Lighthouse Blog

Ever since ABA Model Rule of Professional Conduct 1.1 [1] was modified in 2012 to include an ethical obligation for attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology [2]” (emphasis added), attorneys in almost every state have had a duty to stay abreast of how technology can both help and harm clients. In other words, most attorneys practicing law in the United States have an ethical obligation to not only understand the risks created by the technology we use in our practice (think data breaches, data security, etc.), but also to keep abreast of technology that may benefit our practice.Nowhere is this obligation more implicated than within the eDiscovery realm. We live in a digital world and our communications and workplaces reflect that. Almost any discovery request today will involve preserving, collecting, reviewing, and producing electronically stored information (ESI) – emails, text messages, video footage, Word documents, Excels, PowerPoints, social media posts, collaboration tool data – the list is endless. To respond to ESI discovery requests, attorneys need to use (or in many cases, hire someone who can use) technology for every step of the eDiscovery process – from preservation to production. Under Model Rule 1.1, that means that we must stay abreast of that technology, as well as any other technology that may be beneficial to completing those tasks more effectively for our clients (whether we are providing legal advice to an organization as in-house counsel or externally through a law firm).In this post, I posit that in the very near future, this ethical obligation should include a duty to understand and evaluate the benefits of leveraging Artificial Intelligence (AI) during almost any eDiscovery matter, for a variety of different use cases.AI in eDiscoveryFirst, let’s level set by defining the type of technology I’m referring to when I use the term “AI,” as well as take a brief look at how AI technology is currently being used within the eDiscovery space. Broadly speaking, AI refers to the capability of a machine to imitate intelligent human behavior. Within eDiscovery, the term is often also used broadly to refer to any technology that can perform document review tasks that would normally require human analysis and/or review.There is a wide range of AI technology that can help perform document review tasks. These include everything from older forms of machine learning technology that can analyze the text of a document and compare it to the decisions made about that document by a human to predict what the human decision would be on other documents to newer generations of analytics technology that can analyze metadata and language used within documents to identify complicated concepts, like the sentiment and tone of the author. This broad spectrum of technology can be incredibly beneficial in a number of important document review use cases – the most common of which I have outlined below: Culling Data - One of the most common use cases for AI technology within eDiscovery is leveraging it to identify documents that are relevant to the discovery request and need to be produced. Or, conversely, identify documents that are irrelevant to the matter at hand and do not need to be produced. AI technology is especially proficient at identifying documents that are highly unlikely to be responsive to the discovery request. In turn, this helps attorneys and legal technologists “cull” datasets, essentially eliminating the need to have a human review every document in the dataset. Newer AI technology is also better at identifying documents that would never be responsive to any document request (i.e., “junk” documents) so that these documents can be quickly removed from the review queue. More advanced AI technology can do this by aggregating previously collected data from within an organization as well as the attorney decisions made about that data, and then use advanced algorithms to analyze the language, text, metadata, and previous attorney decisions to identify objectively non-responsive junk documents that are pulled into discovery request collections time and time again. Prioritizing and Categorizing Data - Apart from culling data, AI can also be used to simply make human review more efficient. Advanced AI technology can be used to identify specific concepts and issues that attorneys are looking for within a dataset and group them to expedite and prioritize attorney review. For example, if a litigation involves an employee accused of stealing company information, advanced AI technology can analyze all the employee’s communications and digital activities and identify any anomalies, such as an activity that occurred during abnormal work hours or communications with other employees with whom they normally would not have reason to interact. The machine can then group those documents so that attorneys can review them first. This identification and prioritization can be critical in evaluating the matter as a whole, as well as helping attorneys make better strategic decisions about the matter. Review prioritization can also simply help meet court-imposed production deadlines on time by enabling human reviewers to focus on data that can go out the door quickly (i.e., documents that the machine identified as highly likely to be responsive but also highly unlikely to involve issues that would require more in-depth human review like privilege, confidentiality, etc.). Identifying Sensitive Information - On the same note, AI technology is now more adept at identifying issues that usually require more in-depth human review. Newer AI technology that uses advanced Natural Language Processing (NLP) and analyzes both the metadata and text of a document is much better at identifying documents that contain sensitive information, like attorney-client privileged communications, company trade