Lighthouse Blog

Read the latest insights from industry experts on the rapidly evolving legal and technology landscapes, with topics including strategic and technology-driven approaches to eDiscovery, innovation in artificial intelligence and analytics, modern data challenges, and more.

Analytics and Predictive Coding Technology for Corporate Attorneys: Demystifying the Jargon

Below is a copy of a featured article written by Jennifer Swanton of Medtronic, Shannon Capone Kirk of Ropes & Gray, and John Del Piero of Lighthouse for Legaltech News.

Despite the traditional narrative that lawyers are hesitant to embrace technology, many in-house legal departments and their outside service providers are embracing what is generally referred to as artificial intelligence (AI). In litigation and internal investigations, this translates more specifically into conceptual analytics and predictive coding (also referred to as continuous active learning, or CAL), two of the more advanced technological innovations in the litigation space and in corporate America.

This adoption seems to be driven in part by an expectation from corporate leaders that their in-house counsel must be able to identify and use the best available technology to drive cost efficiency, while also reducing risk and strengthening defensible litigation positions. For instance, in a 2019 survey of 163 legal professionals conducted by ALM Intelligence and LexisNexis, 92% of attorneys surveyed planned to increase their use of legal analytics in the upcoming 12 months. The reasoning behind that expected increase was two-fold: lawyers indicated that it was driven both by competitive pressure to win cases (57%) and by client expectation (56%).

Given that the survey took place right before the COVID-19 pandemic hit, it stands to reason that the share of attorneys expecting to increase their use of analytics tools may be even higher now. With a divisive election and a receding pandemic only recently behind us, and an already unpredictable market, many corporations are tightening budgets and looking to further reduce unnecessary spend. Conceptual analytics and CAL are easy (yes, really) and effective ways to manage ballooning datasets and significantly reduce discovery, litigation, and internal investigation costs.

With that in mind, we would like to help build a better relationship between corporate attorneys and advanced technology with a two-step approach, which we will outline in a series of two articles. This first installment demystifies the language technology providers tend to use around AI and analytics so that in-house teams feel more comfortable with adoption. In our second article, we will provide examples of use cases where corporate legal teams can easily leverage technology to improve workflows. Together, we hope this approach can help in-house legal teams adopt technology that drives efficiency, lowers cost, and improves the quality of their work.

Demystifying AI Jargon

If you have ever discussed AI or analytics technology with a technology provider, you are probably aware that tech folks tend to forget that most of their clients don't live in the world of developing and evaluating new technology day in and day out. They may use terms that are confusing to their legal counterparts (and sometimes terms that don't match what the technology is actually capable of in the legal world). For this reason, it is helpful to level-set with some common terminology and definitions, so that in-house attorneys are prepared to have better, more practical discussions with technology providers.

Analytics Technology

Within the eDiscovery and compliance space, analytics technology is the ability of a machine to recognize patterns, structures, concepts, terminology, and/or the people interacting within data, and then present that analysis visually so that attorneys have a better overview of their data. As with AI, not all analytics tools have the same capabilities. Vendors may label everything from email threading to more advanced technology that can identify complex concepts and human sentiment as "analytics" tools. In these articles, when we use this term we are referring to the more advanced technology that can analyze not only the text within data but also the metadata and any previous coding applied by subject matter experts. This distinction matters because this type of technology can greatly improve the accuracy of the analysis compared to older tools. For example, analytics technology that can analyze metadata as well as text is much better at identifying concepts like attorney-client privilege, because it can analyze not only the language being used but who is using that language and the circumstances in which they use it.

Artificial Intelligence (AI)

Probably the most broadly recognized term due to its prevalence outside of the eDiscovery space, AI is technically defined as the ability of a computer to complete tasks that would usually require human intelligence. Within the eDiscovery and compliance world, vendors often use the term broadly to refer to a variety of technologies that can perform tasks that previously required entirely human review. It is important to remember, though, that the term covers a broad range of technology with very different capabilities. "AI" in the legal world is currently used as a generalized term, and legal consumers of such technologies should press for specifics: not all "AI" is the same, and in several cases it is not AI at all.

Machine Learning

Machine learning is a category of algorithms used in AI that find statistical patterns in large volumes of data. The algorithms improve with experience: as documents are coded consistently by humans, the algorithms should become better and more accurate at identifying specific data types. Note here that there is a common misunderstanding that machine learning requires enormous amounts of data from which to learn. In the eDiscovery setting, the quality of the input matters more than the raw volume: what machine learning needs in order to work well is that the input it learns from (i.e., document coding) is consistent and accurate.

Natural Language Processing (NLP)

NLP is a subset of AI that uses machine learning to process and analyze the natural language humans use within large amounts of data. The result is technology that can "understand" the contents of documents, including the context in which language is used within them. Within eDiscovery, NLP is used within more advanced forms of analytics technology to help identify specific content or sentiments within large datasets.

For example, NLP can be used to more accurately identify sensitive information, like personally identifiable information (PII), within datasets. NLP is better at this task than older tools, because those tools relied on "regular expressions" (a sequence of characters that defines a search pattern; this is pattern matching, not learning) to identify information. When a regular expression (or regex) is used to find, for example, VISA account numbers, it will identify the correct number pattern (i.e., any number that starts with the digit 4 and has 16 digits) within a dataset, but it cannot differentiate other numbers that happen to share the same pattern (for example, employee identification numbers). Thus, the results returned by legacy technology using regex may be overbroad and include false positives. NLP can return more accurate results for the same task because it identifies not only the number pattern but also the language used around the pattern. In this way, NLP learns the context in which VISA account numbers are communicated within that dataset compared to how employee identification numbers are communicated, and returns only the VISA numbers.

Predictive Coding (also referred to as Technology-Assisted Review or TAR)

Predictive coding is not the same as conceptual analytics. Also, predictive coding is a bit of a misnomer, as the tools don't predict or code anything; a human reviewer is very much involved. Simply put, it refers to a form of machine learning wherein humans review documents and make binary coding calls: what is responsive and what is non-responsive. This is similar in concept to selecting thumbs up or down in Pandora to teach the app which songs you like and don't like. After some human coding and calibration between the human and the tool, the technology uses the human's coding selections to score how the remaining documents should be coded, enabling the human to review the highest-scored documents first.

In the most current versions of predictive coding, the model continually improves and refreshes as the human reviews, which reduces or eliminates the need for surgical precision on coding at the start (a concern in the former version of predictive coding, and the reason providers and parties spent considerable time worrying about "seed sets"). This self-improving prioritization of large document sets is usually a more efficient and organized way to review documents.

Because of this evolution, predictive coding is referred to in a host of different ways, such as TAR 1.0 (which requires "seed sets" to learn from at the start) and TAR 2.0 (which continually refreshes as the human codes, and is thus also referred to as Continuous Active Learning or CAL). Some providers continue to use the old terminology, or explain their advancements by walking through the differences between TAR 1.0 and TAR 2.0, and so on. But, speaking plainly, providers and legal teams today should really only be concerned with the latest version of TAR, which uses CAL and significantly reduces or entirely eliminates the earlier concern with surgical precision on coding an initial "seed set." With our examples in the next installment, we hope to illustrate this point. In short, walking through the technological evolution of predictive coding and all of its associated terminology can cause unnecessary intimidation, and can cause confusion between providers, parties, and the court.

The key takeaway from these definitions is that even though all the technology described above may technically fall into the "AI" bucket, there is an important distinction between predictive coding/TAR and advanced analytics technology that uses AI and NLP. Predictive coding/TAR is a much more technologically limited method of ranking documents based on binary human decisions, while advanced analytics technology is capable of analyzing the context of human language within documents to accurately identify a wide variety of concepts and sentiment within a dataset. Both tools still require a good amount of interaction with human reviewers, and they are not mutually exclusive. In fact, on many investigations in particular, it is often very efficient to employ both conceptual analytics and TAR simultaneously in a review.

Please stay tuned for our next installment in this series, "Analytics and Predictive Coding Technology for Corporate Attorneys: Six Use Cases," where we will outline six specific ways that corporate legal teams can put this type of technology to work in the eDiscovery and compliance space to improve cost, outcomes, and efficiency.
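The regex-versus-context distinction made in the NLP definition above, as an added illustration that is not part of the original article. The script runs the bare pattern match the article describes (a 16-digit number starting with 4) against a short text and then applies a deliberately simple stand-in for context awareness: a Luhn checksum, which every real card number satisfies, plus a per-line keyword score. The sample text, the keyword lists, and the scoring rule are constructed assumptions for this example; a real NLP model learns the context from coded documents rather than from a hand-written word list, but the effect on false positives is the same.

```python
import re

# Constructed sample text (not from the article): one genuine card number in a
# payment context, one Luhn-valid number that is clearly an employee ID, and one
# number in a card context whose checksum fails. The card number is the
# well-known 4111 1111 1111 1111 test value.
SAMPLE_TEXT = """
Hi Dana, please charge the deposit to my Visa card 4111111111111111, expires 09/27.
Reminder: new hire badge for employee ID 4000000000000002 will be ready Monday.
Ticket #55: the ledger export shows account 4000000000000001 under the card column, looks corrupted.
"""

# The pattern the article describes: a 16-digit number starting with 4.
VISA_RE = re.compile(r"\b4\d{15}\b")

# Hypothetical context vocabularies (assumptions for this example); a real NLP
# model would learn these associations from coded documents instead.
CARD_WORDS = {"visa", "card", "credit", "cardholder", "expires", "cvv", "payment", "charge"}
NON_CARD_WORDS = {"employee", "badge", "staff", "personnel", "payroll", "hr"}


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def regex_only(text: str) -> list:
    """Legacy approach: every match of the pattern is reported as a card number."""
    return VISA_RE.findall(text)


def context_aware(text: str) -> list:
    """Keep a pattern match only if its checksum holds and the words on the same
    line look like a payment context rather than an employee-ID context."""
    hits = []
    for line in text.splitlines():
        words = set(re.findall(r"[a-z]+", line.lower()))
        score = len(words & CARD_WORDS) - len(words & NON_CARD_WORDS)
        for number in VISA_RE.findall(line):
            if luhn_ok(number) and score > 0:
                hits.append(number)
    return hits


if __name__ == "__main__":
    print("regex only:    ", regex_only(SAMPLE_TEXT))   # three matches, two of them false positives
    print("context aware: ", context_aware(SAMPLE_TEXT))  # only the real card number
```

The regex alone returns all three numbers; the checksum removes the corrupted ledger value and the keyword score removes the employee ID, leaving only the genuine card number. The same two signals (structural validity plus surrounding language) are what an NLP-based classifier learns implicitly, which is why its results are narrower than a pattern match.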

Biden Administration Executive Order on Promoting Competition: What Does it Mean and How to Prepare

On July 9, 2021, President Biden signed a sweeping new Executive Order ("the Order") with the stated goal of increasing competition in American markets. Like the recently issued Executive Order on Improving the Nation's Cybersecurity, the Executive Order on Promoting Competition in the American Economy is meant to establish a "whole-of-government" approach to an issue that is typically handled by numerous federal agencies. As such, the Order includes 72 initiatives touching more than a dozen federal agencies and numerous industries, including healthcare, transportation, agriculture, internet service providers, technology, beer and wine manufacturing, and banking and consumer finance.

Notably, the Order calls on the Department of Justice (DOJ) and the Federal Trade Commission (FTC) to "vigorously" enforce antitrust laws and "reaffirms" the government's authority to challenge past transactions that may have violated antitrust laws and regulations (even if they were not challenged by previous Administrations). The remainder of this blog broadly outlines the contents of the Order and concludes with a brief summary of possible ramifications for organizations undergoing merger and acquisition activity (as well as the law firms that counsel them) and how to prepare for them.

What is in the Executive Order on Promoting Competition in the American Economy

Section 1: Policy
This section broadly outlines the benefits of "robust competition" to America's economy and asserts the U.S. policy of promoting "competition and innovation" as an answer to the rise of foreign monopolies and cartels. This section also announces the Administration's policy of supporting "aggressive legislative reforms" to lower prescription drug prices and supports the enactment of a public health insurance option.

Section 2: The Statutory Basis of a Whole-of-Government Competition Policy
This section outlines the antitrust laws that form the basis of the Administration's whole-of-government competition policy, including the Sherman Act, the Clayton Act, and the Federal Trade Commission Act, as well as fair competition and anti-monopolization laws, including the Packers and Stockyards Act, the Federal Alcohol Administration Act, the Bank Merger Act, and others.

Section 3: Agency Cooperation in Oversight, Investigation, and Remedies
This section outlines the Administration's policy of cooperation between agencies on competition issues, stating that when there is overlapping jurisdiction over anticompetitive conduct and mergers, the involved agencies should "endeavor to cooperate fully in the exercise of their oversight authority" to benefit from the respective expertise of the agencies and to improve Government efficiency.

Section 4: The White House Competition Council
This section establishes a White House Competition Council to "coordinate, promote, and advance" government efforts to address monopolies and unfair competition. The section also mandates that the Council work across agencies to provide a coordinated response to monopolization and unfair competition, and outlines the Council's make-up and meeting cadence.

Section 5: Further Agency Responsibilities
This section mandates that the heads of all agencies "consider using their authorities" to further the competition policies outlined in the Order, and "encourages" the relevant agency heads (including the Attorney General, the Chair of the FTC, the Secretary of Commerce, and others) to enforce existing antitrust laws "vigorously," as well as to review and consider revisions to other laws and powers. Among other things, they are encouraged to:
- Enforce the Clayton Act and other antitrust laws "fairly and vigorously."
- Review merger guidelines to consider whether they should be revised.
- Revise positions on the intersection of intellectual property and antitrust laws.
- Review current practices and adopt a plan for the revitalization of merger oversight under the Bank Merger Act and the Bank Holding Company Act of 1956.
- Consider whether to revise the Antitrust Guidance for Human Resource Professionals of October 2016.
- Consider curtailing the unfair use of non-compete clauses that may unfairly limit worker mobility.
- Consider rulemaking in other areas, such as: unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy; unfair anticompetitive restrictions on third-party repair or self-repair of items (aimed at restrictions that prevent farmers from repairing their own equipment); unfair anticompetitive conduct or agreements in the prescription drug industries; unfair competition in major Internet marketplaces; unfair occupational licensing restrictions; unfair exclusionary practices in the brokerage or listing of real estate; and any other unfair industry-specific practices that substantially inhibit competition.

The section also calls upon the Secretary of Agriculture to address the unfair treatment of farmers and improve competition in the markets for farm products, and upon the Secretary of the Treasury to assess the conditions of competition in the American markets for beer, wine, and spirits (including improving the market for smaller, independent operations). Notably, this section also calls for the Chair of the Federal Communications Commission to consider adopting "Net Neutrality" rules and other avenues to promote competition and lower prices across the telecommunications ecosystem. Finally, the section calls for the Secretary of Transportation to protect consumers and improve competition in the aviation industry, including enhancing consumer access to airline flight information, providing consumers with more flight options at better prices, promoting rulemaking to require airlines to refund baggage fees, and addressing the failure of airlines to provide timely refunds for flight cancellations resulting from the COVID-19 pandemic.

Conclusion
As a whole, the result of this Order will be that organizations undergoing merger and acquisition activity can expect more scrutiny from the government, and law firms that counsel on those transactions can expect government investigations of those activities (like HSR Second Requests) to be more in-depth and meticulous. Accordingly, law firms and organizations preparing for those types of investigations would do well to evaluate their eDiscovery technology now, to ensure that they are using the best and most up-to-date legal technology and workflows to locate the data requested by the government more accurately and efficiently.

Sarah Moran

Cybersecurity Defense: Recommendations for Companies Impacted by the Biden Administration Executive Order

As summarized in the first installment of our two-part blog series, President Biden recently issued a sweeping Executive Order aimed at improving the nation's cybersecurity defense. The Order is a reaction to increased cyberattacks that have severely impacted both the public and private sectors. These attacks have evolved to the point that industry solutions have a much harder time detecting encryption and file state changes quickly enough to prevent an actual compromise. The consequence is that new and evolving ransomware and malware are now getting past even the biggest solution providers and leading scanners in the industry.

Thus, while on its face many of the new requirements within the Order are aimed at federal agencies and government subcontractors, the ultimate goal appears to be a more unified national cybersecurity defense across all sectors. In this installment, I will outline recommended steps for private sector organizations to prepare for compliance with the Order, as well as general best-practice tips for adopting a more preemptive approach to cybersecurity.

1. Conduct a Third-Party Assessment

First and foremost, organizations must understand their current cybersecurity posture. Given the severity and volume of recent cyberattacks, in-depth third-party or red-team assessments should be done that cover not only the organization's own IT assets but also its solution providers, vendors, and suppliers. Red teaming is the process of providing a fact-driven adversary perspective as an input to solving or addressing a problem. In the cybersecurity space, it has become a best practice wherein the cyber resilience of an organization is challenged from an adversary's or threat actor's perspective.[1] Red-team testing is very useful for testing organizational policies, procedures, and reactions against defined, intended standards.

A third-party assessment must include a comprehensive external network scan and a comprehensive internal scan (with internal access either provided or gained) intended to detect and expose potential vulnerabilities, exploits, and attack vectors for red-team testing. Internal discovery includes scanning and running tools intended to detect deeper vulnerabilities and areas of existing compromise. Physical intrusion tests against the facility, networks, and systems should be part of red-team testing, to test readiness and the defined policies and procedures. Agree the scope and rules of engagement in writing before testing begins, including which supplier-operated systems are in scope and who is authorized to approve access to them. The assessment evaluates the organization's ability to preserve the confidentiality, integrity, and availability of the information it maintains and uses, and tests the security controls and procedures used to secure sensitive data.

2. Integrate Solution Providers and IT Service Companies into Your Plans for the Above Steps

To accurately assess your organization's risk, you first have to know who your vendors, partners, and suppliers are and which of them you share critical data with. Many organizations rely on a complex, interconnected supply chain to deliver solutions or share data. As noted above, this is exactly why the Order will eventually broadly impact the private sector. While on its face the Order only seems to impact federal government and subcontractor entities, those entities' data infrastructures (like most today) are interconnected environments composed of many different organizations, with complex layers of outsourcing partners, diverse distribution routes, and various technologies used to deliver products and services, all of which will have to live up to the Order's cybersecurity standards. In short, the federal government is recognizing that its vendors', partners', and suppliers' cybersecurity vulnerabilities are also its own. The sooner all organizations realize this the better.

According to recent NIST guidance, "Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services." NIST recommends focusing on foundational practices, enterprise-wide practices, risk management processes, and critical systems: "Cost-effective supply chain risk mitigation requires organizations to identify systems and components that are most vulnerable and will cause the largest organizational impact if compromised."[2]

In the SolarWinds attack, the attackers inserted malicious code into the Orion software, and around 18,000 SolarWinds customers, including government and corporate entities, installed the tainted update onto their systems. The compromised update has had a sweeping impact, the scale of which keeps growing as new information emerges. Locking down your own networks, systems, and data is just the beginning. Asking how your supply chain implements a Zero Trust strategy and secures its environment, as well as your shared data, is vitally important. A cyber-weak or compromised partner can lead to exfiltration of data, which a bad actor can exploit or use to compromise your organization.

3. Develop a Plan to Address the Most Critical Vulnerabilities and Threats Right Away

Third-party assessors should deliver a comprehensive report of their findings that describes the vulnerabilities and risks found in the environment and recommends how to properly secure the data center assets, which will help companies stay ahead of the Order's mandates. The reports typically include specific data obtained from the network, any information regarding exploitation of exposures, and the attempts made to gain access to sensitive data. A superior assessment report contains documented, detailed findings from performing the service and conveys the assessor's opinion of how best to remedy each vulnerability. Findings are prioritized for action depending on the level of risk, usually as critical, high, medium, and low risk to the environment, and a remediation plan can be developed from that prioritization. When building that plan, weigh a finding's reachability (from the internet, and from the supplier connections identified in step 2) alongside its scanner severity; an externally reachable medium is often more urgent than an internal-only critical.

4. Develop a Zero Trust Strategy

As outlined in Section 3 of the Order, a Zero Trust strategy is critical to addressing the above steps, and must include establishing policy, training the organization, and assigning accountability for keeping the policy current. As defined in the National Security Agency (NSA) guidance on the Zero Trust security model: "The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity."[3]

Properly implemented, Zero Trust is not a set of access controls to be "checked off," but an assessment and implementation of security solutions that provide proper network and hardware segmentation as well as platform micro-segmentation, applied at all layers of the OSI (Open Systems Interconnection) model. A good position to take is that Zero Trust should be implemented using a design where every solution assumes it exists in a hostile environment and operates as if the other layers of the company's protections have already been compromised. This isolates the layers from one another and improves protection by applying Zero Trust principles throughout the environment, from perimeters to VPNs, remote access to web servers, and applications. For a true Zero Trust environment, focus on cybersecurity solution providers whose capabilities reach the "Advanced" maturity level described in the NSA's Cybersecurity Information paper "Embracing a Zero Trust Security Model."[4] This means that these solution providers can deploy advanced protections and controls with robust analytics and orchestration.

5. Evaluate Solutions that Preemptively Protect Through Defense in Depth

To further modernize your organization's cybersecurity protection, consider fully integrating or replacing some existing cybersecurity systems with ones that understand the complete end-to-end threats across the network. How can an organization implement confidentiality and integrity for breach prevention? Leverage automated, preemptive cybersecurity solutions, as they have the greatest potential to thwart attacks and rapidly identify any security breaches, reducing time and cost. Use a defense-in-depth blueprint for cybersecurity to establish outer and inner perimeters, enable a Zero Trust environment, establish proper security boundaries, provide confidentiality for access into the data center, and support capabilities that prevent data exfiltration from sensitive networks. Implement a solution that continuously scans for and detects ransomware, malware, and unauthorized encryption without relying on API calls, file extensions, or signatures to judge data integrity. Solutions must have built-in protections that combine multiple automated defense techniques, zero-day intelligence, honeypot sensors, and state-based detection working together to preemptively protect the environment.

Conclusion

As noted above, Cyemptive recommends the above steps in order to take a preemptive, holistic approach to cybersecurity defense. Cyemptive recommends initiating this process as soon as possible, not only to comply with potential government mandates brought about by President Biden's Executive Order, but also to ensure that organizations are better prepared for the increased cybersecurity threat activity we are seeing throughout the private sector.

[1] "Red Teaming for Cybersecurity." ISACA Journal, October 18, 2018. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-5/red-teaming-for-cybersecurity#1
[2] "Cyber Supply Chain Risk Management (C-SCRM)." NIST Cybersecurity & Privacy Program fact sheet (draft), May 2021. https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/C-SCRM_Fact_Sheet_Draft_May_10.pdf
[3] "NSA Issues Guidance on Zero Trust Security Model." NSA, February 25, 2021. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2515176/nsa-issues-guidance-on-zero-trust-security-model/
[4] "Embracing a Zero Trust Security Model." NSA Cybersecurity Information, February 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
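The detection requirement in step 5 above (scan for unauthorized encryption without relying on file extensions or signatures), as an added example that is not Cyemptive's or the original post's code. It uses one signal such a scanner can draw on: a file's byte entropy compared against a known-good baseline. Encrypted output looks random (close to 8 bits per byte) regardless of what the file is named, so a document whose entropy jumps from around 4 to nearly 8 between two snapshots has been overwritten with ciphertext. The snapshot contents, thresholds, and paths are constructed assumptions for this example; the archive entry shows the main false-positive case, since compressed data is also high-entropy and must be excluded by comparing against the baseline rather than by entropy alone.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data approaches 8.0 (assumed threshold)
MIN_JUMP = 1.5       # a file must rise at least this much over its baseline to be flagged (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def baseline(files: dict) -> dict:
    """Record the entropy of every file in a known-good snapshot."""
    return {path: shannon_entropy(data) for path, data in files.items()}


def detect_encryption_events(base: dict, current: dict) -> list:
    """Flag files that are now high-entropy and are either new or far above their baseline.
    A file that was already high-entropy (an archive, an image) is not flagged, which is
    what keeps the check from alerting on every .zip on the share."""
    flagged = []
    for path, data in current.items():
        now = shannon_entropy(data)
        before = base.get(path)
        if now >= HIGH_ENTROPY and (before is None or now - before >= MIN_JUMP):
            flagged.append(path)
    return flagged


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "file system" snapshots (not real files).
_REPORT = b"The quarterly report is attached. Please review the figures before Friday.\n" * 60
_NOTES = b"Call the auditors about the Q3 inventory count.\n" * 60
_ARCHIVE = _pseudo_random(4096, b"already-compressed-archive")

BASELINE_FILES = {
    "docs/report.txt": _REPORT,
    "backup/photos.zip": _ARCHIVE,
    "docs/notes.txt": _NOTES,
}

CURRENT_FILES = {
    "docs/report.txt": _pseudo_random(4096, b"encrypted-report"),   # overwritten in place; name and extension unchanged
    "backup/photos.zip": _ARCHIVE,                                  # unchanged; high entropy in both snapshots
    "docs/notes.txt": _NOTES,                                        # unchanged plaintext
    "tmp/dropped.bin": _pseudo_random(2048, b"new-high-entropy-file"),  # new file with no baseline
}


if __name__ == "__main__":
    base = baseline(BASELINE_FILES)
    for path, data in CURRENT_FILES.items():
        before = base.get(path)
        shown = "n/a " if before is None else f"{before:.2f}"
        print(f"{path:18s} baseline={shown} now={shannon_entropy(data):.2f}")
    print("flagged:", detect_encryption_events(base, CURRENT_FILES))
```

Only the overwritten report and the newly dropped file are flagged; the archive, which is just as high-entropy, is not, because it was already that way in the baseline. In practice the baseline would be kept in a store the monitored hosts cannot modify, and entropy would be one of several signals (write rate, rename bursts, canary files) rather than the only one; a whole-file threshold will also miss partial encryption of large files, which is why some ransomware encrypts only the first block of each file.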

Cybersecurity Defense: Biden Administration Executive Order a Great Start Towards a More Robust National Framework

On May 12, President Biden issued a landmark Executive Order ("the Order") aimed at improving the country's cybersecurity defense. The Order is an attempt to create a "whole of government" response to increasingly frequent cybersecurity incidents that have wreaked havoc in the United States in recent months, affecting everything from energy supplies to healthcare systems to IT infrastructure. In addition to becoming more frequent, recent cyberattacks have also become more sophisticated, and even somewhat professional. In response, the Biden administration seeks to build a national security framework that aligns the Federal government with private sector businesses in order to "modernize our cyber defenses and enhance the nation's ability to quickly and effectively respond to significant cybersecurity incidents." Prior to this Order, there was no unified system for reporting or responding to cybersecurity threats and breach incidents. Instead, there is a patchwork of state legislation and separate federal agency protocols, all with differing reporting, notification, and response requirements.

In the first of this two-part blog series, I will broadly outline the details of the Order and what it will mean for private sector companies in the coming years. In the second installment, Rob Pike (CEO and Founder of Cyemptive Technologies) will provide guidance on how to set up your organization for compliance with the Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach.

What is in President Biden's Executive Order on Improving the Nation's Cybersecurity

There are nine main sections to the Order, summarized below.

Section 1: Policy
This section outlines the overall goal of the Order: namely that, with this Order, the Federal government intends to make "bold changes and significant investments in order to defend the vital institutions that underpin the American way of life." To do so, the Order states that the government must improve its efforts to "identify, deter, protect against, detect, and respond to" cybersecurity attacks. While this may sound like a purely governmental task, the Order specifically states that this defense will require partnership with the private sector.

Section 2: Removing Barriers to Sharing Threat Information
As noted above, prior to this Order there was no unified system for sharing information regarding threats and data breaches. In fact, separate agency procurement contract terms may actually prevent private companies from sharing that type of information with federal agencies, including the FBI. This section of the Order responds to those challenges by requiring the government to update federal contract language with IT service providers (including cloud service providers) to require the collection and sharing of threat information with the appropriate government agencies. While the Order currently only speaks to federal subcontractors, this information-sharing requirement is expected to have a trickle-down effect across the private sector, with purely private companies falling in line to share threat information once federal subcontractors are required to do so.

Section 3: Modernizing Federal Government Cybersecurity
This section calls for the federal government to adopt security best practices, and is specifically aimed at adopting Zero Trust Architecture and pushing a move to secure cloud services, including "Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)." It requires each government agency to update its plans to prioritize the adoption and use of cloud technology and to develop a plan to implement Zero Trust Architecture, in part by incorporating the migration steps outlined by the National Institute of Standards and Technology (NIST).

Section 4: Enhancing Software Supply Chain Security
This section deals with raising the cybersecurity standards of software sold to the government. It specifically calls out the fact that the development of commercial software "often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." It therefore calls for "more rigorous and predictable mechanisms for ensuring that products function securely," and directs NIST to issue new security guidelines for software used by the government. These guidelines will include encryption requirements, multi-factor and risk-based authentication requirements, vulnerability detection and disclosure programs, and trust relationship audits, among others.

Section 5: Establishing a Cyber Safety Review Board
This section establishes a federal Cyber Safety Review Board, which will convene following significant cyber incidents and provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices. It will be made up of federal officials as well as representatives from private sector entities.

Section 6: Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This section again speaks to the patchwork of differing vulnerability and incident response procedures that currently exists across multiple federal agencies. The goal is to create a standard set of operational procedures (a playbook) for cybersecurity vulnerability and incident response activity. The playbook must incorporate all appropriate NIST standards, be used by all Federal Civilian Executive Branch (FCEB) agencies, and spell out all phases of incident response.

Sections 7 and 8: Improving Detection, Investigation, and Remediation of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
These two sections focus on creating a unified approach to the detection, investigation, and remediation of cybersecurity vulnerabilities and incidents. Section 7 focuses on improving detection, mandating that all FCEB agencies deploy an "Endpoint Detection and Response (EDR)" initiative to support proactive detection of cybersecurity incidents, and establishes procedures for threat hunting and detection as well as inter-agency information sharing around threat detection.
Section 8 is focused on improving the government’s investigative and remediation capabilities – namely, by establishing requirements for agencies and their IT service providers to collect, maintain, and share specified information from Federal Information System network logs.Section 9: National Security SystemsThis section requires the Secretary of Defense to adopt National Security System requirements that are at least equivalent to the requirements spelled out by the above sections in the Order.Who Will This Impact?As noted above, while the Executive Order is aimed at shoring up the federal government’s cybersecurity detection and response systems – its impacts will be felt throughout much of the private sector. That isn’t a bad thing! A patchwork cybersecurity system is clearly not the best way to respond to the increasingly sophisticated cybersecurity incidents currently threatening both the United States government and the private sector. Responding to these threats requires a robust, unified national cybersecurity system, which in turn requires updated and unified cybersecurity standards across both government agencies and private sector companies. This Executive Order is a great stepping stone towards that goal.As far as timing for private sector impacts: the first impacts will be felt by software companies and other organizations that directly contract with the federal government, as there are direct requirements and implications for those entities spelled out within the Order. Many of those requirements come into play within 60 days to a year after the date of the Order, so there may be a quick turnaround to comply with any new standards for those organizations. Impacts are then expected to trickle down to other private sector organizations: as government subcontractors update policies and systems to comply with the Order, they will in turn require the companies that they do business with to comply with the new cybersecurity standards. 
In this way, the Order actually creates an opportunity for the federal government to create a cybersecurity floor above which most companies in the US will eventually have to comply.ConclusionDetecting and defending against cybersecurity threats is an increasingly difficult worldwide challenge – a challenge to which, currently, no perfect defense exists. However, with this Order, the United States is taking a step in the right direction by creating a more unified cybersecurity standard and network that will encourage better detection, investigation, and mitigation.Check out the second installment of this blog series, where Rob Pike, CEO and Founder of Cyemptive Technologies, provides guidance on how to set up your organization for compliance with the Executive Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach. If you would like to discuss this topic further, please reach out to me at erubenstein@lighthouseglobal.com.data-privacy; information-governancecloud, cybersecurity, blog, corporate, data-privacy, information-governancecloud; cybersecurity; blog; corporateerin rubenstein
Data Privacy
Information Governance
Blog

How to Get Started with TAR in eDiscovery

In a recent post, we discussed that requesting parties often demand more transparency with a Technology Assisted Review (TAR) process than they do with a process involving keyword search and manual review. So, how do you get started using (and understanding) TAR without having to defend it? A fairly simple approach: start with some use cases that don’t require you to defend your use of TAR to outside parties.

Getting Comfortable with the TAR Workflow

It’s difficult to use TAR for the first time in a case for which you have production deadlines and demands from requesting parties. One way to become comfortable with the TAR workflow is to conduct it on a case you’ve already completed, using the same document set with which you worked in that prior case. Doing so can accomplish two goals:

1. You develop a better understanding of how the TAR algorithm learns to identify potentially responsive documents. Based on documents that you classify as responsive (or non-responsive), you will see the algorithm begin to rank other documents in the collection as likely to be responsive as well. Assuming your review team was accurate in classifying responsive documents manually, you will see how those same documents are identified as likely to be responsive by the algorithm, which engenders confidence in the algorithm’s ability to accurately classify documents.

2. You learn how the TAR algorithm may identify potentially responsive documents that were missed by the review team. Human reviewers are only human, and they sometimes misclassify documents. In fact, many studies would say they misclassify them regularly. Assuming that the TAR algorithm is properly trained, it will often classify documents (both responsive and non-responsive) more accurately than the human reviewers, enabling you to learn how the TAR algorithm can catch mistakes that your human reviewers have made.

Other Use Cases for TAR

Even if you don’t have the time to use TAR on a case you’ve already completed, you can use TAR for other use cases that don’t require a level of transparency with opposing counsel, such as:

- Internal Investigations: When an internal investigation dictates review of a document set that is conducive to using TAR, this is a terrific opportunity to conduct and refine your TAR process without outside review or transparency requirements to uphold.

- Review Data Produced to You: Turnabout is fair play, right? There is no reason you can’t use TAR to save costs reviewing the documents produced to you while determining whether the producing party engaged in a document dump.

- Prioritizing Your Document Set for Review: Even if you plan to review the entire set of potentially responsive documents, using TAR can help you prioritize the set for review, pushing documents less likely to be responsive to the end of the queue. This can be useful in rolling production scenarios, or if you think that eventual settlement could obviate the need to review the entire collection.

Combining TAR technology with efficient workflows that maximize the effectiveness of the technology takes time and expertise. Working with experts who understand how to get the most out of the TAR algorithm is important. But it can still be daunting to use TAR for the first time in a case where you must meet a stringent level of defensibility and transparency with opposing counsel. Applying TAR first to use cases where that level of transparency is not required enables your company to get to that efficient and effective workflow before you have to prove its efficacy to an outside party.

Mitch Montoya
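The two goals described above (watching the algorithm rank unreviewed documents from a small coded seed set, and letting it flag documents the review team may have miscoded) can be tried on a desk-sized corpus. The following is an added illustration, not code from Lighthouse or from any review platform: it uses a multinomial naive Bayes text classifier as a stand-in for a TAR engine, and the eight sample documents, their labels, and the "delayed shipment" matter are all constructed for the example. Real TAR tools use richer models and continuous retraining, but the label, train, rank, re-review cycle is the same.

```python
"""Toy TAR-style ranking loop: code a few documents, train a classifier,
rank the rest, and surface documents whose human coding the model
disagrees with. Added illustration; not Lighthouse's or any vendor's code.
Multinomial naive Bayes over a bag of words, standard library only."""
import math
import re
from collections import Counter

# Constructed sample corpus for a hypothetical supply-contract dispute.
# "Responsive" here means the document concerns the contract or shipments.
CORPUS = {
    "D1": "contract delivery delayed shipment penalty clause invoked",
    "D2": "shipment delayed again contract breach penalty notice sent",
    "D3": "team lunch friday cafeteria menu pizza",
    "D4": "holiday party planning cafeteria pizza music",
    "D5": "penalty clause contract delivery schedule revised",
    "D6": "invoice for delayed shipment under contract attached",
    "D7": "fantasy football league picks friday",
    "D8": "cafeteria closed friday pizza lunch moved",
}

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class NaiveBayesRanker:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""

    def __init__(self, corpus):
        self.corpus = corpus
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = {True: 0, False: 0}
        self.vocab = set()

    def train(self, labels):
        """labels: {doc_id: True/False} as coded by human reviewers."""
        for doc_id, responsive in labels.items():
            tokens = tokenize(self.corpus[doc_id])
            self.word_counts[responsive].update(tokens)
            self.doc_counts[responsive] += 1
            self.vocab.update(tokens)

    def _log_likelihood(self, word, cls):
        total = sum(self.word_counts[cls].values())
        return math.log((self.word_counts[cls][word] + 1) / (total + len(self.vocab)))

    def score(self, doc_id):
        """Log-odds that the document is responsive; > 0 favours responsive.
        Priors are smoothed so a one-sided seed set cannot produce log(0);
        words never seen in training carry no evidence and are skipped."""
        n_docs = self.doc_counts[True] + self.doc_counts[False]
        log_odds = math.log((self.doc_counts[True] + 1) / (n_docs + 2)) \
            - math.log((self.doc_counts[False] + 1) / (n_docs + 2))
        for word in tokenize(self.corpus[doc_id]):
            if word in self.vocab:
                log_odds += self._log_likelihood(word, True) - self._log_likelihood(word, False)
        return log_odds

    def rank(self, doc_ids):
        """Most-likely-responsive first: the review queue order TAR produces."""
        return sorted(((d, self.score(d)) for d in doc_ids),
                      key=lambda item: item[1], reverse=True)


def rank_unlabelled(corpus, labels):
    """Goal 1 from the post: train on the human-coded seed set, then rank
    the remaining documents by how likely the model thinks they are responsive."""
    ranker = NaiveBayesRanker(corpus)
    ranker.train(labels)
    remaining = [d for d in corpus if d not in labels]
    return ranker.rank(remaining)


def find_disagreements(corpus, labels):
    """Goal 2: leave-one-out check. Retrain without each coded document and
    flag it when the model's prediction contradicts the reviewer's coding;
    flagged documents are candidates for quality-control re-review."""
    flagged = []
    for doc_id, human_label in labels.items():
        others = {d: lab for d, lab in labels.items() if d != doc_id}
        ranker = NaiveBayesRanker(corpus)
        ranker.train(others)
        if (ranker.score(doc_id) > 0) != human_label:
            flagged.append(doc_id)
    return flagged


if __name__ == "__main__":
    seed = {"D1": True, "D2": True, "D3": False, "D4": False}
    for doc_id, s in rank_unlabelled(CORPUS, seed):
        print(f"{doc_id}: {s:+.2f}  {CORPUS[doc_id]}")
    # A reviewer (hypothetically) coded D6 non-responsive although it is
    # about a delayed shipment under the contract; the model disagrees.
    coded = {**seed, "D5": True, "D6": False}
    print("QC candidates:", find_disagreements(CORPUS, coded))
```

Run as a script, the seed set of four coded documents is enough for the contract-related D5 and D6 to rank above the cafeteria and football documents, and the leave-one-out pass singles out D6 as the one document whose human coding the model contradicts. That is the same signal a TAR platform surfaces when its prediction and a reviewer's call diverge, which is why a completed matter makes a safe place to watch it happen.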
eDiscovery and Review
AI and Analytics
Blog

Productizing Your Corporate Legal Department’s Services: Making Build vs. Buy vs. Outsourcing Decisions

For years, general counsel have weighed the pros and cons of doing a task internally versus sending the work to outside counsel; this is not a new dichotomy. What is newer, however, is the proliferation of technology available for legal and the business savvy now being applied to internal legal departments. This has opened up more choices for legal departments. First, you have to figure out whether you can apply technology, then whether you should build or buy that technology, and finally whether you should outsource any portion of the process.

Before you start down the path of buy vs. build vs. outsource, I would recommend assessing your department’s offerings. In the earlier parts of this series, I outline how you can do that. Once you understand your services and your gaps, you can better determine where you may need to apply build vs. buy decisions. Whether you are a general counsel or a legal operations professional, this blog will outline four key aspects to include in your framework as you make these decisions.

1. Problem/Solution List

Start with a list of services your company needs and possible solutions. If you followed the productization process, you will have a good list. If you have not yet done this, you can at least jot down a list of your company’s legal needs, how pervasive and urgent they are, whether they further the company strategy, as well as any potential solutions.

Next, order that list from most pervasive to least pervasive. Where there is a tie, look to the problem’s relationship to company strategy.

Next, work through all of the items in box A. You want to be able to answer the following questions:

- Is there an existing solution?
- Is there a software solution that may apply?
- What are the costs/benefits of all possible solutions?
- Is there typically urgency around the request?
- All other things being equal, do we have the expertise to handle this in house?

If you have gaps in A, B, or C, I would recommend addressing those before process improvement items.

2. Cost-Benefit Analysis

Next, for any change (either addressing a gap or a process improvement) you should do a cost-benefit/return on investment analysis. Note that if you are just trying to get a sense of which problem on your list to address, you can do a high-level analysis by categorizing the solutions into low, medium, or high financial impact. If, however, you are getting to the point of suggesting a change internally and asking for budget, you want to do a much more in-depth quantitative analysis. On the benefit side, you want to consider any revenue acceleration for the company (e.g., customers’ revenue hits a quarter earlier) as well as costs reduced and avoided (e.g., outside counsel fees). If there are other quantifiable benefits, you should include them as well. On the expense side, make sure to consider licensing, annual maintenance, user fees, implementation, infrastructure, training, hourly support/expert charges, and any ongoing costs. You should predict these benefits and costs for the next 3 years, as that is a common period to see whether there is a return on your investment. You can also prepare a version of this document showing the same cost/benefit of building the solution internally as well as outsourcing it to outside counsel.

3. Additional Factors: Urgency and Expertise

Once you have the cost-benefit analysis for the various solutions, you usually have a preferred direction. However, don’t forget to account for time and expertise. You should then consider how urgent the requests are. The more urgent a request, the more likely it should be handled by technology or outsourced, as those solutions typically can bring more resources to bear. You should then consider expertise. More specifically, does one need specific knowledge about the company to solve this problem, or will there be a lot of need to liaise internally? If so, the solution should likely stay with the internal corporate legal department. Conversely, does this require niche expertise, and is it better handled by an outside counsel with that expertise? Make notes of these considerations with your cost-benefit analysis, as these factors can sway a decision in one direction or another.

4. Decision Time

Ultimately, making these decisions is more of an art than a science. They are also decisions that can and should be revisited as things change in your business and legal department. The above should give you the right information to make an informed decision. Ultimately, you will want to share your decision with others and get input before finalizing a direction.

By following the productization process, orienting your solutions towards your customers, streamlining how you deliver services, and applying the right sets of resources through build versus buy decisions, your legal department will operate more efficiently.

Lighthouse
Legal Operations
Blog

Productizing Your Corporate Legal Department’s Services: Internally Marketing Your Solutions

In my last two blogs, I discussed how your legal department can productize services to become more efficient, and I shared some tips for how to determine the legal needs within your organization. Now that you know the added benefits and understand the legal needs, the natural next step is to determine what legal service “products” to offer, as well as any gaps. However, if nobody knows what these repeatable solutions are, what good are they? This is where creating an internal marketing plan to get the word out about your department’s legal services is critically important. In this blog, we’ll talk about how to do that by answering who, what, when, where, and why.

Who?

When you create your internal plan, the first thing you need to do is understand who you are marketing to. The easiest way to do this is to create some simple “personas.” You can easily do this based on the interviews you conducted as part of your earlier search. You should build a persona for each distinct type of user coming to you; typically this aligns with internal departments. In detailing each persona, you should include the following:

- Typical day-to-day work of your persona
- Typical interaction with legal
- Top of mind issues/challenges
- Other notes

What?

Next, you will need to decide what you are going to market to these personas (i.e., repeatable workflows). Common ones in the legal arena are contract, litigation, HR investigation, and patent workflows. Once you have the workflows applicable to your company identified, detail the features of each workflow. For example: it is automated; it has six common template documents, a clause library, and contract status; and it leverages existing company technology.

Once you have your personas, workflows, and features, you’re ready to create a positioning document. You should create one document for every problem/solution set (i.e., workflow). This will form the basis of how you share the information with others. The goal of this document is to position your solution in a way that resonates with the internal users. Below is a format that I find helpful to follow, and I have inserted an example based on a contract workflow.

PROBLEM: There is a problem in the company today. Contract negotiations are long, cumbersome, and not transparent. This can delay revenue opportunities. In addition, final contracts are difficult to locate and manage.

SOLUTION: The ideal solution to this problem is an easy-to-use process, with some contracts being able to avoid legal review. The solution would allow easy access to status for interested parties and would allow those, or other, interested parties to access the contractual information at a later date.

PRIMARY MESSAGE (SHORT - 1 SENTENCE): The Corporate Legal Department delivers a business-driven model for negotiating and managing contracts that accelerates, not hinders, company growth.

SERVICE DESCRIPTION (2-3 SENTENCES): By leveraging an intake form, employees are directed to a self-service, spectra portal for template contracts or put in touch with an attorney for more complex matters. The status of their request, as well as information about all finalized contracts, is displayed in our JIRA system, giving users full access to contract status as well as important contractual data of finalized contracts.

HIGHLIGHTS (THESE SHOULD BE PROBLEM-ORIENTED FEATURES):
- Reduces contract turnaround by leveraging templated contracts and clauses
- Allows users access to contract status anytime, anywhere
- No new systems (i.e., leverages existing company tools)
- Etc.

The above will create a lot of different worksheets and information. Since I like to keep things a little simpler, I also create a cliff notes version of this to show the all-up view of your corporate legal department’s services.

Once you have completed your positioning, don’t be afraid to run the messaging by some of the people you interviewed. You want to make sure that it is clear how legal will be helping them get their work done. I would suggest selecting people who are friendly to your department and with whom you have a good working relationship, since you are running draft information by them and not a final product.

Where, When, and Why?

Third, you need to think about where, when, and why you are getting the message out. The goal is to get it out wherever your users are, often, and in a way that they like to consume the information. At a minimum, I would suggest doing a launch of the updated services and including information about that launch on:

- The company wiki page/internal site
- Any internal ticketing tool
- A company newsletter (or a company meeting if appropriate)
- Any onboarding materials/presentations your company does for new hires
- Or even a “roadshow,” where you present to each department within your organization what services the legal team offers

During any presentation, it is always helpful to inject some fun into the presentation. I have heard of some legal departments doing humorous videos or skits to capture the attention of their employees. Partner with your internal marketing team, as they may have some great suggestions on how you can get the word out.

Finally, don’t forget about post-launch messaging. Though you may see an uptick in users after a launch, some people will have missed the information the first time around or will have forgotten it by the time they get to an issue that they want to bring to legal. To that end, make sure you have a plan for continued marketing. I like to showcase successes in follow-up marketing (e.g., a contract turnaround case study showing the reduced times or some metrics on impact). This information can be shared in an employee newsletter or as a quick email to leaders asking them to share it in their department meetings.

This is quite a robust process, and you should expect it will take several weeks, or even months, to complete. You will also likely continue to refine this marketing plan as you address gaps by adding services and gathering feedback. The benefit of going through this process is that it brings clarity to what legal does, brings efficiency by advertising repeatable workflows, and gives everyone in legal visibility into the challenges in the business and how legal addresses those.

Lighthouse
Legal Operations
Blog

An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations

Increasingly, opportunities for cloud-based collaboration and efficiencies, and challenges presented by the rapid proliferation of complex data, are incentivizing organizations to transform their corporate data governance and eDiscovery operations from traditional self-managed infrastructure to the Microsoft 365 (M365) Cloud. Benefits in terms of convenience, security, robust functionality, and native capabilities related to eDiscovery and compliance are the primary drivers of this move.

While there are many benefits to moving into the M365 ecosystem, it requires legal and compliance teams to take on new considerations regarding the constant evolution that characterizes cloud software. With continually changing applications, establishing static workflows for eDiscovery, legal holds, data dispositions, and other legal operations is not enough. As the M365 software and functionality changes, workflows must be constantly evaluated to ensure their validity, relevance, and defensibility.

Exacerbating this challenge is the reality that the traditional IT change management paradigm designed to preemptively address cross-organizational considerations (including impacts to legal, compliance, and eDiscovery operations) does not fit the Cloud/SaaS framework. Organizations must now rethink their change management approach as they modernize with M365.

This is the first in a series of blog posts devoted to highlighting key changes that have been released into the M365 production environments. One of the biggest challenges for organizations is identifying which of the myriad updates pose potential risks to eDiscovery operations. Distinguishing the changes that do and do not pose a significant eDiscovery impact can be extremely difficult unless the reviewer has some level of subject-matter expertise and understands the specific workflows deployed within the organization. Here are some common scenarios with potential eDiscovery impact that could easily go unnoticed by the untrained eye:

- Updates that create a new data source
- Updates that change a backend data storage location
- Updates altering the risk profile of features that were previously disabled due to legal / privacy risk
- Updates that render an existing eDiscovery process obsolete

Each subsequent blog post in this series will highlight an example of a software update related to our key software scenarios, detailing the nature of the change, the potential impact, as well as when and why organizations should care.

Lighthouse
Microsoft 365
Chat and Collaboration Data
Information Governance