the employee's cooperation to access the account. Therefore, companies should consider seeking out such cooperation at the onset of litigation in order to facilitate the discovery process.

Preservation of Social Media: The requirement that relevant documents be preserved in anticipation of litigation also extends to relevant social media information. Because different social media sites contain different types of information, companies should evaluate how, and to what extent, their employees are using social media and whether their use potentially implicates company business. If it is reasonably foreseeable that an employee's social media postings may be relevant in a future litigation, the company should consider taking steps to ensure that the relevant information is properly preserved. Moreover, if the company anticipates seeking social media discovery from the opposition, it should request early in the litigation that any relevant social media information be preserved.

Review Social Media Contextually: Social media postings are often impulse driven, and they do not always contain the same contextual clues as an email or internal memo. As a result, the relevance of social media information is not always readily apparent. For example, Twitter postings are limited to a finite number of characters and users frequently use abbreviations, nicknames and code words. Consequently, simply viewing a person's Twitter account on its own without a full understanding of the issues in a case may result in relevant information being overlooked or disregarded. Accordingly, in order to ensure that the social media information is properly evaluated, it should be reviewed at the same time as the other discovery in the case.

Conclusion

Social media discovery presents its own unique set of challenges. Although social media sites are no longer a new phenomenon, social media discovery is a relatively new issue that is still being developed. To prepare for the challenge of social media discovery, companies should consider how social media affects their business and the types of information that are shared on different social media sites. By having an understanding of what social media is, how it is used and how it can be accessed, a company can be prepared when the issue of social media discovery arises in litigation.

For inquiries related to this Tip of the Month, please contact Anthony Diana, Kim Leffert or Richard Nowak. Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Anthony J. Diana, Eric Evans, Michael Lackey or Edmund Sautter.

February 2014: Managing the Risks of Bring Your Own Device

Scenario:

A multi-national financial institution has decided to implement a Bring Your Own Device (or BYOD) program due to increasing demand from business personnel and a desire to reduce IT costs. The General Counsel's Office is asked whether there are any legal, regulatory or compliance risks that the organization needs to consider when implementing a BYOD program and developing the policies and procedures governing BYOD.

What is BYOD?

BYOD refers to the policy of allowing employees to use their personal mobile devices to access their employer's information systems and applications for business purposes. In recent years, there has been a fundamental shift in the way people understand and interact with electronic information. First, the ability of employees to access information at any time and from any location has become essential to most business operations. Second, the technology used to access that information has become a matter of personal choice; no longer are employees satisfied with acquiescing to their employer's choice of technology (i.e., BlackBerrys). Instead, employees expect to be able to work with the device of their choice and dislike the inconvenience of maintaining two separate mobile devices for business and personal use. And not only are employers largely powerless to stem the tide of this trend, but many employers appreciate the cost savings and flexibility that a BYOD program brings to the organization.

The Risks of BYOD

As with any technology, there are risks associated with implementing a BYOD program. There are legal risks, such as the ability to access information responsive to document requests for preservation or production. There are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements. There are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization's networks. There are data privacy risks associated with the mix of personal information with business information on one device. The question for any organization is how to best mitigate and balance these risks in light of the business demand for BYOD flexibility.

BYOD represents a significant change in the way organizations manage the risks associated with information governance. Traditionally, an organization's approach was to centralize the storage and retention of that information so that the organization had ultimate control over its distribution, management and retention. BYOD, however, undermines that basic approach. Organizations are now dealing with de-centralized data sources where the organization has little operational control over storage, management and retention. Instead, many organizations find themselves almost entirely dependent on policies and their employees' compliance with such policies to manage the considerable risks associated with electronic data.

Consider the use of text messaging in a BYOD program. With an organization-owned device, the organization has the option of centralizing control of its employees' text messaging by disabling text or instant messaging capabilities on the device or capturing such messages for business purposes on the organization's centralized infrastructure. With a BYOD program, however, an organization loses its ability to easily block or capture business-related text messages and is forced to rely more heavily on employee participation and compliance with policies to manage risk.

It is important to note that while BYOD programs are a relatively new trend, organizations have been managing similar risks by relying on employee compliance with policy for many years. Personal home computers also allow remote access to an organization's network, and organizations rely on employees to abide by policies against downloading or creating business records on those personal home computers. Organizations also rely on employee compliance with policy in addressing the risks of business being conducted on personal email or personal social media sites. There may be heightened risks associated with B.Y.O.D. programs, arising primarily from the portable nature of those devices, the frequency with which such devices are used, and the potential volume of data transmitted to or from those devices, but the risk mitigation strategies associated with B.Y.O.D. programs are not new to the business enterprise.