secrets, or personally identifiable information (PII). This is because more advanced NLP can take context into account and, therefore, more accurately identify when an internal attorney is chatting with other employees over email about the company fantasy football rankings vs. when they are providing actual legal advice about a work-related matter. It can do this by analyzing not only the language being used within the data, but also how attorneys are using that language and with whom. In turn, this helps attorneys conducting eDiscovery reviews prioritize documents for review, expedite productions, and protect privileged information.Attorneys’ Ethical Obligation to Consider the Benefits of AI in eDiscovery The benefits of AI in eDiscovery should now be clear. It is already infeasible to conduct a solely human linear review of terabytes of data without the help of AI technology to cull and/or prioritize data. A review of that amount of data (performed by humans reviewing one document at a time) can require months and even years, a virtual army of human reviewers (all being paid at an hourly rate), as well as the training, resources, and technology necessary for those reviewers to perform the work proficiently. Because of this, AI technology (via technology assisted review (TAR)) has been widely accepted by courts and used by counsel to cull and prioritize large sets for almost a decade.However, while big datasets involving terabytes of data were once the outliers in the eDiscovery world, they are now quickly becoming the norm for organizations and litigations of all sizes due to exploding data volumes. To put the growing size of organizational data in context, the total volume of data being generated and consumed has increased from 33 zettabytes worldwide in 2018 to a predicted 175 zettabytes in 2025[3]. This means that soon, even the smallest litigation or investigation may involve terabytes of data to review. In turn, that means that AI technology will be critical for almost any litigation involving a discovery component.And that means that we as attorneys will have an ethical duty to keep abreast of AI technology to competently represent our clients in matters involving eDiscovery. As we have seen above, there is just no way to conduct massive document reviews without the help of AI technology. Moreover, the imperative task of protecting sensitive client data like attorney-client privilege, trade secret information, and PII (which all can be hidden and hard to find amongst massive amounts of data) also benefits from leveraging AI technology. If there is technology readily available that can lower attorney costs and client risk, while ensuring a more consistent and accurate work product, we have a duty to our clients to stay aware of that technology and understand how and when to leverage it.But this ethical obligation should not scare us as attorneys and it doesn’t mean that every attorney will need to become a data scientist in order to ethically practice law in the future. Rather, it just means that we, as attorneys, will just need to develop a baseline knowledge of AI technology when conducting eDiscovery so that we can effectively evaluate when and how to leverage it for our clients, as well as when and how to partner with appropriate eDiscovery providers that can provide the requisite training and assist with leveraging the best technology for each eDiscovery task.ConclusionAs attorneys, we have all adapted to new technology as our world and our clients have evolved. In the last decade or so, we have moved from Xerox and fax machines to e-filings and Zoom court hearings. The same ethic that drives us to evolve with our clients and competently represent them to the best of our ability will continue to drive us to stay abreast of the exciting changes happening around AI technology within the eDiscovery space.To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com.‍[1] “Client-Lawyer Relationship: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” ABA Model Rules of Professional Conduct, Rule 1.1.[2] See Comment 8, Model Rules of Professional Conduct Rule 1.1 (Competence)[3] Reinsel, David; Gantz, John; Rydning, John. “The Digitization of the World From Edge to Core.” November 2018. Retrieved from https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf. An IDC White Paper, Sponsored by SEAGATE.ai-and-analyticsanalytics, ai-big-data, ediscovery-process, red-flag-reporting, departing-onboarding-employee, prism, blog, focus-discovery, ai-and-analytics,analytics; ai-big-data; ediscovery-process; red-flag-reporting; departing-onboarding-employee; prism; blog; focus-discoverysarah moran

Legal departments tend to run fairly lean. This means relying on external parties to accomplish any task is the norm. But when you are managing dozens of outside counsel on different matters, it can be nearly impossible to keep abreast of email traffic, calendars, and the status of any given task. Thankfully with a little bit of technology and some organization, this issue can be solved. This blog will share some tips on how other legal departments have solved this challenge.Select a technology platform to support organization and collaboration. The technology should allow internal and external parties to edit documents, view and manage calendars, organize task lists, and make comments and/or send messages to each other. There are many technologies that organizations use, such as Microsoft Teams or Google Workspace, that work well for this type of collaboration internally, but are not necessarily set up for external collaboration. With some additional work, you can also set these tools up for external collaboration. However, given all the privacy and data management considerations for internal use, one can imagine how high the hurdles are to set this up for external use. If you are facing those hurdles, there are