Lighthouse Blog

LegalWeek’s April conference took place recently, and as with the sessions earlier this year, the April thought leadership panels touched on many of the struggles we are all facing in the legal technology space. But where the February sessions focused on the post-pandemic future of legal technology and the March sessions focused on getting back to the business of law, the April sessions weaved in a more nuanced theme: obtaining organizational buy-in from stakeholders around legal technology and processes.The need for stakeholder buy-in for any type of legal technology change is imperative. Without it, organizations and law firms stop evolving and become stagnant as more agile competitors onboard better, more efficient processes, tools, and teams. But perhaps more importantly, being unable to obtain stakeholder involvement and approval can also end up leaving the company and law firms open to risk.For an example of the ramifications of failing to obtain the necessary buy-in, let’s take look at the legal technology process that many organizations and law firms have been struggling to implement recently: defensible disposal of legacy data. Without an effective defensible data disposal process and policy, data volumes can balloon out of control – especially in a Cloud environment – meaning that organizations and/or law firms will needlessly waste money storing obsolete data that should have been disposed of previously. But it also can increase risk in several ways. For starters, legacy data may contain personally identifiable information (PII) that organizations may be legally required to dispose of after a specified time period, pursuant to sectorial or jurisdictional data privacy laws. Even if personal data does not fall within the purview of a disposal requirement, keeping it for longer than it is needed for business purposes can still pose a risk should the company or firm holding it suffer a data breach or ransomware attack. Additionally, even obsolete non-personal data can cause confusion, disruption, and increased cost and risk if it winds up subject to a legal hold or swept up in an internal investigation. But despite all this, implementing an effective defensible data disposal program is a challenge for many because it often requires sweeping organizational buy-in, from the highest C-Suite executive to the lowliest employee with access to a company-sponsored collaborative platform.So how can legal teams get the buy-in necessary to implement new legal technology and processes that enable organizations and law firms to compete and evolve? It is tempting to think that buy-in starts with learning to control stakeholders. But attempting to control other teams and individuals will only lead to misalignment, tension, and failed implementation. Instead, gaining stakeholder buy-in actually starts with trust. Stakeholders must trust that whatever you are proposing to implement (whether that is a new technology, a new policy, or a new workflow) will be beneficial to them, to their team, and to the organization as a whole and that implementation is actually feasible. Below I have outlined a few tips for gaining stakeholder trust and buy-in for new legal technology and processes.Identify all the necessary stakeholders. Whether you want to onboard a new legal technology or implement a new legal data policy, like an updated document retention schedule, you will need to understand who the decisions makers are, as well as identify anyone who will be affected by the new tools, processes, or workflow.Prepare, Prepare, Prepare. Once you have identified the stakeholders and all those affected by the planned change, you can start preparing to gain their trust. This means doing all the necessary research and legwork up front so that you are well informed and have a fully developed, practical plan in place to present to those stakeholders. For instance, if you are seeking to onboard advanced AI technology to help streamline your eDiscovery program, you can prepare to gain trust by first talking to peers in the industry, as well as legal technology providers, to find the best technology and pricing options. Once you’ve selected an option, choose a test case and run a proof of concept to validate the effectiveness within your own data.Run the numbers. Once you’ve done the research and are satisfied that the new technology or workflow will be a good fit for your organization, quantify that fit by focusing on the bottom line. How much money will this be able to save your organization or law firm? How much risk can it eliminate and how can you quantify that risk? How can this new process or tool improve efficiency and how much money will that efficiency save? What is at stake if this new technology or process is not implemented and how can you quantify that? What is your plan for how this new tool or process will be funded by the organization or law firm?Stop, Collaborate, and Listen. Once you have identified all relevant stakeholders and collected the data, it is time to gather everyone together to present your research (either individually or via cross-organizational working groups or teams). Note that the order in which you present data to stakeholders will depend on your organization or law firm. For some, it may be best to get management and executives on board first to help drive change further downstream. In others, it may be more impactful to get lower-level teams on board first before presenting to final decision makers. Whichever order you choose, it is imperative to remember to listen and accept feedback once you’ve made your pitch. Remember this process will be iterative. It