Finding a New Safe Harbor

Similar documents
Only 1% of that data has preservation requirements Only 5% has regulatory requirements Only 34% is active and useful

Viewpoint ediscovery Services

E-Discovery Roundtable: Buyers Perspectives on the Impact of Technology Innovation

for Insurance Claims Professionals

Reduce Cost and Risk during Discovery E-DISCOVERY GLOSSARY

E-Discovery Basics For the RIM Professional. Learning Objectives 5/18/2015. What is Electronic Discovery?

Veritas ediscovery Platform

Simplify the e-discovery process by learning which tools to use and when to use them. CHAPTER 7. Proactive. Review tools. litigation hold tools.

Symantec ediscovery Platform, powered by Clearwell

Best Practices in Electronic Record Retention

Enhancing Document Review Efficiency with OmniX

e-discovery Forensic Services kpmg.ch Advisory

In-house Counsel s Next Cost Savings Frontier: Cost Minimization by Centralizing Litigation Document Collections

What Am I Looking At? Andy Kass

Hong Kong High Court Procedure E-Discovery: Practice Direction Effective September 1, 2014

Predictive Coding Defensibility and the Transparent Predictive Coding Workflow

The Business Case for ECA

Proactive Data Management for ediscovery

electronic discovery requests

Discussion of Electronic Discovery at Rule 26(f) Conferences: A Guide for Practitioners

ediscovery Software Buyer s Guide FOR SMALL LAW FIRMS

Discovery in the Digital Age: e-discovery Technology Overview. Chuck Rothman, P.Eng Wortzman Nickle Professional Corp.

Asia Disputes Academy

Predictive Coding Defensibility and the Transparent Predictive Coding Workflow

AccessData Corporation. No More Load Files. Integrating AD ediscovery and Summation to Eliminate Moving Data Between Litigation Support Products

ARCHIVING FOR EXCHANGE 2013

Reducing Total Cost and Risk in Multilingual Litigation A VIA Legal Brief

Delivering Global Ediscovery Successfully. Emily A. Cobb, Ropes & Gray Andrew Szczech, Kroll Ontrack Thomas Sely, Kroll Ontrack

AlixPartners, LLP. General Data Protection Statement

Contents. April HBR CONSULTING. All Rights Reserved.

REDUCING COSTS WITH ADVANCED REVIEW STRATEGIES - PRIORITIZATION FOR 100% REVIEW. Bill Tolson Sr. Product Marketing Manager Recommind Inc.

Data Sheet: Archiving Symantec Enterprise Vault Discovery Accelerator Accelerate e-discovery and simplify review

Achieving & Maintaining E-discovery Fitness

Whitepaper: Enterprise Vault Discovery Accelerator and Clearwell A Comparison August 2012

What You Should Know About ediscovery

NUIX WHITE PAPER THE INVESTIGATIVE LAB: A MODEL FOR EFFICIENT COLLABORATIVE DIGITAL INVESTIGATIONS WHITE PAPER

Five Steps to Ensure a Technically Accurate Document Production

Cross-border Challenges for e-discovery

Sample Electronic Discovery Request for Proposal

Discovery Data Management

How Cisco IT Uses SAN to Automate the Legal Discovery Process

ediscovery 101 Myth Busting October 29, 2009 Olivia Gerroll ediscovery Solutions Group Director

ESI Discovery in Federal Criminal Cases: Leveraging the New JETWG Recommendations


(1) Overall Context Corporate Legal and Compliance Matters

E-DISCOVERY: A Primer

IBM Policy Assessment and Compliance

Best Practices: Defensibly Collecting, Reviewing, and Producing

Considering Third Generation ediscovery? Two Approaches for Evaluating ediscovery Offerings

The Duke Conference: Bench-Bar-Academy Distinguished Lawyers Series Protected-Privacy Data Conference

It s All About the Deadline:

IBM ediscovery Identification and Collection

E- Discovery in Criminal Law

Case 2:14-cv KHV-JPO Document 12 Filed 07/10/14 Page 1 of 10 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF KANSAS

Global ediscovery Document Review. Managed technology for the global legal profession

Image Control. Administrator Guide

Journal of Digital Forensic Practice

Clearwell Legal ediscovery Solution

Understanding How Service Providers Charge for ediscovery Services

Cross-Border EDiscovery

Early Case Assessment in ediscovery

E-discovery Project Decision Guide

WHITE PAPER. Deficiencies in Traditional Information Management

Intellectual Property Issues for Asset Managers

Managing Electronic Data in FCPA Investigations

Guide to advanced ediscovery solutions

Software-assisted document review: An ROI your GC can appreciate. kpmg.com

e-discovery Solutions and Services

CASE STUDY: Top 5 Communications Company Evaluates Leading ediscovery Solutions

EnCase ediscovery. Automatically search, identify, collect, preserve, and process electronically stored information across the network.