Tips for Managing the Risks of BYOD

Because an employee's use of his or her personal device is largely outside of the employer's control, critical components of any BYOD program include a clear, concise policy that is developed with the input of all the relevant stakeholders, together with audit procedures that validate and ensure compliance with that policy. When developing and implementing those policies and procedures, there are a number of issues the organization may want to consider.

Involve all Relevant Stakeholders. BYOD implicates many aspects of the organization's operations, and all of those stakeholders should have input into the policies and procedures governing BYOD. Those relevant stakeholders may include personnel from Legal, IT, Human Resources, Data Privacy, Information Security, Compliance, and the relevant Business Lines.

Authorized BYOD Users. Careful consideration should be given to which employees the organization will permit to participate in a BYOD program and whether special procedures are needed for certain types of employees participating in a BYOD program. For example, because of retention and supervision requirements, the risks may be higher for regulated employees participating in a BYOD program than for non-regulated employees. Special consideration may need to be given to whether or under what conditions to allow nonexempt employees to conduct business on their personal devices. And the organization's need and ability to access information on an individual's personal device may raise data protection concerns for non-U.S. employees in certain jurisdictions. The organization should consider whether and how to adjust its policies to address high-risk employees, and whether special training, security, or audit procedures are needed.

Uses of the Device. When developing policies and procedures relating to BYOD, consider the types of applications that employees will be authorized to use for business purposes, as well as any restrictions on the use of those applications. This includes the type of information that may be exchanged or distributed using the application, the ability to ensure data security, the ability or need for the organization to capture the information exchanged through the application on its own systems, and the ability to quickly access, preserve, retrieve or delete data stored on the device itself. Employees should be provided with clear and specific guidance on the appropriate use of authorized applications, as well as uses that are prohibited.

Ownership of the Data. Most organizations have data retention policies or electronic communication policies notifying all employees that all data on the organization's systems belongs to the organization and is subject to monitoring or use by the organization. An organization implementing a BYOD program should clearly convey to participating employees the organization's policy regarding ownership of data on devices that are part of a BYOD program. For example, the organization may have a policy that all business-related data on a BYOD program belongs to the organization, regardless of where on the device that data is stored.

Access to the Device. The organization's ability to access information on an employee's personal device as part of a BYOD program is critical to the organization's ability to meet its legal, regulatory and compliance obligations. The organization should consider the extent and nature of such access, including whether: (i) remote access to data on the device is needed for collection or supervision, (ii) the organization may have to take possession of the physical device under certain circumstances and (iii) the organization wants the ability to remotely delete information from a lost or stolen device, or from a device belonging to a former employee.

Compliance & Audit Procedures. Given the challenges of monitoring and controlling the data on devices in a BYOD program, organizations should consider the need for specialized and enhanced training and audit procedures. Specialized training on the proper use of authorized applications may help to minimize confusion and inadvertent user error. Enhanced audit procedures, such as signed acknowledgements of the policy, periodic certifications of compliance or random testing for compliance, should also be considered. Incorporating these steps as part of a BYOD program provides additional assurance of compliance and strengthens the defensibility of the overall program.

For inquiries related to this Tip of the Month, please contact Anthony Diana or Therese Craparo. Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Anthony J. Diana, Eric Evans, Michael Lackey or Edmund Sautter.

March 2014: Preserving Electronically Stored Information When Employees Depart

Scenario:

A large company has reorganized its operations and plans to terminate or reassign a number of employees. The company's head of litigation knows that some of the affected employees are subject to a litigation hold and wants to ensure that data is not lost or misplaced as a result of employees leaving the company. There is a particular concern as the company permits employees to use their own devices for company communications and other purposes.

Planning for Employee Departures

It is unlikely that an employee in career transition (for whatever reason) is thinking about a former employer's legal obligation to preserve electronically stored information (ESI). Likewise, the IT department is focused on managing assets (e.g., PCs, laptops, tablets, smartphones) and server space (e.g., servers and personal drives on network), and views an employee departure as an opportunity to reduce IT-related costs. Nevertheless, a company's obligation to preserve ESI relating to current or anticipated litigation remains in place regardless of any employee terminations or transitions. Courts and regulators require that companies make good faith, reasonable efforts to preserve ESI of departing employees that is subject to a legal hold. Therefore, it is important for a company to implement procedures aimed at preserving and collecting, if necessary, ESI associated with its departing and transitioning employees.