several third-party technologies, such as Joinder and HighQ, that work well for external collaboration. These third-party cloud technologies are fairly low cost and quick to implement. The most important thing here is to choose a single platform. You want to make sure that you are able to minimize switching platforms with every new matter and/or outside counsel. Imagine the ease with which you can get an overview of all your legal work if you can log in to one platform and see your litigation eDiscovery deadlines, patent filing deadlines, and third-party subpoena response deadlines. You can then seamlessly edit the associated documents and assign a task to the next reviewer. You can see how selecting a single platform provides greater visibility and efficiency.Ensure each third party has a person responsible for maintaining the records inside the shared technology. Although you will likely have multiple people working on any given matter, you want to make sure there is at least one person from each third party who is responsible for updating the system. This should be someone knowledgeable about the matter, the deadlines, and the tasks. This should also be someone who is highly organized and comfortable with the technology.Agree upon a common organizational structure. The hardest thing about managing hundreds of matters is staying organized across all of them. If you choose a way to organize that remains consistent, it makes it much easier to find what you are looking for quickly. For example, you may choose to folder documents and tasks by matter type or by the department of origination. Either way, make sure it is a structure that makes sense across your legal portfolio. Here are some considerations to ponder when deciding how to name your files.Write the above into your outside counsel guidelines. A third-party collaboration tool and the organizational system are only as good as the adoption. By writing a requirement to keep it updated into your outside counsel guidelines, you are increasing the chances of success. Here is some sample text for your use:[Company name] uses [software name] as its third-party collaboration tool and asks that each of its outside counsel use [software name] for all work on the matter. On at least a weekly basis, outside counsel shall update [software name] with important dates in the matter, an updated list of tasks in the matter, and any final versions of key documents in the matter.The benefits of having all your legal documents in one platform increase over time. You create a system of records that can be referenced at any time. I hope that these tips will help you implement a solution for third-party collaboration so you can reduce the time you spend searching your email for the last version of the contract.legal-operationsediscovery-process, legal-ops, blog, legal-operations,ediscovery-process; legal-ops; bloglighthouse

What the administration’s early actions can spell for dynamic changes in regulation and compliance.On day one of his administration, President Biden got off to a bold start by signing more than a dozen executive orders on subjects ranging from student loans to deportation — including a freeze on all regulatory actions in process under the prior administration.In the subsequent 99 days, more orders, executive appointments, nominations, and legislative activities have contributed to a notable thaw in the regulatory sphere as the administration strives to fulfill the policy-driven promises made during the campaign. A recent Corporate Compliance Insights article suggests that companies “should look to bolster their compliance infrastructure ahead of this imminent wave of regulation,” an activity that legal departments would surely applaud.Although the full impact of activities from the first 100 days may not play out for some time, the combination of COVID-19 fallout and the actions of the new administration — especially the appointments of some agency leaders — is already beginning to change business, legal, and compliance dynamics. Many companies are already facing increased litigation and fraud investigations as a result of the pandemic with the expectation that incidents will rise; the potential for increased regulatory actions from agencies energized by new leadership will only intensify the need for a corporate response.Energized regulatory agencies with a consumer protection focus A more robust regulatory environment is expected under the Biden administration, especially for financial and monetary systems, with a greater focus on consumer protection. With Gary Gensler heading up the SEC, there will likely be an emphasis implementing regulatory measures or approaches to broaden the retail investor focus. The Federal Reserve Board will resume examination activities for all banks after previously announcing a reduced focus on exam activity in light of the coronavirus response. And, with Janet Yellen at the helm of the Treasury, there will likely be stepped-up enforcement and investigatory activities on several fronts, including a shoring up of the Dodd-Frank act, which was relaxed under the prior administration, and implementation of the Corporate Transparency Act to expose and combat money-laundering, which Yellen has said is “one of her highest priorities.”Rohit Chopra, awaiting confirmation as head of the Consumer Financial Protection Bureau, is also expected to play a role in increasing regulatory actions, reversing the prior administration’s more lax oversight and enforcement policies. Already, analysts say, bank examinations, student lending, subprime auto loans, debt collection, mortgage services, and payday loans are expected to come under renewed scrutiny.The M&A landscape is in flux, impacted substantially by the pandemic but now gaining renewed momentum. Due to COVID-19 and its impact on the economy, the DOJ and FTC have been on alert for