Electronic Discovery. Answers to life s enduring questions

Capstone Compliance Using Symantec Archiving and ediscovery Solutions

How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?

IBM Unstructured Data Identification and Management

Review Easy Guide for Administrators. Version 1.0

Amendments to the Rules to Civil Procedure: Yours to E-Discover. Prepared by Christopher M. Bartlett Cassels Brock & Blackwell LLP

State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN. January 2010 December 2012 DECEMBER 31, 2009

New Amendments to Rule 26 Dictate Use of Electronic Discovery Technology by Larry Johnson, Esq. Director, Electronic Discovery Services

This Webcast Will Begin Shortly

Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Lawrence Ryz and Tracey Stretton, EU

APPENDIX B TO REQUEST FOR PROPOSALS

Predictive Coding Helps Companies Reduce Discovery Costs

Meeting E-Discovery Challenges with Confidence

WHAT MATTERS MOST TO CORPORATE COUNSEL IN E-DISCOVERY MANAGEMENT. Presenting the results from BDO s inaugural Inside E-Discovery Survey

Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. ediscovery for DUMMIES LAWYERS. MDLA TTS August 23, 2013

GOT LAWYERS? THEY'VE GOT STORAGE AND ESI IN THE CROSS-HAIRS! Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

E-Discovery in Michigan. Presented by Angela Boufford

Unified ediscovery Platform White DISCOVERY, LLC

Best Practices for Streamlining Digital Investigations

Making Sense of E-Discovery: 10 Plain Steps for Producing ESI

How to Manage Costs and Expectations for Successful E-Discovery: Best Practices

Ethics in Technology and ediscovery Stuff You Know, But Aren t Thinking About

Streamlining the ediscovery

Metadata, Electronic File Management and File Destruction

Best Practices for Streamlining Digital Investigations

Jason Velasco 1/23/14. Webinar Sponsorship Partner

Transcription:

Finding a New Safe Harbor How Technology Can Support Data Protection Compliance By Michael Becker, Managing Director, Consilio

How Technology Can Support Data Protection Compliance The nullification of the U.S.-EU Safe Harbor Agreement was a shot heard around the legal world last fall. In the vacuum created by the collapse of this framework, and with new data privacy laws continuously emerging, organizations have been struggling to determine how best to proceed with cross-border transfers for litigation, compliance and regulatory investigations. Data privacy officers, compliance teams and legal counsel are attempting to find a balance between the regulatory framework governing personally identifiable information (PII) and their data transfer obligations. The answer to this challenge may lie in evolving ediscovery technology. The Current Data Protection Landscape In October 2015, the Court of Justice of the European Union issued its decision in Schrems v. Data Protection Commissioner, which invalidated the 15-year-old U.S.-EU Safe Harbor Agreement that provided organizations a means often the only means for transferring PII across EU borders to the United States. Its replacement, the Privacy Shield, has yet to be adopted by the EU data protection authorities, but it creates stricter obligations, including tighter controls over transfers to third-party data controllers and their agents. In the interim, organizations have limited options for transfers, including adopting model contract clauses that contain EU-approved language, implementing binding corporate rules that require consent from the local data protection authority or obtaining the freely given consent of the data subjects. The EU is not alone in strengthening protections for personal data. Numerous other nations, particularly in the Asia-Pacific and South America, are bolstering their data protection laws, making it even more difficult for data to cross borders. For instance, although China does not have a single, overarching data protection law, it has enacted a complex series of laws in various sectors that together create a right of privacy. China s Consumer Rights Protection Law governs consumers personal information, its Decision on Enhancing Internet Information Protection protects any personal data collected on or transferred over the Internet and its sweeping Law of the People s Republic of China on Guarding State Secrets regulates the processing and transferring of sensitive data. Likewise, Russia recently enacted new localization requirements for data controllers who store and process its citizens personal data, requiring them to first process data in Russia before transferring it out of the country. Rethinking the Approach to Cross-Border Data Transfers With so many complex data protection laws in place, and more being adopted all the time, companies with a recurring need to transfer data across international borders must rethink their approach. Two strategies suggested by The Sedona Conference in Practical In-House Approaches for Cross-Border Discovery & Data Protection are to [u]se the Processing stage of discovery as an opportunity to balance compliance with both discovery and Data Protection Laws, thereby