The Employee Leaves, But the Hardware Stays

While it is common for a company to reuse electronic equipment after an employee leaves the organization, doing so can result in the inadvertent destruction of ESI subject to a legal hold. IT departments managing a company's computers, storage devices and smartphones, or similar devices, often do not learn that information stored on a departing employee's device may be subject to a legal hold until after the equipment has been wiped clean and reissued.

One way to preserve ESI is to institute a waiting period before reintroducing previously used electronic devices back into the current workforce. The exact length of any waiting period depends on the size and culture of the company, but it should be long enough to allow the company to determine whether any departed employees were subject to an existing legal hold. The waiting period should also provide sufficient time to coordinate any necessary data preservation measures. During this waiting period, a company should not delete any of the departing employee's emails or other ESI. Ensuring your company has enough time to determine whether it should preserve a former employee's electronic data before reusing the electronic equipment (or deleting the data) is an excellent way to help avoid the inadvertent destruction of ESI.

If possible, the company should develop standard operating procedures around the management of ESI of departing employees, so that the business, IT, records management, compliance and legal departments each have a clearly defined role in making sure that ESI that should be retained is retained and, equally important, that any ESI that need not be retained is destroyed in a timely manner consistent with the organization's document retention policies.

The Employee Leaves and Takes the Hardware

It is becoming more commonplace for companies to permit employees to use their own devices for company communications and other company purposes. The email and documents accessed on these devices may be stored on the company's server, on the device, or both. If a company permits employees to bring their own devices, or even if employees are permitted to retain some devices (i.e., smartphones or tablets) upon termination, the company can consider developing a policy or practice ensuring that all company-related ESI is in the company's control before the employee departs with the device.

Alert New Employees that a Litigation Hold Is In Place

Another risk can occur when a new or reassigned employee is unaware that a legal hold is in place. Therefore, it is important to promptly identify those new employees who inherit data that is subject to a legal hold. That new or reassigned employee should be informed of the company's obligation to preserve the data in the former employee's files and, if applicable, of any continuing obligation to preserve future information.

Keep Litigation Hold Lists Current

A company's personnel will not likely remain static for the duration of a lawsuit or an investigation. Thus, companies should periodically review their litigation hold lists to determine whether any departed employees remain among the listed document custodians and, if so, whether any new employees who took possession of the departed employee's data should be added to the list. Companies that do not maintain lists of employees subject to a legal hold should consider implementing a process to retain this information in a convenient and accessible manner.

Investigate ESI Issues through Exit Interviews

It is prudent to institute a practice where all departing employees are asked, prior to leaving, whether their data is subject to a legal hold. Not only does this provide an opportunity to confirm where the data resides, but it also prompts the company to be alert to preserving a departing employee's information while transitioning employees out of the company. If the departing employees' responses are documented, this helps to create a record of the company's good faith efforts at preserving ESI.

In certain circumstances, a legal hold may extend to information stored on an employee's personal email, home computer or other personal device. For this reason, companies should also ask whether the departing employee ever used personal email or personal storage devices (such as thumb drives) to store company ESI that is subject to a legal hold. With this knowledge, companies are better equipped to determine whether additional steps may be needed to preserve such data to ensure compliance with an existing legal hold.

Collecting ESI in Advance of Terminations or Transitions

Employee terminations can put any company in a temporary state of flux. However, a company's ongoing duty to comply with legal holds remains unaffected. Consider taking proactive steps during this period to ensure that ESI is not accidentally lost along the way. These steps could include: backing up the electronic data of employees subject to a legal hold in advance of any downsizing event; collecting responsive ESI from departing employees; and promptly revoking any former employee's ability to access company email or electronic devices immediately upon termination in order to prevent the accidental (or intentional) deletion of ESI by employees whose interests may no longer be aligned with the company's.

Dealing proactively with departing employees' ESI is good records governance regardless of any legal holds; however, the stakes are raised considerably when the ESI is subject to such a hold. When ESI subject to a legal hold goes missing, courts can respond by issuing sanctions, and regulators can respond by refocusing their investigation on the company's compliance with subpoenas. Departing employees can compromise a company's ability to comply with its obligation to preserve responsive data. Therefore, companies should consider taking steps to ensure that changes in the makeup of their workforce do not impact the company's ability to satisfy its obligation to preserve ESI.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana or Kim Leffert. Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Anthony J. Diana, Eric Evans, Michael Lackey or Edmund Sautter.

