How Evolving Media Types and Cybersecurity Concerns Impact E-Discovery

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

The sheer volume and complexity of data, the availability of AI for review, heightened concerns about privacy and security are the primary factors shaping the evolution of e-discovery.

This roundtable discussion features:

• Christine Payne, litigation partner at Kirkland & Ellis and vice chair of the firmwide Electronic Discovery Committee;
• Heather Kolasinsky, senior counsel, Humana and a member of the litigation and investigations team with a focus on electronic discovery, information governance and legal operations;
• Amy Mushahwar, partner, Davis Wright Tremaine LLP, handling data privacy, security, and management; and
• Julia Brickell, executive managing director and general counsel at H5, an information retrieval and e-discovery service provider, share their experience and insight on the evolving nature of e-discovery and its intersection with AI, cybersecurity and privacy.

Cybersecurity Law & Strategy editor-in-chief Adam Schlagman, served as the moderator.

Q: E-Discovery is pretty much a staple in litigation, but it's facing some pretty significant change agents as new data sources and new review methods (using AI, for example) evolve. How is this affecting the role of counsel?

CP: Obviously, keeping up with developing technology allows you to recommend cutting-edge tools for your clients where appropriate. And a tool may be shiny and new, promising efficiencies in terms of time and cost, but what are you giving up strategically if you choose to use it? Now more than ever, lawyers must be able to explain the strategic implications of a given technology (and most still cannot).

JLB: Very true, Christine. The ability to explain the impact of technology choices is something we need to be cognizant of, as the rules of professional responsibility call for full communication with clients about the implications of such choices. Separately, as in-house counsel, we need to stay aware of new technologies our business colleagues use to create, communicate or store information because that information needs to be managed and, in the event of litigation, preserved and collected. That is something on the legal radar, but often not on the business radar. Yet early consideration allows preservation and retrieval to be addressed in initial contractual arrangements at a lower cost than if requesting a time-sensitive change in services.

HK: Not seeing it yet, but trying to educate myself on blockchain and other emerging technology. Lawyers that work in e-discovery are routinely educating themselves on the relevant technology and then figuring out a way to distill it to our peers that may not live in e-discovery every day.

AM: I'm a data privacy, security and information management attorney. I'll leave the e-discovery brilliance to the litigators. But, I am seeing an increased pressure for digital architecture to legal risk translation. This is often very difficult for a legal audience without a technical background. For example, how can attorneys understand if they have the relevant logs to evaluate a data breach, if they do not know the points at which network appliances, systems, and applications should be logging—physically, virtually and in the cloud?

Q: Equifax, Yahoo, eBay—it seems there's another breach every day. This must be putting security departments on edge. Are reverberations being felt when it comes to e-discovery? What is counsel's role in addressing protection here?

CP: One challenge is how to quickly identify and preserve necessary data that has a short life span but will be critical for data-breach investigations. Here we're thinking beyond standard server-side data or email and talking more about log data that rolls off periodically. We often tell clients to preserve all of their logs in data-breach situations, but that gets expensive very quickly. It could mean that clients need to temporarily scale up in storage, or it could mean that targeted preservation is the better option. In certain circumstances, a cloud-based solution might make sense. Counsel needs to be prepared to jump into a crisis and educate the client as to the data types that are potentially relevant to a data-breach investigation, and work with them through reasonable steps for preservation and effective analysis.

HK: It seems like every few years there is the new big thing in the law. Cyber became the hot topic for boards and chief legal officers a few years back. There was (and continues to be) a push to make sure any vendor, service provider, law firm or other provider that holds or transmits company data or accesses your systems is compliant with your company's standards. Counsel needs to form a relationship with the company's security/ information protection/ IT department and then work as a conduit between the outside legal vendor and company's IT department. In-house counsel has to advocate and motivate law firms and legal services vendors to comply with the standards.

JLB: Protecting data from breach has certainly become of paramount importance and should be top of mind for any company—be it an e-discovery vendor or other service provider that handles data of its clients or a company handling its own sensitive information. It is helpful if outside counsel is savvy and communicative about the regulatory and compliance schemes that apply to the data that will be transferred. That enables service providers to respond appropriately and facilitates alignment between the service provider and the outside counsel; otherwise outside counsel may be focused on speed and ease of access whereas the nature of the data may require additional steps counsel doesn't duly appreciate.

