Lighthouse Blog

Emerging challenges with big data—large sets of structured or unstructured data that require specialized tools to decipher— have been well documented, with estimates of worldwide data consumed and created by 2025 reaching unfathomable volumes. However, these challenges present an opportunity for innovation. Over the past few years, we’ve seen a renaissance in AI products and solutions to help address and evolve past these issues. From smaller players creating bespoke algorithms to bigger technology companies developing solutions with broader applications, there are substantial opportunities to harness AI and rethink how to manage data.A recent announcement of Microsoft’s Syntex highlights the immense possibilities for, and investment in, leveraging AI to manage content and augment human expertise and knowledge. The new feature in Microsoft 365 promises advanced AI and automation to classify and extract information, process content, and help enforce security and compliance policies. But what do new solutions like this mean for eDiscovery and the legal industry?There are three key AI benefits reshaping the industry you should know about:1. Meeting the challenges of cloud and big data2. Transforming data strategies and workflows3. Accelerating through automationMeeting the challenges of cloud and big data Anyone close to a recent litigation or investigation has witnessed the challenge posed by today’s explosion of data—not just volume, but the variety, speed, and uncertainty of data. To meet this challenge, traditional approaches to eDiscovery need to be updated with more advanced analytics so teams can first make sense of data and then strategize from there. Simultaneous with the need to analyze post-export documents, it’s also clear that proactively managing an organization’s data is increasingly essential. Organizations across all industries must comply with an increasingly complex web of data privacy and retention regulations. To do so, it is imperative that they understand what data they are storing, map how that data flows throughout the organization, and have rules in place to govern the classification, deletion, retention, and protection of data that falls within certain regulated categories of data types. However, the rise of new collaboration platforms, cloud storage, and hybrid working have introduced new levels of data complexity and put pressure on information governance and compliance practices—making it impossible to use older, traditional means of information governance workflows. Leveraging automation and analytics driven by AI advances teams from a reactive to proactive posture. For example, teams can automate a classification system with advanced AI where it reads documents entering the organization’s digital ecosystem, classifies them, and labels them according to applicable sensitivity or retention categories implemented by the organization—all of which is organized under a taxonomy that can be searched later. This not only helps an organization better manage data and risks upfront—creating a more complete picture of the organization’s data landscape—but also informs better and more efficient strategies downstream. Transforming data strategies and workflows New AI capabilities give legal and data governance teams the freedom to think more holistically about their data and develop strategies and workflows that are updated to address their most pressing challenges. For eDiscovery, this does not necessarily mean discarding legacy workflows (such as those with TAR) that have proven valuable, but rather augmenting them with advanced AI, such as natural language processing or deep learning, which has capabilities to handle greater data complexity and provide insights to approach a matter with greater agility. But the rise of big data means that legal teams need to start thinking about the eDiscovery process more expansively. An effective eDiscovery program needs to start long before data collection for a specific matter or investigation and should contemplate the entire data life cycle. Otherwise, you will waste substantial time, money, and resources trying to search and export insurmountable volumes of data for review. You will also find yourself increasingly at risk for court sanctions and prolonged eDiscovery battles if your team is unprepared or ill-equipped to find and properly export, review, and produce the requested data within the required timeline. For compliance and information governance teams, this proactive approach to data has even greater implications since the data they’re handling is not restricted to specific matters. In both cases, AI can be leveraged to classify, organize, and analyze data as it emerges—which not only keeps it under control but also gives quicker access to vital information when teams need it during a matter.Advanced AI can be applied to analyze and organize data created and held by specific custodians who are likely to be pulled into litigation or investigations, giving eDiscovery teams an advantage when starting a matter. Similarly, sensitive or proprietary information can be collected, organized, and searched far more seamlessly so teams don’t waste time or resources when a matter emerges. This allows more time for case development and better strategic decisions early on.Accelerating through automation Data growth continues to show no signs of slowing, emphasizing the need for data governance systems that are scalable and automated. If not, organizations run the risk of expending valuable resources on continually updating programs to keep pace with data volumes and reanalyzing their key information.The best solutions allow experts in your organization to refine and adjust data retention policies and automation as the organization’s data evolves and regulations change. In today’s cloud-based world, automation is a necessity. For example, a patchwork of global and local data privacy regulations (GDPR, California’s CCPA, etc.) include restrictions related to the timely disposal of personal information after the business use for that data has ended. However, those restrictions often conflict with or are triggered by industry regulations that require companies to keep certain types of documents and data for specific periods of time. When you factor in the dynamic, voluminous, and complex cloud-based data infrastructure that most company’s now work within, it becomes obvious why a manual, employee-based approach to categorizing data for retention and disposal is no longer