14 April 2014 Data Privacy Concerns When Moving to the Cloud Scenario: In an effort to reduce costs and leverage the latest advances in technology, the chief information officer of a multinational company decided to use a cloud computing vendor to host the company s . After identifying a handful of vendors that appeared to meet the company s needs, the CIO asked each vendor to submit bids and proposed service agreements. Aware of the strict data privacy laws that applied to the company s European offices, the CIO brought the contracts to the company s general counsel for review. Cloud Computing and SaaS Solutions Cloud computing is the use of computing resources, including both hardware and software, that are made available over the Internet by a subscription-based service provider. Software as a service (SaaS) is one type of cloud computing service that provides companies with remote access to software being hosted by a third party. Companies often adopt SaaS solutions for because doing so allows employees to access corporate from any device connected to the Internet. In addition to providing increased mobility and accessibility, cloud-based may reduce the costs associated with acquiring and maintaining servers. To stay current with the latest technology, minimize their own hardware, development and support costs, attract the widest customer base possible, vendors providing cloud-based services often offer a standardized product with little or no customization. Given the nature of off-the- shelf SaaS solutions a single product being offered to a large number of customers vendor services are often provided to many customers simultaneously. Because highly negotiated contracts would make implementation and support impracticable, SaaS contracts also tend to be standardized. 
This does not, however, mean that companies seeking to use cloud-based email should give up on negotiating the contractual terms, especially those that may require modification to comply with data privacy laws. On the contrary, they should expect to negotiate the terms, particularly with respect to provisions assuring compliance with data privacy laws.

Cloud Computing and EU Data Privacy Laws

While moving to a cloud provider presents a number of data privacy risks for all companies, it presents a more complicated challenge for companies with operations in both the United States and the European Union, especially if the potential cloud provider's facilities are located in the United States. The EU has implemented a comprehensive regulatory framework that, among other things, sets forth the circumstances under which personal data (encompassing a broad range of information, including name, age, gender, marital status, nationality, citizenship, veteran status, personal or business contact information including addresses and identification numbers) may be lawfully transferred to parties residing in foreign jurisdictions. In the context of cloud computing, the EU maintains that these laws are triggered when either the company or the cloud provider is located within the EU. Other laws that could potentially affect email in the cloud are the so-called blocking statutes, instituted by a number of EU member nations, which prohibit the transfer of data requested in the course of foreign legal proceedings.

Location of Data

Companies assessing the risks of migrating their email to the cloud need to know which laws will be triggered. To make that assessment, they must know where the data will be hosted. The answer, however, is not always clear. Depending on how a vendor has configured its network, a client's email could be separated and stored on multiple servers in various locations. When evaluating potential cloud providers, it is crucial that vendors disclose where a company's data will be hosted.

Use of Subcontractors

A SaaS solution consists of various components that may be beyond the control of the company using the solution, such as the hardware, the operating system and the network infrastructure. However, the vendor might not be the entity that operates each of these elements. Instead, the SaaS provider may subcontract with a third party to provide one or more of them. Additionally, there are a number of services required to provide cloud solutions, including hosting, processing, transmission and security, which also may be subcontracted to third parties. Not only does the use of subcontractors make it harder to determine where the data is hosted; if not handled properly, it may also run afoul of EU data privacy laws.

Tips for Managing Risk

To properly assess the data privacy risks associated with using cloud-based email, a company with data hosted in the EU needs to know who will be handling the data and where the data will be hosted.
Once the company has this information, it will be in a better position to request certain contractual terms designed to ensure compliance with EU data privacy laws. When negotiating a contract for cloud-based email, consider the following:

Region-specific servers: The company should require that email for EU-based operations reside on a server in the EU. Similarly, the company should require that a server be based in the United States to host all US email. Keeping all US email within the United States will make it easier for the company to comply with any applicable state or federal data privacy laws and prevent possibly subjecting that email to the blocking statutes of EU member nations.

Identify subcontractors: The company should ask the cloud services provider for both the identity and location of any subcontractors that will be working with the company's email. EU data privacy laws require cloud providers to disclose the identity of any subcontractors that will be used to provide services in connection with a SaaS contract.

Subcontractor agreements: Cloud providers must provide the company with assurances that all subcontractors will comply with EU data privacy laws, which can be accomplished through an agreement between the cloud provider and each subcontractor reflecting the data privacy safeguards appearing in the contract between the cloud provider and the company. Additionally, the company should have recourse for any breach caused by a subcontractor. This can be accomplished through either (1) a provision contained in the agreement between the cloud provider and the company stating that the cloud provider remains liable for any work done by a subcontractor in connection with the agreement or (2) a provision in each contract between the cloud provider and a subcontractor that names the company as a third-party beneficiary.