will require you to be flexible and possibly deviate from your original plan. It may also necessitate going back to the drawing board completely and selecting a different workflow or tool that works better for other groups. It may end up changing your desired implementation timeline. But the key to gaining trust from stakeholders is to get them involved early and listen to their feedback regarding planning, onboarding, and implementation.Retain Trust. Congratulations! Once all stakeholders have come to a consensus and you have achieved buy-in from all necessary decision makers, you are ready to implement and onboard. But that is not the end of this process. After implementation, you will need to protect the trust you have worked so hard to earn. You can do this by ensuring that everyone has the necessary training to effectively use the tool or abide by the new workflow or process. Nothing erodes trust more than incorrect (or non-existent) utilization. Whether you’re seeking to onboard a new eDiscovery platform or you’re rolling out a new legal hold technology, people who are affected by the change will need to understand how to use the technology and/or comply with the program. Set up training programs and then have avenues of ongoing support where people can ask questions and continue to train should they need it.I hope these tips come in handy when you are looking for buy-in from stakeholders around legal technology and processes. To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com. ai-and-analytics; ediscovery-review; legal-operationscloud, data-privacy, information-governance, ai-big-data, preservation-and-collection, blog, ai-and-analytics, ediscovery-review, legal-operations,cloud; data-privacy; information-governance; ai-big-data; preservation-and-collection; blogsarah moran

While the U.S. is figuring out privacy laws at the state and federal level, artificial and augmented intelligence (AI) is evolving and becoming commonplace for businesses and consumers. These technologies are driving new privacy concerns. Years ago, consumers feared a stolen Social Security number. Now, organizations can uncover political views, purchasing habits, and much more. The repercussions of data are broader and deeper than ever.Lighthouse (formerly H5) convened a panel of experts to discuss these emerging issues and ways leaders can tackle their most urgent privacy challenges in the webinar, “Everything Personal: AI and Privacy.”The panel featured Nia M. Jenkins, Senior Associate General Counsel, Data, Technology, Digital Health & Cybersecurity at Optum (UnitedHealth Group); Kimberly Pack, Associate General Counsel, Compliance, at Anheuser-Busch; Jennifer Beckage, Managing Director at Beckage; and Eric Pender, Senior Director at Lighthouse (formerly with H5); and was moderated by Sheila Mackay, Managing Director at Lighthouse (formerly with H5).While the regulatory and technology landscape continues to rapidly change, the panel highlighted some key takeaways and solutions to protect and manage sensitive data leaders should consider:Build, nurture, and utilize cross-functional teams to tackle data challengesDevelop robust and well-defined workflows to work with AI technology Understand the type and quality of data your organization collects and stores Engage with experts and thought leadership to stay current with evolving technology and regulations Collaborate with experts across your organization to learn the needs of different functions and business units and how they can deploy AI Enable your company’s innovation and growth by understanding the data, technology, and risks involved with new AIDevelop collaboration, knowledge, and cross-functional teamsWhile addressing challenges related to data and privacy certainly requires technical and legal expertise, the need for strong teamwork and knowledge sharing should not be overlooked. Nia Jenkins said her organization utilizes cross-functional teams, which can pull together privacy, governance, compliance, security, and other subject matter experts to gain a “line of sight into the data that’s coming in and going out of the organization.”“We also have an infrastructure where people are able to reach out to us to request access to certain data pools,” Jenkins said. “With that team, we are able to think through, is it appropriate to let that team use the data for their intended purpose or use?”In addition to collaboration, well-developed workflows are paramount too. Kimberly Pack explained that her company does have a formalized team that comes together on a bi-monthly basis and defined workflows that are improving daily. She emphasized that it all begins with “having clarity about how business gets done.”Jennifer Beckage highlighted the need for an organization to develop a plan, build a strong team, and understand the type and quality of the data it collects before adopting AI. Businesses have to address data retention, cybersecurity, intellectual property, and many other potential risks before taking full advantage of AI technology.Engage with internal and external experts to understand changing regulations Keeping up with a dynamic regulatory landscape requires expanding your information network. Pack was frank that it’s too much for one person to learn themselves. She relies on following law firms, becoming involved in professional organizations and forums, and connecting with privacy professionals on LinkedIn. As she continually educates herself, she creates training for various teams at her organization, including human resources, procurement, and marketing.