sustainable. AI automation can identify personal information as it enters the company’s system, immediately classify it as sensitive data, and label it with specific retention rules. This type of automation not only keeps organizations compliant, it also enables legal and data governance teams to support their organization’s growth—whether it’s through new products, services, or acquisitions—while keeping data risk at bay. Conclusion Advancements in AI are providing more precise and sophisticated solutions for the unremitting growth in data—if you know how to use them. For legal, data governance, and compliance teams, there are substantial opportunities to harness the robust creativity in AI to better manage, understand, and deploy data. Rather than be inhibited by endless data volumes and inflexible systems, AI can put their expertise to work and ultimately help to do better at the work that matters. practical-applications-of-ai-in-ediscovery; ai-and-analytics; chat-and-collaboration-data; microsoft-365; lighting-the-path-to-better-information-governancemicrosoft, ai-big-data, cloud-security, blog, record-management, ai-and-analytics, chat-and-collaboration-data, microsoft-365,microsoft; ai-big-data; cloud-security; blog; record-managementmitch montoya

As the corporate workplace continues to evolve—encompassing hybrid work environments, bring your own device policies, and cloud-based storage—companies are well-advised to consider areas of increased vulnerability and whether their policies, procedures, and forensic tools are keeping pace with reality. A hybrid or remote workforce and a more collaborative data infrastructure only exacerbate data risks that were easier to manage when employees were comfortably situated at their desks. Adding even more complexity to these risks are broader labor trends, including “the Great Resignation and Reshuffle” and an aging work force, which are changing staffing and recruiting strategies and impacting knowledge transfer and IP creation.Employee intake and departure: crucial points of data security Two areas likely needing renewed attention are the moments of employee onboarding and offboarding, when a company’s most prized assets—people and data—are on the move. Departing employees present a particular risk as the potential for data exfiltration of IP and other sensitive information, whether intentional or not, is high. Often, employees take corporate IP with them inadvertently, a situation bound to get worse as turnover rates grow (Gartner anticipates a 20% jump in turnover from the pre-pandemic national average).Since people usually take jobs similar to the ones they leave (and often with competitors), taking company data along with their coffee mug and potted plant may seem justified (I wrote this stuff, so it’s mine)—or simply inconsequential. Cloud storage services such as Dropbox, Box, or Google Drive, and collaborative apps such as Microsoft Teams or Slack make it all the easier to appropriate files, lending credence to a feeling of personal data ownership. No matter how it happens, the escape into the wild of proprietary items such as source code, strategy documents, contact lists, and financial information exposes the company to untold risk, including the danger of running afoul of any number of privacy regulations if personal data is exfiltrated from its protected environment—an additional headache for the company if things go south. Are current entry and exit protocols enough? Although most companies have entrance and exit protocols usually siloed as HR and IT functions, the recent surge in employee turnover has put those very teams under pressure as they face their own personnel and budget deficits. Further, responsibilities have become less defined at a time when offboarding tasks—many now carried out at a distance—should be fortified to include proactive data monitoring and oversight, activities such teams may not be equipped to handle. The challenge, of course, is the growing complexity of the data landscape. Knowing what information is where, who accesses it, and for what purpose becomes more difficult to track as software and storage options grow, yet this is key to keeping important data protected. Data security: start training early and reinforce often Onboarding procedures can play a key role in keeping data where it belongs and helping employees navigate through and understand their responsibilities in this increasingly intricate data terrain. First, a sound onboarding protocol can ensure that new employees aren’t bringing troublesome data into the environment. No company wants to deal with the fallout of being in possession of some other company’s IP or sensitive information. More importantly, onboarding offers the most opportune time to clearly communicate expectations regarding data management and safety—information that should be reinforced with frequent (and up to date) training that emphasizes data protection and ownership. It's easy to forget as time goes on what data may be confidential or sensitive, and even easier to forget that data belongs to the business, not the employee. In short, data awareness should be instilled as part of the company culture right from the start. Seize the moment: identify and monitor offboarding risksThe recent and ongoing workplace disruption calls for a hard look at offboarding data risks and an evaluation of potential vulnerabilities to protect data before an employee leaves the company, bolster the exit protocols to have in place when they do, and have the proper forensic and analytic tools to handle data monitoring and address potential wrongdoing. Most companies do have standard offboarding checklists that address employee assets, data access, and preservation obligations as they leave the company. But there’s more to data protection at this crucial moment than ticking off boxes. Expand and optimize the offboarding checklistSavvy companies implement a more proactive, programmatic approach that begins earlier, with monitoring procedures that include defensible and repeatable processes to guard against the exfiltration of company data while helping to fortify the company’s position in case of a breach. A few important things to consider as part of the offboarding process:Know which employees warrant departure attention. Develop risk profiles with business stakeholders to identify which classes of employees, whether based on role, circumstance of departure, seniority, or access to sensitive information could present an exfiltration risk.Understand