Cross-border data transfers: The European Commission has adopted model contractual clauses designed to provide adequate safeguards in the context of cross-border data transfers. If a cloud provider cannot guarantee that email will be hosted within the borders of EU member countries or if the cloud provider uses subcontractors located outside of the EU, then such model clauses should be included in the SaaS contract.

For inquiries related to this Tip of the Month, please contact Eric Evans or Michael D. Battaglia. Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Anthony J. Diana, Eric Evans, Michael Lackey or Edmund Sautter.

May 2014
Managing the Risks and Costs Associated with Governance of Custodial Data

Scenario: A large organization is selling one of its business units. Questions arise about how to define the scope of data associated with employees in the business unit being sold that may need to be transferred to the new owner and whether to implement a process for remediating custodial data associated with those same soon-to-be-departing employees. As part of this process, the organization is attempting to compile records identifying all current and former employees associated with the business unit, including any custodial data associated with those employees and any employees on legal hold. The organization does not have an identity management system that would help track data associated with those employees. The General Counsel's Office is working with Compliance and IT to determine how to compile the necessary information.

Custodial Data and Identity Management

As the technology landscape changes, so does an organization's perspective of who is responsible for managing specific data sources within the organization. With the increased use of collaborative technologies for information exchange, more data may be considered shared data, rather than data that is exclusively associated with one person. However, most organizations today still tend to view data as custodial (i.e., data associated primarily or exclusively with one individual employee), or non-custodial (i.e., data that is shared by and accessible to multiple employees within an organization).

In any organization, there are numerous sources of information associated primarily with one individual employee that may be pertinent to data management and retention. And those data points may change over time. For example:

Employees are constantly joining, leaving, or changing positions within an organization.

Custodial data is often transferred among incoming and outgoing employees as needed for business purposes.

Employees frequently have the same or similar names, or have name changes (and corresponding alias changes) throughout their careers.

Employees may be subject to varying retention requirements for regulatory or business reasons.

Employees are often subject to multiple legal holds, often at the same time.

Employees are often issued multiple devices (e.g., mobile, desktop and other) throughout their careers, or their network data may be moved over time, depending on the IT needs of the organization.

Employees may be authorized to access different systems or sources of information, or may be assigned different passwords for accessing certain types of data.

All of this information about an individual employee may be associated with "identity management": the management and control of information about individual employees, including authentication, authorization, regulation and privileges within the organization. Yet this information is rarely consolidated or centralized in one location (if it is managed at all). Where some systems of record do exist, the disparate systems containing the information seldom communicate or link to one another, and they often do not retain information about individual employees in a consistent or systematic way. Further, each aspect of identity management may be the responsibility of different departments or individuals within an organization, leading to inconsistent or ad hoc procedures for managing this information.

The Importance of Managing Custodial Data

The implications of a decentralized and ad hoc approach to managing custodial data may be profound, especially given today's heightened sensitivities toward data security and data management. Appropriate identity management can help an organization improve security, simplify compliance with legal and regulatory obligations, and enhance business opportunities.

Effectively secure data. An organization that knows where data is, how sensitive that data is and who has access to the data, may be better able to implement policies, procedures and safeguards to ensure that the data is appropriately protected and to manage and detect security risks.

Comply with legal and regulatory obligations.
An organization that can easily and accurately identify key employees (including employees subject to specific regulatory requirements), locate the data sources to which they have access, collect data from those sources, and apply appropriate levels of protection to data sent outside of the organization may be better able to ensure that it is meeting its legal requirements and is prepared for regulatory inquiries or litigation.

Ensure efficient business operations. An organization that can provide efficient access to business data, is able to effectively mine the available data, and can get rid of that data when it is no longer needed may be better able to realize cost-effective data management while still supporting its business units and leveraging the available information for business purposes.

Tips for Managing the Costs and Risks of Custodial Data

For the reasons articulated above, centralized and integrated identity management is likely to become a critical component of the business operations of most large organizations. Thus, it may be wise to begin to assess the challenges associated with custodial data and identity management.