“Really cascade that information,” said Pack. “Really try to tailor the training so that it makes sense for people. Also, try to have tools and infographics, so people can use it, pass it along. Record all your trainings because everyone’s not going to show up.”The panel discussed how their companies are using AI and whether there’s any resistance. Pack noted her organization has carefully taken advantage of AI for HR, marketing, enterprise tools, and training. She noted that providing your teams with information and assistance is key to comfort and adoption.“AI is just a tool, right?” Pack said. “It’s not good, it’s not bad.” The privacy team conducts a privacy impact assessment to understand how the business can use the technology. Then her team places any necessary limitations and builds controls to ensure the team uses the technology ethically. Pack and Jenkins both noted that the companies must proactively address potential bias and not allow automated decision-making.Evaluate the benefits and risks of AI for your organization The panel agreed organizations should adopt AI to remain competitive and meet consumer expectations. Pack pointed out the purpose of AI technology is for it to learn. Businesses adopting it now will see the benefits sooner than those that wait.Eric Pender noted advanced technologies are becoming more common for particular uses: cybersecurity breach response, production of documents, including privilege review and identifying Personally Identifiable Information (PII), and defensible disposal. Many of these tasks have tight timelines and require efficiency and accuracy, which AI provides.The risks of AI depend on the nature of the specific technology, according to Beckage. It’s each organization’s responsibility to perform a risk assessment, determine how to use the technology ethically, and perform audits to ensure the technology is working without unintended consequences.Facilitate innovation and growth It is also important to remember that in-house and outside counsel don’t have to be “dream killers” when it comes to innovation. Lawyers with a good understanding of their company’s data, technology, and ways to mitigate risk can guide their businesses in taking advantage of AI now and years down the road.Pack encouraged compliance professionals to enjoy the problem-solving process. “Continue to know your business. Be in front of what their desires are, what their goals are, what their dreams are, so that you can actively support that,” she said.Pender says companies are shifting from a reactive approach to a proactive approach, and advised that “data that’s been defensively disposed of is not a risk to the company.” Though implementing AI technology is complex and challenging, managing sensitive, personal data is achievable, and the potential benefits are enormous.Jenkins encouraged the “four B’s.” Be aware of the data, be collaborative with your subject matter experts, be willing to learn and ask tough questions of your team, and be open to learning more about the product, what’s happening with your business team, and privacy in an ever-changing landscape.Beckage closed out the webinar by warning organizations not to reinvent the wheel. While it’s risky to copy another organization’s privacy policy word for word, organizations can learn from the people in the privacy space who know what they’re doing well.ai-and-analytics; data-privacyprivilege, cybersecurity, ai-big-data, pii, blog, preservation, ai-and-analytics, data-privacyprivilege; cybersecurity; ai-big-data; pii; blog; preservationlighthouse

The March sessions of Legalweek took place recently, and as with the February sessions, the virtual event struck a chord that reverberated deep from within the heart of a (hopefully) receding pandemic. However, the discussions this time around focused much less on the logistics of working in a virtual environment and much more on getting back to the business of law. One theme, in particular, stood out from those discussions – the idea that legal professionals will need to have a grasp on the technology that is driving our new world forward, post-pandemic.In other words, the days when attorneys somewhat-braggingly painted a picture of themselves as Luddites holed up in cobwebbed libraries are quickly coming to an end. We live in an increasingly digital world – one where our professional communications are taking place almost exclusively on digital platforms. That means each of us (and our organizations and law firms) are generating more data than we know what to do with. That trend will only grow in the future, and attorneys that are unwilling to accept that fact may find themselves entombed within those dusty libraries.Fortunately, despite our reputation as being slow to adapt, legal professionals are actually an innovative, flexible bunch. Whether a matter requires us to develop expertise in a specific area of the medical field, learn more about a niche topic in the construction industry, or delve into some esoteric insurance provision – we dive in and become laymen experts so that we can effectively advocate for our clients and companies. Thus, there is no doubt that we can and will evolve in a post-pandemic world. However, if anyone out there is still on the fence, below are four key reasons why attorneys will need to become tech savvy, or at least knowledgeable enough to understand when to call in technical expertise.1. Technological Competence is Imposed by Ethics and Evidence RulesFirst and foremost, attorneys have an ethical duty (under ABA Model Rule 1.1) to “keep abreast of changes in the law and its practice, including the benefits and risk associated with relevant technology.” Thirty seven states have adopted this language within