AM: Information security breaches are putting security departments, business teams, senior executives and the boards of companies on edge. Safeguarding consumer data, company confidential data and intellectual property is a paramount concern for all companies, and reverberations are being felt in the e-discovery industry in a number of ways, such as:

• Certifications: E-discovery providers are now actively seeking various security certifications to win business (e., ISO, PCI-DSS, HiTech, NIST)).
• Client Audits: E-discovery providers are finding that clients are: 1) preparing due diligence security audit questionnaires pre-engagement; 2) reserving the right to audit for security compliance; and 3) acting on their audit rights to monitor compliance.
• Security as a Discovery Dispute: Companies can be reluctant to release underlying consumer data in discovery and fear that opposing counsel might not be a good steward of that data.
• Security Discussions Occur in E-discovery Services Delivery: E-discovery providers are finding that they have to discuss security-specific workflow at the outset of an engagement and during performance of services. For example, e-discovery providers are asking questions such as: who will manage access provisioning and terminations for reviewers, what should be done with malware-infected files that must be processed for review and is the reviewing law firm capable of receiving regulated data?

Q: The GDPR, going into effect this May, affects how an organization must secure data and respond to a breach if it retains personal information of any EU individuals. There are some pretty stringent demands with very short timelines. Is this affecting e-discovery processes?

CP: New security requirements and breach responses are important, but data-transfer requirements remain the paramount concern for discovery planning when you're talking about GDPR. It is crucially important that clients understand and are able to document where their data is housed. This is true both for self-hosted data and data held by a third party. Of equal importance, clients need to understand what their data contains. Personal information? Trade secrets? Other sensitive information? Clients, outside counsel, and service providers must collaborate even earlier in the lifecycle of a matter. Together they must think strategically about what can be collected, how data can be assessed (and by whom), and how they can review and transfer data across borders. In reality, you need a soup-to-nuts game plan before any parts of the e-discovery process can start moving.

JLB: GDPR is imposing significant requirements on those in the United States to whom EU personal information is transferred. And the work to get ready for GDPR compliance should be underway now. Clients should push the obligation to comply with GDPR onto their service providers. There are data inventories and data flows to prepare so that every location of the personal data is known. The data must be handled throughout in accordance security standards that would pass muster for the numerous EU data privacy authorities. And more. And there are novel outcomes that need to be achieved—for example the ability to find and remove all references to an individual's personal data pursuant to the data subject's “right to be forgotten.”

AM: I agree with both Christine and Julie. To add a few slight points here, the GDPR will require more discipline from companies engaging e-discovery providers. Often, e-discovery providers must be ready to receive all forms of data that could be relevant to a case — without a true understanding of what privacy and security standards might apply to that data. Given the stringent fines that could result from violating the GDPR, savvy companies and counsel are likely to run more onsite test searches and planning to determine if data should be transferred to the e-discovery provider. Given that more discovery planning is becoming necessary, data savvy counsel must get more comfortable communicating the time needed to plan the discovery process responsibly to ensure underlying data security and regulatory compliance.

Q: The traditional e-discovery data model is also changing as IoT and AI ascend. It's not just Word docs and spreadsheets anymore—there could be Fitbit data for the Worker's Comp case, digital data from the driverless car, voice recordings from Alexa—all potentially assessed for relevance by AI algorithms. What changes do you see due to the evolution of such data types, sources and review methods?

CP: We've been talking about IoT for several years but haven't really seen major penetration into e-discovery practice thus far, at least not in large-scale litigation. There are outliers, to be sure. For the most part, however, evidence in hotly-litigated cases still focuses on person-to-person communications or financial inputs, as opposed to IoT data. That said, lawyers must remain vigilant and be on the lookout for opportunities to use new tools creatively. We just finished a project where we coupled auto-transcription of audio/video files with analytic sorting, which was a great way to use new technology to more efficiently handle and sort an old data type.

