DSARs 101: What to Expect When Doing Business with EU Customers

For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk.

Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.

What is a DSAR?

On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system).

Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.

The General Data Protection Regulation

The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located.

According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

DSARs are the direct result of the right of access provided for in the GDPR. Such requests might ask for specific personal details or could demand a full list of the personal data being stored. Either way, an organization is required to provide the requester with a copy of any relevant information about them.

The UK Data Protection Act 2018

Countries across the EU have passed or will soon enact their own data protection legislation, and the Data Protection Act 2018 is the UK’s implementation of the GDPR. The DPA provides individuals in the UK with the right to obtain a copy of their personal data and extends the lawful bases for processing sensitive personal information beyond what the GDPR provides. The DPA also sets the minimum age of consent for processing a subject’s data at 13, as opposed to 16 in the GDPR.

According to a 2019 survey conducted by Lexology, since the introduction of the GDPR and the DPA, a growing trend is rapidly emerging: DSARs are increasingly being used by those more aware of their rights surrounding their personal information. This tendency is expected to grow, amplifying the need for businesses to put clear policies and procedures in place that will not only keep them in compliance with the GDPR and the DPA, but also help them avoid costly enforcement action.

 

Next up in this series: How to Respond to a DSAR Request. Do you have other thoughts to add regarding DSARs? Tell us about them in the comments!

The Increasing Promise of Technology-Assisted Review: How to Tame the Vulgar Expense of E-Discovery

In my first major case using technology-assisted review, our team had to review documents in Korean, which brought with them privacy and cross-border transfer concerns. The technology was very helpful, but we still had to employ two rooms filled with Korean-speaking lawyers to support the effort. Needless to say, it was a very expensive production.

During a more recent matter in the second half of 2019, we collected nine-million documents and applied basic and broad keyword searches at the outset to quickly reduce that dataset to two-and-a-half-million records. We then applied Brainspace and its continuous active learning functionality to the remaining information and were able to quickly categorize each document, including those categories that were uniquely valuable to our case, to immediately and painlessly eliminate millions of documents from consideration.

The contrast between the two experiences was striking. Instead of multiple rooms filled with reviewing lawyers, we enlisted a skilled, but relatively small team of contract attorneys to code 25,000 records in two weeks. When all was said and done, the client told us that this project was far less expensive than the similarly sized project he had just completed on another case, and I am very comfortable that we identified the correct documents in a highly defensible manner.

As a result, leveraging artificial intelligence in this way is not just an option, it is the only one if you want to tame the vulgar expense of e-discovery.

This more effective model is not without its challenges, which include the following:

You Need Skilled Lead Counsel

Given that lead lawyers on matters of this type heavily rely on technology to determine which documents are relevant, it is essential that they have the requisite skill and understanding of the current technology to complement their legal talent. While they once simply designated documents as privileged or responsive in a linear manner, using mapping and other visualization tools allows them to highlight conversations, issues, windows in time, and specific types of documents, all in a manner that can quickly identify the most important documents related to a specific issue and cleave out those with no relevance. In other words, to fully harness the technology, counsel must not only have deep knowledge of the case, but must understand what can be done with the AI and how to do it.

Contract Attorneys Require Training

While contract attorneys may have fewer documents to review because of the technology, human eyes still need to review whatever the technology identifies as relevant. Accordingly, and possibly even to a greater extent than when they reviewed “everything,” contract attorneys must be deeply trained on the matter in order to optimize their efforts. Insufficient preparation may result in inconsistent document coding, i.e., responsive vs. non-responsive, which could materially delay the process. In fact, the more you rely on computers to perform key tasks, the more disciplined the human interaction and input need to be.

Client Collaboration is Critical

Full transparency and client buy-in about the process is critical.  New tools are launching regularly so even sophisticated, large organizations may not understand the significant benefits and savings on the back end that usually result from the slightly higher front-end cost of the initial computerized data analysis. This may require preparing a cost-benefit analysis demonstrating the overall savings, which again, I have found to be increasingly substantial.  We were certain that our advanced approach would result in a substantial cost reduction and it turned out to be one of the smoothest productions we had ever completed. Our collaboration ensured that the client’s sophisticated team collected efficiently and transferred it to the host.  With well-documented culling followed by the AI analysis, we were able to save thousands in monthly hosting fees alone.

Choose the Right Technology

In our case, the head of litigation support technology at our firm recommended Brainspace because it integrated with our existing portfolio of tools. What I derisively call the golden age of big-law document review, with teams of associates reviewing every document in a linear manner, thankfully no longer exists. Increasingly, even the more restrained days of law firms simply supervising lower-cost contract reviewers are also in the rearview mirror. Now, the law firm’s role is to optimize the use of AI-driven review tools, manage the technology, ensure the contract lawyers are well trained, and produce a defensible production.

While the firm associates still must participate in reviews, often performing quality-control aspects of the job, they are now supported by our manager of technology-assisted review. That manager can compare what the reviewers are finding with the broader database as a whole, essentially performing a statistical QC of the overall findings that further validates the integrity of the production.

And the emerging new model is not a bad thing for those like me in “big law.” Although the “golden age” ended—as it should have—with much of the rote review work being outsourced to contract reviewers, when AI is involved on large cases, the tech-savvy partners and associates are reemerging with new roles that actually create the kinds of efficiencies that really justify their fees.

Key Best Practices

To maximize the value of your efforts and optimize efficiency:

  1. Remember that data security is the most important issue; it must be addressed with every vendor, contract lawyer, and team member.
  2. Surround yourself with the right people; people who truly understand the technology are worth their hourly rates and contribute to real savings overall.
  3. Carefully consider the roles of each member of the team. Often, it will be important to have a chief technologist liaising with both the client and professionals handling other aspects of the case.
  4. Hire the most talented contract lawyers, train them well, QC their work, and immediately let go of those who are not working out. Document review cannot be forgiving. One bad reviewer can infect the entire process.
  5. Quality control is key and must be done in a rigorous and consistent manner.
  6. Memorialize everything, from search terms, to AI processes, to the metrics on each stage of the review. I put everything into a defensibility memorandum so that if needed in two years I can explain to a court or tribunal exactly what was done and why it was reasonable.

Promoting the Promise of TAR

We have been discussing the promise of technology assisted review for years.  Whether called TAR or AI, I believe the technology is now well in the mainstream, and am very impressed with its effectiveness. The challenge for junior lawyers is that technology is limiting the work that formerly provided them with foundational experience. Document review, though arduous, helps one learn about the business of a client. I remember spending many months as a young lawyer sitting at document repositories flipping moldy pages of old client files.  It’s a great, if expensive, way for young lawyers to learn not only about the case, but about the ways of the business world.  While automated review is better for clients in the long run, it does reduce the amount of work for human lawyers, so that supply and demand will have to re-balance over time.

Sean O’Shea: Tips for Paralegals and Litigation Support Professionals – May 2020

5/1/2020: (California Styling)
The California style is distinguished by enclosing citations in parentheses and putting the venue and year between the case name and reporter cite.

5/2/2020: Predicting the number of top level clusters
The general rule that a higher generality setting will lead to fewer top-level clusters in Relativity will not always turn out to be true.

5/3/2020: Companies are sharing your data with Facebook
What is Off-Facebook activity?  By default, your Facebook account permits businesses to share information concerning your online activity with Facebook.

5/4/2020: Pivot Table Cache Limit
Excel creates a cache of a pivot table’s outside data source (which shows the totals listed in the table itself based on the original complete data source) but only retains the first 65,536 rows of the data source.

5/5/2020: Excel formula to pull column headings when given value is entered
A formula in Excel to extract the column headings in a range of data for which a given value is entered.

5/6/2020: PowerShell Script to Get Hash Values of Multiple Files in Multiple Folders
PS C:\Users\SeanKOShea> Get-FileHash -Algorithm MD5 -Path (Get-ChildItem "C:\FooFolder\baseball2\*.*" -Recurse -Force) | Export-Csv C:\FooFolder\Batch01b.csv

5/7/2020: certutil command to generate hash values for multiple files
You can use this script to generate a list of hash values for multiple files in a single folder: for %F in (*) do @certutil -hashfile "%F" MD5 | find /v "hashfile command completed successfully" >>list.txt

5/8/2020: INDEX MATCH divided is faster than Excel
A nested INDEX MATCH formula only runs slightly faster than VLOOKUP, but when the INDEX and MATCH formulas are placed in separate cells, results can be obtained almost five times faster than with VLOOKUP.

5/9/2020: Speeding up VLOOKUP
To run a binary search but avoid an approximate match, use a VLOOKUP inside an IF . . . THEN formula

=IF(VLOOKUP(A3,I:K,1,TRUE)=A3,VLOOKUP(A3,I:K,3,TRUE),NA())

5/10/2020: Renaming Tables and Queries in Access Can Crash Your Database
If you select the option to ‘Track name AutoCorrect info’, and ‘Perform name AutoCorrect’ under File . . . .Options . . . Current Database, Access can avoid errors by updating object names automatically.

5/11/2020: Relativity Integration Points
Relativity Data Transfer uses integration points to transfer saved searches; folders; and production from a Relativity workspace to another workspace or a load file.  Integration Points also substitute for Relativity Desktop Client in importing load files or Office 365 directories into a workspace.

5/12/2020: N.D. Cal. 26(f) ESI Checklist
The United States District Court for the Northern District of California has posted a checklist on its site, for parties to consult when addressing ESI issues at Rule 26(f) meet and confer.

5/13/2020: Draft Declarations – 28 U.S.C. § 1746
When filing a declaration in federal court, reference 28 U.S.C. § 1746 which provides that a matter may be supported by an unsworn declaration as being true under the penalty of perjury.

5/14/2020: Excel formula to parse out Nth words in cell
The number of the string to be extracted is referenced in cell $B1

=TRIM(MID(SUBSTITUTE($A2," ",REPT(" ",LEN($A2))), (B$1-1)*LEN($A2)+1, LEN($A2)))

Cell $A2 references the cell with multiple strings that is to be reviewed.   The formula uses the LEN formula to calculate the position of the string, and the MID formula to extract the string.

5/15/2020: Running Regex searches in an Access database
Visual Basic code creates a RegEx function that you can use in SQL query.

5/16/2020: Garner’s Guide to Making Briefs More Persuasive: Tip 9 – Allow time for a full citation check of both the record and the caselaw
It will take a full day to check the fact and legal citations in a brief.

5/17/2020: Calculated Items in Pivot Tables
When you’ve created a pivot table in Excel, you can easily add two fields together and list the result in a new field – one not present in your original data source.

5/18/2020: DAT-daddy to parse by ¶ and þ in Excel
ENF Discovery has a great add-in for Excel that can help you parse out fields in Concordance .dat load files.

5/19/2020: PowerShell script to merge .csv files
A PowerShell script posted on the Microsoft Scripting blog can be used to merge multiple .csv files together.

5/20/2020: vba code to unprotect Excel worksheet
I tested this macro tonight on a workbook protected with Excel 2019 using a four-digit number, a dictionary word, a short phrase, and an eight character alphanumeric code and it cracked each one in seconds.

5/21/2020: Finding Hidden Dialog Boxes with WinLister
If you’re having trouble finding a hidden dialog box that’s preventing you from accessing an application, try downloading another great utility from Nirsoft: WinLister.

5/22/2020: Cornell Survey of Juror Thoughts on Trial Technology
“Many jurors are accustomed to learning through technology, and technologically enhanced presentations present an ideal platform to summarize and connect the dots between the evidence presented at trial and the applicable law in a way that is especially useful for visual learners.”

5/23/2020: D. Colo. Applies Alice Test for Hierarchical Data Storage System
The Supreme Court Alice test was applied for a patent on a hierarchical data storage system used for security and surveillance.

5/24/2020: The CSI Effect
Dramas which focus on forensic investigation in criminal cases have led to there being a large number of people in jury pools who expect to be presented with extensive forensic evidence. This in turn raises the standard of proof for public prosecutors. Circumstantial evidence may not be given as much importance as it should.

5/25/2020: In-Depth Study on the CSI Effect
The study reached the conclusion that, “participants who demonstrated a higher level of pro-prosecution forensic evidence bias perceived weak DNA evidence to be of higher probative value in this murder trial scenario.”

5/26/2020: Unicode compliance
MS Exchange uses unicode for PST archives.  However individual email messages saved with a .msg extension don’t use unicode for the email header fields.  Tools which collect local .msg files may garble the text of email headers unless an adjustment is made for the Outlook encoding.

5/27/2020: Windows’ Character Map
Don’t miss that Windows includes an application called Character Map which you can use to look up the alt codes and unicodes of thousands of different characters.

5/28/2020: DATEVALUE to force Excel entries into the Date format
Don’t miss that you can use the DATEVALUE function in Excel to correctly format dates entered in a column, if selecting the cells and right clicking and selecting Format Cells and picking the date format on the Number tab doesn’t do the trick.

5/29/2020: Excel formula to go from A to ZZ
=IF(G9>25,CONCATENATE(CHAR(MOD(QUOTIENT(G9-26,26),26)+65),CHAR(MOD(G9-26,26)+65)),CONCATENATE(CHAR(MOD(G9,26)+65)))

5/30/2020: Garner’s Guide to Making Briefs More Persuasive: Tip 10 – Revise. Then proof carefully
Make several passes: once for punctuation; once for formatting; once for transitions; once to confirm the headings are consistent.

5/31/2020: Editing marks
Many common editing marks used in proofreading can be entered with Unicode references. 2050 gives you the close up space mark: ⁐

Paralegals Are Project Managers Too!

I wrote this piece a few years ago for my own personal blog because I thought then and I still think now that paralegals are e-discovery project managers. I also wrote something similar for NALA’s Facts & Findings publication, and again, my argument holds up.

Whether you’re traveling a long distance, going on a short road trip, or just heading out to buy dinner, the most important piece of information you need is where you’re going, right? To figure out how you are going to get somewhere, you must know your destination. While this is more difficult as we traverse our goals in life, when it comes to success in e-discovery and the world of legal and litigation support this analysis is much easier.

Managing a project is like managing a case

Every case and each part of a case can and should be viewed as a project. A project is a temporary, non-routine endeavor limited by scope, time, and cost that creates a unique product, service, or result. Projects have a start and an end, and they are unique. Paralegals are drafting motions, performing research, working on discovery, or a trial – all of these are projects or sub-projects of a larger case. Project management principles will help get the work done more effectively and more efficiently.

Who’s a project manager?

Project management, defined, is the structured application of skill, knowledge, tools and techniques to organize project activities and efficiently bring about a desired outcome. Paralegals do this day in and day out as they apply their skills to casework at law firms and corporations around the world.

Paralegals and legal assistants are as much project managers as any attorney leading a case. A project manager is the person possessing the applicable skills, knowledge, and talent who is assigned by an organization and responsible for overseeing and actively managing, among other things, the scope, time, and cost of a project to achieve project objectives. A project manager, like paralegals, must manage the interests and expectations of stakeholders and ensure that the project is completed at scope, on time and within budget. Along the way, they also measure and manage risk, ensure the quality of deliverables, and manage the personnel and other resources associated with a project.

If this doesn’t describe the role of paralegals working on a case, then it’s not clear what does. From the time their phone rings and they receive a new case assignment, paralegals are helping to manage and organize as the case moves through the stages of the litigation spectrum. Drafting, filing, organizing, researching, managing documents or discovery, cite checking – each of these is a project that requires specialized skills, has dependencies, and must be performed efficiently. Without a doubt each of these tasks has time constraints and cost limitations. So, lest there remain any doubt—paralegals are project managers.

What does Done look like?

But confusion remains regarding exactly how project management principles integrate with legal work. Perhaps the most important question a project manager can ask when he or she leads a project is “What does done look like?” That question, as simple as it seems, together with the answer, should resonate throughout the project. Otherwise, the scope of the project lacks definition, and when a project lacks proper scope definition the outcome will likely not be successful. When you take on a new case or assignment, it’s important to gather all the information, requirements, and parameters. Remember, successful projects have a vision, a purpose, and a goal, and they have time and cost constraints.

But scope management is just one aspect of project management. There are several components to project management that should be understood, starting with an understanding of the project lifecycle.

The Project Management Lifecycle

Projects have a life; they have a beginning and an end. The project lifecycle begins with the five pillars of traditional project management, called Process Groups. Process simply refers to the discrete steps, actions, or operations one takes to achieve project objectives, the tools used, and an understanding of what each part of a project will look like as well as the final result. Process is identifying the inputs, tools and techniques, and the outputs required to produce results.

The Five Project Management Process Groups

To begin a project, it makes sense to have an orderly framework. The project management process groups provide that framework:

At each stage of a project, the project team should consider the following:

  • Initiating: Should we take on this project? What are the alternatives? Should we make it or buy it? Do we have necessary agreements in place?
  • Planning: What does done look like? What is and what is not included? What resources do we need? Who will lead the project? How much is it going to cost? How long will it take? What risks are involved? How will quality be maintained?
  • Executing: Project work begins and deliverables are prepared.
  • Monitoring & Controlling: Are we on time? On budget? Are we maintaining quality? How are we monitoring changes?
  • Closing: Document what was done, record metrics and perform post-project review.

The Project Management Knowledge Areas

The lifecycle does not end here. Within each process group are specific areas of responsibility that a project manager focuses on throughout a project. Known as the Knowledge Areas, these are the core elements in each of the five process groups that a project manager must manage:

  • Integration management
  • Scope management
  • Time management
  • Cost management
  • Quality management
  • Human resource management
  • Communication management
  • Risk management
  • Procurement management
  • Stakeholder management

The Knowledge Areas help to structure, categorize, and navigate the order of project work. They must be consistently integrated, managed, and monitored across the five process groups during a project.

Together, the five process groups and ten knowledge areas provide a consistent framework for project work. This framework has been time-tested and it works.

The Ins and Outs of PM

Within the framework, a project manager is responsible for the Inputs, Tools & Techniques, and Outputs in each knowledge area. The project manager first gathers information and identifies the requirements of the project (Inputs). Second, decisions are made about the equipment, methodologies, and resources necessary to achieve project success (Tools & Techniques). And third, the completed tasks and activities become deliverables and, ultimately, the final product, service or result (Outputs).

To illustrate the point, an example is helpful. Tasked with collecting electronically stored information (ESI) from a client for discovery, what Inputs are needed before beginning the project? What information is necessary to enable the collection project to move forward? At the very least you need the location, the names of custodians, and the sources from which you will collect the ESI.

Next consider the Tools & Techniques. Is there a particular collection methodology suitable to the case? What tools are required? Are there written protocols or best practices for performing a collection? Here you need to know if you’re going to forensically collect the ESI or use other less formal procedures. Ideally, you’re going to use a trained technician who employs software or hardware that write-protects the ESI to prevent it from being altered.

And finally, what is the Output? Obviously, one output is the collected ESI. But how is it maintained? What form is it in post-collection? Are there any other requirements or documentation that is required at the conclusion of an ESI collection? The expectation when collecting ESI is that it will be in native form and all the metadata will be intact. Additionally, you are going to want a collection log and, because the ESI is potentially evidence, you will need to prepare a chain of custody form showing who handled the ESI.

This is but one example of how the traditional project management methodology works. The project management framework above and the process of moving from inputs to tools to outputs are a proven methodology. More than 1 million project managers across the globe in nearly every industry, including the legal business, use this methodology to achieve effective results. Paralegals should adopt these processes as well.

Conclusion

I began my career as a paralegal and made the move into legal technology, litigation support and e-discovery. Through hard work I built a reputation for getting things done, for educating and training attorneys and paralegals, and for managing people and successful projects. I have managed some of the largest class-action securities litigations ever filed. At some point, it occurred to me that there is a better way and so I began to look at the principles of project management and their applicability to case work in the legal industry. Doing so has served me well over the past two decades. My point here is simple: paralegals and legal assistants, like anyone working in any industry, are project managers too. They perform important project-oriented work that can only improve with the use of project management principles.

A Matter of Pricing? A Running Update of Semi-Annual eDiscovery Pricing Survey Responses

The Semi-Annual eDiscovery Pricing Survey

Based on the complexity of data and legal discovery, it is a continual challenge to fully understand what is representative of industry-standard pricing for the delivery of eDiscovery products and services. With this challenge in mind, the semi-annual eDiscovery Pricing Survey is designed to provide insight into eDiscovery pricing through the lens of 15 specific questions answered by legal, business, and information professionals operating in the eDiscovery ecosystem. The survey was first administered in December of 2018 and has been conducted four times during the last two years with 334 aggregate individual responses.

Survey Background

The eDiscovery Pricing Survey is a non-scientific and non-comprehensive survey and consists of 15 multiple choice questions focused on information and metrics related to eDiscovery pricing for collection, processing, and review tasks. The survey is open to legal, business, and information technology professionals operating in the eDiscovery ecosystem, and individuals are invited to participate semi-annually primarily by direct email invitation from ComplexDiscovery and leading industry educational partners to include the Association of Certified E-Discovery Specialists (ACEDS).

Aggregate Results

While individual respondent answers to the pricing survey are confidential, the anonymized aggregate results for all previously administered surveys are published below without commentary. These results highlight eDiscovery pricing on selected collection, processing, and review tasks as seen by survey respondents since the inception of the survey in December of 2018. The aggregate results of all surveys as shared in comparative charts may be helpful for understanding pricing and its impact on purchasing behavior on selected services over time.


Comparative Charts: A Look at Four Surveys

n=334 Respondents (Aggregate All Surveys)

Collection Pricing

1. What is the per hour cost for a collection by a forensic examiner?

2. What is the per device cost for a collection by a forensic examiner?

3. What is the per hour cost for analysis and expert witness support by a forensic examiner?

Processing Pricing

4. What is the per GB cost to process electronically stored information based on volume at ingestion?

5. What is the per GB cost to process electronically stored information based on volume at completion of processing?

6. What is the per GB per month cost to host electronically stored information without analytics?

7. What is the per GB per month cost to host electronically stored information with analytics?

8. What is the user license fee per month for access to hosted data?

9. What is the per hour cost of project management support for eDiscovery?

Review Pricing

10. What is the per GB cost to conduct predictive coding as part of technology-assisted review during the document review phase of eDiscovery?

11. What is the cost per hour for document review attorneys to review documents during the review phase of eDiscovery?

12. What is the cost per document for document review attorneys to review documents during the review phase of eDiscovery?

Background Information

13. In which geographical region do you primarily conduct eDiscovery-related business?

14. Which of the following segments best describes your business in eDiscovery?

15. What area best describes your primary function in the conduct of your organization’s eDiscovery business?

An Aggregate Overview of Survey Responses (Four Surveys)


Source: ComplexDiscovery


Encryption’s Impact on Potential Liability Under CCPA

(This article is brought to you courtesy of the International Association of Privacy Professionals (IAPP) and first appeared in The Privacy Advisor, IAPP’s original content publication for privacy professionals.)

In the last decade, California has suffered twice as many data breaches as any other state, with roughly 1,493 breaches affecting nearly 5.6 billion records. For an organization that handles the data of California consumers, adopting a robust security system is prudent.

Encrypting consumer data is one strategy that an organization can adopt as part of a comprehensive information security and privacy program. Encryption benefits consumers by rendering compromised data unreadable, so that even if encrypted data is disclosed, the risk of harm to an individual, such as identity theft or a threat to physical safety, is significantly limited. Where California’s privacy laws apply to an organization, encrypting customer data will provide immunity from the private right of action under the California Consumer Privacy Act and limit obligations of notification in the event of a data breach under California’s data breach notification law.

How will encrypting data benefit your organization in California?

Under CCPA, California consumers are provided a private right of action, which permits them to file civil suits against businesses for certain types of data breaches and potentially recover either statutory damages of up to $750 or actual damages, whichever is greater. In class-action litigation involving millions of consumers, these damages can add up quickly. Compared to the EU General Data Protection Regulation, which allows for fines of up to 4% of global turnover, damages under the CCPA do not have a similar liability cap. As a result, a business’s damages under the CCPA could conceivably dwarf the fines permitted by the GDPR.

As mentioned above, this private right of action only applies to certain types of data breaches. First, the breach must consist of a California resident’s first name (or first initial) and last name in combination with one of the following: Social Security number, some unique identification number issued on a government document that is commonly used to verify an individual’s identity, account number or credit or debit card number in combination with any required security code, medical information, health insurance information, or unique biometric data used to authenticate an individual. Collectively, all these categories are referred to as “covered personal information.”

Even if covered personal information is compromised, the private right of action under the CCPA only applies to breaches of nonencrypted or nonredacted covered personal information resulting from a business’s failure to implement and maintain reasonable security procedures and practices. In determining reasonableness, the attorney general may look to the 20 security controls promulgated by the Center for Internet Security, which the California Department of Justice identified in 2016 as establishing the minimum controls required to show a reasonable security system. These controls recommend encryption. Thus, for an organization seeking to limit liability under the CCPA, encrypting covered personal information of California consumers is a very effective way to do so.

Moreover, under California’s data breach notification law, an organization that does business in California and maintains personal information of California residents may be required to notify the residents if they have been affected by a data breach. However, if the compromised personal information is encrypted, it falls outside the scope of the data breach notification law and the obligation to notify is not triggered. Though the definitions of personal information are not identical under the CCPA and California’s data breach notification law, there is a significant amount of overlap.

Like the CCPA, California’s data breach notification law also provides consumers with a right of private action if they have been injured by a violation of the law. Unlike the CCPA, though, the data breach notification law does not provide statutory damages. As a result, if an organization encrypts the personal information it maintains on California consumers, it can avoid the obligation to notify consumers of a data breach and it reduces the likelihood of civil actions.

CCPA in action

On Feb. 3, a California consumer filed a class-action suit, arising from a data breach, against high-end children’s clothing retailer Hanna Andersson and Salesforce, a software-as-a-service company specializing in customer relationship management. The claim alleges, among other things, a violation of the CCPA and states that consumers’ unencrypted and unredacted personal information, including financial information, was compromised by a breach. The complaint alleges the information accessed by the hackers was for sale on the dark web. Had the stored personal information been encrypted, the plaintiff’s chances of recovering any damages under the CCPA would be significantly limited, as their claims would not be covered by the CCPA’s private right of action. Moreover, any harm to consumers would have been limited or eliminated because the hackers would presumably have been unable to decrypt the data.

If your organization handles covered personal information, encrypting it would be a smart decision. Not only does it help mitigate the risks of harm consumers face in the event of a security incident, but it shields your company from liability under the CCPA’s private right of action.

Photo by Ev on Unsplash

A Pandemeconomic Indicator? Summer 2020 eDiscovery Pricing Survey Results

Editor’s Note: According to the International Monetary Fund, the COVID-19 pandemic has pushed the world into a recession. Initial estimates are that for 2020, pandemic-driven economic conditions may be worse than the global financial crisis that stressed financial markets and banking systems between mid-2007 and early 2009. The current pandemic has already dramatically influenced the eDiscovery ecosystem in areas such as the delivery of services, the pulse rate of investigations and litigation, and the frequency of merger and acquisition activities. However, we are still in the early stages of understanding how the pandemic will directly impact the economics of eDiscovery. With the need for this understanding in mind, the summer 2020 eDiscovery Pricing Survey from ComplexDiscovery may be helpful for legal, business, and information technology professionals as they seek to comprehend current sentiment and certainty regarding the pricing of core eDiscovery tasks.

The eDiscovery Pricing Survey

The eDiscovery Pricing Survey is a non-scientific and non-comprehensive survey designed to provide general insight into eDiscovery pricing as shared by individuals working in the eDiscovery ecosystem.

The survey consists of 15 multiple choice questions focused on information and metrics related to eDiscovery pricing for collection, processing, and review tasks. The survey is open to legal, business, and information technology professionals operating in the eDiscovery ecosystem. Individuals are invited to participate semi-annually primarily by direct email invitation from ComplexDiscovery and leading industry educational partners to include the Association of Certified E-Discovery Specialists (ACEDS).

Summer Survey Results

The summer 2020 survey response period was initiated on May 11, 2020, and closed on May 20, 2020. This was the fourth eDiscovery pricing survey conducted by ComplexDiscovery, the initial survey being conducted in December of 2018. This survey had 105 respondents.

While individual respondent answers to the pricing survey are confidential, the anonymized aggregate results for the 15 questions of the multiple-choice survey are published below without commentary. These results highlight eDiscovery pricing on selected collection, processing, and review tasks as seen by survey respondents in the summer of 2020.


eDiscovery Pricing Survey Questions (Required)

n=105 Respondents

Collection Pricing

1. What is the per hour cost for a collection by a forensic examiner?

  • Less than $250 per hour. 23.8% (Up from 18.8%)
  • Between $250 and $350 per hour. 61.0% (Down from 62.5%)
  • Greater than $350 per hour. 6.7% (Up from 2.5%)
  • Do not know. 8.6% (Down from 16.2%)

2. What is the per-device cost for a collection by a forensic examiner?

  • Less than $250 per device. 12.4% (Down from 12.5%)
  • Between $250 and $350 per device. 30.5% (Up from 16.2%)
  • Greater than $350 per device. 43.8% (Down from 51.3%)
  • Do not know. 13.3% (Down from 20.0%)

3. What is the per hour cost for analysis and expert witness support by a forensic examiner?

  • Less than $350 per hour. 15.2% (Up from 15.0%)
  • Between $350 and $550 per hour. 62.9% (Up from 60.0%)
  • Greater than $550 per hour. 7.6% (Up from 5.0%)
  • Do not know. 14.3% (Down from 20.0%)

Processing Pricing

4. What is the per GB cost to process electronically stored information based on volume at ingestion?

  • Less than $25 per GB. 33.3% (Up from 23.8%)
  • Between $25 and $75 per GB. 45.7% (Down from 52.5%)
  • Greater than $75 per GB. 10.5% (Down from 13.7%)
  • Do not know. 10.5% (Up from 10.0%)

5. What is the per GB cost to process electronically stored information based on volume at completion of processing?

  • Less than $100 per GB. 44.8% (Up from 32.5%)
  • Between $100 and $150 per GB. 31.4% (Down from 42.5%)
  • Greater than $150 per GB. 9.5% (Up from 8.8%)
  • Do not know. 14.3% (Down from 16.2%)

6. What is the per GB per month cost to host electronically stored information without analytics?

  • Less than $10 per GB per month. 30.5% (Down from 23.8%)
  • Between $10 and $20 per GB per month. 50.5% (Down from 62.5%)
  • Greater than $20 per GB per month. 10.5% (Up from 5.0%)
  • Do not know. 8.6% (Down from 8.7%)

7. What is the per GB per month cost to host electronically stored information with analytics?

  • Less than $15 per GB per month. 37.1% (Up from 28.7%)
  • Between $15 and $25 per GB per month. 32.4% (Down from 45.0%)
  • Greater than $25 per GB per month. 16.2% (Down from 15.0%)
  • Do not know. 14.3% (Up from 11.3%)

8. What is the user license fee per month for access to hosted data?

  • Less than $50 per user per month. 21.0% (Up from 13.8%)
  • Between $50 and $100 per user per month. 60.0% (Down from 66.3%)
  • Greater than $100 per user per month. 12.4% (Down from 13.8%)
  • Do not know. 6.7% (Up from 6.1%)

9. What is the per hour cost of project management support for eDiscovery?

  • Less than $100 per hour. 6.7% (Up from 2.5%)
  • Between $100 and $200 per hour. 65.7% (Down from 73.8%)
  • Greater than $200 per hour. 22.9% (Up from 20.0%)
  • Do not know. 4.8% (Up from 3.7%)

Review Pricing

10. What is the per GB cost to conduct predictive coding as part of a technology-assisted review during the document review phase of eDiscovery?

  • Less than $75 per GB. 49.5% (Up from 40.0%)
  • Between $75 and $150 per GB. 13.3% (Down from 25.0%)
  • Greater than $150 per GB. 8.6% (Up from 5.0%)
  • Do not know. 28.6% (Down from 30.0%)

11. What is the cost per hour for document review attorneys to review documents during the review phase of eDiscovery?

  • Less than $25 per hour. 2.9% (Up from 1.3%)
  • Between $25 and $40 per hour. 42.9% (Up from 31.3%)
  • Greater than $40 per hour. 42.9% (Down from 52.5%)
  • Do not know. 11.4% (Down from 14.9%)

12. What is the cost per document for document review attorneys to review documents during the review phase of eDiscovery?

  • Less than $0.50 per document. 4.8% (Down from 11.3%)
  • Between $0.50 and $1.00 per document. 31.4% (Down from 35.0%)
  • Greater than $1.00 per document. 36.2% (Up from 26.3%)
  • Do not know. 27.6% (Up from 27.4%)

Background Information

13. In which geographical region do you primarily conduct eDiscovery-related business?

  • North America – United States. 86.7% (Down from 87.5%)
  • North America – Canada. 2.9% (Down from 5.0%)
  • Europe – United Kingdom. 2.9% (Up from 2.5%)
  • Europe – Non-UK. 2.9% (Up from 1.2%)
  • Asia/Asia Pacific. 2.9% (Up from 0.0%)
  • Middle East/Africa. 1.9% (Down from 3.8%)
  • Central/South America. 0.0% (No Change)

14. Which of the following segments best describes your business in eDiscovery?

  • Law Firm. 40.0% (Down from 52.5%)
  • Software and/or Services Provider. 37.1% (Up from 27.5%)
  • Consultancy. 11.4% (Up from 10.0%)
  • Corporation. 8.6% (Up from 5.0%)
  • Government Entity. 1.9% (Down from 2.5%)
  • Media/Research Organization/Educational Association. 1.0% (Down from 2.5%)

15. What area best describes your primary function in the conduct of your organization’s eDiscovery business?

  • Legal/Litigation Support. 71.4% (Down from 78.7%)
  • Business/Business Support (All Other Business Functions). 22.9% (Down from 18.8%)
  • IT/Product Development. 5.7% (Up from 2.5%)


Source: ComplexDiscovery


ACEDS Partners with Cellebrite

May 19, 2020 – EAGAN, Minn. – The Association of Certified E-Discovery Specialists (ACEDS), the world’s leading e-discovery training and certification professional association and part of The BARBRI Group, today announced a partnership with Cellebrite, Inc., the global leader of Digital Intelligence (DI) solutions for law enforcement, government and enterprise organizations. As an ACEDS Affiliate Partner, Cellebrite will work hand in hand with ACEDS to address the data deluge that its global membership of eDiscovery professionals is facing with education, training and professional development.

“We are proud to join the ACEDS community of leaders and experts in e-discovery training, to help shape the legal profession’s technological evolution,” said Steve Altman, Senior Vice President at Cellebrite. “This partnership will help us expand our reach to educate the global community about the importance of Digital Intelligence in mobile, computer and cloud forensics.”

The partnership will drive collaboration with ACEDS global members, leveraging and contributing to the community’s collective knowledge and expertise, as well as the association’s education, marketing, training and professional development resources. Employees and partners of Cellebrite can now access ACEDS’ breadth of job tools and networking forums, global chapter network and events, and best-practice-oriented worldwide community of professionals.

“We are excited to provide Cellebrite’s Digital Intelligence solutions to our global membership of eDiscovery professionals so that they can more effectively collect, process, integrate, and manage customer needs,” said Mike Quartararo, President, ACEDS and Professional Development.

About ACEDS
The Association of Certified E-Discovery Specialists (ACEDS), part of leading legal education provider The BARBRI Group, is a global member-based association for professionals who work in e-discovery, information governance, compliance and the broader legal community. ACEDS provides training and certification in e-discovery and related disciplines to corporate legal departments, law firms, the government, service providers and institutions of higher learning. Our CEDS certification is recognized around the world and used to verify skills and competence in electronic discovery for organizations and individuals through training, certification and ongoing education. The CEDS credential is held by practitioners at the largest Fortune 500 companies, Am Law 200 firms and government agencies. ACEDS has 23 chapters, with locations in most major US cities, the UK, Ireland, Canada, the Netherlands and South Africa (with Australia and South America chapters coming soon). Our goal is to help professionals and organizations reduce the costs and risks associated with e-discovery while helping to improve and verify their skills and advance their careers and overall technology competence in e-discovery and related fields. http://www.aceds.org/

About Cellebrite
Cellebrite is the global leader of Digital Intelligence solutions for law enforcement, government and enterprise organizations. Cellebrite delivers an extensive suite of innovative software solutions, analytic tools, and training designed to accelerate digital investigations and address the growing complexity of handling crime and security challenges in the digital era. Trusted by thousands of leading agencies and companies in more than 150 countries, Cellebrite is helping fulfill the joint mission of creating a safer world. To learn more visit us at www.cellebrite.com

 

FOR IMMEDIATE RELEASE
Contact: Cindy Parks
913.526.6912
cindy@parkscommunications.com


Apple iPhone Forensics: An Update from the Trenches

Thirteen years have passed since the first-generation iPhone was released in 2007, and more than twenty different iPhone models have been released in that time. Each model brings better hardware specs, and every major iOS update brings newer features. Digital forensic capabilities have grown over time, and examiners are able to recover and analyze more data than ever before that may prove vital to your case during litigation. The increase in capability allows new types of data to be extracted and recovered, including communications and other important user-generated data.

Deleted Data

One of the most common types of forensic analysis performed on Apple iPhones is the recovery of deleted data. It is often possible to recover significant amounts of deleted information, including internet history and search queries, along with communications and attachments (iMessages, text messages, and third-party chat applications). When information is deleted from an Apple iPhone device, the data remains in the free space of the device or within the structure of a database file (mainly SQLite format), where it can potentially be overwritten by new information coming onto the phone. Unfortunately, overwritten data is unrecoverable. Attorneys should be wary if an expert guarantees the recovery of any specific deleted information the attorney is seeking.
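The SQLite behaviour described above can be reproduced on a throwaway database. This is an added example, not code from the original article; the `message` table, the marker text and the settings (secure_delete off, rollback journal) are assumptions chosen for the demonstration.

```python
import os
import sqlite3
import tempfile

MARKER = "constructed-deleted-msg-"  # constructed sample text, not real evidence


def raw_hits(path):
    """Count occurrences of MARKER in the raw bytes of the database file."""
    with open(path, "rb") as fh:
        return fh.read().count(MARKER.encode())


def deleted_remnants_demo(kept=20, deleted=300):
    """Track how long 'deleted' message text stays inside a SQLite file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms_constructed.db")
        con = sqlite3.connect(path)
        try:
            # Assumption: the database does not zero freed space
            # (secure_delete off) and uses a rollback journal, not WAL.
            con.execute("PRAGMA secure_delete = OFF")
            con.execute("PRAGMA journal_mode = DELETE")
            con.execute(
                "CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
            bodies = ["kept-msg-%04d" % i for i in range(kept)]
            bodies += [MARKER + "%04d " % i + "x" * 80 for i in range(deleted)]
            con.executemany("INSERT INTO message (body) VALUES (?)",
                            [(b,) for b in bodies])
            con.commit()
            out = {"file_hits_before_delete": raw_hits(path)}

            # The user deletes the messages; SQL no longer returns them.
            con.execute("DELETE FROM message WHERE body LIKE ?",
                        (MARKER + "%",))
            con.commit()
            out["sql_rows_after_delete"] = con.execute(
                "SELECT count(*) FROM message WHERE body LIKE ?",
                (MARKER + "%",)).fetchone()[0]
            # Emptied pages are parked on the freelist with their old bytes.
            out["freelist_pages"] = con.execute(
                "PRAGMA freelist_count").fetchone()[0]
            out["file_hits_after_delete"] = raw_hits(path)

            # VACUUM rebuilds the file from live rows only, which overwrites
            # the remnants: the "overwritten data is unrecoverable" case.
            con.execute("VACUUM")
            out["file_hits_after_vacuum"] = raw_hits(path)
            return out
        finally:
            con.close()


if __name__ == "__main__":
    for stage, value in deleted_remnants_demo().items():
        print(stage, value)
```

The deleted text stays readable in the raw file after the DELETE even though no query returns it, and it disappears once the file is rewritten.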

Since Apple’s implementation of the encrypted file system on its iPhones, when images and videos are deleted they are immediately removed from the device and cannot be recovered. However, deleted images and videos may exist within a previous backup of the device, so be sure to ask users about those. iPhone backups can exist within Apple’s iCloud Service or as a locally created backup stored on a computer system. In addition, thumbnail views of the deleted images may be recoverable from the device.

Location Data

Phones rely upon location data to improve overall user functionality and experience. Examples include using GPS coordinates for travel directions, health information such as how far you walked, and location data that is collected and used for targeted advertisements. Location data can also be stored within photographs taken with the device, as one of many Exchangeable image file format (“EXIF”) metadata values stored within a photograph. On iPhones, location data is stored by default within photos taken with the device. There may also be additional metadata of interest, such as the creation date and time and the model of the device the photo was taken with.
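To show where these values sit inside a photo, the following added example (not from the original article) parses the TIFF-structured EXIF block that a JPEG carries in its APP1 segment and pulls out the model, timestamp and GPS position. The sample block, including the device name and coordinates, is constructed here for illustration.

```python
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def read_ifd(tiff, offset, endian):
    """Return {tag: raw value bytes} for the IFD at `offset`."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, value = struct.unpack_from(
            endian + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 0) * n
        if size == 0:
            continue  # a type this parser does not decode
        if size > 4:  # too big for the entry: the 4 bytes are an offset
            (ptr,) = struct.unpack(endian + "I", value)
            if ptr + size > len(tiff):
                raise ValueError("EXIF value points outside the block")
            value = tiff[ptr:ptr + size]
        entries[tag] = value[:size]
    return entries


def text(value):
    """Decode a NUL-terminated ASCII EXIF value."""
    return value.split(b"\x00")[0].decode("ascii", "replace")


def degrees(value, ref, endian):
    """Convert three RATIONALs (deg, min, sec) plus N/S/E/W to signed degrees."""
    d_n, d_d, m_n, m_d, s_n, s_d = struct.unpack(endian + "6I", value)
    if 0 in (d_d, m_d, s_d):
        raise ValueError("zero denominator in GPS coordinate")
    deg = d_n / d_d + m_n / m_d / 60 + s_n / s_d / 3600
    return -deg if ref in ("S", "W") else deg


def parse_exif(tiff):
    """Extract model, timestamp and GPS position from a TIFF/EXIF block."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, endian)
    info = {}
    if 0x0110 in ifd0:                      # Model
        info["model"] = text(ifd0[0x0110])
    if 0x0132 in ifd0:                      # DateTime
        info["datetime"] = text(ifd0[0x0132])
    if 0x8825 in ifd0:                      # pointer to the GPS IFD
        (gps_off,) = struct.unpack(endian + "I", ifd0[0x8825])
        gps = read_ifd(tiff, gps_off, endian)
        if all(tag in gps for tag in (1, 2, 3, 4)):
            info["latitude"] = degrees(gps[2], text(gps[1]), endian)
            info["longitude"] = degrees(gps[4], text(gps[3]), endian)
    return info


def build_sample(endian="<"):
    """Constructed EXIF block (values invented here, not from a real photo)."""
    def entry(tag, typ, n, value):
        return struct.pack(endian + "HHI4s", tag, typ, n, value)

    def u32(x):
        return struct.pack(endian + "I", x)

    model, when = b"ExamplePhone\x00", b"2020:05:19 10:15:30\x00"
    lat = struct.pack(endian + "6I", 44, 1, 48, 1, 1512, 100)  # 44 48' 15.12"
    lon = struct.pack(endian + "6I", 93, 1, 10, 1, 3000, 100)  # 93 10' 30.00"
    model_off = 8 + 2 + 3 * 12 + 4          # after the header and IFD0
    when_off = model_off + len(model)
    gps_off = when_off + len(when)
    lat_off = gps_off + 2 + 4 * 12 + 4      # after the GPS IFD
    lon_off = lat_off + len(lat)
    ifd0 = (struct.pack(endian + "H", 3)
            + entry(0x0110, 2, len(model), u32(model_off))
            + entry(0x0132, 2, len(when), u32(when_off))
            + entry(0x8825, 4, 1, u32(gps_off)) + u32(0))
    gps = (struct.pack(endian + "H", 4)
           + entry(1, 2, 2, b"N\x00") + entry(2, 5, 3, u32(lat_off))
           + entry(3, 2, 2, b"W\x00") + entry(4, 5, 3, u32(lon_off)) + u32(0))
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "H", 42)
    return header + u32(8) + ifd0 + model + when + gps + lat + lon


if __name__ == "__main__":
    print(parse_exif(build_sample()))
```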

Communication Data

Another popular type of forensic analysis is examining the recovered communication history, including active and deleted content. Messages from third-party applications may not be stored locally on the device but rather on a server. Such messages cannot be recovered during a forensic examination of an image of the device, but may be recoverable through the “live” application itself. Consulting with a digital forensics expert will be your best bet if messages from a third-party application are of the utmost concern. This will allow your expert to determine the best course of action to preserve and obtain the third-party communications.

New Capabilities

Recently, a new Apple iPhone exploit has surfaced, allowing even more data to be collected and extracted from iPhones. This game-changing exploit has been named “checkm8” (pronounced: ‘checkmate’) and is a potential evidence goldmine for forensic examiners everywhere. This bootrom jailbreak allows alternative software to load at device startup when the phone is powered on, providing the examiner access to additional areas of the file system not previously available through the typical acquisition process of an iOS device.

The forensic science and capabilities of Apple iPhone examinations are rapidly changing, just like the technology and software of the devices. It is best to consult with a forensic expert who specializes in mobile device forensics before any steps are taken to extract content from the device to ensure best practices are followed when dealing with potential evidence that may be vital to the case.


How to Manage Global Data Under CLOUD Act Governance

(This article is brought to you courtesy of the International Association of Privacy Professionals (IAPP) and first appeared in The Privacy Advisor, IAPP’s original content publication for privacy professionals.)

It’s common knowledge that the U.S. government, with a subpoena or warrant, can compel companies to disclose data about companies and individuals. All governments have some type of legal capability to request data from information providers.

What is surprising to many, even those of us in IT, is that with the 2018 Clarifying Lawful Overseas Use of Data Act, the U.S. government can compel a U.S. company that is hosting data in another country to comply with such information requests. For example, if a Malaysian company is hosting data in Amazon Web Services’ Singapore region, Amazon will have to comply with U.S. subpoenas and warrants to disclose the data.

The CLOUD Act was passed to amend the Stored Communications Act of 1986, after Microsoft took a case all the way to the U.S. Supreme Court to avoid disclosing data that was stored on a Microsoft server in Ireland. There are also similar laws in other countries, such as Australia, that go beyond the CLOUD Act, as they can be executed without disclosure.

Banks, health care providers and other large companies are highly concerned about the U.S. government having access to their data outside of their own countries’ legal process for accessing data.

If your company is storing German data and the German government can legally request the data, this should, of course, always be complied with and be expected by your German customer. If your company is storing Kuwaiti data in Canada, the Kuwaiti customer will be very concerned if the Australian government can access that data without following either Kuwaiti or Canadian laws and processes.

So how can a U.S.-based company that is storing regulated data globally alleviate these customer concerns?

Disclose governmental access possibilities to prospects and customers

First off, when selling to international customers, be proactive in describing the jurisdictional controls that would apply to their data. It is better to address these issues head-on and upfront rather than when your software deal hits legal and compliance. Being proactive will save both your prospect and you wasted time and effort in case they are not willing to have their data disclosed to the U.S. government outside of their country’s legal procedures.

Restrict where data is hosted and which staff can access data

One option is to avoid U.S. cloud vendors and evaluate foreign clouds promoting themselves as hosting solutions beyond the reach of the CLOUD Act. It’s also important to have controls in place that restrict access to data. Specifically, for technology companies, engineers should never have access to production data. Do you think the front-end engineer that works on your bank’s website should make their debugging job easier with access to your personal bank records? Absolutely not. Every company needs to have strict data controls. 

Move your US-based company to a data-friendly jurisdiction

If storing regulated data is a company’s primary business, consider moving your company’s headquarters to a data-friendly jurisdiction. Countries like Singapore and free trade zones like Abu Dhabi General Market are increasingly attracting high tech companies that need to instill customer trust in data storage. In countries where data disclosure of foreign data can be compelled, employees should work for a distinct subsidiary with absolutely no access to data or the right to direct employees in other countries to access data. For example, a company that is headquartered in the United Arab Emirates would have subsidiaries in the U.S. and Europe. The U.S. subsidiary would comply with U.S. government subpoenas and warrants for U.S. data but would not be able to comply with U.S. government subpoenas and warrants for Russian data.

Work with a systems integrator or local hosting partner to manage customer data

New technology trends, such as cloud native and Kubernetes, enable a partner to deploy and manage a software deployment on their own servers. With this mechanism, a systems integrator or local hosting provider can host your software on behalf of a customer. This may sound familiar to those who have been around IT for a while because it is very similar to a customer or partner running an on-premises version of your software. You provide the software, but you have no control over or access to the servers running the software or the data within the servers. This type of deployment may not be suitable for your company, as it requires a very modern software stack and a deep technical support team.

As the world’s data laws become increasingly fragmented, companies that store and manage regulated data need to seriously consider exactly under which jurisdictions they are storing data. International customers are making this part of their selection criteria.

Photo by Kyle Glenn on Unsplash