time of the essence in the heat of litigation and investigations, With so many complex data protection laws in place, and more being adopted all the time, companies with a recurring need to transfer data across international borders must rethink their approach. tools such as duplicate detection, predictive coding, redaction and anonymization must play a role in limiting the need to process and transfer PII. Duplicate Detection Because e-mails have both a sender as well as at least one recipient, demonstrating due respect for Data Subjects privacy rights, and to consider ways to limit the production of Protected Data during review. In turn, following this recommendation in tandem with Principle 3 of The Sedona Conference International Principles on Discovery, Disclosure & Data Protection can minimize conflicts with data protection laws: the [p]reservation or discovery of Protected Data should be limited in scope to that which is relevant and necessary to support any party s claim or defense in order to minimize conflicts of law and impact on the Data Subject. In short, one key to success in cross-border ediscovery is to minimize the data particularly protected data for transport. The Sedona Conference recommends that parties use technology to limit the amount of PII that must cross borders. One suggested approach is to filter using keywords to isolate documents that contain personal data before transferring them elsewhere in the same jurisdiction for review, which could help parties satisfy their obligations to produce information for overseas discovery while still complying with local data protection laws. The Sedona Conference cites an example of searching for terms such as the names of financial institutions to identify potentially sensitive banking information. However, it is almost impossible to identify all PII in a document set using keywords because it would require the attorneys and teams constructing the search to know in advance what they are looking for, which is rarely, if ever, the case in litigation or regulatory matters. Given the fact that data stores are growing exponentially, and with and collections often span those custodians, exact duplicates are rife across collected data sets. Thus, tools that can identify and eliminate exact duplicates are an essential component because they can greatly reduce the number of documents that organizations must actually review. Similarly, near duplicate documents, which are documents that contain a high degree of similar content, are estimated to make up as much as one-third of data sets. Technology can lend an assist here as well by allowing privacy review teams to look at nearly duplicate documents together, speeding the privacy review process. And, select review toolsets can also identify email duplicates which are email documents that have identical body text. These documents do not deduplicate from exact dupe analysis because their header information makes them unique, even when the text body of the email is identical. When applied for a privacy review, tags can set to automatically propagate to email duplicate records, further reducing the need to review often thousands of email documents. Predictive Coding Predictive coding is a type of technology-assisted review that learns by examining how senior attorneys code documents and then applies that learning across entire data sets. More specifically, after lawyers code a sample set of documents, the predictive coding algorithm analyzes this training data to discern indicia of for relevance, privilege, hotness and the like. The algorithm then classifies every document

in the data set accordingly. Typically, the classification is a ranking of probability that the document belongs to each category: the higher the probability, the more likely the document is relevant, privileged or important. For cross-border matters that require a privacy review, predictive coding expedites the process by culling nonresponsive documents from a collection and giving counsel a preview of a data set for early case assessment. Experience has shown that predictive coding is mightier than keyword searches when it comes to culling: on average, when parties run predictive coding after keyword filtering, 60 to 70 percent more nonresponsive documents are culled from the population. Moreover, predictive coding allows parties to process more documents quickly, saving precious review dollars and resources. Another key advantage of using predictive coding for privacy reviews is that because predictive coding is driven by statistics, the review process becomes more defensible than when keywords alone are used. This technology gives parties greater confidence that they have trimmed out as much nonresponsive information as possible. Unfortunately, not all predictive coding software is created equal. Today, most predictive coding software is created by American technologists with U.S.-based trial data. Therefore, the majority of these tools classifier engines fall short when it comes to evaluating the multilingual data sets typically involved in global matters. For these matters, where privacy is of the utmost importance, counsel should choose a discovery platform with predictive coding technology that supports multilingual document sets without needing to separate the data sets by language and without requiring the additional time and resources to create language-specific computer models. Redaction If relevant documents that contain PII must be produced, it may be possible to remove the PII to avoid violating data protection laws before transferring the documents out of the country. Two options are possible: manual and automated redaction. With traditional redaction, reviewers manually remove all personal information from a TIFF image or a PDF copy of the document to be produced. One difficulty is that this sensitive information often appears in exact duplicate or near duplicate documents or buried within e-mail threads within a data set. This is where review that groups near duplicates (or exact duplicates) together can be an accelerant and where e-mail thread grouping of reviewed sets can also improve redaction speed and consistency. Review administrators must ensure that any redactions are burned into the images so they cannot be removed by opposing legal teams, and they must confirm that metadata and text load files created from the original documents also reflect the redactions so sensitive data is not exposed in metadata fields (such as e-mail subjects or file names). To address the tediousness and other shortcomings of manual redaction, some review platforms now offer expressionbased searches. These tools can automate searches for certain programmable combinations of text, such as e-mail addresses or numeric combinations that represent telephone, employee identification, social security or bank account numbers which