their own attorney ethics rules. Thus, just as we have a duty to continue our legal education each year to stay abreast of changes in law, we also have an ethical duty to continue to educate ourselves on the technology that is relevant to our practice.We also have a duty to preserve and produce relevant electronically stored information (ESI) (under both the Federal Rules of Civil Procedure (FRCP), as well as the ABA model ethics rules)[1] during civil litigation. To do so, attorneys must understand (or work with someone who understands) where their client’s or company’s relevant ESI evidence is, how to preserve it, how to collect it, and how to produce it. This means preserving and producing not only the documents themselves but also the metadata (i.e., the information about the data itself, including when it was generated and edited, who created it, etc.). This overall process grows more complicated with each passing year, as companies migrate to the unlimited storage opportunities of the Cloud and employees increasingly communicate through cloud-based collaboration platforms. Working within the Cloud has a myriad of benefits, but it can make it more difficult for attorneys to understand where their client’s or company’s relevant information might be stored, as well as harder to ensure metadata is preserved correctly.Together, these rules and obligations mean that whether we are practicing law within a firm or as in-house counsel at an organization, we have a duty to understand the basics of the technology our clients are using to communicate so that at the very least, we will know when to call in technical experts to meet the ethical and legal obligations we owe to those we counsel.2. Data Protection and Data Privacy is Becoming Increasingly ImportantThe data privacy landscape is becoming a tapestry of conflicting laws and regulations in which companies are currently navigating as best they can. Within the United States alone, there were a multitude of state and local laws regulating personal data that came into effect or were introduced in 2020. For companies that have a global footprint, the worldwide data protection landscape is even more complicated – from the invalidation of the EU-US privacy shield to new laws and modifications of data protection laws across the Americas and Asia Pacific countries. It will not be long before most companies, no matter their location, will need to ensure that they are abiding within the constructs of multiple jurisdictional data privacy laws.This means that attorneys who represent those companies will need to understand not only where personal data is located within the company, but also how the company is processing that data, how (and if) that data is being transmitted across borders, when (and if) it needs to be deleted, the process for effectively deleting it, etc., etc. To do so, attorneys must also have at least some understanding of the technology platforms their companies and clients are using, as well as how data is stored and transferred within those platforms, to ensure they are not advertently running afoul of data privacy laws.As far as data protection, attorneys need to understand how to proactively protect and safeguard their clients’ data. There have been multiple high-profile data breaches in the last few months,and law firms and companies that routinely house personal data are often the target of those breaches. Protecting client data requires attorneys to have a semblance of understanding of where client data is and how to protect it properly, including knowing when and how to hire experts who can best offer the right level of protection.3. Internal Compliance is Becoming More Technologically Complicated There has been a lot of interest recently in using artificial intelligence (AI) and analytics technology to monitor internal compliance within companies. This is in part due to the massive amount of data that compliance teams now need to comb through to detect inappropriate or illegal employee conduct. From monitoring departing employees to ensure they aren’t walking out the door with valuable trade secret information, to monitoring digital interactions to ensure a safe work environment for all employees – companies are looking to leverage advances in technology to more quickly and accurately spot irregularities and anomalies within company data that may indicate employee malfeasance.Not only will this type of monitoring require an understanding of analytics and AI technology, but it will also require grasping the intricacies of the company’s data infrastructure. Compliance and legal teams will need to understand the technology platforms in place within their organization, where employees are creating data within those platforms, as well as how employees interact with each other within them.4. The Ability to Explain Technology Makes Us Better AdvocatesFinally, it is important to note that the ability to understand and explain the technology we are using makes us better and more effective advocates. For example, within the eDiscovery space, it can be incredibly important for our clients’ budgets and case outcomes to attain court acceptance of AI and machine-learning technology that can drastically limit the volume of data requiring expensive and tedious human review. To do so, attorneys often must first be able to get buy-in from their own clients, who may not be well versed in eDiscovery technology. Once clients are on-board, attorneys must then educate courts and opposing counsel about the technology in order to gain approval and acceptance.In other words, to prove that the methods we want to use (whether those methods