the company’s data landscape. Make sure there are mechanisms in place for tracking where sensitive data and IP may reside and when such data has been accessed.Explore activity and assets with the employee prior to their departure. An expert, friendly review of a departing employee’s recent computer activity with the employee, including an audit of their recent network activities, use of peripherals, cloud uploads, and email sends, can reveal and help mitigate potential trouble.Preserve employee devices and data as warranted with state-of-the-art forensic tools. Forensic preservation is critical to ensuring valid evidence down the line, especially since investigations today regularly involve new and novel devices, data sources, and artifacts that must be diagnosed and understood.Document all offboarding information. A paper trail of findings during the exit procedure is important if further analysis is recommended or necessary and will be crucial for subsequent investigation, if it comes to that. Have a plan if there is evidence of wrongdoing. Part of any data security effort is having an action plan to execute if there are signs of a breach. Preservation, collection, and a forensic analysis may be required should legal action ensue. ConclusionThe recent upheaval in employee turnover along with more collaboration tools and storage options present increasing risk for today’s enterprise. Companies that acknowledge new vulnerabilities and leverage opportunities to revamp outdated policies and protocols are better positioned to stop data exfiltration before it becomes a problem. The best solution: Implement robust onboarding and offboarding solutions that include data monitoring, reporting, and forensic analysis to enable a quick pivot to actionable remediation steps if trouble is brewing. digital-forensics; information-governancedeparting-onboarding-employee, blog, risk-management, digital-forensics, information-governancedeparting-onboarding-employee; blog; risk-managementdaniel black

On July 15, 2022, the mandatory Disclosure Pilot Scheme (PD51U) was officially approved and will operate on a permanent basis within the Business and Property Courts (BP&C) of England and Wales. Originally implemented in 2019 on a temporary pilot basis, it was extended twice and had been set to expire in December of 2022. Its approval means that on October 1, 2022, the pilot will end, and the scheme will officially be known as Practice Direction (PD) 57AD “Disclosure in the Business and Property Courts.”This approval is no surprise to those familiar with the modern disclosure process in the UK. PD51U was originally implemented to address the key issues associated with standard disclosure under Civil Procedure Rule (CPR) 31, such as unwieldly costs and the insurmountable scale of disclosure due to ever-growing corporate data volumes. As per UTB LLC v Sheffield United, the pilot was meant to effect a “culture change” in the reasonableness and proportionality of disclosure requests by streamlining the process in a variety of ways. One of the most notable is through the encouragement of leveraging technology (such as technology assisted review or TAR) and data analytics for document review—even going so far as to mandate the use of TAR in cases where the document count exceeds 50,000.Over the last two years, this push toward implementing more technology to streamline the disclosure process has proven to be a wise one. With a worldwide shift to cloud-based infrastructures and remote working, corporate data volumes have exploded and will only continue to grow. Therefore, the traditional means of disclosure review, wherein a team of reviewers looks at each electronic document one-by-one, is quickly becoming untenable. Utilising technology to streamline review is more imperative than ever and will only grow in importance as data volumes continue to balloon. What 57AD does not mean, however, is that solicitors faced with disclosure need to be data science or technology experts. It simply means that it will become increasingly important for solicitors who are not comfortable with disclosure technology to find a solid managed review partner that can help streamline the disclosure process with technology and meet Practice Direction 57AD requirements. Below are key attributes to look for when seeking such a partner.Look for a managed review partner with expertise on the Disclosure Review Document (DRD)The DRD is meant to facilitate an agreement between parties about what constitutes proportional disclosure, and how to achieve that goal in a cost-effective manner. To do so, it requires parties to identify the key issues of the case and then detail the method of disclosure for each issue, with five methods from which to choose.[1] Each method can have severe impacts on the cost of a matter, as well as the overall outcome of the case for clients. It is vital that someone with in-depth disclosure expertise is involved in the negotiation and completion of this document. Some managed review vendors may be able to provide staffing and project management when it comes to disclosure document review but will not have experts available and capable to provide advice on effective disclosure strategy, including DRD assistance. Without this expertise, a party may find itself agreeing to disclosure methods that significantly balloon budgets or even worse, result in harmful outcomes for clients. Look for a managed review partner who has developed strong defensible workflowsOne of the hallmarks of and impetuses for PD 51U (soon to be PD 57AD) was to streamline the disclosure process in the face of ever-growing and unprecedented data volumes. Understanding when and how to leverage technology to cull and prioritise data for review, as well as how to leverage TAR, is imperative. However, the technology and workflows can seem overwhelming, especially to those who don’t perform disclosure often. Thus, it is essential to find a managed review partner who has access to the best review technology and knows how to leverage that technology to achieve the best results in every type of matter. It is also important that that managed review partner has developed strong defensible workflows for data reduction that can be customised to meet the individual needs of each client.Look for a managed review partner who thinks outside of the traditional linear review approachWhile it may seem simpler to fall back on traditional approaches to the disclosure document review process (i.e., hiring many reviewers to