Lighthouse Blog

Artificial intelligence (AI) has proliferated across industries, in popular culture, and in the legal space. But what does AI really mean? One way to look at it is in reference to technology that lets lawyers and organizations efficiently manage massive quantities of data that no one’s been able to analyze and understand before.While AI tools are no longer brand new, they’re still evolving, and so is the industry’s comfort and trust in them. To look deeper into the technology available and how lawyers can use it Lighthouse hosted a panel featuring experts Mark Noel, Director of Advanced Client Data Solutions at Hogan Lovells, Sam Sessler, Assistant Director of Global eDiscovery Services at Norton Rose Fulbright, Bradley Johnston, Senior Counsel eDiscovery at Cardinal Health, and Paige Hunt, Lighthouse’s VP of Global Discovery Solutions.Some of the key themes and ideas that emerged from the discussion include:Defining AIMeeting client expectationsUnderstanding attorneys’ duty of competenceIdentifying critical factors in choosing an AI toolAssessing AI’s impact on process and strategyThe future of AI in the legal industryDefining AIThe term “AI” can be misleading. It’s important to recognize that, right now, it’s an umbrella term encompassing many different techniques. The most common form of AI in the legal space is machine learning, and the earliest tools were document review technologies in the eDiscovery space. Other forms of AI include deep learning, continuous active learning (CAL), neural networks, and natural language processing (NLP).While eDiscovery was a proving ground for these solutions, the legal industry now sees more prebuilt and portable algorithms used in a wide range of use cases, including data privacy, cyber security, and internal investigations.Clients’ Expectations and Lawyers’ DutiesThe broad adoption of AI technologies has been slow, which comes as no surprise to the legal industry. Lawyers tend to be wary of change, particularly when it comes at the hands of techniques that can be difficult to understand. But our panel of experts agreed that barriers to entry were less of an issue at this point, and now many lawyers and clients expect to use AI.Lawyers and clients have widely adopted AI techniques in eDiscovery and other privacy and security matters. However, the emphasis from clients is less about the technology and more about efficiency. They want their law firms and vendors to provide as much value as possible for their budgets.Another client expectation is reducing risk to the greatest extent possible. For example, many AI technologies offer the consistency and accuracy needed to reduce the risk of inadvertent disclosures.Mingled with client expectations is a lawyer’s duty to be familiar with technology from a competency standpoint. We aren’t to the point in the legal industry where lawyers violate their duty of competence if they don’t use AI tools. However, the technology may mature to the point where it becomes an ethical issue for lawyers not to use AI.Choosing the Right AI ToolDecide Based on the Search TaskThere’s always the question of which AI technology to deploy and when. While less experienced lawyers might assume the right tool depends on the practice area, the panelists all focused on the search task. Many of the same search tasks occur across practice areas and enterprises.Lawyers should choose an AI technology that will give them the information they need. For example, Technology-assisted review (TAR) is well-suited to classifying documents, whereas clustering is helpful for exploration.Focus More on FeaturesTeams should consider the various options’ features and insights when purchasing AI for eDiscovery. They also must consider the training protocol, process, and workflow. At the end of the day, the results must be repeatable and defensible. Several solutions may be suitable as long as the team can apply a scientific approach to the process and perform early data assessment. Additional factors include connectivity with the organization’s other technology and cost.The process and results matter most. Lawyers are better off looking at the system as a whole and its features in deciding which AI tech to deploy instead of focusing on the algorithm itself.Although not strictly necessary, it can be helpful to choose a solution the team can apply to multiple problems and tasks. Some tools are more flexible than others, so reuse is something to consider.Some Use Cases Allow for ExperimentationThere’s also the choice between a well-established solution versus a lesser-known technology. Again, defensibility may push a team toward a well-known and respected tool. However, teams can take calculated risks with newer technologies when dealing with exploratory and internal tasks.A Custom Solution Isn’t NecessaryThe participants noted the rise in premade, portable AI solutions more than once. Rarely will it benefit a team to create a custom AI solution from scratch. There’s no need to reinvent the wheel. Instead, lawyers should always try an off-the-shelve system first, even if it requires fine-tuning or adjustments.AI’s Impact on ProcessThe process and workflow are critical no matter which solution a team chooses. Whether for eDiscovery, an internal investigation, or a cyber security incident, lawyers need accurate and defensible results.Some AI tools allow teams to track and document the process better than others. However, whatever the tool’s features, the lawyers must prioritize documentation. It’s up to them to thoughtfully train the chosen system, create a defensible workflow, and log their progress.As the adage goes: garbage in, garbage out. The effort and information the team inputs into the AI tool will influence the validity of the results. The tool itself may slightly influence the team’s approach. However, any approach should flow from a scientific process and evidence-based decisions.AI’s Influence on StrategyThere’s a lot of potential for AI to help organizations more strategically manage their documents, data, and approach to cases. Consider privileged communications and redactions. AI tools enable organizations to review and classify documents as their employees create them—long before litigation or another matter. Classification coding can travel with the document, from one legal matter to another and even across vendors, saving organizations time and money.Consistency is relevant, too. Organizations can use AI tools to improve the accuracy and uniformity of identifying, classifying, and redacting information. A well-trained AI tool can offer better results than people who may be inconsistently trained, biased, or distracted.Another factor is reusing AI technology for multiple search tasks. Depending on the tool, an organization can use it repeatedly. Or it can use the results from one project to the next. That may look like knowing which documents are privileged ahead of time or an ongoing redaction log. It can also look like using a set of documents to better train the algorithm for the next task.The Future of AIThe panelists wrapped the webinar by discussing what they expect for the future of AI in the legal space. They agreed that being able to reuse work products and the concept of data lakes will become even greater focuses. Reuse can significantly impact tasks that have traditionally had a huge cost burden, such as privilege reviews and logs, sensitive data identification, and data breach and cyber incidents.Another likelihood is AI technology expanding to more use cases. While lawyers tend to use these tools for similar search tasks, the technology itself has potential for many other legal matters, both adversarial and transactional. To hear more of what the experts had to say, watch the webinar, “Deploying Modern Analytics for Today’s Critical Data Challenges.” ai-and-analytics; ediscovery-review; lighting-the-path-to-better-ediscoveryai-big-data, blog, data-reuse, project-management, ai-and-analytics, ediscovery-reviewai-big-data; blog; data-reuse; project-managementai-analyticslighthouse