relate to document preservation and collection, data protection, compliance workflows, or eDiscovery reviews) are defensible and repeatable, attorneys must be able to explain the technology behind those methods. And as in all areas of law, the most successful attorneys are ones who can take a very complicated, technical subject and break it down in a way that clients, opposing counsel, judges, and juries can understand (or alternatively are knowledgeable enough about the technology to know when it is necessary to bring experts in to help make their case).Best Practices for Staying Abreast of TechnologyReach out to technology providers to ask for training and tips when needed. When evaluating providers, look for those that offer ongoing training and support.For attorneys working as in-house counsel, work to build healthy partnerships with compliance, IT, and data privacy teams. Being able to ask questions and learn from each other will help head off technology issues for your company.For attorneys working within law firms, work to understand your clients’ data infrastructure or layout. This may mean talking to their IT, legal, and compliance teams so that you can ensure you are up to date on changes and processes that affect your ability to advocate effectively for your client.Look for CLEs, trainings, and vendor offerings that are specific to the technology you and your clients use regularly. Remember that cloud-based technology, in particular, changes and updates often. It is important to stay on top of the most recent changes to ensure you can effectively advocate for your clients.Recognize when you need help. Attorneys don’t need to be technological wizards in order to practice law, however, you will need to know when to call in experts…and that will require a baseline understanding of the technology at issue.To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com. [1] ABA Model Rule 3.4, FRCP 37(e) and FRCP 26)ai-and-analytics; ediscovery-review; data-privacy; information-governanceanalytics, data-privacy, information-governance, ediscovery-process, blog, law-firm, ai-and-analytics, ediscovery-review, data-privacy, information-governanceanalytics; data-privacy; information-governance; ediscovery-process; blog; law-firmsarah moran

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies have been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is no clear guidance on what to do currently.It is even murkier in a cloud environment because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving. In this final part, we opine on what the future may hold. We can expect in the first half of this year that the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even for companies adopting a “wait and see” policy in terms of taking significant steps, those companies should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers. These changes would strengthen the position of any company doing business between Europe and the US using M365.We do not have a crystal ball, and like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governance; chat-and-collaboration-datamicrosoft, cloud, data-privacy, blog, law-firm, data-privacy, microsoft-365, information-governance, chat-and-collaboration-datamicrosoft; cloud; data-privacy; blog; law-firmlighthouse

In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; andwill compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden -Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe. More specifically, there are six areas upon which you could focus: Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers. Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application, which involves data being stored in the US, and decide that it could operate without that application.Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.Audit logs: All significant events in M365 are audited so you should put in place a review of audit logs to support any risk assessments that you complete.It is also more than just good practice to put in place a retention policy within M365, it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR. Microsoft is following the legal landscape closely so expect to see quick responses from them as things change. But what kinds of changes should companies expect and when? Read the final part of this blog series on what the future may hold.To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, cloud, data-privacy, blog, corporate-legal-ops, data-privacy, microsoft-365, information-governance,microsoft; cloud; data-privacy; blog; corporate-legal-opslighthouse

The Law & Candor podcast is back for season seven, with a special guest speaker twist! In celebration of Women’s History Month (March), this season features an all-female guest speaker lineup. Our esteemed guests will not only explore the hottest topics in legal tech, but also discuss how to champion the development and career growth of women within the space in each episode.Law & Candor co-hosts, Bill Mariano and Rob Hellewell, are back to help lead those discussions in six easily digestible episodes that cover a range of topics: from diversity within eDiscovery, to keeping up with M365 software updates, to a look at possible antitrust changes in a new presidential administration. Check out season seven's lineup below:Diversity and eDiscovery: How Diverse Hiring Practices Lead to a More Innovative Workforce Innovating the Legal Operations Model Efficiently and Defensibly Addressing Microsoft Teams Data Keeping Up with M365 Software Updates AI and Analytics for Corporations: Common Use Cases Antitrust Changes in a New Administration Listen now or bookmark individual episodes to listen to them later, and be sure to follow the latest updates on Law & Candor's Twitter. And if you want to catch up on past seasons or special editions, click here.For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.diversity-equity-and-inclusionmicrosoft, ai-big-data, legal-ops, blog, antitrust, corporate-legal-ops, diversity-equity-and-inclusionmicrosoft; ai-big-data; legal-ops; blog; antitrust; corporate-legal-opslighthouse

