Information Governance

Browse our library for the latest insights and best practices related to records and information management, archive migration, privacy, data protection and security, and information governance for eDiscovery.

May 15, 2023
Case Study

Meeting Compliance Burden for Financial-Sector Giant

Lighthouse helps global British bank resolve critical risks during a major technology overhaul.

Key Actions
- Microsoft referred Company to Lighthouse to address eDiscovery needs within Microsoft 365 (M365)
- Lighthouse assembled a team whose members had former expertise gained from stakeholder departments that were affected by the unresolved needs

Key Results
- Compliance risks were successfully remediated using native M365 tools
- The Company used its new platform to avoid the need for add-on services or vendors

What They Needed

M365 Implementation Yields Data Risk Management

As one of the nation’s largest financial institutions, the Company’s move to M365 required exceptional time and care—further complicating compliance requirements for record-keeping, data protection, and regulated conduct, and ultimately placing demands on M365 that created uncertainty of whether the platform could be resolved. The complex compliance requirements fueled an internal audit, revealing several risks related to the Company’s management of unstructured data, including its practices for retention, deletion, preservation, and protection of sensitive information. The Company asked Microsoft for help—and Microsoft referred the Company to Lighthouse.

Tight Deadlines, Exceptional Solutions

Lighthouse was tasked to explore whether M365’s native information governance (IG) and eDiscovery tools could address the risks identified in the audit. The team launched a series of workshops, interviews, and research tasks to:
- Educate stakeholders about M365’s native capabilities for records and information management (RIM) and IG
- Define stakeholders’ needs and current workflows regarding RIM and IG
- Analyze gaps in the current state
- Test and propose new workflows using native M365 tools

Executives intensely monitored this project, as every identified risk was critical, so the pressure on the teams’ proposed workflows was tremendous—not to mention a tight 12-week timeline.
Lighthouse prevailed, fielding a team of experienced peers with the Company stakeholders. Every business group responsible for remediating risks, from records management to IT, was paired with a Lighthouse consultant who had previously filled a similar role at a comparable institution. Our experts gained rapid credibility with each stakeholder group, and they ultimately accomplished a unified solution that was acceptable to all parties.

Our solution succeeded in remediating all flagged risks using RIM and IG workflows within M365. It required the Company to upgrade its M365 licensing agreement from E3 to E5, but the Company agreed that the added cost was more than worth it.

In the end, Lighthouse achieved two key wins: 1) demonstrating to the Company that M365 could meet even the most stringent security and compliance needs, and 2) securing a new trusted partnership with the customer that has continued to develop.
October 1, 2022
Case Study

Gap Analysis Solution for IT and Legal Teams Transitioning to M365

Lighthouse saves insurance giant millions of dollars during major technology upgrade.

Key Actions
- Microsoft referred the Company to Lighthouse to resolve existing concerns from the Company’s IT and legal departments that were stifling their automation and transition process to Microsoft 365 (M365).
- Lighthouse held educational workshops on eDiscovery tools within M365, and devised a comprehensive plan for the compliance.

Key Results
- Unblocked the M365 transition effort and enhanced the partnership between legal and IT.
- Compliance concerns were answered within M365, saving the company millions of dollars in retaining or updating legacy data management systems.

What They Needed

Legal Concerns Churn 11th Hour Nightmare for IT Department

In 2017, a nationwide insurance giant initiated a transition from an on-premises Microsoft solution to a cloud-based M365 solution fueled by gain from cost, performance, and security improvements. Years later, and well past the intended launch date, the Company’s legal team suddenly halted the transition entirely due to concerns of M365’s eDiscovery capabilities, specifically, how M365 would handle the identification, preservation, and collection of email, instant messages, and files for the Company. The legal department insisted the company retain its custom-built archival solution until all compliance concerns were allayed.

These demands put the IT department in an extremely tough spot after having already invested several years into the transition to M365. If forced to extend their aging, on-premises solution, the team would face substantial costs. To help unstick the implementation project, Microsoft suggested the Company engage Lighthouse to assist.

Lighthouse immediately understood the legal team’s concerns and acted swiftly to address the Company’s insistence on exercising the transition to M365 with great caution, all while remaining vigilant of the Company’s receipt of hundreds of new legal matters monthly.
The sensitive nature of data in this industry and the complex regulatory environment made the potential risk related to mismanagement very high. The process was intricate and complex, and required high-level integration to mitigate the significant risks that were specific to individual privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).

Hands-on Experience and High-touch Service Bridge the Gaps

Lighthouse fielded a team of experts with direct experience in the same or similar roles as the various client stakeholders, ranging from IT to records management, corporate legal, and public affairs. This hand-selected team led a three-part process with their counterparts from the Company:
- Providing education on the eDiscovery aspects of M365
- Analyzing current workflows and performance, and expressing their desired future state
- Devising a high-level design document for how relevant parties could conduct eDiscovery tasks in compliance with the requirements while using M365

The first two processes helped restore unity among stakeholders, while the design document delivered on the legal team’s concerns, including specified settings for a range of M365 applications and components, such as Exchange Online, SharePoint Online, OneDrive for Business, and Teams. The design document made room for process automation and/or custom workflows, as well as for third-party system integration (for compliance archive, legal hold, matter management, etc.).

The initial project success led to a continuing relationship between the Company and Lighthouse, and over time Lighthouse has become a critical element in the Company’s ongoing M365 implementation and adoption journey helping them in charting a path forward.
June 1, 2023
Case Study

Engineering a Customized M365 eDiscovery Premium Add-on

Lighthouse bridges internal gaps during technology overhaul and solves longstanding compliance issues for a German multinational healthcare manufacturer.

Key Actions
- Lighthouse engaged company stakeholders in operational planning and received funding from Microsoft to devise and integrate a premium Microsoft 365 (M365) add-on to existing Purview Premium eDiscovery, which resolved an outstanding compliance need.

Key Results
- The proof-of-concept achieved a zero-trust security model integrated with third-party software, and satisfied the barring of critical needs for the Company that centralized IT and legal departments after years of dysfunction.

What They Needed

Automating a transition to M365 commonly yields a clash between IT, legal, and compliance stakeholders if the decision to convert was spearheaded by IT and made without consulting legal and compliance teams. Typically, during planning or implementation of converting to M365, legal teams ask IT how the new platform will manage compliant and defensible processes, and if IT doesn’t have the answers, the project stalls.

This was the situation facing a multinational manufacturing Company that engaged Lighthouse for help during the spring of 2020. At that time, the Company was several years into its M365 transition, and the legal teams’ requirements for adoption of native M365 compliance tools barred a complete transition. Pressure to adopt the tools escalated as M365 workloads for content creation, collaboration, and communication were already rolled out, creating an increasingly large and complex volume of data with significant degrees of risk.

Lighthouse Responds to Need and Launches New Technology

In partnership with Microsoft Consulting Services, Lighthouse organized a companywide M365 “reset,” hosting a three-day workshop to revamp the transition process and generate an official statement of work.
The strategic goal was to streamline the stakeholders from litigation, technical infrastructure, cybersecurity, and forensics teams that previously failed to align. The workshop fielded critical topics geared to encourage constructive discussions between stakeholders and to strengthen departmental trust. The outcome of these discussions eventually enabled the company to move forward with critical compliance updates, including the collection and parsing of Microsoft Teams data, and the management of myriad files and email attachments.

Lighthouse took stock of the current state, testing potential solutions, and arrived at a proof-of-concept for an eDiscovery Automation Solution (EAS) that augmented existing M365 capabilities to meet the legal team’s security requirements and remediate any performance gaps. Microsoft recognized the potential value of the EAS for the wider market, ultimately leading to Microsoft funding for the proof-of-concept.

Inside the eDiscovery Automation Solution (EAS)

Technology
- Azure-native web application designed to orchestrate the eDiscovery operations of an M365 subscriber through Purview Premium eDiscovery automation
- Maximized Microsoft Graph API “/Compliance/eDiscovery/” functions and other Microsoft API
- Simplified to Azure AD trust boundary, targeting the M365 tenant hosted within, and enabling full governance of identity and entitlement throughout Azure and M365 security features

Benefits
- Achieved a zero-trust security model
- Authorized high-velocity, high-volume eDiscovery tasks without outside technology through automation and orchestration of existing M365 eDiscovery premium capabilities native to M365
- Mobilized integration with third-party software included in the Company’s eDiscovery workflows
- Amplified workload visibility by automatically surfacing relevant Mailboxes, OneDrives, and other M365 group-based technologies dependent upon selected Custodians’ access
June 1, 2022
Case Study

Big Pharma Relies on Lighthouse to Manage Complex eDiscovery

Lighthouse partners with a rapidly expanding pharmaceutical company to streamline its eDiscovery workflow and meet obligations more efficiently.

What They Needed

A large pharmaceutical client received subpoenas from several regulators. The subpoenas covered multiple product lines, implicated 60 custodians, and virtually all the company’s email. The client’s IT group identified over 35TBs of data requiring collection, processing, and review. Complicating matters further, the company had only 60 days to respond, well outside its estimated time of nine months to complete the project. Faced with this near impossible timeline, the client looked to Lighthouse for support.

How We Did It

Relying on procedures outlined in a jointly developed eDiscovery Playbook, Lighthouse’s data collection and forensics experts worked closely with the client’s legal and IT groups to implement a defensible strategy that greatly reduced the amount of data requiring collection. Experts from Lighthouse’s Advisory Services group worked with the client to implement a legal hold and data retention policy, customized to the various subpoenas. Lighthouse provided a unified review database, allowing outside counsel (who was responding to separate subpoenas) to leverage each other’s work product, greatly reducing review costs and preventing the inadvertent production of privileged and other sensitive materials.

The Results

Our combined efforts reduced the originally estimated 35TBs of data requiring review to less than 3TBs. By greatly reducing the amount of data requiring processing and review, the client saved significant review costs and reduced the estimated project completion time from nine months to only four weeks. Review cost reductions were achieved by leveraging Lighthouse’s project management team as well as the company’s proprietary suite of technology-assisted review offerings.
These, and other efficiencies discovered during the project, have been implemented in future matters, continuing to drive down costs and increase value.
September 29, 2023
Podcast

The Great Link Debate and the Future of Cloud Collaboration

Michael Blank, Corporate Counsel – eDiscovery, at DISH, and Lisa Lukaszewski, counsel at Gunster, discuss how the issues with hyperlinks and collaboration data continue to transform.

Links, modern attachments, shared documents—the descriptors for files exchanged through email and collaboration platforms continue to grow with no clear consensus on what to call them or how exactly to handle them. Despite their wide use, why are they a persistent challenge for eDiscovery and data governance teams? Beyond semantics, links and attachments raise bigger questions about how to manage collaboration data as it proliferates in the evolving workplace.

Michael Blank, Corporate Counsel – eDiscovery, at DISH, and Lisa Lukaszewski, Of Counsel at Gunster, join Law & Candor to discuss how the issues with links and collaboration data continue to transform—including changes to ESI protocols—how recent legal decisions are contributing to the debate, and best practices for tackling these persistent challenges.

This episode’s sighting of radical brilliance: “Carmakers are failing the privacy test. Owners have little or no control over data collected,” Frank Bajak, AP, September 6, 2023.

Learn more about the show and our speakers on lawandcandor.com, rate us wherever you get your podcasts, and join in the conversation on LinkedIn and Twitter.
September 29, 2023
Podcast

Generative AI and Healthcare: A New Legal Landscape

Lighthouse welcomes Ty Dedmon, Partner and lead of Bradley’s healthcare litigation team, to assess how generative AI is impacting litigation and what we can do to minimize the risk.

Although the novel and often comical uses of generative AI have captured more recent headlines—think philosophical conversations with a chatbot or essays written in seconds using AI—there are big changes happening across sectors of the economy thanks to adoption of new tools and programs, including the legal and healthcare spaces. Recent case law and legislation highlight the new landscape emerging in healthcare litigation with potential long-term implications.

Lighthouse welcomes Ty Dedmon, Partner at Bradley who leads their healthcare litigation team, to assess how generative AI is impacting litigation and what we can do to prepare, and to share advice on leveraging AI innovation while minimizing the risk.

This episode’s sighting of radical brilliance: “Top AI companies agree to work together toward transparency and safety,” Kevin Collier, NBCNews, July 21, 2023.

Learn more about the show and our speakers on lawandcandor.com, rate us wherever you get your podcasts, and join in the conversation on LinkedIn and Twitter.
March 29, 2023
Podcast

Prioritizing Information Governance and Risk Strategy for a Dynamic Economic Climate

Lica Patterson, Senior Director of Global Advisory Services at Lighthouse, discusses how assessing short and long-term risk can inform a more strategic information governance program.

As we continue to grapple with a strange and unpredictable economic environment, establishing your legal and information governance priorities can be daunting. While directing investment and energy into the most urgent matters is a reflex during a down economy, neglecting more long-term data issues and risk can be detrimental. How do you balance these interests with already strapped resources?

Lica Patterson, Senior Director of Global Advisory Services at Lighthouse, joins the podcast to discuss how assessing short and long-term risk can inform a more strategic information governance program. She also shares how the right technology and teams contribute to accomplishing goals and evolving your program.

This episode's sighting of radical brilliance: 3 trends will shape the future of work, according to Microsoft’s CEO, World Economic Forum, February 10, 2023.

If you enjoyed the show, learn more about our speakers and subscribe on lawandcandor.com, rate us wherever you get your podcasts, and join in the conversation on LinkedIn and Twitter.
April 13, 2022
Podcast

Microsoft 365 and the Age of Automation

Microsoft’s Stefanie Bier joins Law & Candor to delve into the key types of automation required to support Microsoft 365 at scale for large organizations using Core or Advanced eDiscovery.

Bill Mariano and Rob Hellewell bring listeners another Sighting of Radical Brilliance. They discuss an episode of Fast Company’s podcast Innovation Unrestricted that explores how companies can incorporate diversity and inclusion into product design. They are then joined by Stefanie Bier, Senior Program Manager at Microsoft, to chat about how to deploy critical automation in Microsoft 365 and key updates on the horizon. Some questions they explore include:
- Automation is increasingly becoming a critical component of managing data and scaling programs. What are some of the new ways collaboration platforms, specifically M365, have introduced automation? What are the benefits of adopting these automated processes?
- What are some of the key types of automation that are necessary to optimize M365?
- With the cloud and automated updates, platforms are undergoing faster changes than ever before. How do you stay on top of them and ensure there’s cross-functional alignment at your organization?
- Whether it’s fear of error or worry about loss of control, some are reticent to automate certain aspects of their programs. What are the risks in not adopting automation?

Our co-hosts wrap up the episode with advice for amplifying other women’s voices in the legal and technology industries and some key takeaways.

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, listen and rate the show wherever you get your podcasts, and join in the conversation on Twitter.
Related Links
- Podcast: Understanding Microsoft 365 Unindexed Items
- Blog post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations
- Blog post: Breaking the Bias: Strategies from Top Women Leaders in Legal Technology
- Podcast: Innovation Unrestricted – How companies can incorporate diversity and inclusion into product design
November 16, 2021
Podcast

Understanding Microsoft 365 Unindexed Items

James Hart of Lighthouse and our hosts discuss this complex aspect of Microsoft 365 eDiscovery, identify best practices and mitigation strategies, and proactive tips for the future.

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss a framework for building accountability into AI from an article in Harvard Business Review by Stephen Sanford. In this episode, Bill and Rob are joined by James Hart of Lighthouse. They discuss this critical component of Microsoft 365 and its important role in maximizing the effectiveness of ediscovery workflows and mitigation strategies. Key questions from their conversation include:
- What are unindexed items and how critical are they to efficiency in ediscovery workflows?
- After identifying unindexed items, what is the next step and how do you approach it?
- What are some key strategies for handling unindexed items?
- How are different organizations approaching unindexed items from a policy perspective?
- What are best practices for approaching this unique issue in Microsoft 365?

In conclusion, our co-hosts end the episode with key takeaways.

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
Related Links
- Blog Post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations
- Blog Post: Making the Case for Information Governance and Why You Should Address It Now
- White Paper: The Impact of Schrems II and Key Considerations for Companies Using M365
- Podcast: Keeping Up with M365 Software Updates
November 16, 2021
Podcast

Getting Personal—Wearable Devices, Data, and Compliance

Thora Johnson of Orrick joins Bill and Rob to discuss the new data landscape with wearable devices and health apps, and how it has impacted data compliance, cybersecurity, and privacy concerns.

In the final episode of the season, co-hosts Bill Mariano and Rob Hellewell review a New Yorker piece by Kyle Chayka about the beauty and uncanniness of AI-created images delivered by the Twitter handle @images_ai. The co-hosts then bring on Thora Johnson of Orrick for a riveting discussion about the rise in wearable devices and the personal data they’re collecting. They discuss the fascinating innovation in health-related technology and apps and the significant data compliance, privacy, and cybersecurity issues that are accompanying it. Some key questions from their conversation include:
- Beyond the more well-known wearable devices and health-related apps, what others are out there and what types of data are they collecting?
- The proliferation of data these devices and apps are generating has created a unique set of intersecting compliance, security, and privacy challenges—what are some of the most critical to understand?
- How can teams mitigate the risk of a cyber breach? And in the event it does happen, what are best practices in terms of responding to a breach?
- What should attorneys and legal teams know about the FTC’s recent announcement that it plans to “vigorously” enforce its 2009 Health Breach Notification rule?
- What regulatory issues related to apps collecting genetic information should people be aware of?

The season ends with key takeaways from the guest speaker section.

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
March 23, 2021
Podcast

Keeping Up with M365 Software Updates

In the fourth episode of the seventh season, co-hosts Bill Mariano and Rob Hellewell discuss why diversity in AI is important and how this could impact legal outcomes and decisions. Next, they introduce their guest speaker, Jamie Brown of Lighthouse, who uncovers key strategies to keep up with the constant flow of Microsoft 365 software updates. Jamie answers the following questions (and more) in this episode:
- What are some of the common challenges associated with M365’s rapid software updates?
- How do these constant updates lead to compliance risks?
- What are some best practices for overcoming these challenges?
- What recommendations would you pass along to those who are experiencing these challenges?
- What advice would you give to other women in the ediscovery industry looking to move their careers forward?

Our co-hosts wrap up the episode with a few key takeaways.

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
December 3, 2020
Podcast

Reducing Cybersecurity Burdens with a Customized Data Breach Workflow

Bill Mariano and Rob Hellewell kick off episode 3 with another segment of Sightings of Radical Brilliance where they discuss the EU striking down the Privacy Shield and what that means for the legal realm. Next, Bill and Rob chat with Jeremiah Weasenforth of Orrick about a recent customized data breach workflow that Jeremiah and his team implemented to significantly reduce the burdens of a data breach. In this interview, Jeremiah uncovers the answers to the following questions:
- What are the burdens of a major data breach?
- What impacts do DSARs and the CCPA have on these breaches?
- How do you get started with a customized workflow?
- What technology should one use?
- How do you implement the workflow internally?
- What key tips are there for those experiencing cybersecurity burdens today?

The show concludes with key takeaways from the guest speaker segment.

Subscribe to Law & Candor here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.
September 22, 2020
Podcast

Achieving Information Governance through a Transformative Cloud Migration

Data migrations are generally perceived as painful and disruptive experiences. However, they also provide unique opportunities to transform the way unstructured data is used and managed within an...

In the first episode of season five, co-hosts Bill Mariano and Rob Hellewell introduce themselves and welcome listeners back for another season of Law & Candor, the podcast wholly devoted to pursuing the legal technology revolution.

To kick things off, Bill and Rob begin with Sightings of Radical Brilliance, the part of the show where they discuss the latest news of noteworthy innovation and acts of sheer genius. In this first episode, they dive into a recent article written by the folks at Baker Botts LLP around Federal Expedited Review in Response to COVID-19 and what that means for the industry.

For the guest speaker segment of the show, Bill and Rob bring on John Holliday of Lighthouse to discuss transformative cloud migrations and how to ensure a successful outcome via the following questions:
- How do cloud migrations provide an opportunity to transform processes and workflows within an organization?
- How does information architecture come into play?
- What benefits can one achieve during a cloud migration?
- What are best practices for a successful transformative cloud migration?

The episode wraps up with key takeaways.

If you enjoyed the show, subscribe here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.

Related Links
- Blog Post: Top Three Things That Could Derail Your Cloud Migration Project
- Blog Post: Why Moving to the Cloud is a Legal Conversation
September 22, 2020
Podcast

Effective Strategies for Managing DSARs

Since the introduction of the GDPR, organizations with a European presence have seen a rise in the number of Data Subject Access Requests (DSARs). These matters are time-consuming, costly, and not...

In the fourth episode of season five, co-hosts Bill Mariano and Rob Hellewell discuss how Relativity is using its technology to help medical researchers comb through COVID-19 journal articles to help battle the virus.

Bill and Rob then introduce their guest speaker, Nicki Woodfall of Travers Smith, who uncovers effective strategies for managing DSARs. Nicki answers the following questions in this episode: Why has there been a recent uptick in DSARs over the past few years? What are the top challenges when it comes to managing DSARs? What are key ways to overcome these common challenges? Our co-hosts wrap up the episode with a few key takeaways.

If you enjoyed the show, subscribe here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.

Related Links
Blog Post: How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery
Case Study: Penningtons Manches Cooper Takes Control of their eDiscovery Process with Lighthouse Spectra

About Law & Candor
Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here.
June 23, 2020
Podcast

Managing Cybersecurity in eDiscovery

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss how password dumping can improve your security and what that means for the future of security.

In this episode, Bill and Rob are joined by Dave Kuhl of Lighthouse. The three uncover the complexities around managing cybersecurity as well as practical tips for overcoming challenges via the following questions: What are the recent complexities around managing cybersecurity? What are today’s biggest threats? What are some key lessons learned around these challenges? How do you combat cybersecurity challenges? How do you get ahead of these issues before they hit? In conclusion, our co-hosts end the episode with key takeaways.

To join the conversation, connect with us on Twitter and discover more about our speakers and the show here.

Related Links
Blog Post: Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production
Blog Post: Top Three Tips for Structuring an Effective eDiscovery Security Evaluation
Podcast Episode: Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production
Webinar Recording: The Risks of Cybersecurity in eDiscovery – Is Your Data Safe?
March 24, 2020
Podcast

Data Privacy in a Post-GDPR World: Facing Regulators and Ensuring Compliance Through Rock-Solid Information Governance Practices

In the second episode of season three, co-hosts Bill Mariano and Rob Hellewell kick off the show with Sightings of Radical Brilliance. In this episode, they discuss how technology competence has become a priority for today’s lawyers, which has become a recent hot topic within the space as more states make technical competence for lawyers mandatory.

They then introduce the next guest speaker segment from the live recording of Law & Candor during Legaltech, which features Kelly Clay from GSK. They explore how GDPR has impacted the ediscovery world, both globally and in the US, since its enactment and focus on ways to mitigate risk by uncovering answers to the following questions: What key challenges have GDPR and the rise of recent privacy laws created globally and in the US? How can information governance and compliance practices mitigate data privacy and security risks? What are best practices or key recommendations for listeners? Our co-hosts wrap up the episode with a few key takeaways.

Join in the conversation on Twitter and discover more about our speakers and the show here.
December 4, 2019
Podcast

Understanding and Creating Effective and Best eDiscovery Practices for G-Suite

In the final episode of season two, co-hosts Bill Mariano and Rob Hellewell discuss what a US approach to data protection and privacy would look like in the Sightings of Radical Brilliance segment of the show. In particular, they discuss how we are seeing these pop up on a state-by-state basis and whether we need a Federal law that applies to privacy.

Bill and Rob are joined by Alison Shier, Client Development Manager at Lighthouse, to discuss the challenges and best practices around G-Suite data for their sixth and final episode of the season. The three cover the following questions: Is leveraging G-suite a more common trend/theme in the space? How is Gmail data different than Outlook data? What are some of the challenges around managing this data? What are some of the downstream issues and challenges around review of this data? How do we address these challenges? How do TAR and analytics impact G-suite data? The season ends with key takeaways from the guest speaker section.

Connect with us on Twitter, discover more about our speakers and the show here, and, if you are interested in attending the live podcast show at Legaltech, email us for details.
December 4, 2019
Podcast

Would a No-Deal Brexit Change How We Handle Cross-Border Collections in Europe?

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss personalized and predictive medicine and how Apple Watches have been saving lives. In addition, they dive into what these trends mean for the legal field.

In this episode, Bill and Rob are joined by Josh Yildirim, Executive Director of Service Delivery of Europe at Lighthouse. The three of them jump into the current status of Brexit and what the future of cross-border data collections could look like. Below are the questions they address: Where are we currently with Brexit, and is a no-deal likely? How could this potentially impact data privacy? How could this impact cross-border collections? What are some practical tips when it comes to potential challenges? What are companies going to need to do to prepare? In conclusion, our co-hosts end the episode with key takeaways.

To join the conversation, connect with us on Twitter and discover more about our speakers and the show here.
December 4, 2019
Podcast

Data Preservation in the World of Ephemeral Data, Mobile Devices, and Other New Challenges in Forensic Technology

Co-hosts Bill Mariano and Rob Hellewell share details around the five biggest data breaches of the year so far in Sightings of Radical Brilliance and what this means for the future of the legal space.

Next, Bill and Rob bring on Jerry Bui, Executive Director of Digital Forensics at Lighthouse, to help uncover the answers to the following questions around data preservation when it comes to ephemeral and encrypted data: What do ephemeral and encryption mean? What are the different types of enterprise communication platforms? Which platform gives you the most in terms of investments from a legal and compliance perspective? What about data privacy on these platforms? How is the personal data treated? What should IT and Legal departments keep in mind when it comes to platforms that are not encrypted? The show concludes with key takeaways from the guest speaker segment.

Join the conversation on Twitter and discover more about our speakers and the show here.

Related Links
Podcast: Digital Forensics Future
December 4, 2019
Podcast

Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production

In the fourth episode of season two, co-hosts Bill Mariano and Rob Hellewell begin with Sightings of Radical Brilliance and the recent trend of folks moving away from email and towards text and chat tools. They dive into the diverse challenges and risks associated with this shift.

Next, Bill and Rob introduce their guest speaker, David Kessler, Head of Data and Information Risk, United States, at Norton Rose Fulbright US LLP, to discuss cybersecurity challenges across the various stages of the EDRM. In this episode they ask David the following key questions: What does a high-level overview of data security look like today? Who does this affect? Where are vulnerabilities within the EDRM? What are some key solutions for overcoming top challenges? In the end, our co-hosts wrap up with a few key takeaways.

Follow us on Twitter and discover more about our speakers and the show here.
December 4, 2019
Podcast

Bridge the Gap: Innovative Ways to Enable eDiscovery Collaboration Between Legal and IT

In the very first episode of season two, co-hosts Bill Mariano and Rob Hellewell introduce themselves and welcome listeners back for another riveting season of Law & Candor, the podcast wholly devoted to pursuing the legal technology revolution. To kick things off, Bill and Rob begin with Sightings of Radical Brilliance, the part of the show where they discuss the latest news of noteworthy innovation and acts of sheer genius. In this first episode, they dive into a recent story around how legal technology helped capture the BTK killer and recap the key legal mistakes of this notorious serial killer.

In the guest speaker segment of the show, our co-hosts were joined by Craig Shaver, Director, eDiscovery Program, Hilton Worldwide, who helped them uncover the answers to the following questions around cross-departmental collaboration: What are the current challenges in play when IT and Legal are out of sync? Why is it critical for these two groups to be in sync? What are some of the risks of these groups being out of alignment? Who is the best person to lead the effort of aligning Legal and IT? Are there other departments within an organization that need to be at the table as well? What are the greatest challenges you’ve seen in achieving better alignment? What are some new ways these two groups can ensure they are in alignment? What are the benefits to an organization of this alignment? In conclusion, our speakers share top takeaways.

If you enjoyed the show, join in the conversation on Twitter and discover more about our speakers and the show here.
September 20, 2019
Podcast

Moving to the Cloud: A Law Firm Journey

In the final episode of season one, co-hosts Bill Mariano and Rob Hellewell share their thoughts around AI-enabled deep fakes in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they chat about the implications and dangers around this technology and what that means for the legal space and beyond.

Bill and Rob bring on David Arlington, Special Counsel at Baker Botts, to discuss the move to the Cloud from a law firm’s perspective. Bill and Rob cover the following questions with David in the season finale: Why did the firm decide to move to a cloud-based service? Did you get any pushback or fear around moving to the Cloud, and, if so, how did you handle it? How long did it take to get up on the Cloud, from the initial decision to getting up and running on the Cloud? What were some of the unanticipated surprises that popped up during this process? What kind of advantages have you seen so far? The season ends with key takeaways from the guest speaker section and a reminder to watch for the release of season two in December.

Connect with us on Twitter and discover more about our speakers and the show here.
September 20, 2019
Podcast

Microsoft Office 365 Part 2: How to Leverage all the Tools in the Toolbox

In the fourth episode of season one, co-hosts Bill Mariano and Rob Hellewell begin with SIGHTINGS OF RADICAL BRILLIANCE around the dawn of realistic face masks as well as retina scans and fingerprints for authentication, and the security and legal concerns that hide beneath.

Next, Bill and Rob introduce guest Chris Hurlebaus, eDiscovery Architect at Lighthouse, to discuss the tools that are available in Office 365 and how to leverage them. The speakers cover the following questions in this episode: What do I need to know around Office 365 licensing when having an ediscovery conversation? What Office 365 tools are currently available to users? What are the different options/subscription levels? What are the advanced features of Office 365? What about reporting of ediscovery activities in Office 365? What is Microsoft looking to do next around this technology? In the end, our co-hosts wrap up with a few key takeaways.

Follow us on Twitter and discover more about our speakers and the show here.

Related Links
Case Study: The Benefits of an Office 365 Workshop
September 20, 2019
Podcast

Moving to the Cloud: A Corporate Journey

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss Rob Robinson's recent article around the eras of ediscovery and where the industry is going next.

In today’s episode, Bill and Rob are joined by Alex Shusterman, eDiscovery Manager at Accenture. The three discuss key components for corporate legal teams to keep in mind when considering the move to the Cloud as well as the benefits. Below are the questions they address: What are the key aspects corporate legal teams should keep in mind when considering the move to the Cloud? Why is it critical for Legal and IT to be in collaboration for these types of moves? What should corporate legal teams avoid when moving to the Cloud? What are lessons learned from moving to the Cloud? What are some of the benefits of moving to the Cloud? In conclusion, our co-hosts end the episode with key takeaways.

To join in on the conversation, connect with us on Twitter and discover more about our speakers and the show here.
September 20, 2019
Podcast

Microsoft Office 365 Part 1: Microsoft’s Influence on the Next Evolution of eDiscovery

Co-hosts Bill Mariano and Rob Hellewell introduce the issues around ephemeral data in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they look at the huge growth rates in Snapchat users and what the continued growth of ephemeral data means for the legal space.

Next, Bill and Rob bring on Mo Ramsey, General Manager of Global Advisory Services at Lighthouse, to help uncover the answers to the following questions around Office 365 in the ediscovery space: What does Microsoft’s evolution of ediscovery capabilities in Office 365 look like? What’s Microsoft doing within ediscovery and how do they want to differentiate? What specific actions are advanced users able to perform in Office 365? What should teams consider when evaluating Office 365? The show concludes with key takeaways from the guest speaker segment.

Join the conversation on Twitter and discover more about our speakers and the show here.
October 3, 2023
Blog

Law & Candor Season 12: Five Views of Innovation and Risk Impacting AI, eDiscovery, and Legal

Mitch Montoya

In a year of unprecedented advancement in AI capabilities and economic uncertainty, legal teams and attorneys have been given both a compelling look into what the future of their work may look like and a sharp picture of today’s challenges. With a critical eye on how to manage and capitalize on these dueling perspectives that define legal’s current landscape, the guests on the new season of Law & Candor offer insights on a range of issues, including generative AI, new M&A guidelines and HSR rules, collaboration data, strategic partnerships, and the future of the industry. Listen for news, AI and technology updates, and best practices from leaders confronting these challenges and charting new paths forward.

Episode 1: The Power of Three: Maximizing Success with Law Firms, Corporate Counsel, and Legal Technology
Episode 2: What You Need to Know About the New FTC and DOJ HSR Changes
Episode 3: Why Your eDiscovery Program and Technology Need Scalability
Episode 4: Generative AI and Healthcare: A New Legal Landscape
Episode 5: The Great Link Debate and the Future of Cloud Collaboration

To keep up with news and updates on the podcast, follow Lighthouse on LinkedIn and Twitter. And check out previous episodes of Law & Candor at lighthouseglobal.com/law-and-candor-podcast. For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.
September 26, 2023
Blog

Navigating Cross-Border eDiscovery Issues in the Wake of a U.S. Adequacy Determination

At Lighthouse our teams have the benefit of working across numerous clients, cases, and jurisdictions. As a result, we are building deep institutional knowledge across many aspects of eDiscovery that may be more difficult for individuals or teams to amass organically. To benefit our clients, we regularly share these insights in an ongoing series of best practices articles. This article provides updated guidance on cross-border eDiscovery in the wake of a recent adequacy determination by the European Commission for EU-US data transfers.

Best Practices to Support Cross-Border Data Transfers in eDiscovery

In any matter that potentially involves the processing and transfer of personal data across country borders, case teams should consider the following factors before deciding on a strategy:

- The underlying company’s own policy governing the processing of personal data (including transfer mechanisms, such as consent and/or binding corporate rules)
- The specific countries at issue (some countries have additional requirements for data residency, heightened consent requirements, etc.)
- The nature of the data (including special categories of protected data, i.e., high risk data), as well as the importance of the custodian and uniqueness/criticality of the data
- The options and feasibility of obtaining custodian consent for the transfer of their data (e.g., time to obtain consent, employment status of the custodian, the impact of obtaining consent on an investigation)

When evaluating options for where the data should be processed, case teams should also consider:

- The country where most custodians are located (i.e., where the largest volume of data will be located)
- Data center options (if no data center, consider other cloud based or remote kit options and the impact on downstream search/review)
- The pros and cons of processing data in a single data repository
- Minimization at the point of collection as opposed to once data is processed into a review tool

Note that most clients follow a “hub-centric” approach and process data in accordance with specific regions, e.g., data stored in the US is processed in the US; data stored in Europe is processed in a European data center; data stored in APAC is processed either in APAC, depending on the country-specific laws, or in Europe, and so forth.

Whenever non-U.S. data is present in a matter, case teams should consider the following best practices for cross-border data transfers:

- Establish lawful grounds for processing personal data (e.g., custodian consent, adequacy decision, or a legal exception defined by applicable data privacy regulations, such as the GDPR’s legitimate business interest exception). Note that many case teams choose not to rely solely on custodial consent for larger matters, unless the data originates from a highly restrictive jurisdiction (e.g., Switzerland, France, Germany, Luxembourg, etc.) or the matter involves specially protected data.
- Ensure there are adequate safeguards in place to support exceptions, such as the legitimate business interest exception. At a minimum, this includes efforts to “minimize” what is being processed (i.e., collecting only data that is necessary for the activity at hand). Case teams can minimize the volume of data being processed by using keywords or other filters to reduce what is collected, culling data at the processing stage, conducting a search for certain categories of personal data, redacting personal data, and permitting a custodian to review data prior to transfer.

Case teams should also follow specific best practices when encountering any of the below scenarios during eDiscovery:

- Matters involving U.S. litigations and eDiscovery: Consider adding supplemental data privacy safeguards, including putting a protective order in place that specifically addresses the handling of personal data subject to applicable law (e.g., GDPR and other applicable country specific regulations). This includes provisions to designate certain data as subject to the protective order and specific provisions that require the deletion of data (and confirmation of deletion) once the litigation concludes.
- Matters involving cross-border transfers from other (non-U.S.) countries: Ensure an appropriate cross-border transfer mechanism is in place for all data transfers. Common examples of appropriate cross-border transfer mechanisms include model contract clauses, intra-company agreements, and adequacy decisions rendered by the European Commission (including the adequacy decision for the new EU-U.S. Data Privacy Framework).
- Matters involving data originating in China (PRC): Take into consideration all data security implications and PRC laws before transferring any data out of the country (including the requirement to conduct a state-secrets review in-country before any data can be transferred outside the country).
- Matters involving data originating in countries with heightened privacy restrictions and/or sector-specific requirements (i.e., bank secrecy): Consider processing (and potentially reviewing) data in-country.

Document the protocol adhered to for each matter.

Conclusion

While transferring personal data across borders may feel like an increasingly complicated task for legal and eDiscovery teams, it is also a task that will be increasingly necessary as corporate data volumes grow and spread. The good news is that case teams do not have to navigate those complexities alone. An experienced eDiscovery partner with a global footprint and information governance/legal experts on staff can work closely with both outside and in-house counsel to develop a solution for cross-border data transfers that meets the legal requirements and needs of each matter.

Jamie Brown
July 23, 2019
Blog

Why Moving to the Cloud is a Legal Conversation

There is a common theme buzzing around the legal tech and eDiscovery industry – the Cloud and how in-house lawyers should be aware of the implications of their companies moving to the Cloud. Due to its regular appearance, there is an increasing focus on the legal implications of moving to the Cloud, rather than IT and operational considerations, within organisations.

Setting the Stage

The Cloud is familiar to most people thanks to the way we store photos and save emails. However, the impact of the Cloud in such a short space of time, even for personal users, is remarkable. Google now gives away cloud storage space worth around $15,000 per person at 1995 prices to its users (of which there are approximately 1 billion). In other words, what would have cost a combined $15 trillion just 24 years ago is now being offered for free (Goldin and Kutarna. Age of Discovery. 1990. Print.).

The common response to the question of moving a company's data to the Cloud is typically around perceived issues of both cost and security. Both of these topics are fundamental but are limited in scope when considering the wide-ranging potential of enterprise cloud technology from the perspective of data governance, compliance, and eDiscovery.

Reducing or eliminating IT spend on building and maintaining infrastructure is a driving force for companies to move to the Cloud. Another is the need to provide employees with the tools they need to not only continue their everyday tasks but also to adapt and innovate. Microsoft recently quoted that, “97% of Fortune 500 and 95% of Fortune 1000 companies have Office 365 to benefit from streamlined infrastructure, data management, and collaborative technology opportunities.” They have discovered that cloud-based productivity has moved far beyond just standard applications like Word or Excel. Networked applications fuel employee innovation. According to a study by Vanson Bourne, “companies leveraging cloud services increased their time to market by 20.7%. At the same time, IT spending decreased by 15.1%, and, as for employees, productivity jumped 18.8%.”

When compared to cost savings and data security, data governance, compliance, and eDiscovery often get less consideration. This is because a transition to the cloud is a core business decision, taken on at an enterprise-wide level to streamline the company and provide business-critical tools to employees. The legal capabilities of the technology may seem peripheral to the IT teams focusing on transitioning from on-premise infrastructure to cloud-based data centres. However, when you consider the variety of ways in which data is generated and the volume of this data, legal needs to lead the way in managing risk and adding value to how collaboration is managed across the company.

Driving Home the Point

Ironically, cloud-based technologies like Office 365 make it even easier to generate ever-larger amounts of data. It is, therefore, no surprise that the same technology can (and should) be used to govern this data. Legal needs to consider how to take ownership of the company's data for risk management purposes if nothing else.

An example of this is persistent chat using Skype, Teams, Yammer, etc. Legal rather than IT needs to drive the key questions. Is this functionality available to everyone? How long is chat data stored? Does the company utilise more than one chat solution and do they interact with each other? Is the data discoverable if necessary and can it be searched? Can a legal hold be placed on this content? When deleted, does that fit with the overall data retention policy and is that consistent across multiple locations?

Just one aspect of data governance, that of data retention and associated policies and logistics, can be overwhelming. Every organisation has many applications that employees use. A switch to a cloud-based environment doesn’t just mean the data is stored somewhere else. It means that tools are probably available for employees to work more intelligently and collaboratively. This is a positive thing for both efficiency and most likely profitability. It is also positive in terms of data governance and compliance. Policies such as data retention and categorisation can be refreshed so that they are not written and ignored. They can be hardwired into the very applications that generate the bulk of a company's data, from email and business documents to persistent chat applications, financial data, and internal social media.

Cloud-based technology such as Office 365 can be utilised to manage contentious matters more effectively and proportionally (crucial for Subject Access Requests), without the need for large-scale intervention from third parties who deploy forensic data collection experts to ship large volumes of data elsewhere for eDiscovery purposes.

Furthermore, failure to provide modern workplace technology often means that a shadow IT environment develops within a company, a phenomenon that makes governance and compliance even more difficult than it already is. Employees will use whatever technology they can to make their job easier, regardless of policy. Again, legal, not IT, can lead the way in aligning policies with the use of modern workplace tools.

Fortunately, security concerns have done little to hold back the tide of progress to cloud-based infrastructure. Microsoft may be a company that has the most attempted external hacks, but it also has a budget of over $1 billion annually to ensure the data it holds is secure. Other cloud-based providers also understand the value of managing their clients’ data and have similar impressive ways and large budgets to protect it. Microsoft's share price demonstrates what shareholders think of their focus on the cloud over the last five years. Windows is not discussed as widely these days compared to Office 365.

Looking Forward

IT and security may be the departments responsible for a transition to the Cloud but legal and compliance are the departments that should take ownership of the generation and governance of the data. This should not be seen as a burden, but a welcome change in how to align a modern workplace with a comprehensive framework to manage risks inherent in big data.

If you would like to discuss this topic further, please feel free to reach out to me at MBrown@lighthouseglobal.com.

Michael Brown
March 26, 2021
Blog

Legal Tech Innovation: Learning to Thrive in an Evolving Legal Landscape

The March sessions of Legalweek took place recently, and as with the February sessions, the virtual event struck a chord that reverberated deep from within the heart of a (hopefully) receding pandemic. However, the discussions this time around focused much less on the logistics of working in a virtual environment and much more on getting back to the business of law. One theme, in particular, stood out from those discussions – the idea that legal professionals will need to have a grasp on the technology that is driving our new world forward, post-pandemic.

In other words, the days when attorneys somewhat-braggingly painted a picture of themselves as Luddites holed up in cobwebbed libraries are quickly coming to an end. We live in an increasingly digital world – one where our professional communications are taking place almost exclusively on digital platforms. That means each of us (and our organizations and law firms) are generating more data than we know what to do with. That trend will only grow in the future, and attorneys that are unwilling to accept that fact may find themselves entombed within those dusty libraries.

Fortunately, despite our reputation as being slow to adapt, legal professionals are actually an innovative, flexible bunch. Whether a matter requires us to develop expertise in a specific area of the medical field, learn more about a niche topic in the construction industry, or delve into some esoteric insurance provision – we dive in and become laymen experts so that we can effectively advocate for our clients and companies. Thus, there is no doubt that we can and will evolve in a post-pandemic world. However, if anyone out there is still on the fence, below are four key reasons why attorneys will need to become tech savvy, or at least knowledgeable enough to understand when to call in technical expertise.

1. Technological Competence is Imposed by Ethics and Evidence Rules

First and foremost, attorneys have an ethical duty (under ABA Model Rule 1.1) to “keep abreast of changes in the law and its practice, including the benefits and risk associated with relevant technology.” Thirty-seven states have adopted this language within their own attorney ethics rules. Thus, just as we have a duty to continue our legal education each year to stay abreast of changes in law, we also have an ethical duty to continue to educate ourselves on the technology that is relevant to our practice.

We also have a duty to preserve and produce relevant electronically stored information (ESI) (under both the Federal Rules of Civil Procedure (FRCP), as well as the ABA model ethics rules)[1] during civil litigation. To do so, attorneys must understand (or work with someone who understands) where their client’s or company’s relevant ESI evidence is, how to preserve it, how to collect it, and how to produce it. This means preserving and producing not only the documents themselves but also the metadata (i.e., the information about the data itself, including when it was generated and edited, who created it, etc.). This overall process grows more complicated with each passing year, as companies migrate to the unlimited storage opportunities of the Cloud and employees increasingly communicate through cloud-based collaboration platforms. Working within the Cloud has a myriad of benefits, but it can make it more difficult for attorneys to understand where their client’s or company’s relevant information might be stored, as well as harder to ensure metadata is preserved correctly.

Together, these rules and obligations mean that whether we are practicing law within a firm or as in-house counsel at an organization, we have a duty to understand the basics of the technology our clients are using to communicate so that at the very least, we will know when to call in technical experts to meet the ethical and legal obligations we owe to those we counsel.

2. Data Protection and Data Privacy is Becoming Increasingly Important

The data privacy landscape is becoming a tapestry of conflicting laws and regulations that companies are currently navigating as best they can. Within the United States alone, there were a multitude of state and local laws regulating personal data that came into effect or were introduced in 2020. For companies that have a global footprint, the worldwide data protection landscape is even more complicated – from the invalidation of the EU-US privacy shield to new laws and modifications of data protection laws across the Americas and Asia Pacific countries. It will not be long before most companies, no matter their location, will need to ensure that they are abiding within the constructs of multiple jurisdictional data privacy laws.

This means that attorneys who represent those companies will need to understand not only where personal data is located within the company, but also how the company is processing that data, how (and if) that data is being transmitted across borders, when (and if) it needs to be deleted, the process for effectively deleting it, etc. To do so, attorneys must also have at least some understanding of the technology platforms their companies and clients are using, as well as how data is stored and transferred within those platforms, to ensure they are not inadvertently running afoul of data privacy laws.

As far as data protection, attorneys need to understand how to proactively protect and safeguard their clients’ data. There have been multiple high-profile data breaches in the last few months, and law firms and companies that routinely house personal data are often the target of those breaches. Protecting client data requires attorneys to have a semblance of understanding of where client data is and how to protect it properly, including knowing when and how to hire experts who can best offer the right level of protection.

3. Internal Compliance is Becoming More Technologically Complicated

There has been a lot of interest recently in using artificial intelligence (AI) and analytics technology to monitor internal compliance within companies. This is in part due to the massive amount of data that compliance teams now need to comb through to detect inappropriate or illegal employee conduct. From monitoring departing employees to ensure they aren’t walking out the door with valuable trade secret information, to monitoring digital interactions to ensure a safe work environment for all employees – companies are looking to leverage advances in technology to more quickly and accurately spot irregularities and anomalies within company data that may indicate employee malfeasance.

Not only will this type of monitoring require an understanding of analytics and AI technology, but it will also require grasping the intricacies of the company’s data infrastructure. Compliance and legal teams will need to understand the technology platforms in place within their organization, where employees are creating data within those platforms, as well as how employees interact with each other within them.

4. The Ability to Explain Technology Makes Us Better Advocates

Finally, it is important to note that the ability to understand and explain the technology we are using makes us better and more effective advocates. For example, within the eDiscovery space, it can be incredibly important for our clients’ budgets and case outcomes to attain court acceptance of AI and machine-learning technology that can drastically limit the volume of data requiring expensive and tedious human review. To do so, attorneys often must first be able to get buy-in from their own clients, who may not be well versed in eDiscovery technology. Once clients are on-board, attorneys must then educate courts and opposing counsel about the technology in order to gain approval and acceptance.

In other words, to prove that the methods we want to use (whether those methods relate to document preservation and collection, data protection, compliance workflows, or eDiscovery reviews) are defensible and repeatable, attorneys must be able to explain the technology behind those methods. And as in all areas of law, the most successful attorneys are ones who can take a very complicated, technical subject and break it down in a way that clients, opposing counsel, judges, and juries can understand (or alternatively are knowledgeable enough about the technology to know when it is necessary to bring experts in to help make their case).

Best Practices for Staying Abreast of Technology

- Reach out to technology providers to ask for training and tips when needed. When evaluating providers, look for those that offer ongoing training and support.
- For attorneys working as in-house counsel, work to build healthy partnerships with compliance, IT, and data privacy teams. Being able to ask questions and learn from each other will help head off technology issues for your company.
- For attorneys working within law firms, work to understand your clients’ data infrastructure or layout. This may mean talking to their IT, legal, and compliance teams so that you can ensure you are up to date on changes and processes that affect your ability to advocate effectively for your client.
- Look for CLEs, trainings, and vendor offerings that are specific to the technology you and your clients use regularly. Remember that cloud-based technology, in particular, changes and updates often. It is important to stay on top of the most recent changes to ensure you can effectively advocate for your clients.
- Recognize when you need help. Attorneys don’t need to be technological wizards in order to practice law; however, you will need to know when to call in experts…and that will require a baseline understanding of the technology at issue.

To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com.

[1] ABA Model Rule 3.4, FRCP 37(e) and FRCP 26

Sarah Moran
September 8, 2020
Blog

Google Drive: What Happened to Our Date?

Like most cloud-based productivity platforms, Google offers solutions for both home and business environments. Free-for-personal-use applications such as Gmail, Google Docs, and Google Drive deliver a rich set of communication and Office-like functionality that have near feature parity with their commercial corporate-focused G Suite counterparts. From the perspective of evidence acquisition in the civil arena, we find a significant number of organizations bypassing the conventional Microsoft stack in favor of G Suite. These organizations tend to operate in the technology space including biotech, electronics, engineering, and all flavors of “garage” startups.

While cloud platforms enable a limitless world of collaboration and information storage, they also introduce an alternative set of metadata that can trip up seasoned examiners and eDiscovery practitioners. This can be particularly problematic for metadata dates. Historically, determining the date of a file that moved between computers is quite simple; however, arriving at the “best” date for any given piece of cloud evidence can be a subjective exercise and is limited to metadata exposed and potentially altered by the cloud platform. In the following post, I’ll dive into how this issue arises so that practitioners and analysts can use the most accurate evidence date for their eDiscovery needs.

A “document” in Google Docs is simply a set of records and field values stored in a database. This departs from the traditional concept of a document being contained in a stand-alone file on your computer’s desktop. Currently, to be reviewed alongside traditional ESI, a Google Doc (i.e., a spreadsheet or presentation) must be pulled from Google’s database, converted into a traditional document file, and downloaded for processing and review.

Thus, the handling of dates can become an issue for documents within G Suite. If a Microsoft (MS) Excel document is created by a user on their laptop, uploaded to Google Drive, edited in place, and then later downloaded for eDiscovery purposes, what is the document’s date? A typical MS Office (Excel, Word, PowerPoint, etc.) document has three dates assigned by the file system (think: my laptop’s hard drive): Created, Modified, and Accessed. It also has up to three dates “embedded” inside the file itself: Created, Modified, and Last Printed. What happens when the Excel file makes a round trip to Google and back? With so many dates to choose from, it’s tough to pick just one!

Before the upload to Google Drive, here are the file system dates for our MS Excel document. Notice that the file system is telling us the document was created on June 30, 2020, at 11:33 AM.

And here are the embedded “application” dates. Note that “Date last saved” is essentially a “modified” date, and this document has not yet been printed. By looking at the application-level dates, we can also tell that the file was actually created at 11:04 AM, and then copied to its present location at 11:33 AM.

After uploading to Google Drive, Google will assign its own Created and Modified dates to the item. You’ll notice in the graphic below that Google’s displayed Modified date of June 30 at 1:36 PM matches the Modified date of the original file. So far so good! But, take a look at Google’s recording of the Created Date: it’s been set by Google to simply “11:23 AM” on the date of the upload action (July 10, 2020). Notice also that Google indicates the document was created “with Google Drive Web.”

Now, let’s make an edit to the Excel file. There are two ways to accomplish this in Google Drive: 1) you can edit the document “in place” using Google Docs without abandoning the original MS Excel format, or 2) you can do a “Save As” and convert the document into Google Sheets format. In this example, we are going to use method #1 and make a couple of edits to our MS Excel file. Google Docs immediately auto saves the file for us. Let’s look at the dates.

After editing in Google Drive, but leaving as Excel format, you’ll notice in the graphic below that Google’s Modified date has been changed to the time of the edit. This makes sense. The Created date, which Google previously set to the time of upload, remains the same.

Let’s assume that this record is needed for eDiscovery purposes, and it is downloaded from Google Drive to a forensic examiner’s machine to pass along to the case team. When the file reaches the machine, the creation of the new file results in the following file system date values. Notice that they’ve all been changed to the date/time of the download action!

However, if we take a look inside the Excel file at the embedded “application” dates, we notice that we have a creation date of 6/30/2020 at 11:04 AM that has remained unaltered throughout this entire process. However, the “Date last saved” is reflective of the time of the download action. We may have expected this date to be set to 11:27 AM, which was the time at which the document was edited in Google Drive, but it is unfortunately altered by the download action. The image on the right shows the “Info” tab from MS Excel itself, which indicates a blank value for “Last Modified.”

Using the same Excel file, I will now choose to “Save as Google Sheets”.

You’ll notice that the creation and modification timestamps in the graphic below have been set to the time at which the MS Excel file was converted to a Google Sheet. Google also indicates the application that created the document was “Google Sheets.”

I made a couple of edits to the file in Google Sheets and then right clicked to download it to my workstation. First, Google converts the file from Google Sheets format into MS Excel format.

Josh Headley
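The comparison the post above walks through, file-system dates against the dates embedded in the Office file, can be scripted. The following is an added example, not part of the original post or any Lighthouse tooling: it reads the embedded Created / Modified / Last Printed values from `docProps/core.xml` (where Office Open XML files keep their core properties) and sets them beside the file-system values. The function names, the note labels, and the sample file with its timestamps are assumptions constructed for illustration.

```python
"""Compare file-system dates with the dates embedded in an OOXML document."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of docProps/core.xml, the core-properties part of .xlsx/.docx/.pptx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
}
CORE_PART = "docProps/core.xml"
FIELDS = (("created", "dcterms:created"),
          ("modified", "dcterms:modified"),   # Excel displays this as "Date last saved"
          ("last_printed", "cp:lastPrinted"))


def parse_w3cdtf(text):
    """Parse a core.xml timestamp such as 2020-06-30T11:04:00Z; None if unusable."""
    if not text or not text.strip():
        return None
    value = text.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def embedded_dates(path):
    """Return the application-level dates stored inside the file itself."""
    result = {key: None for key, _ in FIELDS}
    try:
        with zipfile.ZipFile(path) as package:
            if CORE_PART not in package.namelist():
                return result
            # For untrusted evidence files a hardened parser (e.g. defusedxml)
            # is preferable to the standard-library one used here.
            root = ET.fromstring(package.read(CORE_PART))
    except (zipfile.BadZipFile, ET.ParseError):
        return result  # legacy binary format or damaged file: nothing to read
    for key, tag in FIELDS:
        node = root.find(tag, NS)
        if node is not None:
            result[key] = parse_w3cdtf(node.text)
    return result


def filesystem_dates(path):
    """Return the dates assigned by the file system, in UTC."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)  # not exposed on most Linux systems
    as_utc = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc)
    return {"created": as_utc(birth) if birth is not None else None,
            "modified": as_utc(st.st_mtime),
            "accessed": as_utc(st.st_atime)}


def assess(path, tolerance_seconds=5):
    """Set both date families side by side and note the patterns the post describes."""
    fs = filesystem_dates(path)   # stat first: opening the file can change "accessed"
    emb = embedded_dates(path)
    stamps = [value for value in fs.values() if value is not None]
    notes = []
    if (max(stamps) - min(stamps)).total_seconds() <= tolerance_seconds:
        notes.append("filesystem-dates-collapsed")        # typical of a fresh copy/download
    if emb["created"] and emb["created"] < min(stamps):
        notes.append("embedded-created-predates-filesystem")
    if emb["modified"] and abs((emb["modified"] - fs["modified"]).total_seconds()) <= tolerance_seconds:
        notes.append("embedded-modified-matches-transfer")  # "last saved" reset by the export
    return {"embedded": emb, "filesystem": fs, "notes": notes}


def build_sample(path):
    """Constructed sample: a ZIP holding only core.xml, not a complete workbook."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dcterms="{NS["dcterms"]}">'
            '<dcterms:created>2020-06-30T11:04:00Z</dcterms:created>'
            '<dcterms:modified>2020-07-10T11:35:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    with zipfile.ZipFile(path, "w") as package:
        package.writestr(CORE_PART, core)
    moment = datetime(2020, 7, 10, 11, 35, tzinfo=timezone.utc).timestamp()
    os.utime(path, (moment, moment))  # simulate a download resetting the file times


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.xlsx")
        build_sample(sample)
        report = assess(sample)
        for family in ("embedded", "filesystem"):
            print(family, {k: str(v) for k, v in report[family].items()})
        print("notes", report["notes"])
```

Run it against a working copy rather than the original evidence item, since reading a file can update its Accessed time.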
November 5, 2020
Blog

Why Moving to the Cloud can Help with DSARs (and Have Some Surprise Benefits)

However you view a DSAR, for any entity who receives one, they are time consuming to complete and disproportionately expensive to fulfill. Combined with the increasing manner in which they are being weaponized, companies are often missing opportunities to mitigate the negative effects of DSARs by not migrating data to the Cloud.

Existing cloud solutions, such as M365 and Google Workspace (formerly known as G-Suite) allow administrators to, for example, set data retention policies, ensuring that data cannot routinely be deleted before a certain date, or that a decision is made as to when data should be deleted. Equally, legal hold functionality can ensure that data cannot be deleted at all. It is not uncommon for companies to discover that when they migrate to the Cloud all data is by default set to be on permanent legal hold. Whilst this may be required for some market sectors, it is worth re-assessing any existing legal hold policy regularly to prevent data volumes from ballooning out of control.

Such functionality is invaluable in retaining data, but can have adverse effects in responding to DSARs, as it allows legacy or stale data to be included in any search of documents and inevitably inflates costs. Using built-in eDiscovery tools to search and filter data in place in combination with a data retention policy managed by multiple stakeholders (such as Legal, HR, IT, and Compliance) can mitigate the volumes of potentially responsive data, having a significant impact on downstream costs of fulfilling a DSAR.

Many key internal stakeholders are frequently unaware of the functionality available to their organization that can help to mitigate costs, such as Advanced eDiscovery (AED) in Microsoft 365, or Google Vault in Google Workspace. Using AED, a user can quickly identify relevant data sources, from mailboxes, OneDrive, Teams, Skype, and other online data sources, apply filters such as date range and keywords, and establish the potential number of documents for review within minutes. Compare this to those who have on-premise solutions, where they are wholly dependent on an internal IT resource, or even the individual data custodians, to identify all of the data sources, confirm with HR / Legal that they should be collected, and then either apply search criteria or export the data in its entirety to an external provider to be processed. This process can take days, if not weeks, when the clock is ticking to provide a response in 30 days. By leveraging cloud technology, it is possible to identify data sources and search in place in a fraction of the time it takes for on-premise data.

Many cloud platforms include functionality that means data required for a DSAR can now be searched, filtered, and, crucially, reviewed in place. If required, redactions can be performed prior to any data being exported externally. Subject to the level of license held, additional functionality, such as advanced indexing or conceptual searching, can also be deployed, allowing for further filtering of data and thus reducing data volumes for review or export.

The technology also allows for rapid identification of multiple data types including:

- Stale data
- Sensitive data types (financial information / PII)
- Customer-specific data
- Suspicious / unusual activities

By using the inbuilt functionality to minimize the impact of such data types as part of an Information Governance / Records Management program, there can be significant changes and improvements made elsewhere, including data retention policies, data loss prevention, and improved understanding of how data is routinely used and managed in general day-to-day business. This, in turn, has significant time and cost benefits when required to search for data, whether for a DSAR, investigation, or a litigation exercise. Subject to the agreement with the cloud service provider, this may also have benefits in reducing the overall volume and cost of data hosted.

With a sufficiently robust internal protocol in place, likely data sources can be identified and mapped. Now, when a DSAR request is received, an established process exists to rapidly search and cull potential cloud-based data sources, including using tools such as Labels or Sensitivity Type to exclude data from the review pool, and efficiently respond to any such request.

Migrating to the Cloud may seem daunting, but the benefits are there and can be best maximized when all stakeholders work together, across multiple teams and departments. DSARs do not have to be the burden they are today. Using tools readily available in the Cloud might also significantly reduce the burdens and costs of DSARs.

To discuss this topic further, please feel free to reach out to me at MBicknell@lighthouseglobal.com.

Matt Bicknell
April 20, 2020
Blog

Three Steps to Tackling Data Privacy Compliance Post GDPR

Recently we took Lighthouse’s legal technology podcast series Law and Candor on the road and broadcast a special live edition to our audience straight from Legaltech. One episode focused on the issue that’s at the forefront of the eDiscovery and information governance world: data privacy compliance in the post-GDPR world. Our distinguished Law and Candor hosts spoke with special guest Kelly Clay, global eDiscovery counsel and head of information governance at GlaxoSmithKline (GSK), about the key challenges or “opportunities” that GDPR, CCPA, and other burgeoning laws around data privacy have presented, and subsequently how the associated risks have permanently shifted the legal landscape.

With the two-year anniversary of GDPR’s first day of implementation right around the corner, it’s a perfect time to reflect on where we are now. Organizations around the world have become more comfortable with the idea that data governance, privacy, and security are more than just new challenges they are being forced to solve. Businesses are beginning to see the new opportunities that come from data privacy regulations as they realize the benefits that come from cross-functional stakeholders working together across all of their internal support functions.

So what are organizations doing to get a handle on the information governance side of the house and ensure compliance in this post-GDPR era? Here are three steps to take on the road to continual compliance:

- Understand where your data resides. It might seem obvious, but the number one place to start (and some would argue the most important) is taking a detailed look at your data and understanding all of the different types your organization generates, and the various locations where it all resides. Many who have already embarked on this journey have found silos during the process and encountered complications in understanding the full extent of their data and where it is. Now’s the time to use the information you gather to create a detailed and comprehensive data map that can be easily and automatically updated as new locations and new data are constantly created.
- Focus on the general principles. It’s easy to get overwhelmed in the data mapping process, especially if you’re a large organization whose employees utilize many different communication methods and IT has traditionally employed disparate storage methods for that never-ending mountain of data. Once your data map is in place, take a step back and realize you can’t tackle every potential compliance issue at the same time. Instead, continue to focus on the overall general principles like understanding where the data is flowing from and where it’s going, whether it’s email, chats, or data in the Cloud.
- Change the narrative. Historically, Legal and IT have operated separately and handled data based on the nature of their specific job functions. For example, Legal views data and information through the lens of risk management, while IT has a different approach in how it views managing and archiving data within an enterprise. With GDPR, CCPA, and likely many more privacy regulations to come, organizations need to handle data differently and understand everyone is accountable and must work cross functionally. Key players from the technology group to the procurement team to the business strategy group must change their mindset and be mindful of how they deal with data while keeping legal risk at the forefront.

Ultimately, the post-GDPR era is here to stay and organizations should treat these dramatic changes in how we view and handle data as an opportunity, not a challenge. Getting a handle on how to create an effective compliance program is a team effort that requires everyone to get on the same page, and it’s particularly important to involve your key stakeholders early on in the process.

More on this topic can be found in this article, How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery.

Lighthouse
March 18, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Background

In 2016, European companies doing business in the US were able to breathe a sigh of relief. The European Commission deemed the Privacy Shield to be an adequate privacy protection. For the next half a decade, this shield, as well as Standard Contractual Clauses (SCCs), created the foundation upon which most global businesses were able to manage the thousands of data transfers that occur in each of their business days.

Everything changed in July 2020 when the Court of Justice of the European Union gave its seismic judgment in a case generally known as Schrems II. As we will see, the decision has a particular impact on any companies relying on, or moving to, a cloud computing strategy. Businesses have been left needing to make a risk decision with seemingly no ideal outcome. Some legal, privacy, and compliance teams may be advocating for staying away from a cloud approach in light of the decision. The business teams, however, are focused on the vast array of benefits that cloud software offers.

So what is the right decision? Where does the law stand and how do you manage your business in this uncertain time? In this four-part blog series, we’ll explain the impact of Schrems II, provide practical tips for companies in the midst of making a cloud decision, give specific advice regarding companies who have, or are implementing, Microsoft’s cloud offering (M365), and offer our view as to the future.

Schrems II and Its Impact

First, let’s look at the Schrems II decision. The background to the case is well worth exploring but for the sake of brevity and providing actionable information we’ll focus on the outcome and the consequences. The key outcomes impact the two primary ways in which most data transfers between Europe and the US:

- The EU-US Privacy Shield was invalidated with immediate effect.
- SCCs (the template contracts created by the EU Commission which are the most common way in which data is moved from the EU) were declared valid, but companies using SCCs could no longer just sign up and send. A company relying on SCCs would have to verify on a case-by-case basis that the personal data being transferred was adequately protected. This process is sometimes called a Transfer Impact Assessment, although the court did not coin that phrase. If the protection is inadequate, then additional safeguards could be needed.

The consequences of the decision are still revealing themselves, but as things stand:

- The Privacy Shield (used by more than 5,000 mostly small-to-medium enterprises) has gone with no replacement in sight (although the Biden administration appears to recognise its importance with the rapid appointment of the experienced Christopher Hoff to oversee the process).
- There have been significant developments in relation to SCCs, additional safeguards, and transfer impact assessments:
  - The US published a white paper to help organisations make the case that they should be able to send personal data to the US using approved transfer mechanisms.
  - The European Data Protection Board (EDPB) published guidance on how to supplement transfer tools.
  - The European Commission published draft replacement SCCs.
  - The EDPB and the European Data Protection Supervisor adopted a joint opinion on the draft replacement SCCs requesting several amendments.

There is not a clear timetable as to when the replacement SCCs or EDPB guidance (which has completed a period of public consultation) will be finalised. The sooner the better because there seem to be inconsistencies between them. For example, the Schrems II judgment and draft replacement SCCs permit a risk assessment (i.e., it is possible to conclude that personal data might not be completely protected, but that the risk is so small that the parties can agree to proceed), whereas the EDPB recommendations seem to deal in black and white with no shades between (i.e., there is either adequate protection or there is not). It will be important to monitor which, if any, of these drafts moves and in which direction.

Whether the SCCs are supported with a risk assessment or analysis along the lines of the EDPB recommendations (or perhaps both), going forward using SCCs may be rather cumbersome, particularly in a cloud environment where the location and path of the data is not always crystal clear. Companies are therefore in something of a grey triangle, the sides of which are a judgment of the highest European Court, a draft replacement to the SCCs the Court reviewed in its judgment, and draft guidance about additional safeguards.

In part two of the series, we will offer companies some practical guidance on how to move forward in light of this grey triangle.

To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.

Lighthouse
July 22, 2020
Blog

Three Key Tips to Keep in Mind When Leveraging Corporate G Suite for eDiscovery

In the eDiscovery space, we are always spotting new trends. Our industry has seen text messages, chat message platforms, websites, and various unstructured data sources become increasingly relevant during discovery. Over the past several years, we have started to see another new trend emerge - many of our clients are using Corporate G Suite rather than Office 365.

The use of emerging technologies is part of everyday life for many companies in the space. However, we are beginning to see established biotech, healthcare, manufacturing, and retailers shift to G Suite, an area that was once almost exclusively dominated by on-prem Microsoft products. This transition introduces some new considerations around managing discovery. In this post, we talk about three impacts that G Suite data has on downstream eDiscovery workflows, and the need to factor these items into your discovery plan.

- Recipient Metadata: Gmail renders email header information in a unique format. While the last-in-time email in a given string will have all expected sender and recipient information (From, To, CC, BCC), all other previous messages exchanged in the email string will display only the sender information and will not display the recipient information. This is not a collection, processing, metadata, or threading issue. Rather, this relates to how Gmail stores and exports recipient information. This presents some unique document review challenges, as previous parts of the thread could include recipients that are not visible to the reviewer, and may include attorneys who have sent privileged communications. As a result, it is important to work closely with your project management team to create workflows related to Gmail.
- Links: Historically, we have all attached copies of documents (e.g. Word, Excel, and PowerPoint files) to an email during the normal course of business. Due to the emergence of technologies such as SharePoint and Google Drive, we now have the ability to send emails with embedded links that reference documents rather than attaching the document itself. When Gmail is exported from Google Vault, the documents referenced in links embedded throughout email exchanges are not exported. As a result, reviewers will encounter these links, but will be unable to readily view the corresponding document referenced in said link. At present, Google Vault does not allow for the mass search and export of these links. However, you do have the ability to manually pull documents referenced in these links. You should be mindful of this issue when drafting your ESI protocol, as opposing parties and regulators may request that your company retrieve these documents.
- Exported Load File: Unlike a standard PST export, when you export a mailbox or set of documents from Google Vault, you have the ability to retrieve a corresponding load file that contains metadata captured in G Suite. Sometimes, the date-related metadata extracted during processing will not align with dates exported from G Suite. There are a variety of legitimate reasons for this. You will need to determine if you want to produce the date metadata extracted from the processing platform, date values exported from Vault, or both.

All of the above items are manageable when in-house legal teams, outside counsel, and eDiscovery vendors work together to proactively implement appropriate downstream eDiscovery workflows. If you have experience with G Suite data or thoughts on managing the discovery of G Suite data, please reach out to me at ashier@lighthouseglobal.com.
March 26, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Future

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies have been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is no clear guidance on what to do currently.

It is even murkier in a cloud environment because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving. In this final part, we opine on what the future may hold.

We can expect in the first half of this year that the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even for companies adopting a “wait and see” policy in terms of taking significant steps, those companies should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.

It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers. These changes would strengthen the position of any company doing business between Europe and the US using M365.

We do not have a crystal ball, and like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us at info@lighthouseglobal.com.
March 22, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Cloud Environment

In part one of this series, we described the state of the EU-US Privacy Shield and the mechanisms global companies have relied upon to transfer data from their multiple locations. In short, a recent decision – Schrems II – invalidated the Privacy Shield and shook the foundation of Standard Contractual Clauses (SCCs). Companies are now left asking the question of how to respond.

In this post, we will share our view on how to navigate forward. If your organization is not already highly reliant on cloud software, we recommend weighing the benefits and risks of making that move. As you assess your options, keep in mind that this move may come at a higher cost because of the need to do periodic risk assessments during this uncertain time. For those already in the Cloud, the motto here is “do everything that you reasonably can.” The position no company wants to find itself in is one of stasis. It is difficult to see such a position being looked upon favourably should regulators start to investigate how companies are responding to Schrems II and the consequences that go along with it.

The touchstone is the EDPB guidance and its six-stage approach to assessing data transfers, which we recommend companies undertake:

1. Identify your data transfers: It is an obvious first step, although in practice this could prove challenging. You’ll need to know all the scenarios where your data is moved to a non-European Economic Area (EEA) country (at the time of writing this article, the UK, although out of Europe, is still under the European umbrella until at least the 30th of June).
2. Identify the data transfer mechanisms: You need to decide the grounds upon which the transfer is taking place, such as on the basis of an adequacy decision (this does not apply to the US), SCCs, or a specific derogation (such as consent).
3. Assess the law in the third country: You need to assess “if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” There is more guidance from the EDPB as to how the evaluation should be carried out (i.e., an independent oversight mechanism should exist). How effective or practical it is to suggest each company has to perform its own thorough legal assessment of the entire range of relevant legislation in any importing country is open to debate and might perhaps be considered further as these recommendations are refined.
4. Adopt supplementary measures if necessary to level up protection of data transfers: The EDPB has published a non-exhaustive list of such measures, which essentially fall into one of three categories - technical (i.e., encryption), contractual (i.e., transparency), and organisational (i.e., involvement of a Data Protection Officer on all transfers). We’ll have a look at these measures in more detail below in relation to Microsoft 365.
5. Adopt necessary procedural steps: If you have made changes to deliver the required level of protection, these need to be embedded into your operation (i.e., by means of policy).
6. Re-evaluate at appropriate intervals: This is not a job that can be completed and then left. It needs continual monitoring. There is no specific guideline as to what an appropriate interval is, but quarterly is probably a reasonable approach.

Essentially this boils down to carrying out a risk assessment and taking steps to mitigate the risks that are uncovered. If your cloud strategy includes Microsoft 365, the next part of this blog series is a must-read. We will share what Microsoft has done in response to Schrems II as well as some specific configuration options that will influence steps 4 and 5, listed above. Bear in mind that these recommendations could change and you should watch the space.

To continue the discussion or to ask questions, please feel free to reach out to us at info@lighthouseglobal.com.
March 24, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: Microsoft’s Response

In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.

For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.

It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:

- will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; and
- will compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.

Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden-Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.

So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:

- As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.
- The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.
- As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.
- When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe. More specifically, there are six areas upon which you could focus:
  - Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers.
  - Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application, which involves data being stored in the US, and decide that it could operate without that application.
  - Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.
  - Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There are a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.
  - Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.
  - Audit logs: All significant events in M365 are audited so you should put in place a review of audit logs to support any risk assessments that you complete.

It is also more than just good practice to put in place a retention policy within M365; it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR.

Microsoft is following the legal landscape closely so expect to see quick responses from them as things change. But what kinds of changes should companies expect and when? Read the final part of this blog series on what the future may hold.

To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.
December 20, 2019
Blog

Sitting at the Same Lunch Table: 3 Key Ways to Ensure Legal and IT are in Sync

Legal and IT teams do not necessarily sit at the same lunch table (to use an over-simplified high-school analogy); however, organizations can quickly run into challenges when these teams are not aligned. As corporate data volume and types continue to grow at record speed, it is critical to maintain a technology infrastructure that is not only secure, but also satisfies the legal requirements for managing information. I recently had the privilege of chatting with Craig Shaver, the eDiscovery Program Director at Hilton Worldwide, about the challenges of this electronic data mosaic and innovative strategies to enable collaboration between these groups on the Law and Candor podcast. In this blog, I will review the key challenges we discussed as well as summarize three key solutions to overcoming them in the hopes it will help align your IT and legal teams.

To level set, both teams have different priorities. Legal is generally focused on ensuring that the company’s data is protected and retention policies are upheld, while IT is looking for new ways to manage the ever-increasing volume of data to drive efficiency while maintaining budgets. So, when IT moves forward with new technology solutions, large data migrations, moves to the Cloud, or even simple contractual agreements and is not in sync with Legal due to other priorities or lack of communication, items may be missed and can create large downstream issues such as potentially responsive documents going uncollected, being slapped with spoliation charges, or costly and time-consuming rework.

Nobody wants unforeseen charges or to lose time and money, so let’s look at some solutions to overcoming these challenges by ensuring collaboration between these two teams. Begin by:

- Establishing Legal Processes and Policies – Legal needs to first ensure they have effective legal hold processes in place, clear and consistent policies on data retention, as well as defensible deletion policies. Without these in place there is no formal process.
- Ensuring Participation on Both Sides – It is important to identify and designate a legal and IT liaison to sit on various steering committees and be a part of any technology decisions, migration projects, etc. In some larger, global organizations, you may want at least two or three people from each group involved to attend these meetings, as it can be a lot of work and require travel. Legal will understand the impact on the overall eDiscovery process and can review service-level agreements and SOWs as well.
- Continuing the Ongoing Partnership and Communication – Post project, it is important to continue to meet regularly (weekly or monthly) with key stakeholders to continue to communicate around upcoming migrations, technology changes, etc., as well as build trust and further develop relationships. Legal can help IT enforce their deployment and security policies with other departments within the company as well as ensure GDPR compliance and other factors are considered when looking at new products.

Enacting these three solutions will help you ensure your teams stay in sync. When legal and IT sit at the same lunch table and stay in communication, organizations are more likely to experience seamless or near-seamless integration of processes, better understand project timelines, reduce friction between very busy teams, maintain a shared understanding of each other’s workloads and processes, as well as gain trust amongst the teams, which helps with future projects and getting folks to support one another.

To discuss this topic more, reach out to me at bmariano@lighthouseglobal.com.
December 21, 2021
Blog

Rethinking the EDRM for Today’s Evolving eDiscovery Data Landscape

The approach of a new year is often a good time to step back and take stock of the eDiscovery industry, so that we can be better prepared to move forward. One of the most dramatic changes over the past few years has been the seismic shift across the legal and corporate data landscapes. That shift has slowly been expanding the concept of eDiscovery beyond a single-litigation focus, to encompass data governance, data privacy and security, and an overall more holistic, strategic approach to review and analysis.

As we prepare to move forward in this brave new world, it’s important to understand how those industry changes affect the traditional framework of the eDiscovery process: the Electronic Discovery Reference Model (EDRM). Recently, I was lucky enough to join a panel of industry experts, including Microsoft’s EJ Bastien, TracyAnn Eggen from CommonSpirit Health, and Lighthouse’s Sarah Barsky-Harlan, to dive deeper into that specific issue. Together, we tackled questions like:

- Does the EDRM still apply in today’s more complex eDiscovery environment?
- If so, how is the evolving data and eDiscovery landscape reshaping how organizations and law firms think about the EDRM?
- How can the EDRM be used to meet today’s more complex communication, data, and business challenges?

Below are some of the key themes and ideas that emanated from that discussion:

A Brave New Data World: Dynamic Changes in eDiscovery

Since its inception, the EDRM has been the industry’s standard approach to the eDiscovery process (i.e., identification, collection, processing, review, analysis, and production of electronically stored information (ESI)). However, what we’re seeing today is that organizations and law firms now must think about eDiscovery in much broader terms than that traditionally very linear method. There are three primary reasons for this change:

- New cloud-based and Software as a Service (SaaS) systems: Enterprise systems are not nearly as controlled by the underlying organization as they used to be. Even five years ago, IT departments could more closely manage what software was installed, as well as when, how, and what upgrades were rolled out. Now those updates and installations are managed by cloud providers, with upgrades rolling out on an almost weekly basis – often with no notice to the organization. All those changes have downstream eDiscovery impacts, which must be dealt with at each stage of the EDRM process.
- New data formats: Data is no longer structured in the traditional document “family” of an email parent with attachment children. The shift to chat and collaboration platforms within organizations means that communications and workflows generate more data across multiple data sources and are much more fluid and informal. For instance, instead of an employee working on a static document saved on a desktop and then passing that document back and forth to co-workers via email, those employees may work on that document together while it’s saved on a cloud-based collaboration platform, chat about it via an in-office chat application, post updates on it via the collaboration tool channel, as well as email copies back and forth to each other. This means counsel must analyze how relevant data ties together and analyze the relationships between data sources in order to understand the full story of a communication during an investigation or litigation.
- New capabilities with eDiscovery technology: There are many new types of capabilities that are native to enterprise systems, as well as new types of analytics and artificial intelligence (AI) that can handle more data at scale. These new capabilities are allowing case teams to leverage past data on new cases and get to key data more quickly in the EDRM process.

The Impact: How Those Changes Affect the EDRM Framework

Thinking of the EDRM as a monolithic linear process that flows straight from beginning (collection) to end (production) does not fit the way eDiscovery takes place in practice anymore. There is a world of complexity within each step of the EDRM – one that is highly dependent on the data source. And the decisions made along the way for each data source at each new step will impact what happens next – often in a non-linear fashion: Sometimes that next step will send practitioners back to collection again, because they found another data source during review. Sometimes review takes place simultaneously with collection or processing phases, depending on the data source and those newer capabilities discussed above. In short, the old model of collecting all data, exporting it all, and then reviewing it all, in large chunks, one step at a time, is no longer applicable nor practical.

Instead, a “mini-EDRM” framework might make more sense, where organizations prepare workflows for the preservation, collection, processing, and review of each particular data source. Thinking of the EDRM in this way also helps the framework stay relevant and future-proof as practitioners deal with the sea-change happening across our data landscape. Practitioners need to be agile enough to handle new data sources as they pop up, for each step of the EDRM process, and then be prepared to do it all over again when someone in a deposition mentions another new data source, and to adapt it when something changes in the data source. A mini-EDRM framework would help organizations and practitioners better meet those challenges.

The EDRM and Data-in-Place

As noted above, the eDiscovery process is now much broader and has much more of an impact on organizational information governance and data-in-place than ever before. This presents an opportunity to use learnings from across the EDRM to more effectively manage data “to the left” of that traditional process. For example, if a particular data source was problematic during review, that information can be disseminated at the organizational level and help inform how that source is used within the organization moving forward. Or if practitioners notice a large volume of irrelevant data during review that shouldn’t exist in the system at all, that information can be used to redraft document retention policies. In this way, eDiscovery (and the EDRM framework) can now be a force for change over the entire organization.

Thinking Beyond a Single Matter

In today’s more dynamic and voluminous data landscape, the work we did in the past is more valuable than ever before and it can be used to inform and impact current processes across the EDRM.

This can come in the form of people and institutional knowledge: experienced and consistent staff and outside partners are an invaluable resource. These organizational experts can use their understanding and experience with an organization’s past matters, system architecture, data sources, workflows etc. to improve eDiscovery efficiency and solve current problems more effectively.

It can also come in the form of technology: when the EDRM first evolved, data analytics were a much heavier lift. The process and tools were expensive and the amount of data that they could be applied to was much smaller than today. Advancements in AI capabilities now allow us to analyze much larger volumes of data with much more accurate results. Thus, this newer, advanced AI technology is now capable of leveraging the goldmine of millions of previous decisions made by attorneys on an organization’s past matters. That work product is baked into the data, and advanced AI can use it to make more accurate decisions on current data at a much larger scale than ever before.

Tips to Keep the EDRM Applicable in an Evolving Data Landscape

- Strive to retain institutional knowledge across matters: The constantly evolving eDiscovery landscape makes continuity and retaining institutional knowledge incredibly important. Starting from scratch each time you confront a new data source or problem along the EDRM is no longer practical with today’s diversified and larger data volumes. Work to cultivate valuable partners and staff who will work to understand your organization’s data architecture, as well as the eDiscovery workflows that are effective within your environment.
- Lean on your peers: Chances are, if you’re facing a problem with a challenging data source at one stage of the EDRM, someone in your peer group has also faced the same or a similar problem. Don’t be afraid to reach out and ask folks to benchmark. Peer experience can help each practitioner learn and move forward, solving challenging industry problems along the way.
- Open the lines of communication: Because the EDRM process is much more iterative and each step impacts other steps, it is incredibly important that the people working on those steps do not work in silos. Everyone should know the downstream impacts of their decisions and workflows.
- Test… and test again: Employ a testing framework to test the impact of eDiscovery workflows on the underlying platforms, and then have a feedback loop to apply changes. This will ensure your eDiscovery program is forward-thinking, as opposed to reactive.
- Automate where possible: When striving for repeatable, defensible eDiscovery processes, predictability is key. And automation, when feasible, is a great way to achieve that predictability. Automating workflows across the EDRM will not only help improve efficiency and lower costs, it will also help minimize risk and keep your eDiscovery program defensible.
March 5, 2021
Blog

Now Live! Reed Smith's M365 in 5 Podcast Series

Lighthouse Microsoft 365 (M365) experts, John Holliday and John Collins, recently teamed up with Reed Smith to present the M365 in 5 Foundation Series on Reed Smith’s Tech Law Talks podcast. The series dives into operational considerations when rolling out M365 tools related to governance, retention, eDiscovery, and data security across a broad range of applications, from Exchange and SharePoint to all things Microsoft Teams.

Check out the lineup below and click the titles of each podcast to give them a listen.

M365 in 5 – Part 1: Exchange Online – Not just a mailbox
Discover the enhanced functionality of EXO, including new data types and the potential for enhanced governance.

M365 in 5 – Part 2: SharePoint Online – The new file-share environment
Hear about the enhanced file share and collaboration functionality in SharePoint Online, including real-time collaboration, access controls, and opportunities to control retention and deletion.

M365 in 5 – Part 3: OneDrive for Business – Protected personal collaboration
Learn about OneDrive for Business and how organizations can use it for personal document storage, such as giving other users access to individual documents within an individual’s OneDrive and acting as the storage location for all Teams Chats.

M365 in 5 – Part 4: Teams – An introduction to collaboration
Listen to an introduction to Teams and how it is transforming the way organizations are working and communicating.

M365 in 5 – Part 5: Teams Chats – Modern communications
Uncover the enhanced functionality of M365’s new instant messaging platform, including persistent chats, modern attachments, expressive features, and priority messaging, which enhance communication but can bring increased eDiscovery or regulatory risks.

M365 in 5 – Part 6: Teams Channels – The virtual collaboration workspace
Hear how Teams Channels are changing not only the way organizations work and collaborate, but also key legal and risk considerations that should be contemplated.

M365 in 5 – Part 7: Teams Audio/Video (A/V) Conferencing
Dive into the functionality and controls of audio/video conferencing capabilities, including the integration of chats, whiteboards, translation, and transcription services.

The Tech Law Talks podcast hosts regular discussions about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and other types of information technology. For more information regarding the show, follow the link here: https://reedsmithtech.podbean.com.

If you have questions about how to develop and maintain legal and compliance programs around M365, reach out to us at info@lighthouseglobal.com.
March 30, 2022
Blog

New Opportunities, New Risks: A Disrupted Workforce Reshapes the Data Landscape

In case the complexities of corporate data weren’t creating enough turbulence to keep corporate and legal teams up at night, along comes a prolonged pandemic to really shake things up. Because now, a complex data landscape has also become a complex employee landscape.

What has been dubbed the “great resignation” (approximately 38 million workers voluntarily quit their jobs in 2021) has left many companies shaken as they struggle to adapt their organizations to a reconfigured and remote workforce. With little time to plan for the risks and contingencies such a seismic shift would normally entail, companies are now playing catch-up, seeking ways to ensure proper data management, better responses to fast-moving litigation and internal investigations, and enhanced security as they grapple with offsite employees, transformative applications, and the impact of an exodus that may have caused company data to escape its bounds.

These unique circumstances present a number of challenges for companies and their legal teams alike. In a webinar with Today’s General Counsel, I was pleased to join Scott McVeigh, industry principal from Onna, to discuss the ways in which many companies have been affected. We looked at the recent workplace disruption and considered the impact: What data risks have emerged or intensified? What efficiencies or advantages? What areas of the company data environment deserve renewed focus? What steps can internal teams take to help ensure that data concerns are addressed and legal imperatives met?

A Shift to Remote Work Accelerates Transition to the Cloud

Prior to the pandemic, an estimated 20% of the U.S. workforce was working remotely. By December 2020, that number had increased to 71%. Even with offices now deemed safer as the pandemic wanes, it is anticipated that more than 51% of the U.S. workforce will continue to be remote or hybrid.

The impact of this shift has already been profound, reshaping the use, format, and storage of data. As many as 81% of organizations say the pandemic accelerated their cloud timelines as they raced to engage with new tools and applications that flooded the market to accommodate the remote workforce. Online collaboration has now become the new normal, with document sharing apps, chat functionalities, and web conferencing becoming the dominant forces that underpin daily work.

Enhanced Collaboration — A Mixed Blessing

While this shift may have resulted in some efficiencies as more informal practices took hold, the explosion of collaborative data technologies has also created significant challenges, especially for data and records management, security, and legal teams. As a result, some important enterprise areas are ripe for renewed attention and innovation:

Information governance models: The disrupted workforce has made information governance efforts more complicated—and more necessary. Remote collaboration and sharing applications mean more data in more places, making it harder for internal teams to create and maintain a cohesive vision of the data landscape to contain and control growing data volumes. Rapid data growth from both authorized and unauthorized tools and new forms of communication (think gifs, memes, and emojis) makes it easier for data to proliferate, morph, even disappear, which may call for modified or additional policies and procedures. From a data security standpoint, privacy breaches coupled with other security stressors are magnified as siloed data, a perennial problem, pressure-tests existing processes and policies.

eDiscovery and preservation imperatives: In the implementation of cloud applications, preserving and collecting data in a defensible manner has not been a top priority. More tools enabling informal, dispersed, and fluid content challenge the paradigm of traditional collection and review. Where is a particular kind of data living and who controls it? Who is the custodian or author of content in shared collaborative spaces? With so many new data types, what is now the definition of a “document” or a conversation?

Employee transitioning: As employees moved offsite or departed during the pandemic, company data may have gone with them — if not through malicious exfiltration, then just because HR and IT, with reduced teams as well, could not keep up with the onboarding and offboarding process. One top concern for organizations is that the lost data or IP could have gone to a competitor.

Training requirements: With workers at a distance, training on company privacy, security, and preservation policies — which should be intensifying — may be taking a back seat to other business priorities impacted by the pandemic. Too, cultivating a data-sensitive culture is now more difficult with employees often untethered from the norms of company data access and storage and little to no face-to-face interaction with other employees and their own managers.

Law Firms and Legal Departments Not Exempt from Disruption

To complicate matters, as companies were transformed by the pandemic, so too were the law firms and legal departments that support them. Already in a state of flux, the legal market was highly impacted by both employee departures and the migration to remote work, relatively foreign to an entrenched in-office culture. Lack of attention to document management, often a law firm weakness, has just added fuel to the fire.

The resignation-induced talent drain has likely affected workflows, adding to inefficiencies and duplicative work as corporate and legal knowledge, both in-house and outside, dissipated with the overall disruption of formerly routine processes and responsibilities. It has certainly impacted eDiscovery processes; legal professionals are still working to master the art of conducting discovery remotely from cloud-based data sources.

Bucking the Trends: Take These Steps to Reduce Risk

The disrupted workplace calls for renewed diligence, nimbleness, and a certain amount of creativity on the part of internal teams responsible for data and its management. Most of all, it requires rigorous attention to potential risks exacerbated by a still-evolving landscape.

Here are some important steps companies can take to reduce risk:

Scrutinize what may now be a very different data landscape. As in pre-pandemic times, knowing where data resides and in what format is a big part of the battle. With new tools and cloud storage locations making everything even more complex, thinking through applications and the data they generate before they roll out can save time, effort, and grief down the line. Analyze: Who uses what applications? Where does the data go and how is it stored? Who has control over it? From an eDiscovery standpoint, with so much data in play, it pays to scale efforts to potential returns; focusing on the most-used data sources is more fruitful than “boiling the ocean.”

Cultivate stakeholder partnerships. As the workforce transforms, partnerships among internal stakeholders, especially IT, compliance, data privacy, records management, and information security teams — in close coordination with business units — are more important than ever in controlling how and by whom data is created and used. Corporate silos only enhance risk, especially when workers are remote and unsanctioned applications may be proliferating. Remember, though, that data initiatives are most effective when they come from the top, especially if funding is required. Engage the C-suite as much as possible.

Improve information governance capabilities. As data pools from multiple collaborative sources and cloud applications proliferate, making prior linear processes cumbersome and expensive, a shift in focus to the left side of the Electronic Discovery Reference Model (EDRM) makes even more sense now. With the right cloud-based tools and services, as well as good information governance models, teams can perform better upstream and reduce downstream costs.

Foster a culture of data awareness and protection. Training, training, training — for both current and incoming employees — is critical. Sound policies mean nothing if employees are unaware of or don’t abide by them or don’t understand the nature of the risk they are meant to address. Educate employees on data “ownership” best practices. Encourage sound data hygiene and enhance onboarding and offboarding procedures to take data risks into account, especially those related to preservation imperatives. Remember that inbound data from new employees that works its way into the company can be just as problematic as data exfiltration.

Review and, if necessary, update records management policies. Records management policies should be considered programmatically to align with the nature of the business. Reducing company exposure by updating policy gaps that may be caused by evolving privacy regulations (e.g., GDPR, CCPA/CPRA, etc.) should be a top priority for any company’s records and data management teams. Remember that training goes hand in hand with any policy changes.

Engage experts where you need them. Data complexities of today, especially related to privacy and security, may require expertise beyond that routinely found in-house. Be sure to work with providers and experts well-versed in today’s challenges.

Leverage technology where possible, with expertise in mind. Various data automation tools can provide the power to import, manage, and modify records in ways never before possible. AI and categorization tools can be used to assess data in place, potentially mitigating the need for linear collection, processing, and review of data in discovery. Automated tools can enable a more managed examination of departing employee data. But technology not carefully deployed or without the right experts behind the scenes can diminish the potential benefits. Know what questions to ask. Be an informed and thoughtful user: implement wisely.

If you are interested in this topic, feel free to reach out to me at dblack@lighthouseglobal.com.

Daniel Black
August 17, 2021
Blog

Making the Case for Information Governance and Why You Should Address it Now

You know that cleaning out the garage is a good idea. You would have more storage space and would even be able to put the car into the garage, which is better for security, for keeping it clean, and for ensuring an easy start on a frozen winter morning. Even if you don’t have a garage, you likely have an equivalent example such as a loft or that cupboard in the kitchen, yet somehow these tasks are often put off and rarely top of the “to do” list. Information governance often falls in this category; a great idea that struggles to make it to the top ahead of competing corporate priorities.

For both the garage and information governance, the issue is the creation of a compelling business case. For the garage, the arrival of a new car or a spate of car thefts in the area is enough to push this task to the front. For information governance, the business case might be that a company is enlightened enough to realize that its data is an under-utilized asset or it might be a question of time and effort being wasted in the struggle to find the information when needed. However, these positive drivers might not be enough. Sometimes you need to look at the risk if nothing is done.

In our view, building a strong business case for information governance will be a laconic combination of both the carrot and the stick. This blog will focus on the stick because that is often the hardest factor to spell out in clear terms. We will take you on a journey through the GDPR fines that have been levied since it came into force in May 2018, show how European regulators see information governance as an essential element of a company’s data protection obligations, and give you the necessary background to prepare your business case.

Why address information governance now?

It is worth just pausing to ensure we are all talking about the same thing, so let’s define information governance. You can see Gartner’s definition here. For our purposes, we can talk in simpler terms and define information governance as “the people, processes, and technology involved in seeking to ensure the effective and efficient creation, storage, use, retention, and deletion of information.”

Now, let’s turn to the GDPR. The total of fines under the GDPR, since it came into force in May 2018, approaches €300m. The big fines usually relate to processing personal data without good reason or consent (e.g. Google - €50m), or for inadequate security leading to data breaches (e.g. British Airways - £20m). As a result, many organizations prioritize this type of work.

However, after a thorough trawl, we see a growing body of decisions where fines have been imposed by regulators for information governance failures. In our view, the top 5 reported “information governance” fines are:

€15m Deutsche Wohnen (Berlin DPA) – set aside on procedural grounds
€2.25m Carrefour (France)
€290,000 HUF (Hungary)
€250,000 Spartoo (France)
€160,000 Taxa4x35 (Denmark)

GDPR fines, in detail

The largest fine is the Deutsche Wohnen matter. In 2017, the Berlin Data Protection Authority (DPA) investigated Deutsche Wohnen and found its data protection policies to be inadequate. Specifically, personal data was being stored without a necessary reason and some of it was being retained longer than necessary. In 2019, the DPA conducted a follow-up investigation and found these issues were not sufficiently remedied and thus issued a fine of €15m. The Berlin DPA explained that Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods, as such solutions are commercially available. In February 2021, Criminal Chamber 26 of the District Court of Berlin closed the proceedings on the basis the decision was invalid and not sufficiently substantiated. The Berlin DPA had not specified the acts by the management of the company that supposedly led to a violation of the GDPR. The Berlin DPA has announced it would ask the public prosecutor to file an appeal. It would be a mistake to interpret the nullification of the fine as evidence that information governance / data retention is not an important issue for DPAs. Such an interpretation would be ignoring the fact that there is no criticism as to the substance of the findings made by the Berlin DPA in relation to Deutsche Wohnen’s approach to data retention.

Holding data without necessary purpose or not actively deleting data has been a theme of fines by other DPAs as well. In Denmark, the Data Protection Authority recommended fines for similar inadequacies as follows:

1.2m DKK (€160,000) on Taxa4x35. A DPA inspection discovered that although customer names were deleted after 2 years, their telephone numbers remained for 5 (as a key field in the CRM database).
1.1m DKK (€150,000) on Arp-Hansen Hotel Group. Personal data was being stored longer than was necessary and in breach of Arp-Hansen’s own retention policies.
1.5m DKK (€200,000) on ID Design. A routine DPA inspection revealed old customer data not being adequately deleted. Although, like Deutsche Wohnen, this fine was subsequently reduced on technical grounds, the commentary on the corporate information governance policies still holds.

In France, three fines have been imposed relating to holding customer data well past what the regulators deemed necessary:

In the Carrefour matter, there was a fine of €2.25m for various infringements including that Carrefour had retained the data of more than 28 million inactive customers, through its customer loyalty programme, for an excessive period.
In SERGIC, there was a fine of €400,000 for various infringements including that SERGIC had stored the documents of unsuccessful rental candidates beyond the necessary time to achieve the purpose for which the data was collected and processed.
In Spartoo, there was a fine of €250,000 for reasons including that Spartoo retained data for longer than was necessary for more than 3 million customers. In Spartoo, the regulators also called out that the company had not set up a retention period for customer and prospect data, did not regularly erase personal data, and retained names and passwords in a non-anonymised form for over 5 years.

Although the authorities in France and Denmark have been the most active, they are not alone. In Hungary, HUF was issued with a fine of approximately €290,000 based on the absence of a retention policy for a database containing personal data. And in Germany, Delivery Hero failed to delete accounts of former customers who had not been active on the company’s delivery service platform for years and was fined €195,000.

Other authorities may not yet have imposed fines, but their attention is turning in the direction of information governance. A number of DPAs have issued guidance, the scope of which includes data retention (e.g. the Irish DPA, in Sept 2020, on how long COVID contact details should be retained; the French DPA, in October 2020, on how long union-member files should be retained).

How to get started on your business case

There is a genuine threat to companies stalling in relation to information governance, particularly around personal data. The decisions to date represent a small percentage of the activity in this area, as many of the violations are dealt with by regulators directly. We don’t know what, if any, settlements have been agreed upon, but the decisions that we have located are helpful and instructive for building the business case for prioritizing this work.

The first thing to do is create an internal overview for why this area matters – use the above to show that there is risk and that regulators are paying attention. Hopefully, our overview will help you to identify the size of the stick. As to the carrot, that will be very company-specific, but our clients who have successfully made the case focus on the efficiency gains that can be made if information is properly governed as well as the opportunity to mine more effectively their own information for its real business value. Next, take a look at your policies and areas that may require adjustment based on the above in order to gain some insight into the scale of the activity. Now your business case should be taking shape. You might also consider looking wider than the GDPR, such as the increasing number of state data protection frameworks within the US.

We recognize this process is an oversimplification and each step requires a significant time investment by your organization, but spending time focusing on the necessity of retaining personal data, as well as the length of retention (and subsequent deletion), are critical elements in minimizing your risk.
August 23, 2022
Blog

Legal's Balancing Act: Risk, Innovation, and Advancing Strategic Priorities

As legal teams expand their responsibilities and business impact throughout their organizations, there’s a delicate balance legal professionals must strike in their roles: be better partners and balance risk.

To tease out this complex and dynamic relationship, Megan Ferraro, Associate General Counsel of eDiscovery and Information Governance at Meta, recently joined as a guest on Law & Candor.

Highlights from that conversation are below.

The legal function's bigger role

Legal departments are playing a more significant part in strategy and innovation because the role of in-house counsel has changed greatly in the past few decades. There's been a considerable shift in forward-thinking companies from viewing legal as a blocker to more of a strategic partner.

Successful legal teams are partnering internally to ensure attorneys across their organization get early signals to address potential inquiries in litigation or investigations. Additionally, companies are now hiring in-house teams to fill roles where those legal partners can identify and assess legal risk early on.

In-house counsel have become advocates for why legal deserves a seat at the table at all company levels, which contributes to the overall success of the business.

A great example of how legal is partnering with other parts of their organizations to drive innovation is through the role of product counsel at technology companies. The most effective product counsel have a deep understanding of product goals early, which helps them to identify and address legal issues more quickly and accurately. By working closely with the product team through development, updates, and deployment, they also serve as a conduit between legal and product teams to help advance projects and address potential risks.

Critical risks for legal teams today

One of the most significant challenges for in-house legal teams is keeping up with the pace of their organization’s growth—whether it’s developing products and services, forging unique partnerships, or adopting new technology and software.

Often, business teams do not appreciate how even the slightest difference in facts can contribute to different outcomes in the law. Managing the expectations of the business regarding the time it takes to do legal analysis is extremely important.

It's normal to take the time to think about these challenging issues. An important adage for the business to remember is that the law is not “Minute Rice.”

The balancing act between risk and innovation

Weighing risk and innovation requires that you keep pace with changes throughout the organization, including pivots in strategic priorities, with a variety of stakeholders. Staying ahead of these developments and allowing counsel enough time to evaluate potential impacts is key to understanding if the benefits are worth the risk, and if not, how to adjust a business plan accordingly.

Along with providing the guidance stakeholders need to assess risk and make decisions, legal teams also frequently manage how organizational data is stored and accessed with IT departments. If other teams throughout the business do not have the information they need, they can't move as fast to help the company innovate. How long to keep data, what format it is in, and who can access it are all questions that can have a huge impact on innovation.

Cross-functional collaboration

In-house counsel are increasingly working with other leaders in their organizations to inform strategic decisions, but having a seat at the table requires listening and staying connected to “clients” within the business. Strategic priorities can change very often, especially in a fast-paced environment.

Knowing not just what these priorities are but how the business interprets them and what success means to the company will contribute to the most successful legal partners for balancing risk factors and supporting innovation.

To listen to the full conversation and hear more stories from the legal technology revolution, check out Law & Candor.
July 17, 2020
Blog

Leveraging Microsoft 365 to Reduce Your eDiscovery Spend

In the early days of electronic discovery, technologies that legal teams utilized were researched and procured by specialists independent of information technology teams. Getting IT, legal, compliance, records managers, and other stakeholders to come together to discuss and strategize as a team was almost impossible. The move to the Cloud is changing that dynamic, as corporations move to address data challenges including eDiscovery, information governance, data privacy, and cybersecurity, in a more holistic fashion. When a corporation leverages Microsoft 365 (M365), they have procured a technology that not only meets their data storage requirements but provides eDiscovery, privacy, data governance, and cybersecurity features as well.

With the upside that a single platform can provide, there are also challenges including the continued growth in data and new data types that M365 presents. Most eDiscovery professionals are still working to understand how to leverage the functionality in M365 and how to incorporate it into their existing program. Teams usage, for example, has risen with the addition of 31 million new users in one month when the COVID-19 pandemic first hit. Based on that statistic, it is clear that Teams is new to many professionals and eDiscovery teams need to understand how to deal with Teams data in discovery.

eDiscovery features in M365 vary based on licensing, but can include data culling, data processing, and even some high-level review. The functionality in no way is an end-to-end solution for discovery. It can achieve some basic needs and other technologies are still required to address limitations in the platform.

M365 is also an incredibly dynamic program. It is a challenge to track modifications and updates to the system. Organizations need to invest in personnel to test their M365 environment proactively to identify potential issues that could occur in the discovery process, understand limitations, and capture benchmarking data on the time and effort certain tasks can take in the system. This information should be discussed with legal teams, as it can impact their discovery negotiations and should be considered for proportionality assessments. It’s vitally important to train internal and external legal teams on the capabilities and the limitations of the technologies.

Keeping pace with M365 often requires multiple resources. Consider having a dedicated team to test the new tools and ensure any new updates get incorporated back into your workflows. Reach out to your peers at other organizations to learn from their experiences with the tool. Working with service providers who have deep expertise in the tool and the roadmap is extremely beneficial. Microsoft is open to receiving feedback on your experiences outside of simply support tickets. In fact, there is a formal design change request option available to M365 users. Contact your Microsoft representative to learn more about that alternative.

When it comes to leveraging M365 for eDiscovery, keep these key takeaways in mind:

The explosion of data, new technology, and cybersecurity risks have all led to a continual evolution of the M365 tool.
Staying up to date with these continuous evolutions can be a challenge; be sure to (1) have dedicated resources to test new capabilities and report back; and (2) ensure these new updates get incorporated into training and workflow documentation.
Train both your internal and external teams on your M365 needs.
Collaborate with your various partners (i.e. providers, third-party vendors, outside counsel, etc.).

To discuss this topic further, please feel free to continue the discussion by emailing me at PHunt@lighthouseglobal.com.

Paige Hunt
July 19, 2021
Blog

Cybersecurity Defense: Recommendations for Companies Impacted by the Biden Administration Executive Order

As summarized in the first installment of our two-part blog series, President Biden recently issued a sweeping Executive Order aimed at improving the nation’s cybersecurity defense. The Order is a reaction to increased cybersecurity attacks that have severely impacted both the public and private sectors. These recent attacks have evolved to a point that industry solutions have a much more difficult time detecting encryption and file state changes in a reasonable timeframe to prevent an actual compromise. The consequence is that new and evolving ransomware and malware attacks are now getting past even the biggest solution providers and leading scanners in the industry.Thus, while on its face, many of the new requirements within the Order are aimed at federal agencies and government subcontractors, the ultimate goal appears to be to create a more unified national cybersecurity defense across all sectors. In this installment of our blog series, I will outline recommended steps for private sector organizations to prepare for compliance with the Order, as well as general best-practice tips for adopting a more preemptive approach to cybersecurity. 1. Conduct a Third-Party AssessmentFirst and foremost, organizations must understand their current cybersecurity posture. Given the severity and volume of recent cyberattacks, third-party in-depth or red-team assessments should be done that would include not only the organization’s IT assets, but also include solutions providers, vendors, and suppliers. Red teaming is the process of providing a fact-driven adversary perspective as an input to solving or addressing a problem. 
In the cybersecurity space, it has become a best practice wherein the cyber resilience of an organization is challenged by an adversary or a threat actor’s perspective.[1] Red-team testing is very useful to test organizational policies, procedures, and reactions against defined, intended standards.

A third-party assessment must include a comprehensive remote network scan and a comprehensive internal scan with internal access provided or gained with the intent to detect and expose potential vulnerabilities, exploits, and attack vectors for red-team testing. Internal comprehensive discovery includes scanning and running tools with the intent to detect deeper levels of vulnerabilities and areas of compromise. Physical intrusion tests during red-team testing should be conducted on the facility, networks, and systems to test readiness, defined policies, and procedures.

The assessment will evaluate the ability to preserve the confidentiality, integrity, and availability of the information maintained and used by the organization and will test the use of security controls and procedures used to secure sensitive data.

2. Integrate Solution Providers and IT Service Companies into Plans to Address Above Executive Order Steps

To accurately assess your organization’s risk, you first have to know who your vendors, partners, and suppliers are with whom you share critical data. Many organizations rely on a complex and interconnected supply chain to provide solutions or share data. As noted above, this is exactly why the Order will eventually broadly impact the private sector.
While on its face, the Order only seems to impact federal government and subcontractor entities, those entities’ data infrastructures (like most today) are interconnected environments composed of many different organizations with complex layers of outsourcing partners, diverse distribution routes, and various technologies to provide products and services – all of whom will have to live up to the Order’s cybersecurity standards. In short, the federal government is recognizing that its vendors, partners, and suppliers’ cybersecurity vulnerabilities are also its own. The sooner all organizations realize this the better. According to recent NIST guidance, “Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services.” NIST recommends focusing on foundational practices, enterprise-wide practices, risk management processes, and critical systems. “Cost-effective supply chain risk mitigation requires organizations to identify systems and components that are most vulnerable and will cause the largest organizational impact if compromised.”[2]

In the recent attacks, hackers inserted malicious code into Orion software, and around 18,000 SolarWinds customers, including government and corporate entities, installed the tainted update onto their systems. The compromised update has had a sweeping impact, the scale of which keeps growing as new information emerges. Locking down your networks, systems, and data is just the beginning! Inquiring how your supply chain implements a Zero Trust strategy and secures their environment as well as your shared data is vitally important. A cyber-weak or compromised company can lead to exfiltration of data, which a bad actor can exploit or use to compromise your organization.

3. Develop Plan to Address Most Critical Vulnerabilities and Threats Right Away

Third-party assessors should deliver a comprehensive report of their findings that includes the descriptions of the vulnerabilities, risks found in the environment, and recommendations to properly secure the data center assets, which will help companies stay ahead of the Order’s mandates. The reports typically include specific data obtained from the network, any information regarding exploitation of exposures, and the attempts to gain access to sensitive data.

A superior assessment report will contain documented and detailed findings as a result of performing the service and will convey the assessor’s opinion of how best to remedy vulnerabilities. These will be prioritized for immediate action, depending upon the level of risk. Risks are often prioritized as critical, high, medium, and low risk to the environment, and a plan can be developed based upon these prioritizations for remediation.

4. Develop A Zero Trust Strategy

As outlined in Section 3 of the Order, a Zero Trust strategy is critical to addressing the above steps, and must include establishing policy, training the organization, and assigning accountability for updating the policy. Defined by the National Security Agency (NSA)’s “Guidance on the Zero Trust Security Model”: “The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity.”[3]

Properly implemented Zero Trust is not a set of access controls to be “checked,” but rather an assessment and implementation of security solutions that provide proper network and hardware segmentation as well as platform micro-segmentation and are implemented at all layers of the OSI (Open Systems Interconnection) model.
A good position to take is that Zero Trust should be implemented using a design where all of the solutions assume they exist in a hostile environment. The solutions operate as if other layers in a company’s protections have been compromised. This allows isolation of the different layers to improve protection by combining the Zero Trust principles throughout the environment from perimeters to VPNs, remote access to Web Servers, and applications. For a true Zero Trust enabled environment, focus on cybersecurity solution providers that qualify as “Advanced” in the NSA’s Zero Trust Maturity Model, as defined in NSA’s Cybersecurity Paper, “Embracing a Zero Trust Security Model.”[4] This means that these solution providers will be able to deploy advanced protections and controls with robust analytics and orchestration.

5. Evaluate Solutions that Pre-emptively Protect Through Defense-In-Depth

In order to further modernize your organization’s cybersecurity protection, consider full integration and/or replacement of some existing cybersecurity systems with ones that understand the complete end-to-end threats across the network. How can an organization implement confidentiality and integrity for breach prevention? Leverage automated, preemptive cybersecurity solutions, as they possess the greatest potential in thwarting attacks and rapidly identifying any security breaches to reduce time and cost. Use a Defense-in-Depth blueprint for cybersecurity to establish outer and inner perimeters, enable a Zero Trust environment, establish proper security boundaries, provide confidentiality for proper access into the data center, and support capabilities that prevent data exfiltration inside sensitive networks.
Implement a solution to continuously scan and detect ransomware, malware, and unauthorized encryption that does NOT rely on API calls, file extensions, or signatures for data integrity.

Solutions must have built-in protections leveraging multiple automated defense techniques, deep zero-day intelligence, revolutionary honeypot sensors, and revolutionary state technologies working together to preemptively protect the environment.

Conclusion

As noted above, Cyemptive recommends the above steps in order to take a preemptive, holistic approach to cybersecurity defense. Cyemptive recommends initiating the above process as soon as possible – not only to comply with potential government mandates brought about due to President Biden’s Executive Order, but also to ensure that organizations are better prepared for the increased cybersecurity threat activity we are seeing throughout the private sector.

[1] “Red Teaming for Cybersecurity.” ISACA Journal. October 18, 2018. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-5/red-teaming-for-cybersecurity#1
[2] “Cyber Supply Chain Risk Management C-SCRM.” NIST Cybersecurity & Privacy Program. May 2021. https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/C-SCRM_Fact_Sheet_Draft_May_10.pdf
[3] “NSA Issues Guidance on Zero Trust Security Model.” NSA. February 25, 2021. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2515176/nsa-issues-guidance-on-zero-trust-security-model/
[4] “Embracing a Zero Trust Security Model.” NSA Cybersecurity Information. February 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

Lighthouse
May 18, 2020
Blog

Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production

Now more than ever, data security has become priority number one, especially in the context of litigation and eDiscovery. And as the worlds of eDiscovery, information governance, and cybersecurity continue to rapidly converge, cybersecurity incidents are alarmingly on the rise, showcasing all of the weaknesses in an organization’s information governance system. Addressing cybersecurity continues to be a top challenge in eDiscovery. Many are unsure if their own internal processes are safe, not to mention those of the vendors who manage their outsourced eDiscovery.

So, how can you protect your ESI all the way from preservation and collection to review and production? In a Law and Candor podcast episode, special guest David Kessler, Head of Data and Information Risk at Norton Rose Fulbright US LLP, discussed with our hosts the diverse set of challenges that arise with data security at each stage of the EDRM. Most understand the right methods start with implementing the fundamentals of cybersecurity, but some have learned the hard way that you can’t fix a house built on a shaky foundation after a cybersecurity disaster strikes. With the protection of client ESI first and foremost top of mind, here are some of the most pressing cybersecurity challenges in eDiscovery as well as actionable solutions.

Cybersecurity Challenges in eDiscovery

The intersection of information governance, eDiscovery, and data security: The nature of data has evolved such that eDiscovery and information governance naturally intersect with data privacy and security. We’ve learned that issues around data access are very similar to eDiscovery issues and the next challenge is learning how to operate the areas together cohesively.
In addition, with the shift to scrutiny on privacy and what can be done with personal data, now we know almost all cases that involve ESI have tremendous privacy concerns.

The important role eDiscovery plays in cybersecurity: Gone are the days when confidential data relevant to litigation was primarily found in email and simply on computers. Now, data is created and stored across a wide variety of mediums and the amount of data continues to grow at an exponential rate. For cybersecurity criminals, this is a gold mine of confidential data available to steal and access.

The outstanding security gaps throughout the EDRM: Historically, we’ve been focused on the responding parties’ obligations to securely undertake discovery. The business process of eDiscovery is primarily about collecting, copying, and transferring data outside of an organization, which creates concerns about securing that information at every stage of the process. Both the responding and requesting parties need to find a way to collaboratively and cooperatively work together at the beginning of a case to ensure data is protected through the entire EDRM lifecycle.

The weakest part of the cybersecurity chain is when you hand over sensitive data: How do we help clients make sure their data isn’t accidentally or intentionally taken from them during the eDiscovery process? Everyone from eDiscovery vendors to law firms has an obligation to shore up their security and organizations have a responsibility to thoroughly vet those partners as they hand over their most sensitive data.
In the EDRM, attention has shifted to making sure cybersecurity protections span the entire EDRM, and the last step that hasn’t received much attention is making sure the requesting party is taking the appropriate steps to secure the data once they receive it.

Cybersecurity Solutions in eDiscovery

Shore up cybersecurity contracts and repurpose existing security riders: When an organization engages law firms and eDiscovery vendors to handle discovery, it’s important they work closely with their data security IT team. These teams can help to repurpose some of the standard security riders from other contracts and use them to create new contracts with the appropriate protections in place.

Establish comprehensive protective orders at the beginning of cases: With respect to the requesting party, who you will ultimately be producing the data to, ensure that early in the case you’ve negotiated a comprehensive protective order that includes reasonable and proportionate requirements for the protection of data. In that protective order (and a step that’s often forgotten), follow up and confirm the data you produced has been deleted after a case is over.

Keep open lines of communication with law firms and eDiscovery vendors: Your discovery partners understand and have a significant stake in their security reputations. They have a strong motivation to work with you to execute risk assessments and other agreements that contain the necessary security provisions to ensure your data is safe at every step of the process. Also, include a breach notification order if data is accidentally lost or there’s an attack.

Focus on things you can do to strengthen your productions: Think about the most efficient ways to reduce the number of copies involved in productions where appropriate. For example, use redaction as much as possible and, consequently, fewer copies of data.
Don’t produce sensitive and irrelevant portions of data – redact it instead.

Ultimately, most people have become acutely aware of the vulnerabilities that exist in data security as it travels through the EDRM, and as law firms and eDiscovery vendors become accustomed to deeper vetting, it’s at the production stage where the biggest security vulnerabilities seem to remain. To get ahead of all aspects of potential cybersecurity failures, the use of well-written protective orders will get you a long way. Requirements in protective orders can ensure all parties take reasonable steps to protect data from third-party hackers and unauthorized access, as well as include protections based on encryption, access controls, passwords, etc.

Lighthouse
January 22, 2021
Blog

Cloud Security and Costs: How to Mitigate Risks Within the Cloud

When it comes to storing organizational data in the Cloud, a few phrases come to mind: the train has left the station; the ship has sailed; the horse is out of the barn, etc. No matter how you phrase it, the meaning is the same – the world is moving to the Cloud, with or without you. It is no longer an oncoming revolution. The revolution is here and your organization needs to prepare for dealing with data in the Cloud, if it hasn’t already. With that in mind, let’s talk cloud logistics – namely, security and cost.

First up to the Plate – Cloud Security

You might have heard the analogy circulating in technology forums recently that storing your data within the Cloud is akin to storing data on someone else’s hard drive. Unfortunately, from a security perspective, that’s not quite an accurate analogy (although life would be much easier if it were true).

Don’t get me wrong – a significant benefit of moving to the Cloud is that it allows an organization to transfer much of the day-to-day security management to a technology company with the resources and expertise to handle that risk. Thus, if you are moving to a private cloud (i.e., renting data center space for your equipment), you can ease security concerns by ensuring that the hosting company maintains widely recognized security attestations/certifications and has a demonstrated commitment to data center security in accordance with strict vendor management risk processes. And of course, there’s always the reassurance when moving to a public cloud (Microsoft’s Azure or Amazon’s AWS) that you’re entrusting your data to companies with seemingly infinite security resources and expertise. That all certainly helps me sleep better at night.

However, working within the Cloud still poses unique internal security challenges that will only amplify any of your existing security weaknesses if you’re not prepared for them. To put it another way: ISO certifications from cloud service providers cannot protect you from yourself.
Risk, governance, and compliance teams will need to identify, plan for and adapt to internal security challenges. To do so, be sure to have a change management and review approval process in place (ideally before moving to the Cloud, but if not, as soon as possible once you’ve migrated). Also, ensure that your company has someone on hand (either through a vendor or within your IT staff) with the expertise needed to manage your internal cloud security who can stay abreast of all updates and changes.

Next up – Cost

To plan for a cloud migration, all stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) should have a seat at the table and a plan in place for scaling up in the Cloud. Each team should understand the plan and process, as well as the role their team plays in controlling cost and risk for the company.

Cloud Security and Costs Best Practices

To plan for security risk in the Cloud, companies should ensure that:

- All cloud service providers are fully vetted, security certified, and have the requisite posture in place to fully protect your data.
- Company internal processes are evaluated for security risks and gaps. Have a change management and review approval process in place and ensure that you have the experts on hand to manage your cloud security practices and stay abreast of all updates and changes.

To plan for costs, companies should ensure that:

- All stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) collaborate and have a plan in place for scaling up within the Cloud when needed.
- Each team understands the plan and process, as well as the role their team plays in controlling cost and risk for the company.

Marcelino Hoyla
July 16, 2021
Blog

Cybersecurity Defense: Biden Administration Executive Order a Great Start Towards a More Robust National Framework

On May 12, President Biden issued a landmark Executive Order (“the Order”) aimed at improving the country’s cybersecurity threat defense. This Order is an attempt to create a “whole of government” response to increasingly frequent cybersecurity incidents that have wreaked havoc in the United States in recent months, affecting everything from energy supplies to healthcare systems to IT infrastructure systems. In addition to becoming more frequent, recent cyberattacks have also become increasingly more sophisticated – and even somewhat professional. In response to these attacks, the Biden administration seeks to build a national security framework that aligns the Federal government with private sector businesses in order to “modernize our cyber defenses and enhance the nation’s ability to quickly and effectively respond to significant cybersecurity incidents.” Prior to this Order, there has been no unified system to report or respond to cybersecurity threats and breach incidents. Instead, there is currently a patchwork of state legislation and separate federal government agency protocols, all with differing reporting, notification, and response requirements.

In the first of this two-part blog series, I will broadly outline the details of this Order and what it will mean for private sector companies in the coming years. In the second installment, Rob Pike (CEO and Founder of Cyemptive Technologies) will provide guidance on how to set up your organization for compliance with the Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach.
What is in President Biden’s Executive Order on Improving the Nation’s Cybersecurity

There are nine main sections to the Order, which are summarized below.

Section 1: Policy

This section outlines the overall goal of the Order – namely that, with this Order, the Federal government is intent on making “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” To do so, the Order states that the government must improve its efforts to “identify, deter, protect against, detect, and respond to” cybersecurity attacks. While this may sound like a purely governmental task, the Order specifically states that this defense will require partnership with the private sector.

Section 2: Removing Barriers to Sharing Threat Information

As noted above, prior to this Order, there was no unified system for sharing information regarding threats and data breaches. In fact, separate agency procurement contract terms may actually prevent private companies from sharing that type of information with federal agencies, including the FBI. This section of the Order responds to those challenges by requiring the government to update federal contract language with IT service providers (including cloud service providers) to require the collection and sharing of threat information with the appropriate government agencies. While the Order currently only speaks to federal subcontractors, it is expected that this information-sharing requirement will have a trickle-down effect across the private sector, with purely private companies falling in line to share threat information once federal subcontractors are required to do so.
Section 3: Modernizing Federal Government Cybersecurity

This section calls for the federal government to adopt security best practices – and is specifically aimed at adopting Zero Trust Architecture and pushing a move to secure cloud services, including “Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).” It requires that each government agency update plans to prioritize the adoption and use of cloud technology and develop a plan to implement Zero Trust Architecture, in part by incorporating the migration steps outlined by the National Institute of Standards and Technology (NIST).

Section 4: Enhancing Software Supply Chain Security

This section deals with increasing the cybersecurity standards of software sold to the government. It specifically calls out the fact that the development of commercial software “often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” It, therefore, calls for “more rigorous and predictable mechanisms for ensuring that products function securely.” Thus, this section calls for NIST to issue new security guidelines for software used by the government. These new guidelines will include encryption requirements, multi-factor and risk-based authentication requirements, vulnerability detection and disclosure programs, and trust relationship audits, among others.

Section 5: Establishing a Cyber Safety Review Board

This section establishes a federal Cyber Safety Review Board, which will convene following significant cyber incidents, providing recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices.
It will be made up of federal officials, as well as representatives from private sector entities.

Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

This section again speaks to the patchwork of differing vulnerability and incident response procedures that currently exists across multiple federal agencies. The goal here is to create a standard set of operational procedures (or a playbook) for cybersecurity vulnerability and incident response activity. The playbook will have to incorporate all appropriate NIST standards, be used by all Federal Civilian Executive Branch (FCEB) Agencies, and spell out all phases of incident response.

Sections 7 and 8: Improving Detection, Investigation, and Remediation of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

These two sections focus on creating a unified approach to the detection, investigation, and remediation of cybersecurity vulnerabilities and incidents. Section 7 focuses on improving detection – mandating that all FCEB agencies deploy an “Endpoint Detection and Response (EDR)” initiative to support proactive detection of cybersecurity incidents and establishing a procedure for the implementation of threat hunting and detection, as well as inter-agency information sharing around threat detection.
Section 8 is focused on improving the government’s investigative and remediation capabilities – namely, by establishing requirements for agencies and their IT service providers to collect, maintain, and share specified information from Federal Information System network logs.

Section 9: National Security Systems

This section requires the Secretary of Defense to adopt National Security System requirements that are at least equivalent to the requirements spelled out by the above sections in the Order.

Who Will This Impact?

As noted above, while the Executive Order is aimed at shoring up the federal government’s cybersecurity detection and response systems – its impacts will be felt throughout much of the private sector. That isn’t a bad thing! A patchwork cybersecurity system is clearly not the best way to respond to the increasingly sophisticated cybersecurity incidents currently threatening both the United States government and the private sector. Responding to these threats requires a robust, unified national cybersecurity system, which in turn requires updated and unified cybersecurity standards across both government agencies and private sector companies. This Executive Order is a great stepping stone towards that goal.

As far as timing for private sector impacts: the first impacts will be felt by software companies and other organizations that directly contract with the federal government, as there are direct requirements and implications for those entities spelled out within the Order. Many of those requirements come into play within 60 days to a year after the date of the Order, so there may be a quick turnaround to comply with any new standards for those organizations. Impacts are then expected to trickle down to other private sector organizations: as government subcontractors update policies and systems to comply with the Order, they will in turn require the companies that they do business with to comply with the new cybersecurity standards.
In this way, the Order actually creates an opportunity for the federal government to create a cybersecurity floor above which most companies in the US will eventually have to comply.

Conclusion

Detecting and defending against cybersecurity threats is an increasingly difficult worldwide challenge – a challenge to which, currently, no perfect defense exists. However, with this Order, the United States is taking a step in the right direction by creating a more unified cybersecurity standard and network that will encourage better detection, investigation, and mitigation.

Check out the second installment of this blog series, where Rob Pike, CEO and Founder of Cyemptive Technologies, provides guidance on how to set up your organization for compliance with the Executive Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach. If you would like to discuss this topic further, please reach out to me at erubenstein@lighthouseglobal.com.

Erin Rubenstein
December 22, 2021
Blog

Cloud Adaptation: How Legal Teams Can Implement Better Information Governance Structures for Evolving Software

There is much out there about cloud solutions and how they improve the lives of users, offer flexibility for expansion and contraction of business, and can lighten the lift for IT. There is even a lot of specific commentary about how cloud can help legal teams and enable change management for the department. But what about the day-to-day tasks? How does the cloud change the legal team’s work and what new governance and skills are necessary to handle that change? This blog will tackle these questions so you can be more prepared and agile as cloud technology advances.

Why does a shift to the cloud matter for legal teams?

From a practical perspective, it means having to be reactive in areas where legal has traditionally been more proactive. Things like data storage timelines and locations, internal access permissions, and document history are now ever-changing with software updates being automatically pushed to corporate software environments. Many organizations that manage on-premises software have historically had an effective software governance structure in place. They can meet, discuss upcoming upgrades and their impacts, and make decisions about when to execute a software upgrade. Now, in an agile cloud approach, upgrades come frequently, without much notice, and sometimes have highly impactful changes. Traditional governance structures are no longer sustainable given the new timing and volume of updates – sometimes hundreds in a week. Legal and IT teams now need to collaborate more often to quickly analyze any impacts updates will have on the organization and what, if anything, needs to be done to mitigate cloud security risks.

Given this, how should corporate legal teams adapt?

A typical legal department is organized around areas of expertise – you may have employment, litigation, business advice, and contracts, for example.
The department may also have a legal operations function, or a member of the team assigned to certain process improvement and/or corporate programs. One of these programs covers technology changes at an organization. It is this latter set of responsibilities that becomes much more important, and more voluminous, in an agile software environment. Analyzing the potential risks of cloud updates, advising the business on how to mitigate those risks, and changing any associated legal workflows can become a full-time or close to full-time set of responsibilities. In addition, the culture of the department must change to one that embraces frequent change, understands change management, and is consistently updating and improving processes and procedures.

Traditionally, in an on-premises environment, an IT organization would typically manage an upgrade governance structure. They would plan for a software upgrade every six months, outline the changes that are due with each upgrade, and analyze what departments it impacts and the risks of those impacts. Finally, they would present this information to a cross-functional committee who would discuss when the upgrade can be made and what kind of work needs to precede the upgrade. Legal was typically part of that committee. Now, in a cloud environment, dozens (or even hundreds) of changes get pushed out weekly and, although there may be some advanced warning, the timing isn’t as flexible, it isn’t uniform across users, and there is usually less time to prepare. In addition, changes may be pushed out, rolled back, and potentially reversed. Updates may also occur without any warning, which can contribute to the cloud challenges for corporate legal departments[1].
To minimize risk in this agile environment some specific steps can be helpful: a similar governance committee needs to meet more frequently, the analysis of impact and risk needs to be done very quickly, and changes need to be made almost immediately to ensure you get ahead of any potential impacts. Due to the frequent nature of these changes, and supervising process updates to mitigate risk associated with the changes, managing cloud updates can be more time-consumingWithout structure, these cloud updates can add stress and increase reactive work. However, with some structure and clearly delineated oversight, they can be managed more efficiently. Although many organizations may not have a structure in place, those that do pull together a committee for each enterprise technology. This committee has IT, legal, compliance, and business-focused representation. It may have multiple representatives from some of these groups, depending on the perspectives needed. The goal is for the business representative to advocate for users of the technology, the legal and compliance representatives to mitigate risk and take into account regulatory, litigation and privacy considerations, and the IT team to represent management of the platform and be a voice for the platform provider. The committee should have access to a sandbox-type environment where they can test changes and should be empowered to lead companywide changes – or at least be able to work with a project management office or other resource to make these changes.Most legal departments run pretty lean so creating a new governance structure can be a significant challenge, but there are ways to make the process easier. First, you can hire outside support to handle all, or some, of this work. 
For example, outsourcing the creation of the governance structure to manage software updates and staffing that group with your own resources or have your external partner staff and manage it until a time when you are ready to take it over. Second, instead of hiring outside support, you can share your risk concerns with IT and rely on them to raise any potential impact that upgrades may have on risk and legal processes. For example, when IT receives an email from a software provider outlining updates, they would analyze them for potential impact to legal workflows, retention policies, or any other issues you have flagged. They would then test the updates and remediate any negative impacts. Finally, you can rotate governance committee membership so that the work is being shared across your team. Whatever approach you choose, keep in mind that changes in the cloud environment are happening frequently and having someone within your company watching from a legal perspective will pay dividends when it comes to accessing data for legal, compliance, investigative, or other reasons down the line.[1] Victoria Hudgins, “Big Adjustment: Legal Departments Struggle with Lack of Control Over Cloud Technology,” Legaltech news, November 29, 2021, law.com information-governance; microsoft-365; lighting-the-path-to-better-information-governancecloud-security, cloud-migration, blog, risk-management, information-governance, microsoft-365cloud-security; cloud-migration; blog; risk-managementlighthouse
November 6, 2020
Blog

Case Preparation - Thinking out Loud! Summarized…

Long gone are the days when the majority of discovery records were kept in paper format. Documents, invoices, and other related evidence needed to be scanned and printed in the tens (if not hundreds) of thousands. Today, a huge number of discovery efforts (internal or external) revolve around digital content. Ergo, this article will highlight the collection of digital evidence and how to best prepare your case when it comes to preservation and collections as well as processing and filtering.

But, before we get into that, one of the core factors to keep in mind here is time, which will always be there irrespective of what we have at hand. It is especially complicated if multiple parties are involved, such as vendors, multiple data locations, outside counsels, reviewers, and more. For the purposes of this blog, I have divided everything into the following actionable groups: preservation and collection, and processing and filtering.

Preservation and Collection

In an investigation or litigation there could be a number of custodians involved, for example, people who have or had access to data. Whenever there are more than a handful of custodians, the location may vary. It is imperative to consider where and what methods to use for data collection. Sometimes an in-person collection is more feasible than a remote collection. Other times, a remote collection is the preferred method for all those concerned. A concise questionnaire along with answers to frequently asked questions is the best approach to educate the custodian. Any consultative service provider must ensure samples are readily available to distribute that will facilitate the collection efforts.

Irrespective of how large the collection is, or how many custodians there are, it is best to have a designated coordinator. This will make the communication throughout the project manageable. They can arrange the local technicians for remote collections and ship and track the equipment.

The exponential growth in technology presents new challenges in terms of where the data can reside. An average person, in today’s world, can have a plethora of potential devices. Desktops and laptops are not the only media where data can be stored. Mobile devices like phones and tablets, accessories such as smartwatches, the IoT (everything connected to the internet), cars, doorbells, locks, lights…you name it. Each item presents a new challenge and must be considered when scoping the project.

User-generated data is routinely stored and shared on the Cloud using a variety of platforms. These range from something as ancient as email servers to “new” rudimentary storage locations, such as OneDrive, Google Drive, Dropbox, and Box.com. Others include collaborative applications, such as SharePoint, Confluence, and the like.

Corporate environments also heavily rely on some sort of common exchange medium like Slack, Microsoft Teams, and email servers. These applications also present their own set of challenges. We have to consider not just what and how to collect but, equally important, how to present the data collected from these new venues.

The amount of data collected for any litigation can be overwhelming. It is imperative to have a scope defined based on the need. Be warned, there are some caveats to setting limitations beforehand, and they will vary based on what the filters are. The most common and widely acceptable limitation is a date range. In most situations, a period is known and it helps to set these parameters ahead of time. In doing so, only the obvious date metadata will be used to filter the contents. For example, in the case of emails, you are limited to either the sent or received date. The attachment's metadata will be ignored completely. Each cloud storage presents its own challenges when it comes to dates.

Data can be pre-filtered with keywords that are relevant to the matter at hand. This can greatly reduce the amount of data collected. However, it is solely dependent on the indexing capabilities of the host, which could be non-existent. The graphical contents and other non-indexable items could be excluded unintentionally, even if they are relevant.

The least favored type of filter among the digital-forensics community is a targeted collection, where the user is allowed to guide where data is stored and only those targeted locations are preserved. This may not be cost-effective; however, it can restrict the amount of data being collected. This scope should always be expected to be challenged by other parties and may require a redo.

Processing and Filtering

Once the data collected goes through the processing engine, the contents get fully exposed. This allows the most thorough, consistent, and repeatable filtering of data. In this stage, filtering relies on the application vetted by the vendor and accompanied by a process that is tested, proven, and updated (when needed).

The most common filtering in eDiscovery matters is de-NIST-ing, which excludes the known “system” files from the population. Alternatively, an inclusion filter can be applied, which only pushes forward contents that a user would typically have created, such as office documents, emails, graphic files, etc. In most cases, both de-NIST-ing and inclusion filters are applied.

Once the data is sent through the meat grinder (the core processing engine), further culling can be done. At this stage, the content is fully indexed and extensive searches and filters will help limit the data population even further to a more manageable quantity. The processing engine will mark potentially corrupt items, which are likely irrelevant. It will also identify and remove any duplicate items from all collected media from the entire matter data population. Experts can then apply relevant keyword searches on the final product and select the population that will be reviewed and potentially produced.

I hope this article has shed some light on how to best prepare your case when it comes to preservation and collections as well as processing and filtering. To discuss this topic further, please feel free to reach out to me at MMir@lighthouseglobal.com.

Mahmood Mir
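The processing-stage culling described above (de-NIST-ing, an inclusion filter, and matter-wide de-duplication), as an added example that is not code from the article or from Lighthouse. The item names, the sample bytes, and the hash list standing in for a known-system-file reference set are constructed, and deciding the file type from the extension is an assumption made to keep the example short.

```python
import hashlib
import os
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    custodian: str
    path: str
    content: bytes


def digest(data: bytes) -> str:
    """Content hash used for both known-file matching and de-duplication."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample content (not real files).
SYSTEM_LIB = b"MZ constructed operating-system library"
MEMO = b"Constructed pricing memo text"
PHOTO = b"\xff\xd8\xff constructed site photo"
CACHE = b"constructed application cache blob"

# Constructed stand-in for a reference list of known system-file hashes.
KNOWN_SYSTEM_HASHES = frozenset({digest(SYSTEM_LIB)})

# Assumption: user-created types are recognised by extension here.
USER_EXTENSIONS = frozenset({".docx", ".xlsx", ".pdf", ".msg", ".jpg", ".png"})

COLLECTED = [
    Item("alice", "C:/Windows/System32/example.dll", SYSTEM_LIB),
    Item("alice", "Documents/pricing_memo.docx", MEMO),
    Item("bob", "Downloads/pricing_memo (1).docx", MEMO),   # same bytes as alice's copy
    Item("bob", "Desktop/site_photo.jpg", PHOTO),
    Item("bob", "AppData/cache/tmp0001.dat", CACHE),        # unknown hash, not a user type
    Item("alice", "Documents/renamed_lib.docx", SYSTEM_LIB),  # system file with a user extension
]


def cull(items, known_hashes=KNOWN_SYSTEM_HASHES, user_extensions=USER_EXTENSIONS):
    """Return (kept_items, disposition_log).

    Every collected item gets exactly one log row with its hash and the
    reason it was kept or excluded, so the same input always yields the
    same, reviewable result.
    """
    kept, log, first_seen = [], [], {}
    for item in items:
        h = digest(item.content)
        ext = os.path.splitext(item.path)[1].lower()
        if h in known_hashes:
            reason = "deNIST"                 # matches a known system file
        elif ext not in user_extensions:
            reason = "not_user_type"          # fails the inclusion filter
        elif h in first_seen:
            reason = "duplicate_of:" + first_seen[h]  # matter-wide de-duplication
        else:
            first_seen[h] = item.path
            kept.append(item)
            reason = "kept"
        log.append((item.custodian, item.path, h, reason))
    return kept, log


def summarize(log):
    """Count dispositions, ignoring which original a duplicate points to."""
    return Counter(reason.split(":")[0] for _, _, _, reason in log)


if __name__ == "__main__":
    kept_items, dispositions = cull(COLLECTED)
    for custodian, path, h, reason in dispositions:
        print(f"{custodian:6} {h[:12]} {reason:45} {path}")
    print(dict(summarize(dispositions)))
```

The renamed system library passes the inclusion filter but is removed by the hash match, while the cache file is unknown to the hash list but fails the inclusion filter, which is why the two filters are applied together.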
September 30, 2020
Blog

Cloud Based Collaboration Tools are not Just Desirable, but Necessary for Keeping Workforces Productive

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com, where she interviews Lighthouse's Matt Bicknell.

Lighthouse business development director EMEA Matt Bicknell talks to The Lawyer about how in today’s remote environment, cloud based collaboration tools are not just desirable but a necessity – but also the challenges they pose for eDiscovery processes.

What is the driving force behind the massive migration to cloud-based environments over the last few years?

There are a few factors at play here. Prior to the Covid-19 pandemic, companies were already moving their data to the Cloud (both public and private) in droves, in order to take advantage of unlimited data capacities and drastically lower IT overhead. The move to the Cloud is also being driven by a younger workforce that feels at home working with cloud-based chat and collaboration tools, like M365 or G-Suite. However, the worldwide shift to remote work due to the pandemic really broke the dam when it comes to cloud migration. We’ve seen a seismic shift to cloud-based tools and environments since March of 2020. In a completely remote environment, cloud-based collaboration tools are not just desirable, they are necessary to keep workforces productive. Migrating to the Cloud can greatly reduce the need for workers to be physically present in an office building.

What are some of the challenges that cloud migration can pose to the eDiscovery process?

Unlimited storage capacity at low cost can be a great thing for an organisation’s bottom line, but can definitely cause issues when it comes time to find and collect data that is needed for a litigation or investigation. Search functions built for cloud-based tools are often built for business use, rather than for the functionality that legal and compliance teams require in order to find relevant information. In addition, collecting and producing from collaboration tools like Teams or Slack can be much more complicated than a traditional email collection. Relevant communications that previously would have happened over email now happen over chat, through emoticon reactions, or through collaboratively editing a document. All of this relevant data may be stored in several different places, in a variety of formats within the Cloud. Even attachments are handled differently in cloud-based applications – instead of sending a static document as an attachment via email, Teams defaults to sending a link to the document in Teams. This means that the document could look significantly different at the time of collection than it did when the link was sent. Collecting from those types of sources, producing them in a format that makes sense to a reviewer/opposing counsel, and accounting for all the dynamic variables can be a difficult hurdle to overcome if the organisation hasn’t planned for it.

How can companies prepare for eDiscovery challenges in a cloud environment?

First, make sure compliance, legal and IT all have a seat at the table and have input into decisions that may affect their workflows and processes. Understand where your data resides and have effective retention, data governance, and compliance policies in place. Your policies should spell out which cloud-based applications employees may use and also have rules in place regarding how they can be used and where work product should be stored. Understand your legal hold policy and what type of data it encompasses. Make sure you have the right talent (either within your organisation or through a vendor) who understands the underlying architecture behind Teams, G-Suite, or any other cloud-based tool your organisation uses and also knows how to collect relevant information when needed. Ensure that your IT team or vendor has a system in place to monitor application and system updates. Cloud-based updates can roll out on a weekly basis; those changes may significantly impact the efficacy of your data retention and collection policies and workflows.

As cloud technology continues to evolve, what does the future hold for eDiscovery?

Because of the near endless storage capacity of the Cloud, the amount of data companies generate will just continue to exponentially expand. As a result, the technology behind AI and analytics will continue to improve, and those tools will eventually be less of an option to use in certain matters and more of a necessity to use for most matters. I also think as more companies feel comfortable moving their data to the Cloud, we will start to see more and more of these companies bring their eDiscovery programs in house. Vendors are already beginning to offer subscription-based, self-service, spectra eDiscovery programs which hand over the eDiscovery reins to the organisation, while the vendor stores and manages the data in the Cloud (both public and private). This type of service allows companies to eliminate the middleman, control their own eDiscovery costs, and easily scale up or down to meet their own needs, while leaving the burden of data storage security and maintenance with the vendor. Finally, look for vendors to start offering subscription-based services to help organisations manage the near-constant stream of application and system updates for cloud-based services.

The Lawyer
May 18, 2022
Blog

IT at the Helm: Change Management for Cloud-Based SaaS is Key to Minimizing Risk

Cloud computing dates to the mid-1990s – so why is this relatively old concept still such a hot topic? Haven’t we figured it all out by now? And isn’t the benefit of today’s SaaS cloud environments that someone else, namely the SaaS provider, handles software management? What else is there to figure out? Having spent the last several months talking to legal, compliance, and IT professionals about their Microsoft 365 environments, I am confident that there is still a lot that corporate IT departments are grappling with. In fact, a recent survey conducted by Lighthouse of 106 IT managers and executives found that although most organizations had a change management process in place for on-premises feature updates and upgrades, and most organizations planned to have change management in place for enterprise-wide SaaS technology updates in the next five years, only 16% had something in place today.[1] To better harness this technology as it continues to evolve and to minimize risks along the way, it’s important to understand why these change management gaps exist, what their impact is, and how legal and IT teams can work together in new ways to close them.

Managing the Evolution of SaaS

The adoption of enterprise SaaS cloud technologies has only become prevalent in the last decade and growth has skyrocketed over the last couple of years. In fact, Microsoft 365 had 23.1 million consumer subscribers five years ago (Fiscal Year 2016) and that number has grown to 58.4 million. As such, IT organizations have not had to support SaaS enterprise offerings at scale until very recently and today most IT departments are supporting both on-premises and SaaS cloud environments. The first priority in supporting this explosive adoption was to implement and migrate over to the new system. It is only recently that focus has shifted toward governance and processes around these systems.

Even with a newer focus on process, one of the touted benefits of SaaS cloud technology is less maintenance and software support by the in-house IT team. Of course, there is the need to set up processes to resolve user questions and to ensure systems have been set up to facilitate the business running properly. But planning and executing hardware or software upgrades is mostly managed by a third-party provider, so there is not an urgent need to set up robust change management. In addition, the old change management process where major developments are analyzed, tested, and timed for deployment to desktops still applies to Microsoft 365.

However, using the old process for new applications can have drawbacks. First, not all updates that Microsoft or others make are configurable updates where there is a choice on how, and whether, to implement. Second, if users are logging into a web environment (as opposed to desktop apps), IT teams don’t necessarily have control over the version their users are utilizing. Finally, given that most organizations have differing levels of IT permissions, meaning some groups are upgraded sooner than others, teams must move quickly to handle unpredictable and varied update schedules. With the speed and variability of new feature updates, the old process may not be agile enough to handle them. The differences between SaaS and on-premises environments (where you have full control of the upgrade schedule) can leave some gaps even when organizations review, analyze, and test the roadmap and updates from the Microsoft Message center.

The old process often fails to prepare the business for these changes because IT, legal, and other teams are not always communicating about the broader risk or implementation implications. Because the IT team is focused on availability and scalability, it often misses how certain changes can introduce business risks outside of their ken. Solely relying on IT professionals to determine the broader impact of updates can mean that business, regulatory, and other risks outside of IT’s awareness are overlooked.

Measuring the Impact of Updates

Whether these management gaps are tolerable is a risk decision that each organization must make—one that can put the user experience in tension with a developed IT process. In discussions with legal, compliance, and information governance professionals that focus on SaaS services, handling the cadence and speed of these updates is a concern that keeps them up at night. But quickly providing users new features has considerable benefits for the business too. It’s important for IT to prioritize ensuring that users can access their business data and that the business can continue without interruption over cumbersome update management.

When weighing these risks and benefits it’s important to fully appreciate their potential impacts. An example of where these priorities conflict is highlighted in a change around Microsoft Teams meeting transcripts. In March 2021, Microsoft made an update that allows for a live transcript of certain Teams meetings. In November 2021, Microsoft expanded that functionality to Teams Channel meetings and upgraded the features of live transcripts to include name attribution to the speaker. This is helpful functionality for users and, given that it is an automatic upgrade, there may be little to do from an IT perspective. From a risk and legal perspective, however, there are a couple of key considerations. First, where is the transcript stored after the meeting and do retention policies apply? Second, is the data subject to ongoing regulatory or litigation requests and how is it accessed? The answers to those questions are complicated by the fact that the location of the data depends on whether a user downloaded the transcript after the meeting. Many IT organizations caught this change by reviewing the Microsoft Message center for updates—and in doing their own testing they determined that disabling the functionality was the best course of action. This was an update with obvious data ramifications that outweighed the potential benefits in a risk assessment from both IT and legal. For updates that are less obvious, IT may not have consulted legal. For updates where the value to users may seem to outweigh the risk, where the risks aren’t initially apparent, or when there are no configuration options—IT may have a more challenging decision to make.

Reimagining a Change Management Process

Having a cross-functional framework in place to discuss and implement these types of updates is key to managing changes. Many organizations have some sort of accountability in place around updates—an individual or group of people are responsible for reviewing the Microsoft Message center. Although this structure is lower in cost and requires fewer resources, it has a few drawbacks. First, if only IT is involved, you may have only one perspective on the impacts of updates and that can be too narrow to determine the effects on the broader business. Second, many organizations do not have a tracking mechanism to determine what Microsoft updates they have read, evaluated, tested, and taken action against. With dozens of messages, many of which don’t need action, it is easy to lose track of what has been evaluated. Finally, if there isn’t clear accountability with dedicated resources, the process can lose legitimacy and fail. Organizations who choose to minimize their business risk do not have to put in place a heavy structure to manage updates. In fact, the process around on-premises software upgrades can easily be adapted to the cloud situation.

The single most important thing that an IT team can do for an effective SaaS support practice is to adapt and enforce existing change management and organizational controls. More specifically, IT organizations should consider:

- Dedicating a resource to track and review changes from service and cloud providers to ensure updates and changes are properly evaluated for risk and business continuity.
- Relying on a robust change management system with stakeholders throughout the organization to provide clearly articulated approval, risk identification, testing, and risk management.
- Partnering with your compliance team to ensure adherence to governance frameworks, organizational commitments, and client requirements. The compliance function is trained to manage risk and is uniquely chartered with authority and independence with a company’s governing body.
- Collaborating with legal. Lawyers are trained to spot issues and manage risk for the entire business. Oftentimes, individual departmental stakeholders are responding to team-level incentives. Legal teams are also learning to adapt their governance structures to evolving cloud solutions.
- Leveraging the Project Management Office to ensure that stakeholders and risks are identified at the start of any specific project (i.e., measure twice, cut once).

One of the most effective ways to get the right stakeholders’ input is to create a Change Approval Board (“CAB”) with subject matter experts from every business group to meet on a periodic basis. The CAB provides a framework that ensures IT has input from across the business while still giving it the opportunity to own and manage the support of the software.

One of the benefits of SaaS technologies is the ability to utilize and optimize with the newest features and to take some of the hardware management burden off IT. By putting in place a cross-functional team to review and manage the update process, you can mitigate your organizational risk while allowing users to take full advantage of the benefits.

[1] In February 2022, Lighthouse surveyed 106 IT managers or above who had Microsoft on-premises and now have Microsoft 365. The survey found that only 16% had implemented a change management process for M365 and 62% of organizations planned to implement one in the next 5 years.

Lighthouse
October 12, 2022
Blog

As Employees Move, Keeping Data in All the Right Places Is Crucial

As the corporate workplace continues to evolve—encompassing hybrid work environments, bring your own device policies, and cloud-based storage—companies are well-advised to consider areas of increased vulnerability and whether their policies, procedures, and forensic tools are keeping pace with reality. A hybrid or remote workforce and a more collaborative data infrastructure only exacerbate data risks that were easier to manage when employees were comfortably situated at their desks. Adding even more complexity to these risks are broader labor trends, including “the Great Resignation and Reshuffle” and an aging workforce, which are changing staffing and recruiting strategies and impacting knowledge transfer and IP creation.

Employee intake and departure: crucial points of data security

Two areas likely needing renewed attention are the moments of employee onboarding and offboarding, when a company’s most prized assets—people and data—are on the move. Departing employees present a particular risk as the potential for data exfiltration of IP and other sensitive information, whether intentional or not, is high. Often, employees take corporate IP with them inadvertently, a situation bound to get worse as turnover rates grow (Gartner anticipates a 20% jump in turnover from the pre-pandemic national average).

Since people usually take jobs similar to the ones they leave (and often with competitors), taking company data along with their coffee mug and potted plant may seem justified (I wrote this stuff, so it’s mine)—or simply inconsequential. Cloud storage services such as Dropbox, Box, or Google Drive, and collaborative apps such as Microsoft Teams or Slack make it all the easier to appropriate files, lending credence to a feeling of personal data ownership. No matter how it happens, the escape into the wild of proprietary items such as source code, strategy documents, contact lists, and financial information exposes the company to untold risk, including the danger of running afoul of any number of privacy regulations if personal data is exfiltrated from its protected environment—an additional headache for the company if things go south.

Are current entry and exit protocols enough?

Although most companies have entrance and exit protocols usually siloed as HR and IT functions, the recent surge in employee turnover has put those very teams under pressure as they face their own personnel and budget deficits. Further, responsibilities have become less defined at a time when offboarding tasks—many now carried out at a distance—should be fortified to include proactive data monitoring and oversight, activities such teams may not be equipped to handle. The challenge, of course, is the growing complexity of the data landscape. Knowing what information is where, who accesses it, and for what purpose becomes more difficult to track as software and storage options grow, yet this is key to keeping important data protected.

Data security: start training early and reinforce often

Onboarding procedures can play a key role in keeping data where it belongs and helping employees navigate through and understand their responsibilities in this increasingly intricate data terrain. First, a sound onboarding protocol can ensure that new employees aren’t bringing troublesome data into the environment. No company wants to deal with the fallout of being in possession of some other company’s IP or sensitive information. More importantly, onboarding offers the most opportune time to clearly communicate expectations regarding data management and safety—information that should be reinforced with frequent (and up to date) training that emphasizes data protection and ownership. It's easy to forget as time goes on what data may be confidential or sensitive, and even easier to forget that data belongs to the business, not the employee. In short, data awareness should be instilled as part of the company culture right from the start.

Seize the moment: identify and monitor offboarding risks

The recent and ongoing workplace disruption calls for a hard look at offboarding data risks and an evaluation of potential vulnerabilities to protect data before an employee leaves the company, bolster the exit protocols to have in place when they do, and have the proper forensic and analytic tools to handle data monitoring and address potential wrongdoing. Most companies do have standard offboarding checklists that address employee assets, data access, and preservation obligations as they leave the company. But there’s more to data protection at this crucial moment than ticking off boxes.

Expand and optimize the offboarding checklist

Savvy companies implement a more proactive, programmatic approach that begins earlier, with monitoring procedures that include defensible and repeatable processes to guard against the exfiltration of company data while helping to fortify the company’s position in case of a breach. A few important things to consider as part of the offboarding process:

- Know which employees warrant departure attention. Develop risk profiles with business stakeholders to identify which classes of employees, whether based on role, circumstance of departure, seniority, or access to sensitive information, could present an exfiltration risk.
- Understand the company’s data landscape. Make sure there are mechanisms in place for tracking where sensitive data and IP may reside and when such data has been accessed.
- Explore activity and assets with the employee prior to their departure. An expert, friendly review of a departing employee’s recent computer activity with the employee, including an audit of their recent network activities, use of peripherals, cloud uploads, and email sends, can reveal and help mitigate potential trouble.
- Preserve employee devices and data as warranted with state-of-the-art forensic tools. Forensic preservation is critical to ensuring valid evidence down the line, especially since investigations today regularly involve new and novel devices, data sources, and artifacts that must be diagnosed and understood.
- Document all offboarding information. A paper trail of findings during the exit procedure is important if further analysis is recommended or necessary and will be crucial for subsequent investigation, if it comes to that.
- Have a plan if there is evidence of wrongdoing. Part of any data security effort is having an action plan to execute if there are signs of a breach. Preservation, collection, and a forensic analysis may be required should legal action ensue.

Conclusion

The recent upheaval in employee turnover along with more collaboration tools and storage options present increasing risk for today’s enterprise. Companies that acknowledge new vulnerabilities and leverage opportunities to revamp outdated policies and protocols are better positioned to stop data exfiltration before it becomes a problem. The best solution: Implement robust onboarding and offboarding solutions that include data monitoring, reporting, and forensic analysis to enable a quick pivot to actionable remediation steps if trouble is brewing.

Daniel Black
June 29, 2021
Blog

An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations

Increasingly, opportunities for cloud-based collaboration and efficiencies, and challenges presented by the rapid proliferation of complex data, are incentivizing organizations to transform their corporate data governance and eDiscovery operations from traditional self-managed infrastructure to the Microsoft 365 (M365) Cloud. Benefits in terms of convenience, security, robust functionality, and native capabilities related to eDiscovery and compliance are the primary drivers of this move.

While there are many benefits to moving into the M365 ecosystem, it requires legal and compliance teams to take on new considerations regarding the constant evolution that characterizes cloud software. With continually changing applications, establishing static workflows for eDiscovery, legal holds, data dispositions, and other legal operations is not enough. As the M365 software and functionality changes, workflows must be constantly evaluated to ensure their validity, relevance, and defensibility.

Exacerbating this challenge is the reality that the traditional IT change management paradigm designed to preemptively address cross-organizational considerations (including impacts to legal, compliance, and eDiscovery operations) does not fit the Cloud/SaaS framework. Organizations must now rethink their change management approach as they modernize with M365.

This is the first in a series of blog posts devoted to highlighting key changes that have been released into the M365 production environments. One of the biggest challenges for organizations is identifying which of the myriad of updates pose potential risks to eDiscovery operations. Distinguishing the changes that do and do not pose a significant eDiscovery impact can be extremely difficult unless the reviewer has some level of subject-matter expertise and understands the specific workflows deployed within the organization.

Here are some common scenarios with potential eDiscovery impact that could easily go unnoticed by the untrained eye:

Updates that create a new data source
Updates that change a backend data storage location
Updates altering the risk profile of features that were previously disabled due to legal / privacy risk
Updates that render an existing eDiscovery process obsolete

Each subsequent blog post in this series will highlight an example of a software update related to our key software scenarios, detailing the nature of the change, the potential impact, as well as when and why organizations should care.

Lighthouse
October 27, 2020
Blog

Achieving Information Governance through a Transformative Cloud Migration

Recently, I had the pleasure of appearing as a guest on Season 5, Episode 1 of the Law & Candor podcast, hosted by Lighthouse’s Rob Hellewell and Bill Mariano. The three of us discussed cloud migrations and how that process can provide a real opportunity for an organization to transform its approach to information governance. Below is a summary of our conversation, including best practices for organizations that are ready to take on this digital and cultural cloud transformation process.

Because it is difficult to wrap your head around the idea of a cloud transformation, it can be helpful to visualize the individual processes involved on a much smaller scale. Imagine you are simply preparing to upgrade to a new computer. Over the years, you have developed bad habits around how you store data on your old computer, in part because the tools on that computer have become outdated. Now that you’re upgrading, you have the opportunity to evaluate your old stored data to identify what is worth moving to your new computer. You also have the opportunity to re-evaluate your data storage practice as a whole and come up with a more efficient plan that utilizes the advanced tools on your new computer. Similarly, the cloud migration process is the best opportunity an organization has to reassess what data should be migrated, how employees interact with that data, and how that data flows through the organization before building a brand new paradigm in the Cloud.

You can think of this new paradigm as the organization’s information architecture. Just like a physical architecture where the architect designs a physical space for things, an organization’s information architecture is the infrastructure wherein the organization’s data will reside. To create this architecture effectively, you first must analyze how data flows throughout the company.

To visualize this process, imagine the flow of information as a content pipeline: you’ve got a pile of papers and files on your desk that you want to assess, retain what is useful to you, and then pass on to the next person down the pipe. First, you would identify the files you no longer need and discard those. Next, you would identify what files you need for your work and put those aside for yourself. Then you would pass the remaining pile down to the next person in the pipeline, who has a different role in the organization (say, accountant). The accountant will pull out the files that are relevant to their accounting work, and pass the files down to the next person (say, a lawyer). The lawyer performs the same exercise for files that are relevant to their legal role, and so on until all the files have a “home.”

In this way, information architecture is about clearly defining roles (accounting role, legal role, etc.) and how those roles interact with data, so that there is a place in the pipeline for the data they utilize. This allows information to flow down the pipeline and end up where it belongs. Note how different this system is from the old information governance model, where organizations would try to classify information by what it was in order to determine where it should be stored. In this new paradigm, we try to classify information by how it is used – because the same piece of content can be used in multiple ways (a vendor contract, for example, can be useful to both legal and accountant roles). The trick to structuring this new architecture is to place data where it is the most useful.

Going hand-in-hand with the creation of a new information architecture, cloud migrations can (and should) also be an opportunity for a business culture transformation. Employees may have to re-wire themselves to work within this new digital environment and change the way they interact with data.

This cultural transformation can be kicked off by gathering all the key players together and having a conversation about how each currently interacts with data. I often recommend conducting a multi-day workshop where every stakeholder shares what data they use, how they use it, and how they store it. For example, an accountant may explain that when he works on a vendor contract, he pulls the financial information from it and saves it under a different title in a specific location. A lawyer then may explain that when she works on the same vendor contract, she reviews and edits the contract language, and saves it under a different title to a different location. This collaborative conversation is necessary because, without it, no one in the organization would be able to see the full picture of how information moves through the organization. But equally important, what emerges from this kind of workshop is the seeds of culture transformation: a greater awareness from every individual about the role they play in the overall flow of information throughout the company and the importance of their role in the information governance of the organization.

Best Practices for Organizations:

Involve someone from every relevant role in the organization in the transformation process (i.e. everyone who interacts with data). If you involve frontline workers, the entire organization can embrace the idea that the cloud migration process will be a complete business culture transformation.

Once all key players are involved, begin the conversation about how each role interacts with data. This step is key not only for the business cultural transformation, but also for the organization to understand the importance of doing the architecture work.

These best practices can help organizations leverage their cloud migration process to achieve an efficient and effective information governance program.

To discuss this topic further, please feel free to reach out to me at JHolliday@lighthouseglobal.com.

Lighthouse
April 10, 2020
Blog

Adopting a Compliant & Defensible Remote Collections Strategy

One of the unanticipated consequences of the COVID-19 pandemic, and the ensuing shift of office employees being forced to work from home, is the impact on counsel who must continue to direct forensically defensible collections for eDiscovery, investigations, and regulatory response scenarios. As employees adjust to remote work, they are increasingly commingling personal data sources, home networks, and corporate data, which in turn creates a wealth of new data sources that will need to be collected as potentially-relevant ESI.

In my recent webinar, I discussed this significant shift to the “new normal” of digital forensics and how information governance policies and IT security practices should be proactively extended to remote employees, as well as ways to mitigate future complications around forensic collections that will now need to be almost exclusively remote. Here are a few of the most important aspects to consider on how working from home impacts digital forensics, and practical workflow strategies for handling remote ESI collections.

Working from Home: The Digital Forensics Impact

There’s a behavioral impact that automatically comes with working entirely from home, with less delineation between the workday and home life, and subsequently more temptation to use your work laptop for personal reasons. This behavioral impact is also mirrored in the reverse scenario where personal devices become more convenient to use for work. Although we were already seeing quite a bit of intermingling of data pre-COVID-19, this habit is dramatically increasing as home has quickly become the only workplace and there hasn’t been time for organizations to adopt new IT policies to tackle these issues.

With the advent of this new remote workplace era, data (mis)management will remain with us for future matters and there will be a permanent impact on collections going forward. Among the top adjustments that need to be made: custodian questionnaires must be enhanced to scrutinize whether any relevant work-related data or communications reside on the custodians’ home devices. The same scrutiny will need to be applied to personal data potentially residing on work laptops as the opportunities for this type of data intermingling or “contamination” will undoubtedly continue to increase.

ESI Collections: Practical Workflow Strategies

Even though we’re currently not able to travel onsite to acquire device and data source evidence, we can continue collections by relying on sound and defensible forensic remote strategies that are already in place. Collections from the Cloud are status quo and conducted remotely by definition, but for other ESI sources, we will favor targeted and logical collections over full physical forensic images.

For remote collections on premise at an office that’s closed, if there’s a skeleton IT crew in place, screen sharing can be utilized to mimic the exact scenario of a digital forensics professional being onsite to help load a hard drive or provide access into a server. For custodians sitting at home, the same process can apply and technical guidance can be provided remotely. If shipping is a safety concern, data can be uploaded by secure encrypted file transfer protocol (FTP) using software that can resume broken uploads or by utilizing fast data transfer solutions such as Aspera. Whether figuring out a safe way to transport encrypted hard drives back and forth or using remote data transfer technology, we’ll need to plan for increased turnaround times due to varying upload speeds from home and/or decontamination procedures that are implemented for shipping protocols.

Key Takeaways

As company and personal custodian data commingling grows during COVID-19, a permanent shift is happening in digital forensics and eDiscovery. From a legal standpoint, it’s settled that company-related communication on personal devices is subject to discovery, thus custodian interviews and other information-gathering techniques to identify the relevant scope of a collections effort must be enhanced. And although data preservation and evidence acquisition tasks may take longer to conduct when onsite collections are not an option, the technology is already in place to ensure forensically sound and defensible remote collections now and in the future.

To discuss this topic further, please feel free to reach out to me at JBui@lighthouseglobal.com.

Lighthouse