antitrust violations. According to at least one major law firm’s assessment, there is likely to be increased antitrust enforcement by the DOJ in several key industries over the next several years including tech, health care, and agriculture as well as increased merger enforcement that will lead to more second requests and potential for litigation.Also affecting M&A activity is a possible increase in the capital gains tax that could spur even more activity ahead of its passage. The pending confirmation of Lina Kahn as a commissioner of the FTC marks the probability of greater investigative efforts to potentially break up the expanding reach of Big Tech. Google, Facebook, Microsoft, and Apple will be the most likely targets, but expanded investigations related to M&A in other industries are also probable. The healthcare and pharmaceutical industries, whose activities stand out in high relief due to the pandemic, are sure to face more scrutiny in terms of both monopoly pricing issues and market concentration, which Biden says he will aggressively tackle.The 100-day message? Be proactive and be prepared. One thing seems certain: the regulatory landscape will continue to be dynamic. The first 100 days is, after all, just the beginning. Increasing litigation and investigations, second requests, and the due diligence and regulatory reporting necessitated by just the few probable changes suggested above threaten to impact the workload of most corporate legal and compliance departments, which may already be overburdened and understaffed.The possibility of such activity is best met with well-prepared legal and compliance functions and a laser focus on corporate data, with the appropriate tools to manage it. Any proactive steps taken to ensure that the appropriate workflows are in place should stand companies in good stead, accelerating any necessary response and mitigating the costly effects of poorly handled document productions. Companies with teams at the ready to meet these data-heavy challenges will be in a much better position to respond quickly and efficiently should the need arise.antitrustblog, regulation, biden-administration, antitrustblog; regulation; biden-administrationlighthouse

LegalWeek’s April conference took place recently, and as with the sessions earlier this year, the April thought leadership panels touched on many of the struggles we are all facing in the legal technology space. But where the February sessions focused on the post-pandemic future of legal technology and the March sessions focused on getting back to the business of law, the April sessions weaved in a more nuanced theme: obtaining organizational buy-in from stakeholders around legal technology and processes.The need for stakeholder buy-in for any type of legal technology change is imperative. Without it, organizations and law firms stop evolving and become stagnant as more agile competitors onboard better, more efficient processes, tools, and teams. But perhaps more importantly, being unable to obtain stakeholder involvement and approval can also end up leaving the company and law firms open to risk.For an example of the ramifications of failing to obtain the necessary buy-in, let’s take look at the legal technology process that many organizations and law firms have been struggling to implement recently: defensible disposal of legacy data. Without an effective defensible data disposal process and policy, data volumes can balloon out of control – especially in a Cloud environment – meaning that organizations and/or law firms will needlessly waste money storing obsolete data that should have been disposed of previously. But it also can increase risk in several ways. For starters, legacy data may contain personally identifiable information (PII) that organizations may be legally required to dispose of after a specified time period, pursuant to sectorial or jurisdictional data privacy laws. Even if personal data does not fall within the purview of a disposal requirement, keeping it for longer than it is needed for business purposes can still pose a risk should the company or firm holding it suffer a data breach or ransomware attack. Additionally, even obsolete non-personal data can cause confusion, disruption, and increased cost and risk if it winds up subject to a legal hold or swept up in an internal investigation. But despite all this, implementing an effective defensible data disposal program is a challenge for many because it often requires sweeping organizational buy-in, from the highest C-Suite executive to the lowliest employee with access to a company-sponsored collaborative platform.So how can legal teams get the buy-in necessary to implement new legal technology and processes that enable organizations and law firms to compete and evolve? It is tempting to think that buy-in starts with learning to control stakeholders. But attempting to control other teams and individuals will only lead to misalignment, tension, and failed implementation. Instead, gaining stakeholder buy-in actually starts with trust. Stakeholders must trust that whatever you are proposing to implement (whether that is a new technology, a new policy, or a new workflow) will be beneficial to them, to their team, and to the organization as a whole and that implementation is actually feasible. Below I have outlined a few tips for gaining stakeholder trust and buy-in for new legal technology and processes.Identify all the necessary stakeholders. Whether you want to onboard a new legal technology or implement a new legal data policy, like an updated document retention schedule, you will need to understand who the decisions makers are, as well as identify anyone who will be affected by the new tools, processes, or workflow.Prepare, Prepare, Prepare. Once you have identified the stakeholders and all those affected by the planned change, you can start preparing