read and categorize each document), it is important to remember that PD 57AD was enacted because that approach is quickly becoming too burdensome for parties. The traditional approach also opens parties up to risk, when reviewers cannot effectively review the volume of documents within the time frames required for disclosure. Today’s larger data volumes and more complicated data increase the risk that human reviewers will miss important documents that were required to be disclosed, or conversely, that they will disclose harmful or sensitive documents that should not have been disclosed. Forward-thinking managed review partners have anticipated this change and have invested in technology and human expertise that can defensibly minimise document volumes so that a discrete number of subject matter experts can look at prioritised categories of pertinent documents, maximizing the value of human review. In this way, a managed reviewer partner can help solicitors move away from an outdated approach to review, while streamlining the disclosure process, keeping litigation budgets in check, minimising risk, and achieving better outcomes. Look for a partner who will help prepare bespoke briefing documentation, right from the outsetWhen a matter needs to scale up quickly and on short notice, the painstaking process of adding new reviewers can explode budgets—not only because of the additional overhead, but also because of the churn and inefficiency created by inconsistent work product from inexperienced, new reviewers. A good managed review partner will prepare for and minimise this churn from the outset, by creating customised briefing documentation that enables new reviewers to roll onto matters seamlessly, without a heavy lift from the client or review manager. Documentation like term glossaries for niche cases (for example, medical inquiries) that are kept in a central repository will help case teams quickly scale up and onboard new reviewers at short notice, while minimizing the churn and risk often thought of as inevitable when adding new reviewers. Look for a partner who has developed ways to ensure quality work from review teamsInconsistent or incorrect decisions from review teams creates additional work, which can decimate budgets. Even when data volumes are culled to more manageable levels, inaccurate review work product can still open clients up to risk, especially when sensitive data is involved. Look for managed review partners who have systems in place to ensure the accuracy of the review team from the outset. For example, some managed review providers will rigorously “test” the work product of review teams, directly after training has finished. This testing process can ensure that each reviewer assigned to the team understands the subject matter and review process, and that from the start of the matter their work product aligns with the case team’s direction. This type of quality control, started at the reviewer selection process, can greatly reduce risk while keeping budgets under control. Look for a managed review partner who ensures value for money in terms of candidatesIn a traditional approach, first pass review for relevance, privilege, and issues are undertaken by UK-based paralegals, with proven experience in reviewing and redacting documents together with a law degree, LPC/GDL, or NALP certification. However, these reviewers can be expensive, and billed at exorbitant hourly rates. Forward-thinking managed review partners often have partnerships with reviewers who have been admitted to Bars outside of the UK, providing an added layer of experience offered at a reduced cost. This complies with the overall message of PD 57AD, in that it offers a reliable basis for costs which promotes the cost-effective and efficient conduct of disclosure. [1] Model A – No order for disclosure; Model B – Limited disclosure; Model C – Request-led, search-based disclosure; Model D – Narrow search-based disclosure (with or without narrative documents); Model E – Wide search-based disclosureediscovery-reviewreview, blog, ediscovery-review,review; blogjennifer cowman

As legal teams expand their responsibilities and business impact throughout their organizations, there’s a delicate balance legal professionals must strike in their roles: be better partners and balance risk.To tease out this complex and dynamic relationship, Megan Ferraro, Associate General Counsel of eDiscovery and Information Governance at Meta, recently joined as a guest on Law & Candor.Highlights from that conversation are below.The legal function's bigger roleLegal departments are playing a more significant part in strategy and innovation because the role of in-house counsel has changed greatly in the past few decades. There's been a considerable shift in forward-thinking companies from viewing legal as a blocker to more of a strategic partner.Successful legal teams are partnering internally to ensure attorneys across their organization get early signals to address potential inquiries in litigation or investigations. Additionally, companies are now hiring in-house teams to fill roles where those legal partners can identify and assess legal risk early on.In-house counsel have become advocates for why legal deserves a seat at the table at all company levels, which contributes to the overall success of the business.A great example of how legal is partnering with other parts of their organizations to drive innovation is through the role of product counsel at technology companies. The most effective product counsel have a deep understanding of product goals early, which helps them to identify and address legal issues more quickly and accurately. By working closely with the product team through development, updates, and deployment, they also serve as a conduit between legal and product teams to help advance projects and address potential risks.Critical risks for legal teams todayOne of the most significant challenges for in-house legal teams is keeping up with the pace of their organization’s growth—whether it’s developing products and services, forging unique partnerships, or adopting new technology and software.Often, business teams do not appreciate how even the slightest difference in facts can contribute to different outcomes in the law. Managing the expectations of the business regarding the time it takes to do legal analysis is extremely important.It's normal to take the time to think about these challenging issues. An important adage for the business to remember is that the law is