Know Your Custodial Data: To understand how an organization is (or should be) managing its custodial data sources, the organization must first have an understanding of what data sources within the organization are considered custodial. This may be significant to understanding who has control over, access to or responsibility for the data, where the data is located and how the data is treated within the organization. For example, understanding what data is solely associated with an employee who is leaving the organization is critical to ensuring that the information is appropriately retained, destroyed or transferred as needed for business, legal or regulatory purposes.

Understand How Your Organization Manages Custodial Data Today: Often the risks associated with the failure to manage custodial data sources are not apparent until an event triggers the need for the information (e.g., the need to transfer data to an entity purchasing a business unit, the need to implement legal holds, the need to respond to regulator inquiries about employees with prescribed retention periods, etc.). While it may be impracticable for an organization to truly track, on an ongoing basis, the location and nature of all custodial data, it is prudent to at least understand how the organization currently is managing and recording information about its employees' data before the need arises to access and compile this information.

Develop Policies and Procedures Regarding Custodial Data Sources: Organizations should consider developing policies and procedures centered on management of custodial data, including who is responsible for establishing, managing and tracking information about employees and their data sources. This may include controls around assignment of employee IDs, how retention periods or access authorizations are assigned, implementation of retention settings, the handling of data sources associated with departing employees, implementing legal holds, etc.

Establish a Unique Identifier for Each Employee: A unique identifier for each employee (e.g., employee ID) is a basic requirement of identity management. These identifiers should be truly unique and should not be re-used regardless of employment status or name changes.
Many organizations do assign employee IDs, or other unique identifiers, for gaining access to network systems, but may not continue to use these unique identifiers to track an employee's associated data throughout the data's lifecycle. Even without a consolidated system for identity management, simply integrating the use of employee IDs across various functions, including IT, asset management, records retention, human resources and legal, can help improve efficiency and accuracy in identifying and isolating custodial data.

Identify High-Risk Employees and High-Risk Data Sources: Implementing a comprehensive program for identifying all data associated with each employee can be daunting. Consider focusing efforts on high-risk employees within your organization who are subject to specific retention requirements, or who frequently handle highly sensitive data. Instituting controls around high-risk designations and ensuring that relevant stakeholders within the organization have a systematic and efficient way to identify high-risk employees will enable the organization to take the necessary steps to mitigate any risk: IT and Information Security will know when to implement special security, access or retention settings; Audit will know to assess whether appropriate controls are in place; Legal and Compliance will be better able to respond to regulatory inquiries or know to use special handling when collecting and processing the data of those employees.

Consider Identity Management Software: There is software that may help an organization systematize and centralize its identity management. Such software can assist with streamlining asset management, monitoring changes in employment or identity, providing an audit trail of assets and information associated with each employee, or linking different sources of information about employees. An organization should carefully weigh the costs and benefits of employing such software for its business.

Consider Document Management for Key Information: Custodial data tends to be less centralized and more difficult to manage than non-custodial data. As such, it may be more efficient for an organization to have key business information stored in non-custodial data sources. But employees need to have convenient and realistic options for where and how to store their custodial data. An organization should clearly define where and how key business information must be stored, and should take steps to train employees on the appropriate storage of that information.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana or Therese Craparo.


Proactively Using Information Governance and Advance Planning to Reduce the Burden and Expense of E-Discovery KNOW THYSELF: Proactively Using Information Governance and Advance Planning to Reduce the Burden and Expense of E-Discovery Jonathan D. Rudolph, General Counsel of Accumen Data Services Jeffrey D. Bukowski,

More information

Solving Key Management Problems in Lotus Notes/Domino Environments

Solving Key Management Problems in Lotus Notes/Domino Environments Solving Key Management Problems in Lotus Notes/Domino Environments An Osterman Research White Paper sponsored by Published April 2007 sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington

More information

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS White Paper Table of Contents Addressing compliance with privacy laws for cloud-based services through persistent encryption and key ownership... Section

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment

More information

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp.

What Every User Needs To Know Before Moving To The Cloud. LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud LawyerDoneDeal Corp. What Every User Needs To Know Before Moving To The Cloud 1 What is meant by Cloud Computing, or Going To The Cloud? A model

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Managing Mobile Devices in a Device-Agnostic World Finding and Enforcing a Policy That Makes Business Sense

Managing Mobile Devices in a Device-Agnostic World Finding and Enforcing a Policy That Makes Business Sense SAP White Paper SAP Partner Organization Mobile Device Management Managing Mobile Devices in a Device-Agnostic World Finding and Enforcing a Policy That Makes Business Sense Table of Content 4 Mobile Device

More information

Delaware State University Policy

Delaware State University Policy Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message

More information

REED COLLEGE. ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS

REED COLLEGE. ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS REED COLLEGE ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS TABLE OF CONTENTS A. INTRODUCTION... 1 B. THE LANDSCAPE OF ELECTRONIC RECORDS SYSTEMS... 1 1. Email Infrastructure...