Evolving analytics tools and methods can help expedite review.Analyze this! No, we’re not talking about the 1999 movie starring Robert DeNiro and Billy Crystal, but rather analytics mechanisms that many organizations are using today to streamline discovery. As these mechanisms become more sophisticated, it pays to keep abreast of the ways in which they can impact a review, including how data can be organized, visualized, identified and reduced.For example, conceptual clustering can identify groups of topics that might be clearly responsive or non-responsive. Communication visualization maps can identify communication patterns of key parties within a data collection And, of course, predictive coding can train a supervised machine learning algorithm to identify potentially responsive and non-responsive documents based on classifications of other documents.But there are other use cases for eDiscovery analytics many organizations aren’t taking advantage of that make eDiscovery workflows even more efficient and more cost effective. To improve the efficiency of eDiscovery workflows, organizations can now implement technology with the following analytics features.Email Threading and Near Duplicate IdentificationYou may have heard the famous phrase “Insanity is doing the same thing over and over again expecting a different result.” But, in document review, insanity is simply doing the same thing over and over again. De-duplication using hash values identifies documents that are exact duplicates in content and format, but there is considerable additional content within document collections that is also duplicated within documents that aren’t exact matches. Email conversation threads contain considerable duplicative information, but conversations between multiple people can branch off, so you can’t just assume that the last message for the thread contains the entire thread discussion.Documents converted to PDF may be identical in content but not format, so they have different hash values and are not “de-duped.” ESI collections often include multiple drafts of documents that have both duplicative and unique content. To avoid over-capture of duplicates and gain visibility into email branches, organizations can now employ advanced analytics that can help in the following ways:Utilize advanced algorithms to identify email thread relationships and individual emails in a thread with unique contentGroup similar documents with flexible near-duplicate identification to easily review and compare to determine whether the differences are significantIdentify exact content duplicates with only formatting differences that hash de-duplication would not catch.Name Normalization and Entity AnalysisWhat’s in a name? Potentially, a whole lot of options! If the sixth US president were alive today and sending emails, here are some ways that you might see him represented within the collection:John AdamsJohnny AdamsJohn Q. AdamsQ. AdamsQuincy AdamsAdams, JohnAdams, John Q.Adams, J.Q.Adams, J. Quincyjadams@xyzcorp.com/O=XYZCORP/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=jadamsAdams@gmail.comAnd potentially more…That’s a lot of variation – just for one person! Case teams often waste significant time and energy sorting through the numerous variations of names and email addresses for individuals in a matter. Advanced analytics solutions can be used to automated name normalization algorithms to link different name variations and email addresses to a single individual, format those names uniformly and aggregate the normalized participants that appear across an entire email thread group. The result? Refined results that streamline processes such as privilege logging without the intensive manual cleanup typically associated with the process.Metadata AnalyticsAI-driven analytics applied to the metadata can streamline eDiscovery by:a) identifying mass email communications so that reviewers can focus on more likely responsive emails;b) filtering email signature images and other extraneous embedded objects; andc) remediating data populations with missing or incomplete metadata by auto-detecting and populating email metadata fields on inbound productions.Privilege AnalyticsAutomated categorization and classification powered by advanced analytics can also be applied to privilege review to weed out non-responsive and non-privileged material early and rapidly identify, elevate and prioritize potentially privileged information. Customizable rules to exclude disclaimers and boilerplate language can also improve the accuracy of that identification process by eliminating many false positives.As most privilege determinations involve considerations of nuance and context, human judgments are a necessary part of the process. Pre-built and customized linguistic models, name normalization and email thread identification can extend those automated privilege determinations more quickly through the collection, with automated identification of legal concepts, privilege actors and law firms and a reusable asset with consistent propagation of privilege designations across matters.And clean name normalization outputs, along with automated and customizable privilege reasons assigned to each document