to gain their trust. This means doing all the necessary research and legwork up front so that you are well informed and have a fully developed, practical plan in place to present to those stakeholders. For instance, if you are seeking to onboard advanced AI technology to help streamline your eDiscovery program, you can prepare to gain trust by first talking to peers in the industry, as well as legal technology providers, to find the best technology and pricing options. Once you’ve selected an option, choose a test case and run a proof of concept to validate the effectiveness within your own data.Run the numbers. Once you’ve done the research and are satisfied that the new technology or workflow will be a good fit for your organization, quantify that fit by focusing on the bottom line. How much money will this be able to save your organization or law firm? How much risk can it eliminate and how can you quantify that risk? How can this new process or tool improve efficiency and how much money will that efficiency save? What is at stake if this new technology or process is not implemented and how can you quantify that? What is your plan for how this new tool or process will be funded by the organization or law firm?Stop, Collaborate, and Listen. Once you have identified all relevant stakeholders and collected the data, it is time to gather everyone together to present your research (either individually or via cross-organizational working groups or teams). Note that the order in which you present data to stakeholders will depend on your organization or law firm. For some, it may be best to get management and executives on board first to help drive change further downstream. In others, it may be more impactful to get lower-level teams on board first before presenting to final decision makers. Whichever order you choose, it is imperative to remember to listen and accept feedback once you’ve made your pitch. Remember this process will be iterative. It will require you to be flexible and possibly deviate from your original plan. It may also necessitate going back to the drawing board completely and selecting a different workflow or tool that works better for other groups. It may end up changing your desired implementation timeline. But the key to gaining trust from stakeholders is to get them involved early and listen to their feedback regarding planning, onboarding, and implementation.Retain Trust. Congratulations! Once all stakeholders have come to a consensus and you have achieved buy-in from all necessary decision makers, you are ready to implement and onboard. But that is not the end of this process. After implementation, you will need to protect the trust you have worked so hard to earn. You can do this by ensuring that everyone has the necessary training to effectively use the tool or abide by the new workflow or process. Nothing erodes trust more than incorrect (or non-existent) utilization. Whether you’re seeking to onboard a new eDiscovery platform or you’re rolling out a new legal hold technology, people who are affected by the change will need to understand how to use the technology and/or comply with the program. Set up training programs and then have avenues of ongoing support where people can ask questions and continue to train should they need it.I hope these tips come in handy when you are looking for buy-in from stakeholders around legal technology and processes. To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com. ai-and-analytics; ediscovery-review; legal-operationscloud, data-privacy, information-governance, ai-big-data, preservation-and-collection, blog, ai-and-analytics, ediscovery-review, legal-operations,cloud; data-privacy; information-governance; ai-big-data; preservation-and-collection; blogsarah moran

While the U.S. is figuring out privacy laws at the state and federal level, artificial and augmented intelligence (AI) is evolving and becoming commonplace for businesses and consumers. These technologies are driving new privacy concerns. Years ago, consumers feared a stolen Social Security number. Now, organizations can uncover political views, purchasing habits, and much more. The repercussions of data are broader and deeper than ever.Lighthouse (formerly H5) convened a panel of experts to discuss these emerging issues and ways leaders can tackle their most urgent privacy challenges in the webinar, “Everything Personal: AI and Privacy.”The panel featured Nia M. Jenkins, Senior Associate General Counsel, Data, Technology, Digital Health & Cybersecurity at Optum (UnitedHealth Group); Kimberly Pack, Associate General Counsel, Compliance, at Anheuser-Busch; Jennifer Beckage, Managing Director at Beckage; and Eric Pender, Senior Director at Lighthouse (formerly with H5); and was moderated by Sheila Mackay, Managing Director at Lighthouse (formerly with H5).While the regulatory and technology landscape continues to rapidly change, the panel highlighted some key takeaways and solutions to protect and manage sensitive data leaders should consider:Build, nurture, and utilize cross-functional teams to tackle data challengesDevelop robust and well-defined workflows to work with AI technology Understand the type and quality of data your organization collects and stores Engage with experts and thought leadership to stay current with evolving technology and regulations Collaborate with experts across your organization to learn the needs of different functions and business units and how they can deploy AI Enable your company’s innovation and growth by understanding the data, technology, and risks involved with new AIDevelop collaboration, knowledge, and cross-functional teamsWhile addressing challenges related to data and privacy certainly requires technical and legal expertise, the need for strong teamwork and knowledge sharing should not be overlooked. Nia Jenkins said her organization utilizes cross-functional teams, which can pull together privacy, governance, compliance, security, and other subject matter experts to gain a “line of sight into the data that’s coming in and going out of the organization.”