eDiscovery is currently undergoing a fundamental sea change, including how we think about data governance and the EDRM. Linear review and older analytic tools are quickly becoming outdated and unable to handle modern datasets, i.e., eDiscovery datasets that are not only more voluminous than ever before, but also more complicated – emanating from an ever-evolving list of new data sources and steeped in variety of text and non-text-based languages (foreign language, slang, emojis, video, etc.).Fortunately, technological advancements in AI have led to a new class of eDiscovery tools that are purpose built to handle “big data.” These tools can more accurately identify and classify responsiveness, privileged, and sensitive information, parse multiple formats, and even provide attorneys with data insights gleaned from an organization’s entire legal portfolio.This is great news for legal practitioners who are faced with reviewing and analyzing these more challenging datasets. However, evaluating and selecting the right AI technology can still present its own unique hurdles and complexities. The intense purchasing process can raise questions like: Is all AI the same? If not, what is the difference between AI-based tools? What features are right for my organization or firm? And once I’ve found a tool I like, how do I make the case for purchasing it to my firm or organization?These are all tough questions and can lead you down a rabbit hole of research and never-ending discussions with technology and eDiscovery vendors. However, the right preparation can make a world of difference. Leveraging the below steps will help you simplify the process, obtain answers to your fundamental questions, and ultimately select the right technology that will help you overcome your eDiscovery challenges and up level your eDiscovery program.1. Familiarize Yourself with Subsets of AI in eDiscoveryNewer AI technology is significantly better at tackling today’s modern eDiscovery datasets than legacy technology. It can also provide legal teams with previously unheard-of data insights, improving efficiency and accuracy while enabling more data-driven strategic decisions. However, not all technology is the same – even if technology providers tend to generally refer to it all as “AI.” There are many different subsets of AI technology, and each may have vastly different capabilities and benefits. It’s important to understand what subsets of AI can provide the benefits you’re looking for, and how those different technology subsets can work together. For example, Natural Language Processing (NLP) enables an AI-based tool to understand text the same way that humans understand it – thus providing much more accurate classifications results – while AI tools that leverage deep learning technology together with NLP are better able to handle large and complex datasets more efficiently and accurately. Other subsets of AI give tools the ability to re-use data across matters as well as across entire legal portfolios. Learning more about each subset and the capability and benefits they can provide before talking to eDiscovery vendors will give you the knowledge base necessary to narrow down the tools that will meet your specific needs. 2. Learn How to Measure AI ROIAs a partner to human reviewers, advanced AI tools can provide a powerful return on investment (ROI). Understanding how to measure this ROI will enable you to ask the right questions during the purchasing process to ensure that you select a tool that aligns with your organization or law firm’s priorities. For example, if your team struggles with review accuracy when utilizing your current tools and workflows, you’ll want to ensure that the tool you purchase is quantifiably more accurate at classifying documents for responsiveness, privilege, sensitive information, etc. The same will be true for other ROI metrics that are important to your team, such as lower overall eDiscovery spend or increased review efficiency.These metrics will also help you build a strong business case to purchase your chosen tool once you’ve selected it, as well as a verifiable way to confirm the tool is performing the way you want it to after purchase.3. Come Prepared with a List of QuestionsIt’s easy to get swept up in conversations about tools and solutions that end without the metrics you need. A simple way to control the conversation and ensure you walk away with the information you need is to prepare a thorough list of questions that reflect your priorities. Also be sure to have a method to record each vendor’s response to your questions. A list of standard questions will keep conversations more productive and provide a way to easily contrast and compare the technology you’re evaluating. Ensure that you also ask for quantifiable metrics and examples to back up responses, as well as references from clients. This will help you verify that vendor responses are backed by data and evidence.4. Know the Pitfalls of AI Adoption—and How to Avoid ThemIt won’t matter how much you understand AI capabilities, whether you’ve asked the right questions, or whether you understand how to measure ROI, if you don’t know how to avoid common AI pitfalls. Even the best technology will fail to return the desired results if it’s not implemented properly or effectively. For example, there are some workflows that work best with advanced AI, while other workflows may fail to return the best results possible. Knowing this type of information ahead of time will help you get your team on board early, ensure a smooth implementation, and enable you to unlock the full potential of the technology.These tips will help you better prepare for the AI purchasing process. For more information, be sure to download our guide to buying AI. This comprehensive guide offers a deep dive into tips and tactics that will help you fully evaluate potential eDiscovery AI tools to ensure you select the best tool for your needs. The guide can also be used to reevaluate your current AI and analytic eDiscovery tools to confirm you’re using the best available technology to meet today’s eDiscovery challenges.lighting-the-way-for-review; ai-and-analytics; ediscovery-review; lighting-the-path-to-better-review; lighting-the-path-to-better-ediscoveryreview, ai-big-data, blog, ai-and-analytics, ediscovery-reviewreview; ai-big-data; blogai-analyticssarah moran