points review teams to the documents that contain private data. Instead of searching for a specific term, these tools are looking for anything that might represent private data, such as a 16-character numeric sequence that could represent a credit card number or an eight-letter sequence preceded by three letters and a dash that could represent an account number. Expression-based searches have their own set of problems, however. These searches are notoriously overinclusive, with a huge number of false positive hits for information that is not private. Moreover, there is no guarantee that the software is finding all of the account numbers, given the number of variations possible and because of the possibility of permutations in the expected character string, whether by a typographical error, faulty optical character recognition or document coding. Furthermore, parties often forget to search beyond documents body text for PII, and metadata is often riddled with private data. Expression-based searches need to explore all metadata fields, but this is beyond the capability of many document review platforms. And most tools do not permit users to redact metadata: tools must have certain scripts and processes in place to anonymize or redact the presence of PII in the metadata. As a result, most parties must devise a workflow that allows them to flag the offending metadata attribute for that particular document so it is redacted or anonymized on production export. Until redaction technology evolves further, quality-control processes are of paramount importance. Parties must undergo a series of trial-and-adjustment searches to fine-tune their expression searches. As they proceed, counsel should create a bank of searches that they can apply to every future matter. Given the risk of revealing PII in the body text or metadata of documents, the bottom line is that few alternatives currently exist, aside from eyes-on review, to protect as much PII as possible. Automated Anonymization Another method for complying with data protection laws is anonymizing any PII in the data set. With anonymization, personal identifiers are permanently and completely deleted from a document. For example, a producing party could anonymize employee phone numbers into one single business phone number, or data about employee nationalities could be aggregated into showing the number of employees who represent each nationality. Another useful tool is pseudonymization, which still removes all identifying information but retains the links between multiple records pertaining to the same person. Unfortunately, today s anonymization tools suffer from flaws similar to many redaction tools currently on the market. For instance, if the PII does not match the expected pattern that the anonymization technology is searching for, whether by typographical errors or otherwise, the tool could fail to identify it. Furthermore, privacy advocates may contend that attempts to remove or modify PII simply whitewash legitimate privacy concerns without failing to address them. Finally, opposing counsel are likely to challenge the integrity of any data manipulated for anonymization. Recommendations for the Future As this white paper reveals, current ediscovery technology is not a silver bullet when it comes to addressing the risks of PII; therefore, parties must also create defensible privacy review processes. To be most effective, these processes must begin with a proactive information governance protocol implemented by an established ediscovery specialist with local roots. By better managing their PII before litigation or regulatory investigations arise and when they are not under the duress of ediscovery organizations can develop a sound understanding of their data at rest: where their data resides, what kinds of PII it contains and what its risk profile is. The only way for organizations to inventory

their data is through customized, expression-based searches. And to conduct a thorough search, the expertise of an ediscovery team with a strong local presence will be required. The key is to find a service provider with experience handling data in the country where it originated so it is aware of the risks and has the optimal technology, infrastructure, bandwidth, workflows and best practices to manage data in that region. The right team will be able to bring its servers, software, project managers and experts to bear for the company or law firm. Technology alone cannot solve the quandary organizations face when they must handle PII in cross-border litigation. Only by partnering with a seasoned provider with the right knowhow and workflows to exploit the power of technology can organizations create a process that they can feel confident presenting to opposing counsel and data protection authorities. About the Author As Managing Director at Consilio, Michael Becker supports international financial and industrial companies and law firms with comprehensive planning and management of ediscovery, computer forensics and managed-reviewed solutions. Michael has extensive expertise in the design, development and implementation of solutions in antitrust, fraud, compliance and corruption procedures, litigation, arbitration and internal investigations with specialized consideration of international data protection regulations and legal process outsourcing. Mr. Becker is a currently licensed attorney in Munich and speaks German, English and Italian. info@consilio.com consilio.com Copyright 2016 Consilio LLC ALL RIGHTS RESERVED

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information