HK: I view the new IOT data sources as being new forms of structured data. Or maybe I just tell myself that to make it feel more attainable. I also think with all of the new IOT data sources there is going to be further need for counsel to collect data in such a way in order to take advantage of the changes to the Federal Rules of Evidence 902(13) and (14) allowing evidence that is self-authenticating by a written certification as opposed to a witness at trial.

JLB: New sources of data often need to be preserved and collected by specialists. We see relatively little appearance in litigation until business and consumer use becomes prevalent. Facebook became an active source of information in matrimonial and worker's comp cases but has comparatively little focus in other business litigation. Typically, new applications and forms of communication bring new preservation, collection and analytic challenges. I anticipate the use of technology, including technology-assisted review in its many forms, will continue to grow as these sources evolve.

AM: As a data privacy, security and management specialist, I'm seeing this issue on the product counseling side of my practice. Companies are evaluating what data points their products are collecting, storing, generating and transferring. Where possible, companies are trying to anticipate the data points that could be valuable to litigators within discovery and the government in the subpoena process. Companies are making tough calls regarding their ability to store data, for how long and how to search stored data once collected.

Q: Are new data sources and the AI tools now available to use for e-discovery impacting the litigation process itself? How?

CP: Yes, absolutely. The more you learn about your client's data and the other side's data at the very beginning of a case, the better. It allows you to make strategic choices about what type of technology you might use, and what you'd like to see from the other side. Of course, as the mousetraps get better, expectations rise too. It's important to remind clients, opposing counsel, and courts that even with the rise of AI, there remains a lot of human work to be done within the e-discovery process.

HK: I can put in place certain cyber requirements with my service providers, but once data is produced to the other side I have to hope that their law firms and legal services providers are also taking some precautions around data security. I see conversations around data security becoming part of the meet and confer.

JLB: I also see impact in the burden on counsel to stay abreast of changes in technology and to understand what particular technologies can and cannot do well. In addition, we need to understand the competences needed to deploy the technology effectively and efficiently and ensure that those competencies are being deployed. We need to know, or align with a team that knows, how to measure the results to understand what has actually been achieved so we can determine if we've met our goals and our obligations. As we turn to technology, we may lose the ability to understand the inputs and biases that are imbedded in decision-making. The algorithms that drive a software's decision-making are often intentionally opaque. And even if we could see them, most of us wouldn't understand them. Yet there are strengths, weaknesses, and biases that are implicit in pre-programmed inputs and that play out based on use. Measurement of results—what the output tells you and what it doesn't—provides the basis for ascertaining if we are meeting our goals and obligations.

AM: I can't speak to the use of specific technologies within e-discovery record processing and recall. However, I can say that more clients are coming to me with data security concerns while data is held for purposes of e-discovery and subpoena response processing.

Q: What do you see as the biggest future data challenges that counsel and their service providers will have to address?

CP: I'd really like to see the bar up its collective game in terms of advocacy in e-discovery. It's only going to get harder as data types and analytics systems become collectively more complex. If you've ever listened to oral arguments on e-discovery issues, you know what I mean—the judges are bored before they walk in the room, and lawyers are tongue-tied within 30 seconds of speaking. Both written and oral advocacy within the sphere of e-discovery are specialized skills. Clients need to demand talent here, which will in turn drive results within the bar.

HK: For me, it is always going to be cost. Volumes of data are growing every year and with the new data sources there is more to potentially have to preserve, collect, review and ultimately produce. As IOT grows so does the data volumes and e-discovery cost. I think it is going to create further consolidation of the legal services market.

JLB: I'd say data security and compliance with disparate regulatory schemes. In the face of ever-evolving regulations, methods of attack and data types as well as ever-changing infrastructure, duly protecting data will continue to grow as a challenge for both our companies and our legal and non-legal service providers. Secondarily, staying aware of the business, security, and preservation risks (and benefits) associated with evolving technologies will continue as a challenge as well.

AM: The biggest future data challenge is our current challenge—attorneys must understand and be able to translate data risk. This means that lawyers must have an understanding of the tools used to process and secure data (with their attendant benefits and limitations).