While everyone hoped that 2021 would be less tumultuous than 2020, it certainly did not turn out that way in the end. The same was true in the world of data privacy – with sweeping new data protection regulations and guidance issued throughout the year that made significant ripples. Below is a summary of some of the most important data privacy changes that will impact companies operating in the United States, Europe, and China in 2022 and beyond.US Regulation ChangesVirginia Consumer Data Protection Act (VCDPA)What it Does: Similar to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (jointly, the first GDPR-like data protection regulations passed within the US), the new Virginia regulation is a comprehensive data protection law that bestows certain rights and protections to Virginia residents regarding the use of their personal data, including:The right to opt out of having their data sold or used for targeted advertising, as well as the right to opt out of having their data used for “profiling” (i.e., using a person’s personal data to evaluate, analyze, or predict aspects of their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).The right to request that companies provide information about the personal data they have collected from them, and have it corrected or deleted.The right to request a free copy of their personal data in a portable, readily usable format.The law also requires companies to gain permission from citizens before collecting certain classes of highly sensitive personal data, including racial or ethnic origin, genetic data, and geolocation. The new law does not provide for a private right of action (i.e., it does not allow individuals to bring lawsuits against companies for data privacy rights violations). Instead, the law will be enforced by the state’s Attorney General.Who it applies to: All Virginia residents have rights under the VCDPA. Any company or organization that conducts business in Virginia and meets either of the following two criteria must comply with its requirements:Controls or processes personal data of at least 100,000 consumers; orDerives over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.Note that there are broad exemptions for financial institutions, as well as organizations or businesses that are governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.When it takes effect: Jan. 1, 2023When it was passed: March 2, 2021Other notes: Tech industry trade groups and businesses heavily supported the VCDPA. Colorado Privacy Act (CPA)What it Does: Following in the footsteps of California and Virginia, Colorado was the third state to pass a comprehensive GDPR-like data privacy law. The new law conveys data privacy rights to Colorado residents that are nearly identical to the VCDPA, including:The right to opt out of the use of their personal data for sale or targeted advertising, as well as for the use in profiling decisions that would have legal or significant effects to the consumer (such as the use of personal data that may affect decisions regarding consumer lending, financial, housing, and insurance decisions).The right to request that companies provide information about the personal data they have collected from them, and request that it either be corrected or deleted.The right to obtain their personal data from a company in a free “portable” and readily usable format.Similar to Virginia and California, the law also classifies “sensitive data” as a separate category of personal data that requires additional protection, including: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. Note that Colorado’s definition of sensitive data does not include precise geolocation data, whereas Virginia and California’s data protection laws do.Who it applies to: All Colorado residents have rights under the CPA. Any company or organization that conducts business or produces commercial products or services that are intentionally targeted to Colorado residents and meet either of the following two criteria must comply with its requirements: Controls or processes personal data of at least 100,000 consumers in a calendar year; orDerives revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.The law specifically does not apply to state and local governments, state institutions of higher education, personal data governed by certain state and federal laws, and employment records.When it takes effect: July 1, 2023When it was passed: July 7, 2021Other notes: Similar to the VCDPA and to the CCPA, the CPA does not create a private right of action. Enforcement is exclusively with the state’s Attorney General and District Attorneys. Additionally, the act specifically states that a violation of its requirements is a deceptive trade practice for purposes of enforcement. Utah Cybersecurity Affirmative Defense ActWhat it does: Utah’s Cybersecurity Affirmative Defense Act provides new affirmative defenses that businesses in Utah can use to defend themselves against lawsuits arising out of a data security breach. The law states that an organization can affirmatively defend itself against a data security breach lawsuit that alleges that the organization failed to implement reasonable information security controls, so long as that organization maintained and complied with a written cybersecurity program that meets certain requirements spelled out within the law.The new law also allows an organization to defend itself against claims that it failed to appropriately respond to a cybersecurity breach, so long as its cybersecurity program had reasonable protocols in place for responding to breaches.Additionally, an organization can defend itself against claims that it failed to appropriately notify individuals effected by a data breach if the organization’s cybersecurity program had reasonable protocols in place for notifying individuals about breaches and those protocols were followed after the breach.In this way, the law provides an incentive for Utah businesses to implement updated cybersecurity programs to protect Utah residents’ personal data more effectively, by providing defenses to data breach lawsuits if such programs are implemented and followed.Who it applies to: Any person (which the law defines as an individual and most business organizations) that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements spelled out within the act, and is in place during the relevant cybersecurity breach.When it takes effect: May 5, 2021When it was passed: March 11, 2021Other notes: The affirmative defenses are not available where the organization had advanced notice of a cybersecurity threat or risk. The law also states that it does not provide for a private right of action for failing to comply (thus private citizens may not sue organizations who don’t implement cybersecurity programs that meet the requirements spelled out within the law). California Consumer Privacy Act AmendmentsWhat it does: The amendments update the