not “Minute Rice.”The balancing act between risk and innovationWeighing risk and innovation requires that you keep pace with changes throughout the organization, including pivots in strategic priorities, with a variety of stakeholders. Staying ahead of these developments and allowing counsel enough time to evaluate potential impacts is key to understanding if the benefits are worth the risk, and if not, how to adjust a business plan accordingly.Along with providing the guidance stakeholders need to assess risk and make decisions, legal teams also frequently manage how organizational data is stored and accessed with IT departments. If other teams throughout the business do not have the information they need, they can't move as fast to help the company innovate. How long to keep data, what format it is in, and who can access it are all questions that can have a huge impact on innovation.Cross-functional collaborationIn-house counsel are increasingly working with other leaders in their organizations to inform strategic decisions, but having a seat at the table requires listening and staying connected to “clients” within the business. Strategic priorities can change very often, especially in a fast-paced environment.Knowing not just what these priorities are but how the business interprets them and what success means to the company will contribute to the most successful legal partners for balancing risk factors and supporting innovation.To listen to the full conversation and hear more stories from the legal technology revolution, check out Law & Candor.ai-and-analytics; information-governanceblog, risk-management, ai-and-analytics, information-governanceblog; risk-managementlighthouse

Among data challenges that businesses and their law firms face, those surrounding mergers and acquisitions are arguably some of the most daunting. Fast-paced and demanding, the high-stakes M&A process is like an amped-up litigation and investigation combined, with specific M&A data requirements, massive document productions, fact-finding imperatives, and more.To add a bit of drama, inflationary pressure and fears of a recession could cool M&A activity, while the impacts of the pandemic continue to make regulatory reaction to the M&A landscape unpredictable, especially as to whether an HSR Second Request will be in the offing. If there is Second Request, document requirements ramp up and so does heightened scrutiny from regulatory agencies, especially in light of the 2021 Executive Order on Promoting Competition in the American Economy. “Providing heightened scrutiny to a broader range of relevant market realities is core to fulfilling our statutory obligations under the law.” – FTC, 2021Know as much as you can, as soon as you canIn a Second Request (as with any legal matter), the more you know and the sooner you know it, the better. Since technology assisted review (TAR), continuous active learning (CAL), and other eDiscovery technology has largely usurped a linear responsive review process, there is often less need for attorneys to review the majority of the documents that get produced to the government. This is good news for attorneys, who are faced with ever-growing data volumes that would be nearly impossible to tackle using a linear document review process, while still meeting the tight substantial compliance timeframe in a typical Second Request. However, less human review during the eDiscovery process elevates the need for counsel to find a way to uncover key information within the documents for fact development, witness kits, or expert support.From a data standpoint, what fact-finding can be done early using human expertise, technology, and a specific search workflow? The sophisticated analytics tools available today make any number of assessments possible, even before data is collected. Basic data characteristics gleaned from metadata can reveal important information: email domains, recipients, BCCs, timestamps—such metadata is fodder for data analytics tools that can reveal custodians, relationships, timelines, communications patterns and more, all necessary information in regulatory matters. Companies that have found a way to have previously-assessed characteristics live with a document (think privilege, PII, confidentiality status) are really ahead of the game.Let’s also not forget that evidence of anti-competitive behavior is really what Second Requests are all about. Although there are plenty of market facts and figures to be scrutinized, communications among people who are knowledgeable about the proposed deal could tell an “interesting” story. Common words and phrases casually bandied about (“dominant player,” “sticky customers”) can be laden with meaning to regulators or attorneys, throwing up red flags for further investigation. Company data stores can thus either be a gold mine or a land mine—and it helps counsel tremendously if they have the information on hand to prepare for either circumstance. Finding key documents: a surgical strike, not a data dumpIdentifying key information requires a precise approach and assessment —it’s not something that can be accomplished with a keyword list created during a brainstorming session. Keywords can’t help much if you don’t know exactly what you’re looking for. Rather, finding key documents today can be an elevated process—one that is technology-enabled and executed by a nimble team that can leverage linguistic expertise, proven search algorithms and processes, and proprietary technology to quickly pinpoint and deliver a highly-curated set of documents on target topics. As key information is uncovered, further fact-finding can be curtailed or expanded. A team can adapt to any change in priorities, custodians, subjects, and/or time frames as a regulator changes the focus of the review. This reduces the amount of time counsel must spend going through documents, keeping costs in check, and providing the best ROI.Between the initial filing and receipt of a Second Request, especially when there is little doubt that the Second Request will be issued, a team executing key document identification can help kick off the fact-finding and development process with whatever data is available—before any responsiveness review has even begun.And even when no Second Request is issued, a team of experts executing key document identification can play a significant role. In support of an initial filing, they can help identify 4(c) and 4(d) documents that are required as part of the disclosure and get the best instance or latest version of important documents. This is especially helpful in situations where executives or others involved in the deal have massive data populations and don’t know where the relevant documents are. ConclusionIdentifying key documents is a critical part of a Second Request. If client and counsel are well-prepared—armed with the ability to leverage expertise and advanced technology to find key documents from the get-go—the most challenging hurdles can often be overcome, enabling timely compliance, and avoiding potential complications that could delay resolution—or even kill the deal. antitrust; ediscovery-reviewantitrust, ediscovery-reviewhsr-second-requests; bloglighthouse