expedite privilege log creation, significantly decreasing the manual cleanup often associated with this time-consuming task.Personal Identifiable Information (PII) DetectionFinally, with all of the data privacy requirements associated with recent regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), identifying and protecting PII has become a requirement within every phase of the eDiscovery lifecycle. Using analytics and pattern matching through regular expressions (RegEx) to identify common format numbers such as passport IDs, social security numbers, drivers license numbers and credit card numbers, as well as identification of common form types that often contain PII (such as loan applications or IRS forms) will help flag those documents so that they can be adequately protected throughout the process.Newer, more advanced AI-driven analytics solutions go a step further by utilizing highly precise classifiers to model the way in which different forms of supported personal data appear in data populations. These automated solutions provide rapid identification of likely and potential PII, resulting in rapid insights and immediate access to the most relevant documents first.ConclusionYou may be using analytics to streamline parts of your eDiscovery process, but there are always new use cases being identified to leverage analytics to make your eDiscovery workflows more efficient. Even Analyze This had a sequel!For more information on ways H5 Matter Analytics® can assist your organization in creating efficiencies and expediting eDiscovery workflows, click here.ediscovery-reviewblog, -ediscovery, data-analytics, document-review, ediscovery-review, aiandanalyticsblog; ediscovery; data-analytics; document-reviewlighthouse

In part one of this series, we described the state of the EU-US Privacy Shield and the mechanisms global companies have relied upon to transfer data from their multiple locations. In short, a recent decision – Schrems II – invalidated the Privacy Shield and shook the foundation of Standard Contractual Clauses (SCCs). Companies are now left asking the question of how to respond.In this post, we will share our view on how to navigate forward. If your organization is not already highly reliant on cloud software, we recommend weighing the benefits and risks of making that move. As you assess your options, keep in mind that this move may come at a higher cost because of the need to do periodic risk assessments during this uncertain time. For those already in the Cloud, the motto here is “do everything that you reasonably can.” The position no company wants to find itself in is one of stasis. It is difficult to see such a position being looked upon favourably should regulators start to investigate how companies are responding to Schrems II and the consequences that go along with it.The touchstone is the EDPB guidance and its six-stage approach to assessing data transfers, which we recommend companies undertake:Identify your data transfers: It is an obvious first step, although in practice this could prove challenging. You’ll need to know all the scenarios where your data is moved to a non-European Economic Area (EEA) country (at the time of writing this article, the UK, although out of Europe, is still under the European umbrella until at least the 30th of June).Identify the data transfer mechanisms: You need to decide the grounds upon which the transfer is taking place, such as on the basis of an adequacy decision (this does not apply to the US), SCCs, or a specific derogation (such as consent).Assess the law in the third country: You need to assess “if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” There is more guidance from the EDPB as to how the evaluation should be carried out (i.e., an independent oversight mechanism should exist). How effective or practical it is to suggest each company has to perform its own thorough legal assessment as the entire range of relevant legislation in any importing country is open to debate and might perhaps be considered further as these recommendations are refined.Adopt supplementary measures if necessary to level up protection of data transfers: The EDPB has published a non-exhaustive list of such measures, which essentially fall into one of three categories - technical (i.e., encryption), contractual (i.e., transparency), and organisational (i.e., involvement of a Data Protection Officer on all transfers). We’ll have a look at these measures in more detail below in relation to Microsoft 365.Adopt necessary procedural steps: If you have made changes to deliver the required level of protection, these need to be embedded into your operation (i.e.., by means of policy).Re-evaluate at appropriate intervals: This is not a job that can be completed and then left. It needs continual monitoring. There is no specific guideline as to what an appropriate interval is, but quarterly is probably a reasonable approach.Essentially this boils down to carrying out a risk assessment and taking steps to mitigate the risks that are uncovered. If your cloud strategy includes Microsoft 365, the next part of this blog series is a must-read. We will share what Microsoft has done in response to Schrems II as well as some specific configuration options that will influence steps 4 and 5, listed above. Bear in mind that these recommendations could change and you should watch the space. To continue the discussion or to ask questions, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, cloud, data-privacy, blog, corporate-legal-ops, data-privacy, microsoft-365, information-governance,microsoft; cloud; data-privacy; blog; corporate-legal-opslighthouse