California Consumer Privacy Act (passed in 2018) to include three general changes relating to a consumer’s right to opt out of the selling of their personal information, and one change to authorized agent requests for information related to a consumer’s personal information.The three changes relating to a consumer’s right to opt out of the selling of their information include the following:Any business that sells personal information that it collected offline must now inform consumers in an offline method of their right to opt out, including instructions on how to do so.Authorizes the use of a specific “opt-out” icon that can be used in addition to posting the notice of the right to opt out (but not in lieu of that notice).Mandates that a business’s method for consumer request submissions to opt out must be easy to execute, require minimal steps, and not designed in a way that purposefully or substantially subverts or impairs a consumer’s choice to opt out.The change regarding authorized agent requests to a business on behalf of a consumer related to the consumer’s personal information includes the following:When a consumer uses an authorized agent to submit a request for information about the personal data a company has collected from the consumer (or requests to change or delete that personal data), the responding business may now require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:(1) Verify their own identity directly with the business.(2) Directly confirm with the business that they provided the authorized agent permission to submit the request.This is a change from the previous version of the law, which mandated that the consumer provide the authorized agent’s signed permission, in addition to the other two requirements listed above.Who it applies to: All California residents have rights under the CCPA. Any for-profit business that does business in California and meets any of the following criteria must comply with the CCPA:Has a gross annual revenue of over $25 million.Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; orDerives 50% or more of their annual revenue from selling California residents’ personal information.When it takes effect: March 15, 2021When it was passed: March 15, 2021 GDPR ChangesNew Standard Contractual Clauses (SCCs) Issued by the European CommissionWhat it Does: The SCCs are a contractual device used to help ensure that personal data transferred outside the EU is kept secure and complies with GDPR requirements, wherein the entity receiving the data contractually agrees to protect the transferred personal data according to stringent GDPR requirements. After the 2020 invalidation of the EU-US Privacy Shield, SCCs are now one of the only viable GDPR-compliant methods for entities within the US to receive personal data from entities in Europe.The new SCCs take into account the decision-making behind the invalidation of the EU-US Privacy Shield. Whereas the old SCCs were rigid, the new SCCs provide a bit more flexibility. They are now “modular,” meaning entities can now choose from a selection of four different models, depending on the type of transaction: controller to controller; controller to processor; processor to sub-processor; and processor to controller. They also expand the rights given to data subjects, including the right to enforce SCC provisions against both the data exporter and data importer. Additionally, the SCCs mandate that data importers must agree to EU jurisdiction (including EU courts as well as compliance with applicable EU data protection laws). There is also a new optional clause (Clause 7) that allows new parties to be added to the SCCs, as well as new Annexes that must be customized for each transaction.Who it applies to: A data importer located in a country without an EU adequacy decision (like the US) that is not itself subject to the GDPR should utilize the new SCCs to transfer personal data from the EU – unless exceptions apply (i.e., the parties are able to rely on an alternate transfer mechanism, etc.). However, Recital 7 of the new SCCs appears to state that when the data importer is itself subject to the GDPR (for example, because the company provides services or goods to individuals living in the EU), the new SCCs cannot be used. This language has left open questions around what transfer mechanism companies should use in that situation (see below for a summary of additional guidance issued by the European Data Protection Board surrounding this issue).Additionally, due to Brexit, the new SCCs do not apply in the UK. The UK Information Commissioner’s Office (ICO) has launched a public consultation on drafting a new set of SCCs for use within the UK.When it takes effect: The new SCCs became effective on June 27, 2021. Any new contracts and processing transactions taking place after September 27, 2021 must use the new SCCs. Any contracts entered into prior to September 27th, 2021 must be updated with the new SCCs by December 27, 2022.When it was issued: June 4, 2021 New Guidance for Cross-Border Data Transfers Issued by the European Data Protection Board ("EDPB")What it Does: The invalidation of EU-US Privacy Sheild in 2020, along with the new SCCs (above), has led to uncertainty around how to comply with the GPDR when transferring data between the EU and countries such as the US that do not have an adequacy decision (i.e., a decision by the European Commission that a country outside the EU offers adequate levels of data protection to safely protect EU personal data that is transferred there). In particular, language within the Recitals of the SCCs states that the new SCCs only apply to data transfers between a data exporter and a data importer who itself is not subject to GDPR. This language has left open questions around what type of transfer mechanism (if any) is needed for a transfer of data to an importer that is already subject to the GDPR.New guidance issued by the EDPB provides some concrete answers to a few of these questions, as well as resolved some other long-standing murkiness about cross-border transfers (even if the guidance does not resolve all uncertainty).For example, the guidance now definitively states that data transfers from an EU-based data exporter to a data importer based outside the EU is, in fact, a transfer within the meaning of Article 44 of the GDPR and therefore would require the importer to enter into an SCC (or possibly adopt Binding Corporate Rules). However, as noted above, if the importer is itself subject to the GDPR, Recital 7 of the new 2021 SCCs state that the new SCCs cannot be used, leaving open the question of what SCC should be used in that situation. Note that the minutes to the European Data Protection Board plenary meeting held in September of 2021 mention that the EU Commission will issue a new set of SCC to govern this type of data transfer.The guidance also settled some long-standing questions around other types of transactions that are not considered transfers of data under Article 44 of the GDPR. For example, the new guidance affirmatively states that “direct collections” of personal data from individuals located