The Storm is Coming: The Storm is Here

ACEDS and our media partner, HipCounsel, participated in the CLOC conference this week. CLOC2018, held at the Bellagio in Las Vegas, had more than double last year’s attendance and, from the looks of it, almost triple the exhibitors.

Who doesn’t want to be in a casino with a legal entrepreneur named Cash Butler?  Cash, the CEO of ClariLegal, brought his brother (#ButlerBroz) to work the floor with his NewLaw procurement platform.

The swagger and power of the corporate legal operations professionals was on full display. The mood was a bit LegalTech-ish regarding booth and demo avoidance, with many activities and deals off the floor and in ancillary hotels.

Susan Hackett, CEO of Legal Executive Leadership, LLP and former GC of the Association of Corporate Counsel (ACC) pointed to the irony of the announced revenue and profit rankings of the AmLaw 100 while the Corporate Legal Operations professionals were focused on saving money for their organizations.  The profits listed in the rankings are up for a “distribution of wealth” according to Susan.  [Susan Hackett keynoted the ACEDS National Conference in 2015].

Major realignments seemed to be the talk of the week, with Elevate, Valorem and Jeff Ford combining with a “moonshot goal” of a 70% reduction in via a new law firm called elevateNext. All three have real street cred for disrupting: Jeff was one of the GCs driving the Association of Corporate Counsel’s Value Challenge, the precursor to CLOC. Nicole Auerbach and Patrick Lamb of Valorem shocked the legal market over a decade ago with their fixed fee models. Elevate is a highly successful NewLaw entrant.

Erik Laykin and the team Duff and Phelps acquired from Kroll were out in force, as was Mark Yacano, who introduced a new advisory service from Major, Lindsay & Africa. Drawing from his experience at Wright Robinson, where he was one of the first eDiscovery attorneys to provide metrics to his corporate clients, and his work with LPO as a business leader at Hudson Legal, Mark has a paragraph-based AI and human capital offering which optimizes contract analytics. We’re very excited he will also be taking his CEDS exam soon.

ACEDS was well represented with Chapter Leaders Matt Mahon and Shaun Sullivan from San Francisco, David Kinnear from New York, Doug Kaminski from Chicago, Caroline Sweeney from the Twin Cities and James MacGregor from the UK participating with their organizations.  We are very grateful to James MacGregor for volunteering to work in the ACEDS booth, one of our betas.  Our Chapter leaders joined ACEDS and Relativity for a Guild dinner at Beauty & Essex, a wonderful venue.

Another beta was conference coverage via webinar.  While we didn’t quite get video for livestreaming over our ON24 webinar platform, we did get audio.   At one point we had four reporters interviewing our affiliate partners.  David Kinnear, James MacGregor and Kaylee Walstad interviewed teams Ricoh, ZyLAB, Exterro, Hire Counsel, Catalyst and Relativity, along with a few new friends.  The conference bandwidth supported livestreaming sporadically, so look for some recorded videos about the substantive content over the next couple weeks.

David Kinnear, founder and CEO of High Performance Counsel, introduced HPC TV – a ground-breaking new video channel for the legal industry. The channel will help highlight individuals, organizations and solutions driving change and innovation in the legal industry over the next ten years. One of its stated aims is to help clients and providers alike in visually distilling what’s out there and how product “X” or provider “Y” is different from “Z.” David speaks to a wave of consolidation and intensely competitive markets with new players coming into the sector. Says David: “There is an energy in the room like the tension before a tropical storm, which I sense will play out over the next year and a half to two years. Not all the players that will emerge victorious are yet visible, but the rumblings are there for those who can hear the early thunder. The storm is imminent.”

Making the Most of a Meet and Confer

Meet early. Meet often.

Hardly any eDiscovery seminar concludes without one of the speakers – be it a judge, in-house counsel, or law firm attorney – addressing the importance of early and comprehensive discussions between parties. Specifically, Federal Rule of Civil Procedure 26(f) requires parties to meet and attempt to agree on a proposed discovery plan before submitting that plan to the court. This conference is an opportunity to proactively address common discovery issues and propose approaches to streamline the process and lower costs for both sides. Local scheduling orders or practice rules may also require parties to meet and confer at other times, such as prior to submitting any discovery motion. In short, in this post-2015 FRCP amendments era, the meet and confer is more important than ever.

Judges Demand eDiscovery Conferences between Parties

Judges are increasingly urging or requiring parties to meet and confer on thorny discovery issues. A quick search of judicial opinions reveals ample amounts of schooling in the importance of the meet and confer. These opinions were all issued in the last 30 days, showing how judges are wielding this sword to bring parties together.

For example, on April 6, 2018, Chief Magistrate Judge Paul M. Warner from the District of Utah expressed how he feels about the importance of a meet and confer. “The court considers a meaningful meet and confer to be essential to the parties’ obligation to secure the speedy and inexpensive resolution of this action.” Craft Smith v. EC Design, Case No. 2:16-cv-01235-DB-PMW (D. Utah Apr. 6, 2018). Magistrate Judge Warner went on to state that he would not consider further motions that did not contain a certification that the parties met and conferred.

Magistrate Judge Warner’s resolve on this issue is not an exception. In fact, with regularity, judges are encouraging or ordering parties to meet and confer on a broad range of eDiscovery topics: custodian lists, search terms, status of discovery, and development of a discovery plan. Sometimes, parties are even sanctioned for their refusal to meet and confer. Take these recent examples:

  • Parties must meet and confer on a protective order, if requested by the Defendant. Raquedan v. Centerplate of Del., Case No. 5:17-cv-03828-LHK (HRL) (N.D. Cal. Apr. 13, 2018)
  • Parties must meet and confer to develop search terms. Kimble v. Specialized Loan Servicing, LLC, Case No.: 16cv2519-GPC (BLM) (S.D. Cal. Apr. 6, 2018).
  • Parties ordered to meet and confer on scope of discovery (which parties did and could not reach agreement). Ratner v. Kohler, No. 17-00542 HG-KSC (D. Haw. Apr. 5, 2018).
  • Judge issued sanctions for a party’s “defiance and refusal” to meet and confer. Hauck v. Walker, Case No. C13-5729 BHS (W.D. Wash. Apr. 4, 2018).

However, case law is also bursting with examples where judges are disappointed with parties’ attempts to meet and confer. For example, in Raquedan v. Centerplate of Del., the judge stated:

“Well, whatever meeting and conferring took place between the attorneys following the January 24th court hearing (which reportedly included a face-to-face one hour meeting between lead counsel) did not produce a resolution of the discovery impasse. In fact, it produced no substantive discovery responses at all.”

Similarly, in Norfolk S. Ry. Co. v. Judge Warehousing, CV416-265 (S.D. Ga. Apr. 12, 2018), the judge stated:

“What is clear, however, is that the parties have demonstrably failed to meaningfully meet and confer on these issues. The first issue was moot, and had the parties talked that would have been obvious. The second issue too could have been resolved without court intervention.”

How can parties avoid these pitfalls and engage in a meaningful meet and confer?

Rule 26 Conference Topics

Preparation is the key to a productive Rule 26(f) conference, or any discovery-related meet and confer. Ideally, parties will have collaborated on the agenda for the meet and confer, and exchanged proposed language, prior to sitting down in a conference room together. Further, counsel should enter the room informed and ready to make reasonable proposals and agreements with regard to each of the topics below.

  1. Preservation Efforts. Parties should discuss the status of each side’s litigation hold. How broadly is data being held – subjects, devices, people, and locations? What are the procedures being used to track holds? Have automated deletion programs or other IT upgrades been suspended to avoid loss of data?
  2. Initial Disclosures and Scope of Discovery. Rule 26(a)(1) requires parties to disclose various information before formal discovery requests are made. The initial disclosure deadline arises quickly after the complaint and answer are issued. The Rule 26(f) conference is a good early opportunity to ask questions about the information contained in the initial disclosures and set the stage for scope of discovery discussions. This is where a deep understanding of data volume, sources, types, locations, custodians, systems, and potential data collection difficulties will be advantageous. Similarly, parties will want to discuss searching methodologies, such as keyword lists and use of predictive coding.
  3. Phasing of Discovery. Parties may list specific topics and reach agreements on timing for production of data. To most effectively accomplish rolling productions, parties must have a comprehensive understanding of the likely issues in the case.
  4. Production Format. Parties need to know the desired production format at the outset of discovery to prepare for data processing and review. Be prepared to discuss the handling of metadata, extracted text, and images. Sometimes parties will also ask for all native files or native files for specific file types, such as spreadsheets. Lastly, be ready to talk over production format for nonstandard data sources, such as databases.
  5. Privilege Claims. Parties must address the possibility of inadvertent production of privileged or work product protected documents. Most courts encourage parties to adopt a clawback agreement, which provides for the return of inadvertently produced materials without the waiver of privilege. Judge Andrew Peck (Ret.) issued a helpful model Federal Rule of Evidence 502 order that parties will want to reference in drafting clawback language.

Agreements reached at the Rule 26(f) conference should be memorialized in the discovery plan, which is ultimately submitted to the court. Importantly, the court should be made aware of issues the parties can and cannot reach agreement on, so that the judge can intervene if necessary.

To sum it up, the Rule 26(f) conference sets the tone going forward for cooperation between parties on discovery issues. Should discord arise during early conversations, discovery is likely to be a rocky road.

Top 10 Tips to Upgrade eDiscovery Security

Beyond two-factor authentication and encryption of client data, these are the top 10 security vulnerabilities for eDiscovery practitioners to assess and, if appropriate, mitigate:

  1. Team communication. Masking client, case and custodian names goes a long way to safeguarding conversations in public or if emails go awry. Pseudonymizing names works well. Assign “Custodian 123” to “Custodian Jones, Jim”. Call the 2nd request case “Project Green” rather than “BigCo Merger.” Regularly scheduled live meetings can keep team disagreements or perceived crises from being reduced to writing. Emails can persist in multiple systems and backups. Case management systems can isolate and centralize communication.
  2. Collection or preservation in place. Most eDiscovery systems require elevated privileges to collect data in an enterprise. It is now more common for security teams to set up a procedure for temporary access. Requiring approval from more than one department or person before access is granted applies separation of function and least privilege. “God” accounts that allow unrestricted collection access to sensitive areas used to be a standard emergency operating protocol. In this environment, such circuit-breaker emergency access to data is very rare.
  3. Passwords. Some teams send encrypted data with the password in the transmittal document or on a Post-it note attached to the hard drive. Worse, they send unencrypted data. Do not send unencrypted data. Communicate passwords through a separate channel, preferably not in clear text.
  4. Erasing or writing over logs.  Access logs can take up quite a bit of space.  Logs are essential for breach detection and remediation.  They can be moved to less expensive storage automatically to be available if necessary.
  5. Extra, unencrypted copies of work in progress due to ingestion, processing, early case assessment, staging to review, batches, production sets and privilege logs. While it might be important to keep those files to be able to roll back, if necessary, there should be a step later in the process where work in progress can be securely erased.
  6. Indices. Even when the ESI documents are encrypted, the indices may be in plain text. Pay attention to index security. A common technique is to restrict access to a specific “service account” for a specific subdirectory. (Thank you to Craig Ball for noticing this vulnerability).
  7. Mistakes in shipping productions. Run quality control checks at the end of the process to verify that the organization, address and production set (e.g., privileged included for law firm, privileged excluded for opponent) are correct, so that the right set goes to the right organization. Sending the production “Signature required” helps in tracking productions. For online transfers, capturing the logs or having a communication that the production set was received helps data accountability.
  8. Reviewer caches, especially for those who work at home or on laptops with sensitive documents. IT can require options to be set on remote machines to minimize and empty caches.
  9. No real disaster recovery. DLA Piper was down for days due to a ransomware attack.  It is essential to test business continuity and disaster recovery plans by at least walking through a tabletop exercise.  Nearline backups have replaced offline and offsite backups for faster backup and recovery.   To avoid malware and ransomware infecting the backups, reconsider offline and offsite backups.
  10. Finally, social engineering, in person, via phone or spear-phishing. A social engineer will pretend to be someone on the team to get through a security door, to elicit information to break in or to cause a click to download malware. All staff should be trained in avoiding social engineering, including partners, associates, paralegals, IT, reception and facilities services. Here is an example phishing email that fooled Jared Kushner’s attorney, Abbe Lowell of Norton Rose, about spoliation. This email has everything: an incorrect email address spelled close to the real one, familiar language, and a context that would likely get a click: https://twitter.com/sinon_reborn/status/912686341594460161?lang=en
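
The name masking in tip 1 can be applied mechanically to a draft before it is sent. This Python sketch is an added example, not part of the original article; the register contents beyond the tip's own two examples, the draft text and all function names are constructed for illustration.

```python
import re

# Constructed register: real name -> neutral label, following the tip's own
# examples. The register is itself sensitive: it belongs in the case
# management system, never in the e-mail thread it protects.
CUSTODIANS = {"Jones, Jim": "Custodian 123", "Smith, Ann": "Custodian 124"}
MATTERS = {"BigCo Merger": "Project Green"}

# Constructed draft message containing several spellings of the same names.
DRAFT = ("Re: BigCo merger - collection for Custodian Jones, Jim is done.\n"
         "Jim  Jones' laptop image is staged; Ann Smith is next week.\n"
         "Jones also mentioned a personal phone.")


def name_variants(last_first):
    """Spellings a 'Last, First' custodian name commonly takes in messages."""
    last, first = [part.strip() for part in last_first.split(",", 1)]
    return [f"{last}, {first}", f"{first} {last}", f"{last} {first}"]


def compile_register(custodians, matters):
    """Build (pattern, label) pairs, longest spelling first."""
    entries = [(name, label, False) for name, label in matters.items()]
    for name, label in custodians.items():
        entries += [(v, label, True) for v in name_variants(name)]
    entries.sort(key=lambda e: len(e[0]), reverse=True)

    compiled = []
    for text, label, is_custodian in entries:
        # \s+ tolerates double spaces and line wraps between name parts.
        body = r"\s+".join(re.escape(tok) for tok in text.split())
        # Swallow a leading "Custodian" so the label is not doubled.
        prefix = r"(?:custodian\s+)?" if is_custodian else ""
        pattern = re.compile(r"\b" + prefix + body + r"\b", re.IGNORECASE)
        compiled.append((pattern, label))
    return compiled


def mask(text, compiled):
    """Replace registered names; return (masked_text, replacement_count)."""
    total = 0
    for pattern, label in compiled:
        text, count = pattern.subn(lambda m, lab=label: lab, text)
        total += count
    return text, total


def residual_surnames(text, custodians):
    """Bare surnames left after masking. A lone surname is ambiguous, so it
    is reported for a human to review rather than replaced automatically."""
    found = []
    for name in custodians:
        last = name.split(",", 1)[0].strip()
        if re.search(r"\b" + re.escape(last) + r"\b", text, re.IGNORECASE):
            found.append(last)
    return sorted(found)


if __name__ == "__main__":
    masked, count = mask(DRAFT, compile_register(CUSTODIANS, MATTERS))
    print(masked)
    print("replacements:", count)
    print("review before sending:", residual_surnames(masked, CUSTODIANS))
```

A non-empty result from `residual_surnames` is a reason to hold the message: the bare surname in the last line of the draft would still identify the custodian.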

Judy Selby: 3 Cyber Insurance Tips for E-Discovery Professionals

Over the past few years, ediscovery professionals have been on the front lines of tremendous changes impacting how organizations and their business partners deal with electronic data. Hyper connectivity, increased regulation, and relentless security threats have created new risks that need to be understood and addressed on a daily basis by today’s ediscovery professionals. But although ediscovery professionals are on the front lines of dealing with data-related risks, they may be far removed from those in their organizations who are responsible for considering insurance to address those risks.

This article discusses three steps ediscovery professionals can take to help their organizations get the right insurance coverage and mitigate the chances that they will violate important cyber insurance policy requirements.

Overview of Cyber Insurance

Cyber insurance can provide much-needed tactical and financial support for entities confronted with a cyber incident. Generally speaking, the cyber policy’s first-party coverage applies to costs incurred by the insured when responding to a covered cyber event, while third-party coverage responds to claims and demands against the insured arising from a covered incident.

First-party coverage usually can be triggered by a variety of events, including data breach, malicious destruction of data, accidental damage to data, IT system failure, cyber extortion, viruses and malware. Generally available first-party coverages include legal and forensic services to determine whether a breach occurred and, if so, to assist with regulatory compliance, costs to notify affected employees and/or third parties, network and business interruption costs, damage to digital data, repair of the insured’s reputation, and payment of ransom costs.

Third-party coverage can be implicated in a variety of ways, including by claims for breach of privacy, misuse of personal data, defamation/slander, or the transmission of malicious content. Coverage is available for legal defense costs, settlements or damages the insured must pay after a breach, and electronic media liability, including infringement of copyright, domain name and trade names on an Internet site, regulatory fines and penalties.

There are no standard cyber insurance policies, and no two policies are the same. Therefore, it’s important to review any proposed cyber policy in light of the individual organization’s cyber risk profile. Because of their proximity to the risks involving much of their organization’s electronic data, ediscovery professionals can play an important role in helping their organizations procure and keep their cyber insurance coverage.

Tip 1 – Communicate Data Risks

Some cyber policies provide coverage only for a breach impacting the organization’s own data, not third party data. A policy also may limit coverage to security events affecting the insured’s own computer network. If the organization’s ediscovery processes include possession of third-party (including client and client’s adversary) data and utilization of vendors to host and/or handle such data, that information can be passed on internally so that the organization’s cyber risk profile can be better understood and appropriate coverage can be purchased.

Tip 2 – Appropriately Escalate Suspected Cyber or Privacy Incidents

Cyber insurance policies may require the insured to provide notice of claim under the policy when an employee first discovers or becomes aware of an incident. Failure to provide timely notice may jeopardize coverage for an otherwise insured claim. Ediscovery professionals should work with the appropriate people within their organization to establish procedures to internally report any suspected incidents so a determination can be made as to whether or not insurer notification is required.

Tip 3 – Understand Prior Written Consent Requirements

Many policies require the insured to get the insurance company’s written consent prior to hiring any outside professionals, such as a lawyer, forensic consultant, and public relations firm, in the event of a cyber incident. While in the throes of confronting such an incident, however, obtaining prior consent may not be top of mind within the organization. It may be helpful, therefore, for ediscovery professionals to inquire as to the existence of any such requirements in their organization’s cyber insurance policy and to add that information to their incident response plan.

The Sedona Conference’s FRCP 34(b)(2) Primer

In March 2018, The Sedona Conference published another useful guide for e-discovery professionals, Federal Rule of Civil Procedure 34(b)(2) Primer: Practice Pointers for Responding to Discovery Requests. This guide is the result of months of effort by Working Group 1 members.

The document was previously released for public comment in September 2017, and editors considered those public comments before releasing this final version. You can download the document free of charge from The Sedona Conference website.

In this paper, the Working Group tackles the December 2015 amendments to Federal Rule of Civil Procedure 34(b)(2), which addresses problems in requesting and responding to discovery. Throughout the paper, the working group provides sample language and practice pointers when drafting requests, responding to productions, or crafting objections. Further, the appendices are full of recent judicial opinions referencing Rule 34(b)(2). Also in the appendices, readers will find a list of links to standing orders, checklists, and pilot programs issued by various courts across the country.

If you can’t devote time right now to study the 48-page document from The Sedona Conference, this blog summarizes the key ideas included in this helpful e-discovery resource.

The Language of the Rule

The Rule 34 amendments attempted to address problems in the e-discovery process that increased delay and costs. These challenges included the following discovery behaviors:

  • Overly broad, non-particularized discovery requests
  • Overuse of boilerplate objections
  • Failure to clarify whether responsive documents were being withheld on the basis of objections
  • Failure to provide any indication of when production would begin in discovery responses

Specifically, the language of the new rule requires:

  • A response to requests for production within 30 days of service
  • Objections to production requests to be stated with specificity
  • Responses must state if responsive materials are being withheld on the basis of objections
  • Responses may state that the responding party “will produce documents” but must do so within 30 days “or another reasonable time specified in the response”

Requests for Production

Requests for production should be well-tailored, and not overly broad or disproportionate to the needs of the case. Parties should, where possible, avoid beginning requests with “any and all documents and communications that refer or relate” to a particular subject. In a post-2015 era, this language only increases the likelihood of objections. Instead, The Sedona Conference guides parties to classify their production requests into three categories:

  • Requests for specific documents – Documents that are readily identifiable (e.g., tax returns, a personnel file, bank records, board meeting minutes). Here is an example of a specific document request: “Produce plaintiff’s work performance evaluations from 2012 to 2015.”
  • “Sufficient to show” requests – Documents on a topic for which information is needed, but the responding party does not need to find and produce every document. For example, “Sufficient to show all locations where Company A did business in 2012 to 2015” would be more appropriate than a request for “all ESI that reflects or relates to the locations where Company A did business.”
  • Everything else – Subjects on which the requesting party has limited information regarding the existence of responsive documents. To assist in narrowing, provide examples of documents that might fit the description. In most cases, a discovery conference will help target the request.

Responding to a Request for Production

Unless stipulated otherwise by the court, the responding party must respond to production requests in writing within 30 days of service. This deadline applies to the written response, not the actual date of production. When it comes to the timing of the production, generically stating that “documents responsive to this request will be produced” is insufficient. Rather, the production must be completed by the time specified in the request or another reasonable time specified in the response.

When objecting to or withholding discovery documents, parties need to provide specific reasoning. Boilerplate objections are not allowed, even if used cautiously. Instead, the responding party should identify objectionable aspects of the request, citing the reasoning behind the objection. If possible, a party should also indicate which portions of the request are not objectionable, describing the scope of what it is willing to produce.

For instance, consider these objection examples provided in The Sedona Conference primer:

  • Too general: “Company A objects to these Requests to the extent they are not limited in time.”
  • More specific: “The Requests do not specify the date range for the requested production. Unless otherwise stated in the response below, Company A will search for responsive documents between January 1, 2014, the date the contract negotiations began, and June 1, 2014, the date the contract was executed.”

Update Your Form Files

E-discovery professionals who do not change behaviors to consider Rule 34 amendments risk the consequences. Before issuing or objecting to your next discovery request, cross-check your language against the guidance provided in The Sedona Conference’s newest paper. Are you using one of the proscribed phrases or is your e-discovery lexicon up to date?

Does Artificial Intelligence Have a Place in Law?

Already, automation has a foothold in the legal profession. Early adopters are embracing artificial intelligence (AI) for functions ranging from contract analysis to regulatory compliance to document review and production. David Kinnear, CEO of High Performance Counsel, observes that “the advent of this technology wave also bodes of change from the outside for the legal space — as non-law technology participants see a new opportunity to enter and compete in the legal space from a technology vantage point. With the central role of labor displaced, this clearly has commercial implications for the sector, which has hitherto enjoyed the robust protections of being viewed only as a regulated profession.”

Joining the debate

As AI gains a foothold in law, naysayers are shouting that AI can and should never replace a seasoned attorney, and proponents are shouting that AI can replace the majority of legal functions and solve the access to justice problem.

AI was originally sold as a way to supplant the highly paid attorneys. Specialized attorneys who create solutions to complex problems by applying cases, laws and regulations to a particular circumstance or fact pattern can bill at $150-1500/hour. Now, the selling strategy is to offer to replace paralegals and fledgling associates who bill at $30-250/hour, rather than replace the attorneys who might purchase such a system.

David Greetham, an eDiscovery Business Unit leader and patent holder for Ricoh USA, has a different moniker for AI. Greetham believes “the attorneys who embrace AI and Intelligent Support Technology [IST] will powerfully position themselves for success in future law.”

Kelly Twigger, Principal of ESI Attorneys, points to Susan Wojcicki, CEO of YouTube, who confirmed that YouTube will increase the number of people working to oversee content to more than 10,000 next year. “Human reviewers remain essential to both removing content and training machine learning systems because human judgment is critical to making contextualized decisions on content,” she said in a 2017 blog post.

Much ado about AI

In legal, software platforms and tools routinely use AI or IST to classify and categorize photos, improve upon Optical Character Recognition and create indices of sounds. Document review and production is augmented and organized by algorithms that find near duplicates, clusters of related documents, timelines and relationship graphs. Documents are created using decision trees and document assembly.

However, it is in the synthesis of input and the creation of alternatives that AI/IST will augment a smaller and smaller number of human attorneys. In besting the human champion of Go, AI proved that it could handle an infinite number of permutations. In late 2017, DeepMind’s AlphaGo Zero, armed only with a skeleton of information and rules and the computing power to play games against itself, became the champion within a month of unsupervised learning.

As AI algorithms are deployed to determine employment, custody, sentencing, immigration and other fundamental decisions, it is important to be able to deconstruct the inputs: algorithmic structures, included datasets and quality control. For example, a visual AI was able to recognize a white hand but not a black hand. It is not hard to imagine an algorithm using past case data and current laws to calcify social change and development if left to its own devices. It is also not difficult to imagine an AI optimizing conditions for its survival over other humans or machines.

It is time for the AI/IST community to enhance the Three Laws of Robotics from Isaac Asimov toward a core ethic for artificial intelligence:

“Artificial intelligence may not injure a human being or, through inaction, allow a human being to come to harm. Artificial intelligence must obey orders given it by human beings except where such orders would conflict with the First Law. Artificial intelligence must protect its own existence as long as such protection does not conflict with the First or Second Law.”