“We also have an infrastructure where people are able to reach out to us to request access to certain data pools,” Jenkins said. “With that team, we are able to think through, is it appropriate to let that team use the data for their intended purpose or use?”In addition to collaboration, well-developed workflows are paramount too. Kimberly Pack explained that her company does have a formalized team that comes together on a bi-monthly basis and defined workflows that are improving daily. She emphasized that it all begins with “having clarity about how business gets done.”Jennifer Beckage highlighted the need for an organization to develop a plan, build a strong team, and understand the type and quality of the data it collects before adopting AI. Businesses have to address data retention, cybersecurity, intellectual property, and many other potential risks before taking full advantage of AI technology.Engage with internal and external experts to understand changing regulations Keeping up with a dynamic regulatory landscape requires expanding your information network. Pack was frank that it’s too much for one person to learn themselves. She relies on following law firms, becoming involved in professional organizations and forums, and connecting with privacy professionals on LinkedIn. As she continually educates herself, she creates training for various teams at her organization, including human resources, procurement, and marketing.“Really cascade that information,” said Pack. “Really try to tailor the training so that it makes sense for people. Also, try to have tools and infographics, so people can use it, pass it along. Record all your trainings because everyone’s not going to show up.”The panel discussed how their companies are using AI and whether there’s any resistance. Pack noted her organization has carefully taken advantage of AI for HR, marketing, enterprise tools, and training. She noted that providing your teams with information and assistance is key to comfort and adoption.“AI is just a tool, right?” Pack said. “It’s not good, it’s not bad.” The privacy team conducts a privacy impact assessment to understand how the business can use the technology. Then her team places any necessary limitations and builds controls to ensure the team uses the technology ethically. Pack and Jenkins both noted that the companies must proactively address potential bias and not allow automated decision-making.Evaluate the benefits and risks of AI for your organization The panel agreed organizations should adopt AI to remain competitive and meet consumer expectations. Pack pointed out the purpose of AI technology is for it to learn. Businesses adopting it now will see the benefits sooner than those that wait.Eric Pender noted advanced technologies are becoming more common for particular uses: cybersecurity breach response, production of documents, including privilege review and identifying Personally Identifiable Information (PII), and defensible disposal. Many of these tasks have tight timelines and require efficiency and accuracy, which AI provides.The risks of AI depend on the nature of the specific technology, according to Beckage. It’s each organization’s responsibility to perform a risk assessment, determine how to use the technology ethically, and perform audits to ensure the technology is working without unintended consequences.Facilitate innovation and growth It is also important to remember that in-house and outside counsel don’t have to be “dream killers” when it comes to innovation. Lawyers with a good understanding of their company’s data, technology, and ways to mitigate risk can guide their businesses in taking advantage of AI now and years down the road.Pack encouraged compliance professionals to enjoy the problem-solving process. “Continue to know your business. Be in front of what their desires are, what their goals are, what their dreams are, so that you can actively support that,” she said.Pender says companies are shifting from a reactive approach to a proactive approach, and advised that “data that’s been defensively disposed of is not a risk to the company.” Though implementing AI technology is complex and challenging, managing sensitive, personal data is achievable, and the potential benefits are enormous.Jenkins encouraged the “four B’s.” Be aware of the data, be collaborative with your subject matter experts, be willing to learn and ask tough questions of your team, and be open to learning more about the product, what’s happening with your business team, and privacy in an ever-changing landscape.Beckage closed out the webinar by warning organizations not to reinvent the wheel. While it’s risky to copy another organization’s privacy policy word for word, organizations can learn from the people in the privacy space who know what they’re doing well.ai-and-analytics; data-privacyprivilege, cybersecurity, ai-big-data, pii, blog, preservation, ai-and-analytics, data-privacyprivilege; cybersecurity; ai-big-data; pii; blog; preservationlighthouse

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies have been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is no clear guidance on what to do currently.It is even murkier in a cloud environment because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving. In this final part, we opine on what the future may hold. We can expect in the first half of this year that the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even for companies adopting a “wait and see” policy in terms of taking significant steps, those companies should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers. These changes would strengthen the position of any company doing business between Europe and the US using M365.We do not have a crystal ball, and like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governance; chat-and-collaboration-datamicrosoft, cloud, data-privacy, blog, law-firm, data-privacy, microsoft-365, information-governance, chat-and-collaboration-datamicrosoft; cloud; data-privacy; blog; law-firmlighthouse