within the EU does not constitute a transfer of data (because when the information is collected directly, there is no transfer between controller and processor). It also clarified that “intra-company” data transfers are not considered a transfer of data under Article 44 because a transfer requires two parties. However, note that while these transactions are not considered “transfers” under Article 44, all other applicable GDPR protections still apply and must be followed.Who it applies to: The guidance will be particularly useful for any non-EU organization that needs to transfer or collect data from within the EU. When it takes effect: November 19, 2021When it was issued: November 19, 2021 Other New RegulationsChina’s Personal Information Protection Law (PIPL)What it does: China’s new Personal Information Protection Law is a GDPR-like comprehensive data protection law aimed at protecting the personal information of “natural persons” located within China. It governs how companies collect, process, and transfer personal data of people within China and like the GDPR, is exterritorial in its reach – meaning it applies to companies outside of China that handle the personal data of someone located in China. Also like the GDPR, it allows individuals in China to request access to their personal data that a company has collected and ask for it to be corrected or deleted. And like the GDPR, the regulation includes the risk of large fines against companies that fail to comply with its mandates – including up to five percent of a company’s annual revenue. However, unlike the GDPR, failure to comply also includes the risk of being “blacklisted” by the Chinese government, as well as possible criminal penalties.Multinational organizations with Chinese employees should also be aware that the law contains specific regulations regarding transferring the personal information of Chinese employees across the country’s borders. This means that companies cannot transfer internal employee information (including typical information routinely handled by a company’s HR department) outside of China’s borders without the consent of the employee and meeting other specifications spelled out within the law.Who it applies to: The PIPL protects the personal data of people located in China. It applies to companies operating in China, as well as organizations outside of China that process the personal data of people within China for any of the following reasons:(1) To provide products or services to people in China;(2) To analyze or assess the behavior of people in China; or(3) Any other circumstances that falls under unspecified Chinese laws and regulations.When it takes effect: November 1, 2021When it was issued: August 20, 2021data-privacydata-privacyblog; data-protectionsarah moran

Complexity, resiliency, adaptability are some of the defining traits from the past year, with good reason. From navigating hybrid workplaces and new collaboration platforms to weathering economic uncertainty and new regulatory postures, the legal industry, and workforce overall, have faced extraordinary challenges. But, with the adversity came great innovation and problem solving. Developments in communications, artificial intelligence (AI), and data have opened new, and often unexpected, possibilities for years to come.With these dynamics in mind, below we've compiled some of our best thinking from 2021, covering critical topics in eDiscovery such as data privacy, AI, information governance, analytics, privilege, and big data. Explore the posts below for some fresh thinking to enter a new year:Navigating the Intersections of Data, Artificial Intelligence, and PrivacyMaking the Case for Information Governance and Why You Should Address it Now Is Your AI Algorithm Admissible in Court? Some Things to ConsiderBig Data Challenges in eDiscovery (and How AI-Based Analytics Can Help)Privilege Mishaps and eDiscovery: Lessons LearnedFour Ways a SaaS Solution Can Make In-House Counsel Life Easierediscovery-reviewblog, ediscovery-reviewbloglighthouse

There is much out there about cloud solutions and how they improve the lives of users, offer flexibility for expansion and contraction of business, and can lighten the lift for IT. There is even a lot of specific commentary about how cloud can help legal teams and enable change management for the department. But what about the day-to-day tasks? How does the cloud change the legal team’s work and what new governance and skills are necessary to handle that change? This blog will tackle these questions so you can be more prepared and agile as cloud technology advances.Why does a shift to the cloud matter for legal teams?From a practical perspective, it means having to be reactive in areas where legal has traditionally been more proactive. Things like data storage timelines and locations, internal access permissions, and document history are now ever-changing with software updates being automatically pushed to corporate software environments. Many organizations that manage on-premises software have historically had an effective software governance structure in place. They can meet, discuss upcoming upgrades and their impacts, and make decisions about when to execute a software upgrade. Now, in an agile cloud approach, upgrades come frequently, without much notice, and sometimes have highly impactful changes. Traditional governance structures are no longer sustainable given the new timing and volume of updates – sometimes hundreds in a week. Legal and IT teams now need to collaborate more often to quickly analyze any impacts updates will have on the organization and what, if anything, needs to be done to mitigate cloud security risks.Given this, how should corporate legal teams adapt?A typical legal department is organized around areas of expertise – you may have employment, litigation, business advice, and contracts, for example. The department may also have a legal operations function, or a member of the team assigned to certain process improvement and/or corporate programs. One of these programs covers technology changes at an organization. It is this latter set of responsibilities that become much more important, and more voluminous, in an agile software environment. Analyzing the potential risks of cloud updates, advising the business on how to mitigate those risks, and changing any associated legal workflows can become a full-time or close to full-time set of responsibilities. In addition, the culture of the department must change to one that embraces frequent change, understands change management, and is consistently updating and improving processes and procedures.Traditionally, in an on-premises environment, an IT organization would typically manage an upgrade governance structure. They would plan for a software upgrade every six months, outline the changes that are due with each upgrade, and analyze what departments it impacts and the risks of those impacts. Finally, they would present this information to a cross-functional committee who would discuss when the upgrade can be made and what kind of work needs to precede the upgrade. Legal