A Second Request for a Hart-Scott-Rodino (HSR) filing thrusts companies and their counsel into a high-stakes race against time, complicated by massive data volumes and strict requirements. Policy and enforcement shifts by the Federal Trade Commission (FTC) and Department of Justice Antitrust Division (DOJ), brought on by a change in presidential administrations, complicate the landscape even further.In early 2022, Lighthouse analyzed the data and recent history of Second Requests in our whitepaper, the 2021 Second Request Trends Report, to help predict activity this year and beyond.Now, as we approach the halfway point of the Biden administration’s inaugural term, it seems a pertinent time to check in on the agencies’ attitudes and actions thus far, and what they mean for mergers and acquisitions — both today and in the future. To grasp the shifts in HSR Second Requests over the past two years, Lighthouse's Bill Mariano interviewed Corey Roush, a partner at Akin Gump who leads their antitrust and competition practice, and is head of their FTC-facing consumer protection practice. Below is an excerpt from their conversation.The Biden administration has now had more than a year and a half to shape its approach to mergers and acquisitions. How do you view the landscape at this point?I see outward signs of moderate hostility towards mergers that have created general uncertainty. This owes mostly to statements by leadership at both agencies rather than unexpected actions. For the most part, we are seeing Second Requests issued when one would traditionally expect them, and we are also seeing some high-profile public transactions like Elon Musk/Twitter and PMI/Swedish Match avoiding Second Requests.What have regulatory agencies done to create this atmosphere?A handful of things, from making specific policy changes to expressing general disdain for consolidation. The discourse coming from regulators is guided largely by a July 2021 Executive Order from President Biden. Inspired by that order, FTC Chair Lina Khan told Congress that “significant consolidation has undermined open and competitive markets” so it’s her agency’s responsibility “to redouble [its] commitment to policing mergers.” That attitude was echoed by Assistant Attorney General Jonathan Kanter, head of the Antitrust Division at DOJ, who said mergers “can harm downstream consumers and upstream workers at the same time that they foster coordination or exclusion in adjacent markets. Everyone loses, except extractive powerful firms in the middle.”Disdain for consolidation, at least among the largest companies, is an increasingly bipartisan posture, by the way. Last spring Senator Josh Hawley (R-Mo.) introduced the Trust-Busting for the Twenty-First Century Act, complaining that a small group of “woke mega-corporations control the products Americans can buy, the information Americans can receive” and so on. The legislation would help regulators “crack down on mergers and acquisitions by monopoly companies” and even “pursue the breakup of dominant, anticompetitive firms.”There’s the hostility you mentioned. What about enforcement? How are they following through on this rhetoric?Overall, by expecting companies to accommodate the agencies. You see cases where companies agree to delay consummation until three or four months after complying with a Second Request, so that agencies have more time to review. And even when companies agree to delay consummation under a timing agreement, the agencies may ask for even more time. Last year, 7-Eleven was three days away from closing an acquisition when the FTC asked for more time — and this was after the company had already given the Commission more time on four separate occasions. The company was able to close the deal as planned and without a Commission vote because it had already negotiated a consent decree approved by the FTC staff. Two Commissioners responded with a public threat stating, “The parties have closed their transaction at their own risk. The Commission will continue to investigate to determine an appropriate path forward to address the anticompetitive harm and will also continue to work with State Attorneys General.” After all that, a “new” consent order was issued that was almost identical to the one that the company had previously agreed to and was approved by the Commission on a 4-0 vote two months later.It seems like “close at your own risk” is becoming a trend now?It is. The FTC has been issuing letters since the fall of 2021 warning parties whose regulatory review periods had expired or were about to expire that the agency was continuing to investigate the transaction, so parties who decided to close on their planned date would do so at their own risk. By early 2022, the DOJ joined the fray, issuing at least one warning letter that I’m aware of. So far, though, it appears to be a red herring. First, parties have always closed with some risk of a post-closing challenge. For instance, the FTC is currently challenging Facebook’s acquisition of WhatsApp and Instagram—deals that were consummated eight and ten years ago, respectively. Second, in the current landscape, companies have been closing despite receiving the letters, and we haven’t seen any efforts to unwind those deals. Nor have we seen many investigations actually continue. What other policy changes have altered the landscape for HSR and Second Requests?The big one in my mind affects prior approval. In July of 2021, the FTC — by a 3-2 party-line vote — adopted a new policy that requires “buyers of divested assets in Commission merger consent orders to agree to a prior approval for any future sale of the assets they acquire in divestiture orders.” This rescinds a nearly 30-year-old policy and creates real complications in the divestiture process. To state the obvious, an asset is less attractive if it