More information

BYOD Policy Implementation Guide. BYOD Three simple steps to legally secure and manage employee-owned devices within a corporate environment

BYOD Policy Implementation Guide. BYOD Three simple steps to legally secure and manage employee-owned devices within a corporate environment BYOD Policy Implementation Guide BYOD Three simple steps to legally secure and manage employee-owned devices within a corporate environment We won t bore you with the typical overview that speaks to the

More information

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) This document provides answers to some frequently asked questions about the The Personal Health

More information

AskAvanade: Answering the Burning Questions around Cloud Computing

AskAvanade: Answering the Burning Questions around Cloud Computing AskAvanade: Answering the Burning Questions around Cloud Computing There is a great deal of interest in better leveraging the benefits of cloud computing. While there is a lot of excitement about the cloud,

More information

Social Media Discovery: It's Not So Different After All

Social Media Discovery: It's Not So Different After All Social Media Discovery: It's Not So Different After All by Cris Whitman As the use of social media continues to grow, so do concerns about preserving and collecting related content. Topics surrounding

More information

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015 Breaking Down the Silos: A 21st Century Approach to Information Governance May 2015 Introduction With the spotlight on data breaches and privacy, organizations are increasing their focus on information

More information

Information Technology Security Policies

Information Technology Security Policies Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral

More information

BEYOND THE HYPE: Understanding the Real Implications of the Amended Federal Rules of Civil Procedure. A Clearwell Systems White Paper

BEYOND THE HYPE: Understanding the Real Implications of the Amended Federal Rules of Civil Procedure. A Clearwell Systems White Paper BEYOND THE HYPE: UNDERSTANDING THE REAL IMPLICATIONS OF THE AMENDED FRCP PA G E : 1 BEYOND THE HYPE: Understanding the Real Implications of the Amended Federal Rules of Civil Procedure A Clearwell Systems

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

A Brief Overview of ediscovery in California

A Brief Overview of ediscovery in California What is ediscovery? Electronic discovery ( ediscovery ) is discovery of electronic information in litigation. ediscovery in California is governed generally by the Civil Discovery Act. In 2009, the California

More information

Data Privacy Considerations When Conducting E-Discovery

Data Privacy Considerations When Conducting E-Discovery Data Privacy Considerations When Conducting E-Discovery Therese Craparo Anthony J. Diana Rebecca Kahan Paul Chandler May 17, 2011 MayerBrown is a globallegalservices organisationcomprisinglegalpracticesthatareseparate

More information

Federal Trade Commission Privacy Impact Assessment

Federal Trade Commission Privacy Impact Assessment Federal Trade Commission Privacy Impact Assessment for the: W120023 ONLINE FAX SERVICE December 2012 1 System Overview The Federal Trade Commission (FTC, Commission or the agency) is an independent federal

More information

ESI DEMYSTIFIED. Streamlining the E-Discovery Process Through Internal Processes and Controls. Melinda Burrows Bruce Cosgrove*

ESI DEMYSTIFIED. Streamlining the E-Discovery Process Through Internal Processes and Controls. Melinda Burrows Bruce Cosgrove* ESI DEMYSTIFIED Streamlining the E-Discovery Process Through Internal Processes and Controls Melinda Burrows Bruce Cosgrove* The widespread proliferation of electronically stored information (so-called

More information

Director, Value Engineering

Director, Value Engineering Director, Value Engineering April 25 th, 2012 Copyright OpenText Corporation. All rights reserved. This publication represents proprietary, confidential information pertaining to OpenText product, software

More information

About Your Email Policy Kit

About Your Email Policy Kit Email Policy Kit About Your Email Policy Kit About Your Email Policy Kit... 2 Email Policy 101... 3 Designing an Email Policy: Key Sections... 4 Sample Records Retention Policy for Electronic Mail... 11

More information

Village of Hastings-on-Hudson Electronic Policy. Internal and External Email Policies and Procedures

Village of Hastings-on-Hudson Electronic Policy. Internal and External Email Policies and Procedures Village of Hastings-on-Hudson Electronic Policy Internal and External Email Policies and Procedures Effective February 2012 1 1. Table of Contents 1. General Policies... 3 1.1 Establishment and upkeep