was typically part of that committee. Now, in a cloud environment dozens (or even hundreds) of changes get pushed out weekly and, although there may be some advanced warning, the timing isn’t as flexible, it isn’t uniform across users, and there is usually less time to prepare. In addition, changes may be pushed out, rolled back, and potentially reversed. Updates may also occur without any warning, which can contribute to the cloud challenges for corporate legal departments[1]. To minimize risk in this agile environment some specific steps can be helpful: a similar governance committee needs to meet more frequently, the analysis of impact and risk needs to be done very quickly, and changes need to be made almost immediately to ensure you get ahead of any potential impacts. Due to the frequent nature of these changes, and supervising process updates to mitigate risk associated with the changes, managing cloud updates can be more time-consumingWithout structure, these cloud updates can add stress and increase reactive work. However, with some structure and clearly delineated oversight, they can be managed more efficiently. Although many organizations may not have a structure in place, those that do pull together a committee for each enterprise technology. This committee has IT, legal, compliance, and business-focused representation. It may have multiple representatives from some of these groups, depending on the perspectives needed. The goal is for the business representative to advocate for users of the technology, the legal and compliance representatives to mitigate risk and take into account regulatory, litigation and privacy considerations, and the IT team to represent management of the platform and be a voice for the platform provider. The committee should have access to a sandbox-type environment where they can test changes and should be empowered to lead companywide changes – or at least be able to work with a project management office or other resource to make these changes.Most legal departments run pretty lean so creating a new governance structure can be a significant challenge, but there are ways to make the process easier. First, you can hire outside support to handle all, or some, of this work. For example, outsourcing the creation of the governance structure to manage software updates and staffing that group with your own resources or have your external partner staff and manage it until a time when you are ready to take it over. Second, instead of hiring outside support, you can share your risk concerns with IT and rely on them to raise any potential impact that upgrades may have on risk and legal processes. For example, when IT receives an email from a software provider outlining updates, they would analyze them for potential impact to legal workflows, retention policies, or any other issues you have flagged. They would then test the updates and remediate any negative impacts. Finally, you can rotate governance committee membership so that the work is being shared across your team. Whatever approach you choose, keep in mind that changes in the cloud environment are happening frequently and having someone within your company watching from a legal perspective will pay dividends when it comes to accessing data for legal, compliance, investigative, or other reasons down the line.[1] Victoria Hudgins, “Big Adjustment: Legal Departments Struggle with Lack of Control Over Cloud Technology,” Legaltech news, November 29, 2021, law.com information-governance; microsoft-365; lighting-the-path-to-better-information-governancecloud-security, cloud-migration, blog, risk-management, information-governance, microsoft-365cloud-security; cloud-migration; blog; risk-managementlighthouse

The approach of a new year is often a good time to step back and take stock of the eDiscovery industry, so that we can be better prepared to move forward. One of the most dramatic changes over the past few years has been the seismic shift across the legal and corporate data landscapes. That shift has slowly been expanding the concept of eDiscovery beyond a single-litigation focus, to encompass data governance, data privacy and security, and an overall more holistic, strategic approach to review and analysis.As we prepare to move forward in this brave new world, it’s important to understand how those industry changes affect the traditional framework of the eDiscovery process: the Electronic Discovery Reference Model (EDRM). Recently, I was lucky enough to join a panel of industry experts, including Microsoft’s EJ Bastien, TracyAnn Eggen from CommonSpirit Health, and Lighthouse’s Sarah Barsky-Harlan, to dive deeper into that specific issue. Together, we tackled questions like: Does the EDRM still apply in today’s more complex eDiscovery environment? If so, how is the evolving data and eDiscovery landscape reshaping how organizations and law firms think about the EDRM? How can the EDRM be used to meet today’s more complex communication, data, and business challenges?Below are some of the key themes and ideas that emanated from that discussion: A Brave New Data World: Dynamic Changes in eDiscoverySince its inception, the EDRM has been the industry’s standard approach to the eDiscovery process (i.e., identification, collection, processing, review, analysis, and production of electronically stored information (ESI)). However, what we’re seeing today is that organizations and law firms now must think about eDiscovery in much broader terms than that traditionally very linear method. There are three primary reasons for this change:New cloud-based and Software as a Service (SaaS) systems: Enterprise systems are not nearly as controlled by the underlying organization as they used to be. Even five years ago, IT departments could more closely manage what software was installed, as well as when, how, and what upgrades were rolled out. Now those updates and installations are managed by cloud providers, with upgrades rolling out on an almost weekly basis – often with no notice to the organization. All those changes have downstream eDiscovery impacts, which must be dealt with at each stage of the EDRM process.New data formats: Data is no longer structured in the traditional document “family” of an email parent with attachment children. The shift to chat and collaboration platforms within organizations means that communications and workflows generate more data across multiple data sources and are much more fluid and informal. For instance, instead of an employee working on a static document saved on a desktop and then passing that document back and forth to co-workers via email, those employees may work on that document together while it’s saved on a cloud-based collaboration platform, chat about it via an in-office chat application, post updates on it via the collaboration tool channel, as well as email copies back and forth to each other. This means counsel must analyze how relevant data ties together and analyze the relationships between data sources in order to understand the full story of a communication during an investigation or litigation.New capabilities with