comes with a restriction on its sale and a requirement that the divestiture buyer sign a consent decree with the FTC. We now see these agreements in consent orders regularly. That said, we have also seen at least one consent order that did not require the divestiture buyer to sign on. What distinguished that case from the others is unclear.What does this all mean going forward? What should parties expect from regulators?Longer reviews, with unpredictable engagement. Some deals that do not present clear competition problems are taking longer than one might traditionally expect. At the same time, we have avoided Second Requests even though, at first glance, there were competitive overlaps and/or vertical relationships. In those cases, along with competitive analysis proving the transaction wasn’t troublesome, our early engagement with the agencies appeared to be key. The uncertainty applies mostly to certain high-profile, high-scrutiny areas like tech, pharma, and agriculture. Deals outside of those areas appear to be more predictable and consistent with past scrutiny. So, will 2023 be more of the same?Most likely. Legislation like the American Innovation and Choice Online Act and Open App Markets Act have bipartisan support. Alvaro Bedoya was confirmed as the third Democrat Commissioner in May. And the antitrust agencies are working on new merger guidelines that could replace the current Horizontal Merger guideline and provide more guidance on vertical merger enforcement (the FTC rescinded the existing vertical guidelines last year). Given all this, we expect the trends of hostility and uncertainty to magnify in the near future.Hear from other experts and dive into the numbers in the 2021 Second Request Trends Report.antitrust; ediscovery-reviewediscovery-review, digital-forensics, antitrusthsr-second-requests; blog; mergersbill mariano

Cloud computing dates to the mid-1990s – so why is this relatively old concept still such a hot topic? Haven’t we figured it all out by now? And isn’t the benefit of today’s SaaS cloud environments that someone else, namely the SaaS provider, handles software management? What else is there to figure out? Having spent the last several months talking to legal, compliance, and IT professionals about their Microsoft 365 environments, I am confident that there is still a lot that corporate IT departments are grappling with. In fact, a recent survey conducted by Lighthouse of 106 IT managers and executives found that although most organizations had a change management process in place for on-premises feature updates and upgrades, and most organizations planned to have change management in place for enterprise-wide SaaS technology updates in the next five years, only 16% had something in place today.[1] To better harness this technology as it continues to evolve and to minimize risks along the way, it’s important to understand why these change management gaps exist, what their impact is, and how legal and IT teams can work together in new ways to close them.Managing the Evolution of SaaSThe adoption of enterprise SaaS cloud technologies has only become prevalent in the last decade and growth has skyrocketed over the last couple of years. In fact, Microsoft 365 had 23.1 million consumer subscribers five years ago (Fiscal Year 2016) and that number has grown to 58.4 million. As such, IT organizations have not had to support SaaS enterprise offerings at scale until very recently and today most IT departments are supporting both on-premises and SaaS cloud environments. The first priority in supporting this explosive adoption was to implement and migrate over to the new system. It is only recently that focus has shifted toward governance and processes around these systems.Even with a newer focus on process, one of the touted benefits of SaaS cloud technology is less maintenance and software support by the in-house IT team. Of course, there is the need to set up process to resolve user questions and to ensure systems have been set up to facilitate the business running properly. But, planning and executing hardware or software upgrades is mostly managed by a third-party provider so there is not an urgent need to set up robust change management. In addition, the old change management process where major developments are analyzed, tested, and timed for deployment to desktops still applies to Microsoft 365.However, using the old process for new applications can have drawbacks. First, not all updates that Microsoft or others make are configurable updates where there is a choice on how, and whether, to implement. Second, if users are logging into a web environment (as opposed to desktop apps), IT teams don’t necessarily have control over the version their users are utilizing. Finally, given that most organizations have differing levels of IT permissions, meaning some groups are upgraded sooner than others, teams must move quickly to handle unpredictable and varied update schedules. With the speed and variability of new feature updates, the old process may not be agile enough to handle them. The differences between SaaS and on-premises environments (where you have full control of the upgrade schedule) can leave some gaps even when organizations review, analyze, and test the roadmap and updates from the Microsoft Message center.The old process often fails to prepare the business for these changes because IT, legal, and other teams are not always communicating about the broader risk or implementation implications. Because the IT team is focused on availability and scalability, it often misses how certain changes can introduce business risks outside of their ken. Solely relying on IT professionals to determine the broader impact of updates can mean that business, regulatory, and other risks outside of IT’s awareness are overlooked.Measuring the Impact of UpdatesWhether these management gaps are tolerable is a risk decision that each organization must make—one that can put the user experience in tension with a developed IT process. In discussions with legal, compliance, and information governance professionals that focus on SaaS services, handling the cadence and speed of these updates is a concern that keeps them up at night. But, quickly providing users new features has considerable benefits for the business too. It’s important for IT to prioritize ensuring that users can access their business data and that the business can continue without interruption over cumbersome update management.When weighing these risks and benefits it’s