More information

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division

Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Allison Stanton Director of E-Discovery U.S. Department of Justice, Civil Division Jason R. Baron Director of Litigation National Archives and Records Administration 1 Overview Cloud Computing Defined

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

and ediscovery Peter Pepiton ediscovery Product Manager CA Information Governance

and ediscovery Peter Pepiton ediscovery Product Manager CA Information Governance Electronic Record Retention and ediscovery Peter Pepiton ediscovery Product Manager CA Information Governance Agenda What is all this ediscovery buzz? Email is major focus of ESI Impact of New FRCP rules

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Addendum Windows Azure Data Processing Agreement Amendment ID M129

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129 Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the

More information

NightOwlDiscovery. EnCase Enterprise/ ediscovery Strategic Consulting Services

NightOwlDiscovery. EnCase Enterprise/ ediscovery Strategic Consulting Services EnCase Enterprise/ ediscovery Strategic Consulting EnCase customers now have a trusted expert advisor to meet their discovery goals. NightOwl Discovery offers complete support for the EnCase Enterprise

More information

POLICY NO. 3.14 September 8, 2015 TITLE: INTERNET AND EMAIL USE POLICY

POLICY NO. 3.14 September 8, 2015 TITLE: INTERNET AND EMAIL USE POLICY POLICY NO. 3.14 September 8, 2015 TITLE: INTERNET AND EMAIL USE POLICY POLICY STATEMENT: Many of our employees have access to the internet as well as email capabilities. The County recognizes that these

More information

C. All responses should reflect an inquiry into actual employee practices, and not just the organization s policies.

C. All responses should reflect an inquiry into actual employee practices, and not just the organization s policies. Questionnaire on Electronically Stored Information (May 2014) Comment The Questionnaire is intended to be a comprehensive set of questions about a company s computer systems. The extent to which you should

More information

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8. micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5

More information

Special Report: ROI of Records Management for Legal Discovery

Special Report: ROI of Records Management for Legal Discovery Special Report: ROI of Records Management for Legal Discovery Page 1 Table of Contents Table of Contents 2 Introduction 3 2010 Litigation Cost Survey 3 Legal Discovery Process 4 ROI Scenarios 7 Other Savings

More information

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Cloud Computing and Privacy Toolkit Protecting Privacy Online May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1 Table of Contents ABOUT THIS TOOLKIT... 4 What is this Toolkit?... 4 Purpose of this Toolkit...

More information

SOFTWARE LICENSE AND NON-DISCLOSURE AGREEMENT

SOFTWARE LICENSE AND NON-DISCLOSURE AGREEMENT SOFTWARE LICENSE AND NON-DISCLOSURE AGREEMENT This SOFTWARE LICENSE AND NON-DISCLOSURE AGREEMENT ( Agreement ) is between Drake Software, LLC ( Drake ) and Licensee (as defined below). PLEASE READ THIS

More information

E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert

E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert E-Discovery Quagmires An Ounce of Prevention is Worth a Pound of Cure Rebecca Herold, CISSP, CISA, CISM, FLMI Final Draft for February 2007 CSI Alert While updating the two-day seminar Chris Grillo and

More information

General Items Of Thought

General Items Of Thought ESI PROTOCOLS & CASE LONG BUDGETS General Items Of Thought What s a GB =??? What Are Sources Of Stored Data? What s BYOD mean??? The Human Factor Is At Play! Litigation Hold Duty Arises When? Zubulake

More information

Successful ediscovery in a Bring Your Own Device Environment

Successful ediscovery in a Bring Your Own Device Environment IT@Intel White Paper Intel IT IT Best Practices IT Governance and IT Consumerization June 2012 Successful ediscovery in a Bring Your Own Device Environment Executive Overview Close collaboration between

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Assessing the Opportunities Presented by the Modern Enterprise Archive

Assessing the Opportunities Presented by the Modern Enterprise Archive Assessing the Opportunities Presented by the Modern Enterprise Archive Published: November 2015 Analysts: James Haight, Research Analyst; David Houlihan, Principal Analyst Report Number: A0193 Share This

More information

ANALYSIS OF ORIGINAL BILL

ANALYSIS OF ORIGINAL BILL Franchise Tax Board ANALYSIS OF ORIGINAL BILL Author: Evans Analyst: Deborah Barrett Bill Number: AB 5 See Legislative Related Bills: History Telephone: 845-4301 Introduced Date: December 1, 2008 Attorney:

More information