The March sessions of Legalweek took place recently, and as with the February sessions, the virtual event struck a chord that reverberated deep from within the heart of a (hopefully) receding pandemic. However, the discussions this time around focused much less on the logistics of working in a virtual environment and much more on getting back to the business of law. One theme, in particular, stood out from those discussions – the idea that legal professionals will need to have a grasp on the technology that is driving our new world forward, post-pandemic.In other words, the days when attorneys somewhat-braggingly painted a picture of themselves as Luddites holed up in cobwebbed libraries are quickly coming to an end. We live in an increasingly digital world – one where our professional communications are taking place almost exclusively on digital platforms. That means each of us (and our organizations and law firms) are generating more data than we know what to do with. That trend will only grow in the future, and attorneys that are unwilling to accept that fact may find themselves entombed within those dusty libraries.Fortunately, despite our reputation as being slow to adapt, legal professionals are actually an innovative, flexible bunch. Whether a matter requires us to develop expertise in a specific area of the medical field, learn more about a niche topic in the construction industry, or delve into some esoteric insurance provision – we dive in and become laymen experts so that we can effectively advocate for our clients and companies. Thus, there is no doubt that we can and will evolve in a post-pandemic world. However, if anyone out there is still on the fence, below are four key reasons why attorneys will need to become tech savvy, or at least knowledgeable enough to understand when to call in technical expertise.1. Technological Competence is Imposed by Ethics and Evidence RulesFirst and foremost, attorneys have an ethical duty (under ABA Model Rule 1.1) to “keep abreast of changes in the law and its practice, including the benefits and risk associated with relevant technology.” Thirty seven states have adopted this language within their own attorney ethics rules. Thus, just as we have a duty to continue our legal education each year to stay abreast of changes in law, we also have an ethical duty to continue to educate ourselves on the technology that is relevant to our practice.We also have a duty to preserve and produce relevant electronically stored information (ESI) (under both the Federal Rules of Civil Procedure (FRCP), as well as the ABA model ethics rules)[1] during civil litigation. To do so, attorneys must understand (or work with someone who understands) where their client’s or company’s relevant ESI evidence is, how to preserve it, how to collect it, and how to produce it. This means preserving and producing not only the documents themselves but also the metadata (i.e., the information about the data itself, including when it was generated and edited, who created it, etc.). This overall process grows more complicated with each passing year, as companies migrate to the unlimited storage opportunities of the Cloud and employees increasingly communicate through cloud-based collaboration platforms. Working within the Cloud has a myriad of benefits, but it can make it more difficult for attorneys to understand where their client’s or company’s relevant information might be stored, as well as harder to ensure metadata is preserved correctly.Together, these rules and obligations mean that whether we are practicing law within a firm or as in-house counsel at an organization, we have a duty to understand the basics of the technology our clients are using to communicate so that at the very least, we will know when to call in technical experts to meet the ethical and legal obligations we owe to those we counsel.2. Data Protection and Data Privacy is Becoming Increasingly ImportantThe data privacy landscape is becoming a tapestry of conflicting laws and regulations in which companies are currently navigating as best they can. Within the United States alone, there were a multitude of state and local laws regulating personal data that came into effect or were introduced in 2020. For companies that have a global footprint, the worldwide data protection landscape is even more complicated – from the invalidation of the EU-US privacy shield to new laws and modifications of data protection laws across the Americas and Asia Pacific countries. It will not be long before most companies, no matter their location, will need to ensure that they are abiding within the constructs of multiple jurisdictional data privacy laws.This means that attorneys who represent those companies will need to understand not only where personal data is located within the company, but also how the company is processing that data, how (and if) that data is being transmitted across borders, when (and if) it needs to be deleted, the process for effectively deleting it, etc., etc. To do so, attorneys must also have at least some understanding of the technology platforms their companies and clients are using, as well as how data is stored and transferred within those platforms, to ensure they are not advertently running afoul of data privacy laws.As far as data protection, attorneys need to understand how to proactively protect and safeguard their clients’ data. There have been multiple high-profile data breaches in the last few months,and law firms