eDiscovery technology: There are many new types of capabilities that are native to enterprise systems, as well as new types of analytics and artificial intelligence (AI) that can handle more data at scale. These new capabilities are allowing case teams to leverage past data on new cases and get to key data more quickly in the EDRM process. The Impact: How Those Changes Affect the EDRM FrameworkThinking of the EDRM as a monolithic linear process that flows straight from beginning (collection) to end (production) does not fit the way eDiscovery takes place in practice anymore. There is a world of complexity within each step of the EDRM – one that is highly dependent on the data source. And the decisions made along the way for each data source at each new step will impact what happens next – often in a non-linear fashion: Sometimes that next step will send practitioners back to collection again, because they found another data source during review. Sometimes review takes place simultaneously with collection or processing phases, depending on the data source and those newer capabilities discussed above. In short, the old model of collecting all data, exporting it all, and then reviewing it all, in large chunks, one step at a time, is no longer applicable nor practical.Instead, a “mini-EDRM” framework might make more sense, where organizations prepare workflows for the preservation, collection, processing, and review of each particular data source. Thinking of the EDRM in this way also helps the framework stay relevant and future-proof as practitioners deal with the sea-change happening across our data landscape. Practitioners need to be agile enough to handle new data sources as they pop up, for each step of the EDRM process, and then be prepared to do it all over again when someone in a deposition mentions another new data source, and to adapt it when something changes in the data source. A mini-EDRM framework would help organizations and practitioners better meet those challenges.The EDRM and Data-in-PlaceAs noted above, the eDiscovery process is now much broader and has much more of an impact on organizational information governance and data-in-place than ever before. This presents an opportunity to use learnings from across the EDRM to more effectively manage data “to the left” of that traditional process. For example, if a particular data source was problematic during review, that information can be disseminated at the organizational level and help inform how that source is used within the organization moving forward. Or if practitioners notice a large volume of irrelevant data during review that shouldn’t exist in the system at all, that information can be used to redraft document retention policies. In this way, eDiscovery (and the EDRM framework) can now be a force for change over the entire organization.Thinking Beyond a Single MatterIn today’s more dynamic and voluminous data landscape, the work we did in the past is more valuable than ever before and it can be used to inform and impact current processes across the EDRM.This can come in the form of people and institutional knowledge: experienced and consistent staff and outside partners are an invaluable resource. These organizational experts can use their understanding and experience with an organization’s past matters, system architecture, data sources, workflows etc. to improve eDiscovery efficiency and solve current problems more effectively. It can also come in the form of technology: when the EDRM first evolved, data analytics were a much heavier lift. The process and tools were expensive and the amount of data that they could be applied to was much smaller than today. Advancements in AI capabilities now allow us to analyze much larger volumes of data with much more accurate results. Thus, this newer, advanced AI technology is now capable of leveraging the goldmine of millions of previous decisions made by attorneys on an organization’s past matters. That work product is baked into the data, and advanced AI can use it to make more accurate decisions on current data at a much larger scale than ever before.Tips to Keep the EDRM Applicable in an Evolving Data LandscapeStrive to retain institutional knowledge across matters: The constantly evolving eDiscovery landscape makes continuity and retaining institutional knowledge incredibly important. Starting from scratch each time you confront a new data source or problem along the EDRM is no longer practical with today’s diversified and larger data volumes. Work to cultivate valuable partners and staff who will work to understand your organization’s data architecture, as well as the eDiscovery workflows that are effective within your environment.Lean on your peers: Chances are, if you’re facing a problem with a challenging data source at one stage of the EDRM, someone in your peer group has also faced the same or a similar problem. Don’t be afraid to reach out and ask folks to benchmark. Peer experience can help each practitioner learn and move forward, solving challenging industry problems along the way.Open the lines of communication: Because the EDRM process is much more iterative and each step impacts other steps, it is incredibly important that the people working on those steps do not work in silos. Everyone should know the downstream impacts of their decisions and workflows.Test… and test again: Employ a testing framework to test the impact of eDiscovery workflows on the underlying platforms, and then have a feedback loop to apply changes. This will ensure your eDiscovery program is forward-thinking, as opposed to reactive. Automate where possible: When striving for repeatable, defensible eDiscovery processes, predictability is key. And automation, when feasible, is a great way to achieve that predictability. Automating workflows across the EDRM will not only help improve efficiency and lower costs, it will also help minimize risk and keep your eDiscovery program defensible.information-governance; ediscovery-review; chat-and-collaboration-datacloud, analytics, information-governance, ediscovery-process, blog, information-governance, ediscovery-review, chat-and-collaboration-data,cloud; analytics; information-governance; ediscovery-process; bloglighthouse