important to fully appreciate their potential impacts. An example of where these priorities conflict is highlighted in a change around Microsoft Teams meeting transcripts. In March 2021, Microsoft made an update that allows for a live transcript of certain Teams meetings. In November 2021, Microsoft expanded that functionality to Teams Channel meetings and upgraded the features of live transcripts to include name attribution to the speaker. This is helpful functionality for users and, given that it is an automatic upgrade, there may be little to do from an IT perspective. From a risk and legal perspective, however, there are a couple of key considerations. First, where is the transcript stored after the meeting and do retention policies apply? Second, is the data subject to ongoing regulatory or litigation requests and how is it accessed? The answers to those questions are complicated by the fact that the location of the data depends on whether a user downloaded the transcript after the meeting. Many IT organizations caught this change by reviewing the Microsoft Message center for updates—and in doing their own testing they determined that disabling the functionality was the best course of action. This was an update with obvious data ramifications that outweighed the potential benefits in a risk assessment from both IT and legal. For updates that are less obvious, IT may not have consulted legal. For updates where the value to users may seem to outweigh the risk, where the risks aren’t initially apparent, or when there are no configuration options—IT may have a more challenging decision to make.Reimagining a Change Management ProcessHaving a cross-functional framework in place to discuss and implement these types of updates is key to managing changes. Many organizations have some sort of accountability in place around updates—an individual or group of people are responsible for reviewing the Microsoft Message center. Although this structure is lower in cost and requires fewer resources, it has a few drawbacks. First, if only IT is involved, you may have only one perspective on the impacts of updates and that can be too narrow to determine the effects on the broader business. Second, many organizations do not have a tracking mechanism to determine what Microsoft updates they have read, evaluated, tested, and taken action against. With dozens of messages, many of which don’t need action, it is easy to lose track of what has been evaluated. Finally, if there isn’t clear accountability with dedicated resources the process can lose legitimacy and fail. Organizations who choose to minimize their business risk do not have to put in place a heavy structure to manage updates. In fact, the process around on-premises software upgrades can easily be adapted to the cloud situation.The single most important thing that an IT team can do for an effective SaaS support practice is to adapt and enforce existing change management and organizational controls. More specifically, IT organizations should consider:Dedicating a resource to track and review changes from service and cloud providers to ensure updates and changes are properly evaluated for risk and business continuity.Relying on a robust change management system with stakeholders throughout the organization to provide clearly articulated approval, risk identification, testing, and risk management.Partnering with your compliance team to ensure adherence to governance frameworks, organizational commitments, and client requirements. The compliance function is trained to manage risk and is uniquely chartered with authority and independence with a company’s governing body.Collaborating with legal. Lawyers are trained to spot issues and manage risk for the entire business. Often times, individual departmental stakeholders are responding to team-level incentives. Legal teams are also learning to adapt their governance structures to evolving cloud solutions.Leveraging the Project Management Office to ensure that stakeholders and risks are identified at the start of any specific project (i.e., measure twice, cut once).One of the most effective ways to get the right stakeholders’ input is to create a Change Approval Board (“CAB”) with subject matter experts from every business group to meet on a periodic basis. The CAB provides a framework that ensures IT has input from across the business while still giving it the opportunity to own and manage the support of the software.One of the benefits of SaaS technologies is the ability to utilize and optimize with the newest features and to take some of the hardware management burden off IT. By putting in place a cross-functional team to review and manage the update process, you can mitigate your organizational risk while allowing users take full advantage of the benefits.[1] In February 2022, Lighthouse surveyed 106 IT managers or above who had Microsoft on-premises and now have Microsoft 365. The survey found that only 16% had implemented a change management process for M365 and 62% of organizations planned to implement one in the next 5 years.microsoft-365; chat-and-collaboration-data; information-governancemicrosoft, cloud-migration, cloud-services, blog, microsoft-365, chat-and-collaboration-data, information-governance,bloglighthouse

To celebrate Women’s History Month, the Law & Candor podcast returns for season nine to interview women in the legal and technology industries who are breaking bias and creating more inclusive work cultures, advancing technological innovation, and keeping a pulse on the latest issues facing corporations and law firms.Law & Candor co-hosts, Rob Hellewell and Bill Mariano, return as our guides through a variety of dynamic topics, including balancing risk and innovation, AI and HSR Second Requests, and the evolving data privacy landscape. Check out this season’s lineup belowLeading in Legal with Inclusive MentorshipLegal’s Balancing Act: Risk, Innovation, and Advancing Strategic PrioritiesMapping Updates to Data Privacy Regulations WorldwideSpring Cleaning for Legal Teams: The Cloud and Defensible Deletion of DataClosing the Deal: Deploying the Right AI Tool for HSR Second RequestsMicrosoft 365 and the Age of Automation Listen now or bookmark individual episodes, and be sure to follow the latest updates on Law & Candor’s Twitter.And if you want to catch up on past seasons or special editions, click here.For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.diversity-equity-and-inclusionblog, diversity-equity-and-inclusion,bloglighthouse