and companies that routinely house personal data are often the target of those breaches. Protecting client data requires attorneys to have a semblance of understanding of where client data is and how to protect it properly, including knowing when and how to hire experts who can best offer the right level of protection.3. Internal Compliance is Becoming More Technologically Complicated There has been a lot of interest recently in using artificial intelligence (AI) and analytics technology to monitor internal compliance within companies. This is in part due to the massive amount of data that compliance teams now need to comb through to detect inappropriate or illegal employee conduct. From monitoring departing employees to ensure they aren’t walking out the door with valuable trade secret information, to monitoring digital interactions to ensure a safe work environment for all employees – companies are looking to leverage advances in technology to more quickly and accurately spot irregularities and anomalies within company data that may indicate employee malfeasance.Not only will this type of monitoring require an understanding of analytics and AI technology, but it will also require grasping the intricacies of the company’s data infrastructure. Compliance and legal teams will need to understand the technology platforms in place within their organization, where employees are creating data within those platforms, as well as how employees interact with each other within them.4. The Ability to Explain Technology Makes Us Better AdvocatesFinally, it is important to note that the ability to understand and explain the technology we are using makes us better and more effective advocates. For example, within the eDiscovery space, it can be incredibly important for our clients’ budgets and case outcomes to attain court acceptance of AI and machine-learning technology that can drastically limit the volume of data requiring expensive and tedious human review. To do so, attorneys often must first be able to get buy-in from their own clients, who may not be well versed in eDiscovery technology. Once clients are on-board, attorneys must then educate courts and opposing counsel about the technology in order to gain approval and acceptance.In other words, to prove that the methods we want to use (whether those methods relate to document preservation and collection, data protection, compliance workflows, or eDiscovery reviews) are defensible and repeatable, attorneys must be able to explain the technology behind those methods. And as in all areas of law, the most successful attorneys are ones who can take a very complicated, technical subject and break it down in a way that clients, opposing counsel, judges, and juries can understand (or alternatively are knowledgeable enough about the technology to know when it is necessary to bring experts in to help make their case).Best Practices for Staying Abreast of TechnologyReach out to technology providers to ask for training and tips when needed. When evaluating providers, look for those that offer ongoing training and support.For attorneys working as in-house counsel, work to build healthy partnerships with compliance, IT, and data privacy teams. Being able to ask questions and learn from each other will help head off technology issues for your company.For attorneys working within law firms, work to understand your clients’ data infrastructure or layout. This may mean talking to their IT, legal, and compliance teams so that you can ensure you are up to date on changes and processes that affect your ability to advocate effectively for your client.Look for CLEs, trainings, and vendor offerings that are specific to the technology you and your clients use regularly. Remember that cloud-based technology, in particular, changes and updates often. It is important to stay on top of the most recent changes to ensure you can effectively advocate for your clients.Recognize when you need help. Attorneys don’t need to be technological wizards in order to practice law, however, you will need to know when to call in experts…and that will require a baseline understanding of the technology at issue.To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com. [1] ABA Model Rule 3.4, FRCP 37(e) and FRCP 26)ai-and-analytics; ediscovery-review; data-privacy; information-governanceanalytics, data-privacy, information-governance, ediscovery-process, blog, law-firm, ai-and-analytics, ediscovery-review, data-privacy, information-governanceanalytics; data-privacy; information-governance; ediscovery-process; blog; law-firmsarah moran

In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; andwill compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden -Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe. More specifically, there are six areas upon which you could focus: Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers. Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application, which involves data being stored in the US, and decide that it could operate without that application.Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.Audit logs: All significant events in M365 are audited so you should put in place a review of audit logs to support any risk assessments that you complete.It is also more than just good practice to put in place a retention policy within M365, it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR. Microsoft is following the legal landscape closely so expect to see quick responses from them as things change. But what kinds of changes should companies expect and when? Read the final part of this blog series on what the future may hold.To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, cloud, data-privacy, blog, corporate-legal-ops, data-privacy, microsoft-365, information-governance,microsoft; cloud; data-privacy; blog; corporate-legal-opslighthouse