Legal professionals often take for granted that the eDiscovery software they leverage in-house must come with capability tradeoffs (i.e., if the production capability is easy to use, then the analytics tools are lacking; if the processing functionality is fast and robust, then the document review platform is clunky and hard to leverage, etc.).The idea that these tradeoffs are unavoidable may be a relic passed down from the history of eDiscovery. The discovery phase of litigation didn’t involve “eDiscovery” until the 1990s/early 2000s, when the dramatic increase in electronic communication led to larger volumes of electronically stored information (ESI) within organizations. This gave rise to eDiscovery software that was designed to help attorneys and legal professionals process, review, analyze, and produce ESI during discovery. Back then, these software platforms were solely hosted and handled by technology providers that weren’t yet focused entirely on the business of eDiscovery. Because both the software and the field of eDiscovery were new, the technology often came with a slew of tradeoffs. At the time, attorneys and legal professionals were just happy to have a way to review and produce ESI in an organized fashion, and so took the tradeoffs as a necessary evil.But eDiscovery technology, as well as legal professionals’ technological savvy, has advanced light years beyond where it was even five years ago. Many firms and organizations now have the knowledge and staff needed to move to a “self-service, spectra” eDiscovery model for some or all of their matters – and eDiscovery technology has advanced enough to allow them to do so. Unfortunately, despite these technological advancements, the tradeoffs that were so inherent in the original eDiscovery software still exist in some self-service, spectra eDiscovery platforms. Today, these tradeoffs often occur when technology providers attempt to develop all the technology required in an eDiscovery platform themselves. The eDiscovery process requires multiple technologies and services to perform drastically different and overlapping functions – making it nearly impossible for one company to design the best technology for each and every eDiscovery function, from processing to review to analytics to production.To make matters worse, the ramifications of these tradeoffs are much wider than they were a decade ago. Datasets are much larger and more diverse than ever before – meaning that technological gaps that cause inefficiency or poor work product will skyrocket eDiscovery costs, amplify risk, and create massive headaches for litigation teams. But because these types of tradeoffs have always existed in one form or another since the inception of eDiscovery, legal professionals still tend to accept them without question.But rest assured best-in-class technology does exist now for each eDiscovery function. The trick is being able to identify the functionality that is most important to your firm or organization, and then select a self-service, spectra eDiscovery platform that ties all the best technology for those functions together under one seamless user interface.Below are three key steps to prepare for the research and purchasing process that will help drastically minimize the tradeoffs that many attorneys have grown accustomed to dealing with in self-service, spectra eDiscovery technology. Before you begin to research eDiscovery software, you’ve got to fully understand your firm or organization’s needs. This means finding out what eDiscovery technology capabilities, functionality, and features are most important to all relevant stakeholders. To do so:Talk to your legal professionals and lawyers about what they like and dislike about the current technology they use. Don’t be surprised if users have different (or even opposing) positions depending on how they use the software. One group may want a review platform that is scaled down without a lot of bells and whistles, while another group heavily relies on advanced analytics and artificial intelligence (AI) capabilities. This is common, especially among groups that handle vastly different matter types, and can actually be a valuable consideration during the evaluation process. For instance, in the scenario above, you know you will need to look for eDiscovery software that can flex and scale from the smallest matter to the largest, as well as one that can create different templates for disparate use cases. In this way, you can ensure you purchase one self-service, spectra eDiscovery software that will meet the diverse needs of all your users.Communicate with IT and data security teams to ensure that any platform conforms with their requirements.These two groups often end up being pulled into discussions too late once purchasing decisions have already been made. This is unfortunate, as they are integral to the implementation process, as well as to ensuring that all software is secure and meets all applicable data security requirements. Data security in eDiscovery is non-negotiable, so you want to be sure that the eDiscovery technology software you select meets your firm or organization’s data security requirements before you get too far along in the purchasing process.Create a prioritized list of the most important capabilities, functionality, and attributes to all the stakeholders once you’ve gathered feedback.Having a defined list of must-haves and desired capabilities will make it easier to vet potential technology software and ultimately help you identify a technology platform that fits the needs of all relevant stakeholders.ConclusionWith today’s advanced technology, attorneys and legal professionals should not have to deal with technology gaps in their self-service, spectra eDiscovery software, just as law firms and organizations should not have to blindly accept the higher eDiscovery cost and risk those gaps cause downstream. Powerful best-in-class technology for each step of the eDiscovery process is out there. Leveraging the steps above will help you find a self-service, spectra eDiscovery software solution that ties all the functionality you need under one seamless, easy-to-use interface.For more detailed advice about navigating the purchasing process for self-service, spectra eDiscovery software, download our self-service, spectra eDiscovery Buyer’s Guide here. ediscovery-review; ai-and-analyticsself-service, spectra, review, analytics, processing, blog, production, ediscovery-review, ai-and-analyticsself-service, spectra; review; analytics; processing; blog; productionsarah moran

The Law & Candor podcast is back for Season 8, continuing its exploration of the legal technology revolution. Our co-hosts return with a stellar slate of expert guests and captivating conversations, all striving to elevate the current state of our industry and look to the future.Bill Mariano and Rob Hellewell are back to help lead those discussions in six easily digestible episodes that cover a range of topics, including: AI and linguistics in eDiscovery, staying ahead of AI innovation, family versus four corner review, cross-matter review strategy and implementation, unindexed items in Microsoft 365, and the rise of wearable devices and health-related apps.Episode 1. Finding Lingua Franca: The Power of AI and Linguistics for Legal TechnologyEpisode 2. Staying Ahead of the AI CurveEpisode 3. eDiscovery Review: Family Vs. Four CornerEpisode 4. Achieving Cross-Matter Review Discipline, Cost Control, and EfficiencyEpisode 5. Understanding Microsoft 365 Unindexed Items Episode 6. Getting Personal—Wearable Devices, Data, and CoGetting Personal—Wearable Devices, Data, and Compliance Listen now or bookmark individual episodes to listen to them later, and be sure to follow the latest updates on Law & Candor's Twitter. And if you want to catch up on past seasons or special editions, click here.For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.ediscovery-reviewblog, podcast, ediscovery-review,blog; podcastlighthouse