
One Ethics Rule Leads to Another: Technology Competence and the Duty of Supervision

There are two ways lawyers can satisfy their ethical duty of technology competence. One way is by learning about technology and becoming more proficient in the use of legal tech tools. The other is by working in association with tech savvy lawyers and legal professionals.

From an ethics standpoint there is a key distinction between competence by education and by association. A lawyer who directs others’ work has a duty to make reasonable efforts to assure compliance with all applicable Rules of Professional Conduct.

The supervisory duty is found in Rule 5.1 (work performed by other lawyers) and Rule 5.3 (work performed by non-lawyers). The duty has three distinct components.

With power comes responsibility: partners and firm-wide ethics

First, partners have added ethical responsibilities because of their managerial role. ABA Model Rule 5.1/5.3 (a) provides:

(a) A partner in a law firm [or a lawyer having comparable managerial authority] shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all [lawyers and staff] in the firm conform to the Rules of Professional Conduct.

These are a few steps partners can take to raise the level of technology competence at their firms:

  • Pay for continuing legal education and technology training for lawyers and staff.
  • Be supportive of scheduling requests to take advantage of education and training opportunities, especially when made by staff and junior lawyers.
  • Set an example by attending in-firm programs and following good security practices.

Managing a legal team brings ethical responsibilities

The next provision has a wider scope. It applies to any lawyer who directly supervises another’s work. ABA Model Rule 5.1/5.3 (b) reads:

(b) A lawyer having direct supervisory authority over [another lawyer or a non-lawyer] shall make reasonable efforts to ensure that the [other lawyer or non-lawyer] conforms to the Rules of Professional Conduct.

These are three ways to incorporate ethics into the collaboration playbook:

  1. Focus on decision making in project planning – It’s important to define roles and responsibilities at the outset of every project. The supervising lawyer’s key role when delegating technology-related tasks is decision maker. Lawyers are encouraged to rely on others for tech education, advice and support. But they are still in charge and responsible for making informed decisions. This responsibility is imposed by the rules of civil procedure in addition to the rules of ethics.
  2. Stay informed about project progress – Setting expectations for communications is likewise important in project setup. This relates directly to Rules 5.1 and 5.3 because knowing what’s going on is a prerequisite to meaningful supervision. The communications plan should cover frequency and means. Err on the side of over-communicating when supervising inexperienced lawyers and staff or working with a vendor for the first time.
  3. Evaluate ethics in vendor selection – Confidentiality is always a paramount concern in outsourcing legal work. Evaluate all potential vendors on security of confidential information and privileged communications. Other ethics rules may come into play depending on the legal matter or task. For instance, investigations often raise some of the numerous rules about communications. Ask targeted questions during vendor selection to cover these areas.

Active management (not to be confused with micromanagement!) is a key element of effective collaboration. Rules 5.1 and 5.3 make it an ethical duty too.

Outsourcing an unethical act adds up to two rules violations

Last but by no means least is the prohibition on unethical conduct by proxy. ABA Model Rule 5.1/5.3 (c) provides:

(c) A lawyer shall be responsible for [another’s] violation of the Rules of Professional Conduct if:

  1. the lawyer orders or, with knowledge of the specific conduct, ratifies the conduct involved; or
  2. the lawyer is a partner [or has comparable managerial authority] or has direct supervisory authority over the [other lawyer or non-lawyer], and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take remedial action.

Note that paragraph (c)(1) applies to all lawyers from the newly minted to senior partners. It’s just common sense that lawyers can’t get around the rules of ethics by instructing somebody else to do what they can’t do themselves.

In the technology arena, social media has repeatedly proved a top danger zone. It’s good practice to delegate social media investigations and discovery to law firm staff or vendors with the right skills and software tools. But in doing so lawyers must take care that everyone involved understands and abides by these three rules of professional responsibility:

  • 4.2 Communication with Person Represented by Counsel prohibits unauthorized direct communication with people represented by counsel.
  • 4.3 Dealing with Unrepresented Person provides a lawyer must not state or imply disinterest when communicating with an unrepresented person on behalf of a client.
  • 7.1 Communication Concerning a Lawyer’s Services prohibits false or misleading communications about the lawyer or the lawyer’s services.

Education and association are complementary answers to the problem of technology competence. Competence by association doesn’t just supplement education, it promotes it too. Delegating tech tasks is a prime opportunity to learn about relevant technology. Lawyers should seize the educational opportunity as they fulfill their ethical duty of supervision.


Departing Employees, Data Theft, and Digital Forensics

In late 2019, Infosecurity Magazine reported that 72% of former employees admitted taking company data with them when they left. Determining what a former employee did on a company device in the period leading up to departure helps establish whether company data was stolen or misappropriated. Did the departing employee retire or leave for a competitor? Were they forthcoming about their intent to depart, or was it abrupt? Depending on the specifics of the situation, it may be advisable to perform a digital forensic investigation to find the answers.

It’s Never a Bad Idea to Preserve a Former Employee’s Devices

When an employee decides to leave a company, it may be time to forensically preserve the contents of the employee’s business device(s), including cloud-based accounts. This means devices provided by the employer for the employee’s work, not personal devices. Preservation ensures the digital data has been collected in a manner that is admissible in court (should that be the outcome). If the device is not preserved and is instead reallocated to another employee, important information about the previous employee’s actions on the device may be overwritten.

Once the devices used by the employee have been forensically preserved, analysis may begin.

What Evidence May be Available?

USB device activity – This type of analysis determines what USB devices (removable storage devices) were plugged into the system by the user, and when. Reviewing the USB device activity together with file access records may make it possible to determine whether files were transferred from the device to external storage.

Sent and received emails – Reviewing the work email account may reveal file transfers via email to personal accounts, messages that have been deleted, and whom the employee was communicating with about their departure.

File sharing websites – From Dropbox to Google Drive, employees may use online file sharing websites and applications to take company data. A review of the web browser history, including active and deleted records, may show access to file sharing websites as well as possible file uploads. It is also advisable to check whether any file sharing programs have been installed on the work computer or mobile device.

Device activity prior to departure – This type of analysis helps determine what the user did on the device before leaving the company. Were a large number of files deleted? Were programs uninstalled or removed? It can give a good picture of what was going on in the days leading up to the separation.
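One way to put USB-install records and file-access records side by side, as an added example that is not part of the original article: the Python below parses lines in the layout of Windows setupapi.dev.log (the sample lines, device names and serials are constructed) and pairs each file opened from a non-C: drive with the most recent removable-disk install that preceded it. The file-access records stand in for what an examiner would pull from LNK files, jump lists or shellbags. Mapping a drive letter to a device by recency is a simplification; an examiner would confirm the mapping from the MountedDevices and USBSTOR registry keys.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of Windows setupapi.dev.log. The device
# names and serials are invented; only the line format follows the real log.
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2020/03/11 14:22:31.123
<<<  Section end 2020/03/11 14:22:32.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2020/03/11 14:22:33.001
<<<  Section end 2020/03/11 14:22:34.778
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B1A2B3C4D&0]
>>>  Section start 2020/03/12 09:05:10.500
<<<  Section end 2020/03/12 09:05:11.900
<<<  [Exit status: SUCCESS]
"""

# Constructed file-access records (path + last access time), standing in for
# what an examiner extracts from LNK files, jump lists or shellbags.
FILE_ACCESS = [
    {"path": "C:\\Users\\jdoe\\Documents\\notes.docx", "accessed": "2020-03-11 14:10:00"},
    {"path": "E:\\ClientList.xlsx", "accessed": "2020-03-11 14:31:05"},
    {"path": "E:\\Pricing\\Q1-Margins.pptx", "accessed": "2020-03-11 14:33:40"},
    {"path": "E:\\Resume.docx", "accessed": "2020-03-12 09:07:22"},
    {"path": "F:\\old-backup.zip", "accessed": "2020-03-01 11:00:00"},  # before any logged install
]

# Only USBSTOR entries are removable-disk installs; the plain USB\VID_... entry
# for the same stick is the hub-level device and is skipped.
DEVICE_RE = re.compile(r"^>>>\s+\[Device Install .* - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
ID_RE = re.compile(r"Ven_([^&]+)&Prod_([^&]+)&Rev_[^\\]+\\([^&]+)&\d+$")


def parse_usb_installs(log_text):
    """Return each USBSTOR (removable disk) install with vendor, product, serial and time."""
    installs, pending = [], None
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.group(1)          # remember the device id until its Section start
            continue
        m = START_RE.match(line)
        if m:
            if pending:
                ids = ID_RE.search(pending)
                installs.append({
                    "vendor": ids.group(1) if ids else "?",
                    "product": ids.group(2) if ids else "?",
                    "serial": ids.group(3) if ids else pending,
                    "installed": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                })
            pending = None
    return sorted(installs, key=lambda d: d["installed"])


def correlate(installs, file_access, window=timedelta(hours=24)):
    """Pair each file access on a non-C: drive with the most recent removable-disk
    install before it (within `window`). Returns (path, device, seconds_after_install).
    Assumption: recency approximates the drive-letter-to-device mapping."""
    hits = []
    for rec in file_access:
        if rec["path"][:2].upper() == "C:":
            continue
        t = datetime.strptime(rec["accessed"], "%Y-%m-%d %H:%M:%S")
        prior = [d for d in installs if d["installed"] <= t and t - d["installed"] <= window]
        if prior:
            dev = prior[-1]               # installs are sorted, so last is most recent
            label = f"{dev['vendor']} {dev['product']} s/n {dev['serial']}"
            hits.append((rec["path"], label, int((t - dev["installed"]).total_seconds())))
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_usb_installs(SETUPAPI_LOG), FILE_ACCESS):
        print(hit)
```

The third access record lands on the Kingston device rather than the SanDisk one because the Kingston install is the more recent of the two within the window; the F: access has no logged install before it and produces no pairing, which is itself a finding (a device used before the log’s earliest entry, or a log that was rotated).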

Deleted file recovery – If a former employee has deleted files before turning their device over, forensic software may have the capability to locate and restore these previously existing files.

Internet history and searches – Web browser history may play a helpful part in determining activity prior to leaving the company. Internet history analysis has the capability to show what websites were visited and when, as well as the ability to recover deleted web browser history and searches. You may also find file access records within the browser history cache which can show when files were accessed and from what location.

Conclusion

Engaging a digital forensics company to analyze a former employee’s business devices can ultimately act as a guard to protect an organization’s intellectual property. If nothing else, consulting with a digital forensics expert can assist in analyzing the situation and offering suggestions on the best way to move forward.


Legal Tech: The Intersection of E-Discovery and Cybersecurity: You’ve Come a Long Way, Baby

Data is an asset and a liability. It fits into both accounting columns and will not fail to be used against a corporate entity if not secured properly. Databases contain trade secrets, personally identifiable information, HIPAA-protected health care information, proprietary information and classified data. They also house sensitive information and evidence of liability or criminal behavior. As the size of databases grew, one thing became apparent: the information stored in those repositories had to be kept secure. As the importance of data became more evident, so did the importance of information security and cybersecurity.

Lawyers and cybersecurity experts were forced together as soon as employees had access to the internet. Before data breaches became the norm, the ugly secret in the IT closet was the amount of pornography in databases. Employees were searching pornographic materials at work, from their work desktops, and they seemed to believe that no one would ever find out. Unfortunately for them, when lawyers conducted ediscovery for investigations and litigation, they uncovered large volumes of pornography in their clients’ databases. Attorneys were obligated to inform corporate executives of this behavior, including the who, what and when. It was not long before firewalls were installed to block pornographic websites and other nefarious sites.

Lawyers routinely battled over the discovery of electronic data and how to get more data from adversaries in court. Receiving more data also meant reviewing more data. Lawyers reviewed data by looking at every document for relevance and privilege. But what good is it to pore over documents and strategically produce data if a hacker can breach your client’s database, exfiltrate all of the most sensitive data and post it on the dark net? Lawyers needed information security and cybersecurity experts to help block unauthorized access from the Internet.

Meanwhile, the military and intelligence community were light-years ahead of lawyers. They compiled classified data and kept it from being compromised. The IC was aware of the value of sensitive intelligence data and the hazards of that data falling into the wrong hands. Thus, the military created cybersecurity tools and protocols within the Air Force Computer Emergency Response Team in the late 1990s — primarily network defense tools. Lawyers were largely unaware of and had no access to them, but as corporations and other governmental agencies started looking for ways to protect their most valuable assets, they had to turn to the U.S. government for help. The two professions rarely speak the same language but have the same goals and are often in the room at the same time. For information security and data security, the federal government led the way, with corporations following closely behind, leaving only law firms still lagging.

In 2002, Congress enacted the Federal Information Security Management Act (FISMA), 44 U.S.C. § 3541, et seq. As part of the E-Government Act of 2002, FISMA created the foundation for information security in the federal government and recognized the importance of InfoSEC to the economy and national security.

As data grew, federal CIOs recommended moving data to the cloud to reduce the government’s on-site data storage and risk. Lawyers did not agree. Lawyers tend to be risk averse, unfamiliar with cybersecurity and very busy. They had no intention of pushing their data outside of their agency. There was one exception: the Department of Justice has had a contract known as Mega for litigation support for over 20 years. Early on, the Mega contractors were primarily defense companies like Lockheed Martin and CACI. The DOJ controlled the environment and worked seamlessly with the Mega contractors for a couple of decades. All federal agencies could utilize that contract for litigation support help. It was convenient because the security component was handled by the DOJ and the contractors were in the defense business.

However, by 2010, federal agencies were looking to upgrade their ediscovery platforms to more modern and robust tools only available in the cloud. Law firms and corporations were using ediscovery vendors to host robust and revolutionary software applications in their environment. Technology-assisted review, computer-assisted review and predictive coding became the norm for the private sector. These tools were innovative and saved time and money, but for the private sector, there was no standard security protocol for hosting third-party data. In fact, while each vendor follows some form of security protocol today, there is still no standard in the private sector. Vendors cobble their security programs together based on ISO and NIST publications.

In 2011, the Office of Management and Budget authorized, via memorandum, the Federal Risk and Authorization Management Program (FedRAMP), and the FedRAMP Program Management Office was established in 2012. The purpose of FedRAMP was to provide a set of guidelines and protocols for securing government data in the cloud. A FedRAMP authorization consists of 170+ controls and subcontrols that secure cloud infrastructures, networks and databases. Many of these controls are policies. The bulk of data in agencies that investigate and litigate is used by attorneys. To avoid breaches of legal data, federal agencies locked down their data behind firewalls.

FedRAMP authorization allowed federal agencies to put their data in the cloud, but it was an expensive and painful process for those with no knowledge of cybersecurity. Until this year, only three ediscovery companies had made it through the FedRAMP authorization process. Meanwhile, data breaches were becoming a common occurrence.

If you are an attorney and you need ediscovery tools, having them behind the firewall of your corporation, firm or agency is no longer the best option. Having the technical expertise, budget and variable options for the management of terabytes and petabytes of legal data is not usually feasible. Multinational organizations and financial institutions are the only entities that can support such infrastructure, and most of them still use cloud-based vendors for ediscovery.

The best cybersecurity experts come straight out of the government. They are in our armed forces, the intelligence community and entities that include DHS and the White House, and they have been dedicated to protecting our government networks from attack. Therefore, using a FedRAMP-authorized vendor is turning out to be the best option for agencies. The FedRAMP guidelines work as private sector guidelines too. Legal departments, CISOs and vendors are working together to meet the FedRAMP guidelines to build secure environments for the tools of their choice.

The fight to keep data safe has become an extremely complex and expensive endeavor. A 2019 study by Emsisoft reported that in 2019 at least 966 health care providers, government agencies and educational institutions in the U.S. were targeted by ransomware attacks. See The State of Ransomware in the US: Report and Statistics 2019 (Dec. 12, 2019). The cumulative cost of those attacks to taxpayers was more than $7.5 billion. Id. The number of attacks on law firms and corporate legal departments is also increasing and jeopardizing attorney-client privilege. Let us look at some recent data breaches and what could have prevented them.

Federal Breach: OPM

In 2014 and again in 2015, the U.S. government discovered the theft of all personnel security clearance information, including background investigation files and fingerprints. The attackers obtained valid user credentials and deployed malware that installed itself on the Office of Personnel Management’s network and established a back door. More than 20 million records were exfiltrated. The Chinese government reportedly stole the entire database. The fallout from this breach is so wide-reaching that we may never know how many Americans were targeted after China analyzed the data. Basic cyber hygiene could have helped prevent and detect the initial attack in its early stages, before the attackers had enjoyed almost 18 months of access to OPM’s network. Routine patching, user awareness and trained network defenders would have significantly reduced risk. Enhanced protections and monitoring around the OPM security file database could also have reduced the damage and the exposure of millions of U.S. government employees’ security files.

State Breach: IDES

The Illinois Department of Employment Security contracted with a vendor to launch the Pandemic Unemployment Assistance Portal as an add-on to its unemployment system. The new PUA went live in May 2020. A few days later an outside entity discovered that a spreadsheet with the names, addresses and Social Security numbers of Illinois unemployment applicants was publicly visible on the website. Approximately 32,500 applicants’ personally identifiable information was exposed. This breach has been referred to by officials as a “glitch.” Free credit monitoring services are being offered to the victims.

New IT projects need to be put through an information assurance process, and data projects require quality assurance processes. A good IA process checks all the risks associated with the hardware, software and implementation of both. During the IA process is when any open portals should have been discovered. A good quality assurance program will check all permissions and access for data and would have discovered PII that was public facing. Neither process worked on this project. Contractors need to include these assurances before turning over a new system. The client must be involved and needs to see the results of both processes before going live.

Law Firm Breach: GSMS

Recently, Grubman Shire Meiselas & Sacks, a New York entertainment law firm to the stars, was hit with a ransomware attack. The attackers allegedly demanded 12 bitcoins for the decryption key. At the time of this writing, 12 bitcoins converts to about $111,265 — not a lot of money to a New York law firm. However, approximately 750 GB of attorney-client privileged data was also being offered on the Internet to the highest bidder. Ransomware is a particularly vicious cyberattack because it shuts your business down, destroys goodwill and breaches client trust. Law firms have been especially slow to seek out cybersecurity and information security experts before they get attacked. At least five law firms were hit with the so-called Maze ransomware in January 2020 alone.

Basic user awareness can help block ransomware. Initial attacks usually come in via phishing messages, phone calls and text messages. Never give up sensitive information nor click on links or attachments from unknown senders. Security email filtering and scanning for inbound email to law firms should be in place and only allow trusted file types. Finally, routine security updates for endpoint machines, mobile devices and servers need to be performed to close vulnerabilities.

E-Discovery Vendor Breach: Epiq Global

In February 2020, Epiq Global — an ediscovery vendor with 80 offices worldwide — was the victim of big-game hunting, a practice where Ryuk ransomware attackers go after large enterprises. Epiq Global hosts client data and third-party data for law firms and corporations. The attack followed a format usually used by the Ryuk attackers: A phishing scheme gathers administrator and user credentials to gain access to the network. This opens the door to spying, encrypting data and exfiltrating it or demanding a ransom and extorting the victims. Law firms and corporate legal departments around the world were impacted. The big question for law firms is whether these vendor breaches violate attorney-client privilege.

It comes down to end-user awareness, basic cyber hygiene and information separation as well as partitioned access for sensitive data. End users need to be able to identify potentially malicious messages and alert their cybersecurity team. If one user identifies a malicious message, there are likely nine other staff receiving the same message. Building an alert culture is key to helping secure sensitive data. Additionally, separating key databases and putting up enhanced protections such as access control and monitoring will help detect and identify anomalous behavior. Administrators must use a separate account and a separate machine for troubleshooting and maintenance of the crown jewel datasets. Finally, two-factor authentication for all users greatly reduces risk of user and administrator accounts being compromised.

As we see the ransomware attacks against law firms, state and local governments and corporations increase, the need for a set of cybersecurity standards for law firms that host client data also intensifies. The Association of Corporate Counsel is working on a new Data Steward program that will create a baseline for law firms and corporate counsel. In the meantime, lawyers would be wise to follow the FedRAMP Moderate authorization requirements for the hosting of client data. In the long run, it is less expensive than paying a ransom and losing the goodwill and trust of your clientele. Moreover, some of these breaches may eventually constitute a breach of attorney-client privilege and lead the courts to start sanctioning lawyers. The intersection of cybersecurity and ediscovery is complete.


Originally appeared in Cybersecurity Law & Strategy. © 2020 ALM Media LLC. Reprinted with permission.


Beyond Competence: Technology and the Duties of Candor and Fairness in Litigation

Technology competence is an ethical requirement in more than 40 states. Beyond Rule 1.1 Competence, knowing technology helps lawyers comply with the duty of confidentiality and other rules of professional conduct. For litigators that includes the duties of candor and fairness.

Technology regularly meets the duty of candor in litigation

The duty of candor governs statements to the court. ABA Model Rule 3.3 Candor toward the Tribunal provides in pertinent part:

(a) A lawyer shall not knowingly:

(1) make a false statement of fact or law to a tribunal or fail to correct a false statement of material fact or law previously made to the tribunal.

These are some commonplace scenarios in discovery that illustrate the importance of electronically stored information (ESI), eDiscovery workflows and litigation technology:

  • Case management plan has a section for the parties’ electronic discovery statements, including ESI sources and anticipated use of technology assisted review (TAR);
  • Telephonic discovery conference is held to resolve a dispute over the production format of mobile data;
  • Motion to limit the scope of discovery based on proportionality factors such as cost and burden to collect and review voluminous ESI;
  • Motion for sanctions for spoliation of text messages and instant messages alleges insufficient legal hold notice and failure to disable auto-delete settings;
  • Expert report cites date- and timestamps from metadata for key documents;
  • Attempted clawback of unintentionally produced privileged documents hinges on the reasonableness of producing party’s review protocol and quality control measures.

Technology intersects with fairness at many eDiscovery stages

Where candor is a duty owed to the court, fairness is a duty owed to the opposing party and counsel. ABA Model Rule 3.4 Duty of Fairness intersects with eDiscovery in two subsections.

First, subsection (a) provides:

[A lawyer shall not] unlawfully obstruct another party’s access to evidence or unlawfully alter, destroy or conceal a document or other material having evidentiary value.

The connection to preservation is obvious. Preservation failures, both unintentional and deliberate, consistently provide the most dramatic examples of lost discoverable data.

Spoliation can and does occur at other eDiscovery stages as well. In particular, metadata is easily altered during copying. It’s important to use defensible tools and processes during collection and processing. 

Second, subsection (d) provides:

[A lawyer shall not] in pretrial procedure, make a frivolous discovery request or fail to make reasonably diligent effort to comply with a legally proper discovery request by an opposing party.

Today technology is part and parcel of complying with discovery requests.

On the left side of the Electronic Discovery Reference Model (EDRM), litigators must navigate the clients’ systems to identify and collect responsive data sources. On the right side, litigation technology is used to effectively and defensibly search, analyze and review ESI.

What litigators need to know about technology to satisfy the duties of candor and fairness

As lawyers we have an ethical duty to make honest and accurate statements to the court and reasonable efforts to comply with our clients’ discovery obligations. A pragmatic paraphrase is that we have to know what we’re talking about and what we’re doing.

Competence in these core areas of eDiscovery technology provides a solid foundation for candor and fairness in litigation:

  • ESI – main types and sources relevant to the lawyer’s practice area;
  • Metadata – what it is, how to use it and spoliation risks;
  • EDRM – at a minimum a high-level understanding of the stages and progression of the eDiscovery workflow;
  • Preservation – preservation in place vs. preservation collection, high-risk areas (e.g., auto-delete settings, BYOD, employee separation);
  • Collection – importance of forensically sound collection and risks of client self-collection;
  • eDiscovery tech tools – best practices for using review platforms, search tools and analytics;
  • Production format – basic terminology and common pitfalls.

Arguably the most significant eDiscovery trends of the last few years are exploding data volumes and proliferating data types. Litigation technology continues to develop rapidly in response. As both the problem and the solution technology is an inescapable part of discovery.

eDiscovery Considerations with Business Use of Zoom

As companies nationwide shifted from in person to remote working overnight, there has been a concurrent increase in the use of video conferencing tools to collaborate internally and interact with clients. There are many different video conferencing tools currently experiencing a huge uptick in usage including Microsoft Teams, Cisco WebEx, Skype, and the focus of this article, Zoom.

The number of daily meeting participants in Zoom jumped from 10 million in January to 300 million in April, a nearly 3000% increase in three months. It is evident from these numbers that Zoom usage has increased exponentially as companies have had to shift to a new way of working. As with any electronic data, any new source of data a company is using must be carefully considered in terms of retention policies and potential legal obligations.

The use of Zoom as a business communication tool was likely implemented quickly and without enough time to consider all the potential eDiscovery implications. Consider Zoom as a new source of electronic data, like mobile phones, or Slack, or social media. It is important to understand what kind of data is being created and how that data should be handled. Additionally, because Zoom allows individual users to record meetings, the location of the data can also become very important. The bottom line is that Zoom is creating discoverable data. The goal of this article is to advise on the potential eDiscovery issues that could arise if a comprehensive and clear policy around the use of Zoom is not created and implemented now. 

Zoom Meetings that Are Not Recorded

Most companies can clearly see data retention issues if video is being preserved. But what if a Zoom meeting is not recorded? It is important to understand what types of records are created when meetings are not recorded, and how those records could affect discovery obligations in the future. Any time a Zoom meeting occurs, Zoom retains a record of that meeting. As a basic user, you can view under the Meetings tab a record of every Zoom meeting that you have scheduled or attended. The information on that tab includes the date, time, meeting ID and title of the meeting. This area also allows the individual user to delete a meeting from their history. From a discovery and collection perspective, this information is both hard to collect and not substantively very useful.

Administrators and owners of the account, however, have much deeper visibility into their organization’s usage of the platform. An administrator can view monthly reports on every Zoom meeting that has occurred, regardless of whether the meeting was recorded. Under the Reports tab, and then under Usage Reports, the Administrator can view and export daily usage reports that identify the number of new users, meetings, participants, and total of meeting minutes for each day. They can also drill down further for reports on their Active hosts and export a meeting report for any 30-day period of all the meetings that an organization has conducted over Zoom.

This report contains particularly valuable information, including the topic of the meeting, meeting ID, the user who set up the meeting, that user’s email, department and group, the meeting creation time, start and end time of the meeting, duration of the meeting, the names and email addresses of the attendees, and the join time, leave time and duration for each participant. Administrators are also able to export reports about inactive users, upcoming events, meeting registration or poll reports, and an overview of the cloud recording storage capacity. These reports can be retrieved for the previous twelve months, limited to a 30-day search range per export. The reports are exported as CSVs. The only way for an administrator or owner to delete the usage activity is to delete the user. Deleting a user permanently removes the user, including their meetings and recordings, from Zoom.
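Because each export is capped at a 30-day range, a collection of a year of usage means merging a dozen CSVs whose windows may overlap. The Python below is an added example, not Zoom’s tooling or code from the original article: it reads constructed report CSVs (the column names are assumed for illustration, not Zoom’s documented schema), deduplicates meetings that appear in more than one export, lists the meetings a given custodian hosted or attended within a date range, and splits a longer range into the 30-day export windows an administrator would have to request.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Two constructed exports whose 30-day ranges overlap, so the 03/25 meeting
# appears in both. The column names are an assumption, not Zoom's documented schema.
REPORT_MARCH = """\
Topic,Meeting ID,Host,Host Email,Department,Start Time,End Time,Participant,Participant Email,Join Time,Leave Time
Weekly sync,811 2233 4455,Ann Lee,ann@example.com,Sales,2020-03-18 10:00:00,2020-03-18 10:45:00,Bob Ray,bob@example.com,2020-03-18 10:01:10,2020-03-18 10:44:00
Weekly sync,811 2233 4455,Ann Lee,ann@example.com,Sales,2020-03-18 10:00:00,2020-03-18 10:45:00,Cara Diaz,cara@example.com,2020-03-18 10:03:00,2020-03-18 10:45:00
Vendor call,822 9988 7766,Bob Ray,bob@example.com,Sales,2020-03-25 15:00:00,2020-03-25 15:30:00,Dan Wu,dan@vendor.example,2020-03-25 15:00:30,2020-03-25 15:30:00
"""
REPORT_APRIL = """\
Topic,Meeting ID,Host,Host Email,Department,Start Time,End Time,Participant,Participant Email,Join Time,Leave Time
Vendor call,822 9988 7766,Bob Ray,bob@example.com,Sales,2020-03-25 15:00:00,2020-03-25 15:30:00,Dan Wu,dan@vendor.example,2020-03-25 15:00:30,2020-03-25 15:30:00
Exit interview,833 1122 3344,Ann Lee,ann@example.com,HR,2020-04-02 09:00:00,2020-04-02 09:40:00,Bob Ray,bob@example.com,2020-04-02 09:00:05,2020-04-02 09:40:00
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_reports(*csv_texts):
    """Merge participant-level rows from several exports into one dict of meetings
    keyed by (meeting ID without spaces, start time); overlapping exports collapse."""
    meetings = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Meeting ID"].replace(" ", ""), row["Start Time"])
            m = meetings.setdefault(key, {
                "topic": row["Topic"],
                "host": row["Host Email"].lower(),
                "start": datetime.strptime(row["Start Time"], TS),
                "end": datetime.strptime(row["End Time"], TS),
                "participants": {},
            })
            # The same participant row seen in two exports simply overwrites itself.
            m["participants"][row["Participant Email"].lower()] = (row["Join Time"], row["Leave Time"])
    return meetings


def meetings_for_custodian(meetings, email, since, until):
    """Meetings the custodian hosted or attended with a start date in [since, until],
    as (meeting_id, topic, start) tuples sorted by start time."""
    email = email.lower()
    found = []
    for (mid, _), m in meetings.items():
        if not (since <= m["start"].date() <= until):
            continue
        if m["host"] == email or email in m["participants"]:
            found.append((mid, m["topic"], m["start"].strftime(TS)))
    return sorted(found, key=lambda x: x[2])


def export_windows(first, last, max_days=30):
    """Split [first, last] into consecutive windows of at most max_days days, mirroring
    the 30-day limit on usage-report exports, so no day is left uncollected."""
    windows, start = [], first
    while start <= last:
        end = min(start + timedelta(days=max_days - 1), last)
        windows.append((start, end))
        start = end + timedelta(days=1)
    return windows


if __name__ == "__main__":
    merged = parse_reports(REPORT_MARCH, REPORT_APRIL)
    for row in meetings_for_custodian(merged, "bob@example.com", date(2020, 3, 1), date(2020, 4, 30)):
        print(row)
    print(export_windows(date(2020, 1, 1), date(2020, 3, 1)))
```

Two points carry over to a real collection: key the merge on meeting ID plus start time, since recurring meetings reuse one ID across occurrences, and generate the export windows from the hold period rather than by hand so that the twelve-month retention window is fully covered before the oldest days age out.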

Although the information that is retained for non-recorded meetings is not as expansive as a recorded meeting would be, there are many situations in which the failure to retain this data could run counter to preservation obligations. Federal and most local rules of civil procedure allow discovery regarding any non-privileged information relevant and proportional to the needs of the case. Depending on the litigation, a spreadsheet outlining that certain people were attending certain meetings on certain dates could be relevant. Companies need to be cognizant of the way this information is being maintained, saved, and collected to ensure they can comply with discovery obligations later. 

Zoom Meetings that Are Recorded

Zoom also allows meetings to be recorded, either locally to a computer or to the cloud. When a meeting is recorded, the following files are created: an MP4 video file, an M4A audio file and a TXT file of any chat that occurred during the meeting. Zoom can also transcribe meetings so you have a text record of what was said; if you enable the audio transcript option under Cloud Recording, Zoom automatically transcribes the audio and includes a separate .vtt text file. These are data sources created for recorded meetings in addition to the data preserved for any meeting, outlined above. Zoom retains cloud recordings, including the files listed above, until the account’s storage capacity is exceeded. Administrators can access and preserve any cloud-stored recording under Account Management, Recording Management in the administrator profile. However, the administrator can only access recordings that were stored to the cloud.

Depending on the account settings chosen by the administrator or owner, individual users or participants may also be able to store recorded copies of their meetings locally. This means that anyone who attends a meeting can keep a permanent copy of its audio, video and chat. From a discovery perspective, this is a data mapping nightmare. If a company has 50 people using Zoom daily to conduct business, and each of them records all their meetings locally, there are now 50 locations that could contain discoverable data. Picture the cost of collecting 50 different people’s local Zoom recordings folders from their work or personal computers.

Companies should be proactively thinking about which types of meetings need to be recorded and providing constructive guidance to their employees. In some industries, such as banking and publicly traded companies, there is a legal obligation to record transactions. In others, such as law firms or in-house counsel at a corporation, recording communications with clients can turn into an ethical morass. Obviously, there is no one-size-fits-all approach to the duty to record or not. Another area to consider is whether you have employees who, despite retention and compliance policies, are still creating unauthorized recordings. If your company gets sued, and those recordings fall under the relevance and proportionality rules, how are you going to locate and preserve that information?

The first question that should be considered and outlined clearly in policy is which types of meetings should be recorded. The second is when, or whether, those recordings should be deleted. If senior leadership holds a Zoom meeting to discuss terminating an employee in circumstances that could turn litigious, are you obliged to record it because litigation is reasonably anticipated and the duty to preserve applies? There is no clear-cut answer yet, as these cases have not been litigated. Companies should nonetheless carefully consider how, when and why they deploy the recording function.

From an eDiscovery perspective, Zoom recordings are an expensive proposition. Take the example above: if there are 50 relevant recordings, each on an individual’s computer, the company must collect and process all of those files into a review platform. Video and audio files are typically very large, which makes hosting the data expensive. Complicating matters further, if a user did not opt for a transcript, the video and audio must be transcribed or otherwise processed before their content can be text-searched. How will a company know whether a specific meeting is subject to a legal hold if it cannot search the content of that meeting?

Best Practices and Considerations

Next, we want to outline some best practices and considerations for using Zoom in a business context. Companies that have not already done so should draft and implement policies on the use of Zoom: when and how it should be used, when meetings should be recorded, and where recordings should be stored. Companies should also authorize their Zoom administrators to set account-wide permissions so that retained data lands in one central repository: local recording should be disabled and recording to the cloud required for all users. An administrator can enforce these company-wide requirements for how and when users record and where the recording is stored. Because administrators can also delete cloud recordings, they should be given clear instructions about what must be kept and what may be deleted. This way companies can readily identify and collect potentially discoverable information.

Administrators should be cognizant of the deletion timelines outlined above and download any available reports or recordings monthly. They should also watch the account’s Zoom storage capacity so potentially relevant data is not lost when it is exceeded. It would also be beneficial to keep an audit log of meetings and ensure employees keep it up to date; the log would record the date, time, attendees and what was discussed. Adding transcription to recorded meetings will also make the information far more searchable and usable in the future.
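As an added example, not code from the original post, the Python script below turns an exported Zoom meeting report of the kind described earlier (one row per participant per meeting) into the per-meeting audit log recommended above, identifies which meetings involve legal-hold custodians, and flags meetings about to age out of the twelve-month report window so they are exported before the next monthly pull. The column names and sample rows are constructed assumptions; check them against the CSV your own tenant exports.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an exported Zoom meeting report
# (one row per participant per meeting). Column names are assumed for
# illustration and should be checked against the CSV your tenant exports.
SAMPLE_REPORT = """\
Topic,Meeting ID,Host,Host Email,Department,Start Time,End Time,Participant Name,Participant Email,Join Time,Leave Time
Q3 Budget Review,111 222 3333,Ana Perez,ana@example.com,Finance,2020-05-04 09:00:00,2020-05-04 09:45:00,Ana Perez,ana@example.com,2020-05-04 08:58:00,2020-05-04 09:45:00
Q3 Budget Review,111 222 3333,Ana Perez,ana@example.com,Finance,2020-05-04 09:00:00,2020-05-04 09:45:00,Bo Lindqvist,bo@example.com,2020-05-04 09:01:00,2020-05-04 09:40:00
Vendor Contract,444 555 6666,Bo Lindqvist,bo@example.com,Legal,2019-06-10 14:00:00,2019-06-10 15:00:00,Bo Lindqvist,bo@example.com,2019-06-10 13:59:00,2019-06-10 15:00:00
Vendor Contract,444 555 6666,Bo Lindqvist,bo@example.com,Legal,2019-06-10 14:00:00,2019-06-10 15:00:00,Cy Okafor,cy@example.com,2019-06-10 14:05:00,2019-06-10 14:50:00
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_report(text):
    """Parse the exported CSV into one dict per participant row."""
    return list(csv.DictReader(io.StringIO(text)))


def build_audit_log(rows):
    """Collapse participant rows into one record per meeting: topic, host,
    start/end, and every attendee with their join and leave times."""
    meetings = {}
    for r in rows:
        m = meetings.setdefault(r["Meeting ID"], {
            "topic": r["Topic"],
            "host": r["Host Email"],
            "start": datetime.strptime(r["Start Time"], TS),
            "end": datetime.strptime(r["End Time"], TS),
            "attendees": {},
        })
        m["attendees"][r["Participant Email"]] = (r["Join Time"], r["Leave Time"])
    return meetings


def meetings_on_hold(meetings, custodians):
    """Meeting IDs that any legal-hold custodian hosted or attended
    (email comparison is case-insensitive)."""
    wanted = {c.lower() for c in custodians}
    return {
        mid for mid, m in meetings.items()
        if m["host"].lower() in wanted
        or wanted & {a.lower() for a in m["attendees"]}
    }


def aging_out(meetings, today, retention_days=365, warn_days=30):
    """Meeting IDs whose start date is within warn_days of dropping out of the
    twelve-month report window. `today` is an ISO date such as "2020-06-01"."""
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=retention_days - warn_days)
    return {mid for mid, m in meetings.items() if m["start"] <= cutoff}


if __name__ == "__main__":
    log = build_audit_log(parse_report(SAMPLE_REPORT))
    for mid, m in log.items():
        print(mid, m["topic"], m["start"], sorted(m["attendees"]))
    print("on hold for ana@example.com:", meetings_on_hold(log, ["ana@example.com"]))
    print("export before they age out:", aging_out(log, "2020-06-01"))
```

Run it against a real export with the custodian list from the hold notice; anything returned by aging_out should be exported and hashed the same month, since once it leaves the report window the only remaining record is the user’s own recollection.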

As we have outlined, many business decisions must be made around the use of Zoom for collaboration. Companies should proactively provide guidance to their workforce on the use of these applications. We can provide further guidance on best practices.


The Data Most People Don’t Know Exists

Technology has transformed our world, mostly for the better. We can take a road trip without a map in hand, get groceries delivered to our homes and keep track of our physical activity level in real time. But the tradeoff is that the devices we rely on are constantly collecting data about us — including some types of information that we never even think about.

In legal matters, all this collected information has great potential value, since attorneys can use it to help establish guilt or innocence. Let’s look closer at a few types of data that we may not realize our devices retain:

iPhone data collection

A number of different smartphone apps — Google Maps and Waze, for example — require access to users’ locations in order to be useful. Though some of these apps do continue to track users when they’re not in use, they often offer users an easy way to adjust that if they prefer. However, iPhones also track users using a separate feature that’s set to “on” by default. It’s the reason your phone always magically seems to know what time zone you’re in. (If you want to switch the feature off, you can go to Settings → Privacy → Location Services → System Services.)

One way in which iPhones are unique is that they provide information we need before we even realize we need it. It’s a convenience when my phone tells me the estimated drive time to work as I get into my car in the morning. And how many of us have realized, with great relief, that we can use the Find My feature to locate a missing device? Both of these features use location data, which, in a legal matter, could potentially be used as evidence to help establish either guilt or innocence.

Forensics professionals can extract a phone’s location history and use the data and metadata to place its user at a specific place at a certain time — either providing an alibi or disproving one. Some of this data, by the way, can be viewed with your phone’s System Services menu (tap on Significant Locations for a list of frequently visited places).

Android phones and Google

Android phone users aren’t immune to having their location data quietly collected; it is just collected in a slightly different way. Because Android phones are typically tied to a Google account, any information the phones collect goes back to Google. Google also records the activity of people who use Google Maps and the company’s Chrome browser, tying the information to those accounts. CNBC estimates that there are around 1.5 billion active Gmail accounts in the world, about 40 percent of the total number of email users worldwide.

Google collects about 50 categories of user data in total. A few examples:

  • Web searches and browser history
  • YouTube viewing history
  • Previous locations
  • Credit card numbers and shopping information
  • Health activity provided by connected fitness devices
  • Audio recordings of voice commands used with smart speakers

If you’re interested in seeing the activity that your Android device has stored, go to Settings → Google → Google Account → Data & Personalization → Activity & Timeline → My Activity.

Data on the internet

In addition to the data we leave on our personal devices, we share data on the internet — sometimes intentionally — for instance, on websites that require visitors to agree to some kind of privacy policy — and sometimes not. Take a look back through your Facebook or Twitter timeline and you might be surprised at what you’ve shared with friends or even the public without realizing it. Both of those social media platforms have a 30-day deletion policy, meaning that a deleted user account and all its information are preserved for 30 days before being removed.

Social media content can be tremendously useful in legal matters, but those managing the electronic discovery process must preserve any relevant information before the 30-day window passes. Once the data is removed, a court order or subpoena may be required to obtain it, assuming it is attainable at all. On the other hand, deleting data after the duty to preserve has attached can itself be used in court as evidence of spoliation and consciousness of guilt, and in some circumstances that alone can decide the case. To have the best chance of using social media data in litigation, be aware of the retention and privacy policies of the sites where the data could exist.

Advice for attorneys

Forensics professionals are the undisputed experts in tracking down and using data in a legally defensible way, so turn to them with any questions involving digital evidence in legal matters. If you’re an attorney working on a case in the discovery phase, here are four general guidelines to keep in mind:

  1. If it’s connected to the internet, it can be forensically collected: All of us have some amount of personal data on our phones and in the cloud. Even home devices like video doorbells or gaming consoles can contain information about user activity that might be relevant in a legal matter. Don’t automatically assume that this data isn’t retrievable. Make sure to ask a forensics professional about what data sources might be most relevant to your case and what evidence they might contain.
  2. Urgency is key: Just because certain data is available now doesn’t mean it always will be as easily accessible. As soon as you become aware of digital evidence of any kind, be sure to issue a legal hold so that it can’t be deleted. Depending on a device’s settings, data is usually retained for a certain amount of time, then gradually overwritten. A user might choose for their device to auto-delete text messages after 30 days, or even a shorter period. Some messaging apps allow for irrevocable deletion, so even if a legal team discovers that text messages older than 30 days contain relevant information, they might be out of luck.
  3. Technology is constantly improving: Modern touchscreen smartphones didn’t exist until 2007, and fitness trackers are only about 10 years old. Now both are ubiquitous. Fitness devices, in particular, track the location, activity level and health stats of users, providing potentially valuable information in legal matters, a tool that seemed inconceivable 15 years ago. Digital forensics is an evolving field, providing additional capabilities and options with each passing year. So, just because something seems impossible now doesn’t mean it will always be that way.
  4. The professionals know best: Computers and cellphones might be the primary places where data is stored, but they’re not the only sources of relevant material. Forensic investigators are going to be your best source of information about other potentially rich sources that might be out there. They also understand how to collect data in a way that captures any accompanying metadata and, crucially, maintains the integrity of the information so it can be used in a legal matter. Even experts in other areas of technology might not understand the best practices for evidence preservation, potentially making it unusable if a legal matter were to arise.

Because so much of our personal information is in some digital form, it’s essential in any legal matter to comb through all potential data sources to make sure the full story is being told. Sometimes, the data you didn’t know you had is exactly what you need to corroborate your side of the story.


Remembering eDiscovery Defensibility in a Crisis

Notwithstanding containment efforts, the coronavirus has spread worldwide. According to a recent McKinsey & Co. report, the U.S. economy could be in a state of recovery until as late as 2023. The hardest-hit sectors, commercial aerospace, air and travel, and oil and gas, might not even restart until sometime in 2021.

The COVID-19 pandemic is having a massive impact on a wide range of industries, including the eDiscovery space. However, despite the global crisis, litigation has not stopped and the eDiscovery process continues. Data is being collected, preserved, reviewed and produced, hopefully in a cost-effective and fully defensible manner.

Pandemic-Proofing Your eDiscovery Defensibility

COVID-19 has vast potential to expose flaws in the eDiscovery workflow, making the need for a defensible process more critical than ever. Here are some ways to strengthen your procedure:

  • Collect data defensibly. Collecting from a custodian’s laptop may not be possible under social distancing guidelines unless remote, enterprise-level forensic technology is available. Work with your outside and in-house counsel to formulate and document a plan ranking critical custodians by availability. Then prioritize available network sources such as file shares and email servers, and deprioritize physical media until collection is safe for both the collector and the custodian. The active collection approach varies from data source to data source, so work with your outside counsel and collection specialist on best practices for each source type. If your organization uses Microsoft O365, it may be time to develop a plan for using the eDiscovery and Legal Hold modules in the Security and Compliance Center to streamline and document collection from Microsoft systems.
  • Document your chain of custody. As data moves from its original source (Exchange, file shares, SharePoint and so on) to a collection destination such as a data landing zone, step-by-step documentation of the chain of custody is critical. Using hash values to track the data packages through your collection process is the best practice for authenticating the data downstream: compute the hash at the moment of collection and re-verify it at every handoff, so that any change or loss in transit is detected immediately rather than discovered at production. Whether your organization uses basic spreadsheets or automated workflow technologies, identifying the individuals on the team who are responsible and accountable for managing the data and the paper trail is vital.
  • Review provider reports. In the face of the pandemic, eDiscovery processing and hosting providers are being pushed to the brink in the management of their businesses, possibly putting significant pressure on their pre-COVID best practices and workflows. As a best practice, work closely with your eDiscovery providers to verify their chain-of-custody documentation, exception reports, and other standard reports that track data and physical media through the entire workflow. Then take the time to review the materials with your provider’s project manager to ensure full documentation.
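The hash-based chain of custody described above, as an added Python example that is not from the original post: it walks a collection landing zone, records a SHA-256 digest, size and path for every file in a manifest together with custodian, source and collector, hashes the manifest’s item list itself so the paper trail can cite a single digest, and re-verifies everything at the next handoff. The custodian name, paths and file contents in the demo are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large PSTs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, custodian, source, collected_by):
    """Record one entry per file under root, then hash the sorted entry list
    so the manifest's own digest can be written into the chain-of-custody log."""
    items = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            items.append({
                "relative_path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    items.sort(key=lambda i: i["relative_path"])
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return {
        "custodian": custodian,
        "source": source,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "manifest_sha256": hashlib.sha256(canonical).hexdigest(),
    }


def verify_manifest(manifest, root):
    """Re-hash every listed file at a handoff; return [(relative_path, problem)]."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(root, *item["relative_path"].split("/"))
        if not os.path.isfile(path):
            problems.append((item["relative_path"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["relative_path"], "hash mismatch"))
    return problems


def demo():
    """Constructed collection: two placeholder files, a manifest, a clean
    verification, then an edit and a deletion that the next verification catches."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "mailbox"))
        with open(os.path.join(root, "mailbox", "jdoe.pst"), "wb") as f:
            f.write(b"constructed placeholder for an exported mailbox\n")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"constructed placeholder for a file-share document\n")
        manifest = build_manifest(root, "J. Doe", "Exchange Online", "collector@example.com")
        clean = verify_manifest(manifest, root)
        # Untracked changes after collection: one file edited, one removed.
        with open(os.path.join(root, "notes.txt"), "ab") as f:
            f.write(b"edited after collection\n")
        os.remove(os.path.join(root, "mailbox", "jdoe.pst"))
        tampered = verify_manifest(manifest, root)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("at collection:", clean)
    print("at next handoff:", tampered)
```

Store the manifest, or at least its manifest_sha256 value, somewhere the collector cannot silently edit (the matter file, a ticket, or a signed email to counsel); a hash list kept only in the same folder as the data proves nothing if both can be rewritten together.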

Defensibility is the foundation of any eDiscovery workflow. Your organization needs to go the extra mile during this crisis to ensure that nothing falls through the cracks.

Do you have further recommendations regarding enhancing eDiscovery defensibility in a crisis? Tell us about them in the comments!


Legal Ethics and Technology: The Duty of Competence

As lawyers we must be guided by the Rules of Professional Conduct in all aspects of our work. Today that includes competence in relevant technology. Technology is deeply embedded in contemporary legal practice, while data security is a universal concern across the legal sector. Litigators additionally must contend with the evolving demands of eDiscovery.

The duty of competence includes competence in relevant technology

Competence is the first rule for lawyers – in every sense. ABA Model Rule 1.1 reads:

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

In 2012, the ABA amended Comment 8 to Rule 1.1 to read (emphasis added):

To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.

At last count, 38 states had adopted this language verbatim or with minor wording changes. A few other states have issued formal opinions to the same effect. Requiring lawyers to have a basic degree of competence in technology has graduated from trend to clear majority opinion.

Relevant technology, part 1: legal practice tech tools

The key phrase in Comment 8 is “relevant technology” in conjunction with “reasonably necessary for the representation.” Technology has become an essential and inescapable part of the law in all practice areas.

From solo practitioners to BigLaw, lawyers use technology for:

  • Documents and operations – document management systems, cloud storage, e-rooms, file-sharing, time and billing software;
  • Communications and collaboration – email, messaging, chat, phone conferences and video conferences;
  • Litigation practice – online legal research, e-filing, eDiscovery software, video depositions, remote depositions, evidence presentation equipment and software.

Using legal practice tech helps us be good stewards of our time and our client’s money. The not-so-secret key to learning to use technology effectively is training and practice.

Tech competence extends beyond personal use however. Staying informed about associated risks and benefits includes evaluating and selecting the best tech tools for the job. At times it involves counseling clients about technology options and costs. Finally, it means knowing when and how to delegate (with appropriate supervision) or automate tasks to get the most from technology.

Relevant technology, part 2: data security

Legal practice tech wins for variety. Data security wins for urgency.

Confidential personal and business information is the legal sector’s stock in trade. We copy, transfer, access and store sensitive client files as a matter of course. A law firm is a one stop shop for a sizable trove of data from multiple individuals and companies. Data that has been pre-selected for its value.

The common law duty to protect confidential and privileged information is reinforced by ABA Model Rule 1.6:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Data security intersects with legal practice technology at many points. Data must be secured in transit (file sharing, lawyer-client communications, etc.). It must also be secured at rest (law firm server, cloud storage, copies held by service providers and experts, etc.). Remote working has recently highlighted the importance of updating privacy and security settings in videoconferencing and other collaboration tools.

Following security best practices is essential technology competence for all lawyers. For example:

  • Use strong, unique passwords;
  • Make sure data is regularly backed up;
  • Watch out for phishing emails;
  • Never connect to unsecured Wi-Fi;
  • Utilize secure file transfer means;
  • Enable auto-lock on inactivity; and
  • Comply with information security policies and procedures.

And of course, be vigilant against security threats and use common sense.

Relevant technology, part 3: eDiscovery

It’s hardly an overstatement to say that all document discovery is eDiscovery. The vast majority of “documents” are ESI. The remaining paper is digitized for business use and/or discovery.

Technology competence is necessary for four general categories of eDiscovery tasks:

  1. Representations to opposing counsel and the court – Discovery involves numerous representations in written discovery responses, initial disclosures, meet and confers, discovery plans and discovery motions. Making accurate representations requires knowledge of ESI types and sources, production format and the significance of proportionality factors like data volume, cost and burden.
  2. Preservation – Knowledge of ESI types and sources also comes into play in writing effective preservation demand letters and legal hold notices. Some other tech-related aspects of preservation are auto-deletion (a high-risk area in preservation), IT protocols for employee separation and forensic imaging.
  3. Managing the eDiscovery project – Managing an eDiscovery project demands both wide-ranging and deep understanding of technology. This is especially true of the collection, processing and production stages of the EDRM workflow. Some cases additionally involve digital forensics.
  4. Document review – Document review is a complex operation. Reviewers need software training and experience to use review platforms effectively. Filtering, searching and utilizing advanced analytics tools requires a) knowledge of the ESI types in the dataset, b) review goals and c) review tool capabilities. Quality control similarly must be tailored to the review project, and can be technologically sophisticated; for example, statistical sampling in predictive coding reviews.

Lawyers depend on law practice tech tools. Clients’ information is electronic. Litigation involves eDiscovery. The conclusion is inescapable: technology is an inextricable part of contemporary legal practice. Using technology well is our professional responsibility to our clients.


DSAR Best Practices and Workflows an Organization Should Follow

In my previous post, I outlined the process involved in actually responding to a DSAR. In this last article of the series, I will discuss the best practices and workflows your organization should follow when responding to DSARs.

Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:

Review and Update Privacy Notices and Policies

The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:

  • Obtain certain information from the controller beforehand, and without asking for it
  • Be made aware of whether a controller is processing their data and how it was collected
  • Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
  • Demand that their personal data be erased and no longer processed (right to be forgotten)
  • Ask the controller to restrict the processing of their data
  • Receive their data in a structured, commonly used format for transmission elsewhere (data portability)
  • Object to the handling of their data at any time (in certain circumstances)
  • Not be subject to decisions based solely on automated processing
  • Withdraw consent at any time during processing

In certain circumstances, EU member states may pass legislation that limits or exempts DSARs under local law. One example is the UK’s Data Protection Act 2018.

Create and Implement a DSAR Process

Your company needs to have a process in place to address:

  • How you will enable DSARs, e.g., offering a standardized online form for submission
  • What those who receive DSARs will be required to do
  • How requests to obtain or delete data will be processed
  • How to efficiently and securely handle responses to the data subject

Under the GDPR, controllers must be able to demonstrate compliance with the law and should monitor the requests they receive. Track how many DSARs are made each month and how many are accepted and rejected, and prioritize the oldest requests so that every response goes out within one month, as the law requires. Monitoring your process will let you revise it where necessary, allocate the appropriate resources, and identify any gaps in your workflow.

Weigh Your Options for Hosting and Automation

You will need to consider your hosting options for providing the data to the requestor: either in-house servers hosted behind the organization’s firewalls, or externally through the use of a communication portal.

Automation can often be seamlessly integrated into your internal systems, and can be extremely helpful in the handling of DSARs by ensuring that:

  • Critical deadlines are met
  • Requests are verified
  • Data exempt from disclosure requirements is identified
  • Assignments to facilitate responses are made
  • Extensions are requested promptly
  • You are tracking your response process

Freeing your team from manually tracking and storing data will increase efficiency, cut operational overhead, enable a more accurate response, and prevent your organization from wasting time on inauthentic requests.

Educate Employees

One of your biggest challenges will probably be how to train critical employees. Those requiring training will likely include:

  • Support personnel and other employees who receive the requests
  • Those who will be responsible for implementing the requests
  • Your internal privacy team

To minimize the risk of costly sanctions for noncompliance, your staff will need to understand the importance of responding to a DSAR promptly.

Do you know of any other best practices to follow when responding to DSARs? Tell us about them in the comments!


Microsoft 365 eDiscovery Practical Resources for Law Firms


During our recent webinar, “How Law Firms Can Support Their Clients Who Use Microsoft 365”, we promised attendees some practical resources and an overview of Microsoft 365 (M365) plans and licensing options that would be useful for law firm personnel.

The recording of the webinar can be accessed here: “How Law Firms Can Support Their Clients Who Use Microsoft 365”

M365 Plans and Licenses

M365 offers plans for Enterprise, Government, and Education. The features vary depending upon license structure and organization type. For the purposes of our discussion we will share differences within “E3” vs. “E5” licenses. Please note that licensing plans, availability, and functionality will vary and be modified over time.

Compliance Functions in E3 vs E5


  • Core eDiscovery has hold, search, and export features. It can be accessed with an E3 license.
  • Advanced eDiscovery adds hold notifications, review, and redaction to the above. It can be accessed with an E5 license or an E3 license with a “buy-up” SKU.

Resources from M365 Compliance Documentation

In most instances, law firm personnel do not have direct access to a client’s M365 tenant and instead guide and advise client personnel in performing the various tasks within M365. Microsoft has very detailed documentation for M365 compliance. Access documentation on eDiscovery in M365.

Below are some of the most common tasks and questions that arise while performing eDiscovery in a given matter. All images below are from Microsoft’s website.

  1. Creating searches: M365 allows you to run a content search and displays the estimated number of search results in the search statistics. The results can be previewed or exported to a local computer. View the documentation.
    Search Query
  2. Reviewing and downloading search statistics: This is very useful when case teams are trying to get a sense of hit counts; the results can be downloaded to a CSV file and shared with counsel. Microsoft limits the keyword list of a search query to 20 rows. View the documentation.
    Search Statistics
  3. Exporting search results: Email results can be exported as a PST file or as individual messages; copies of native files are exported for OneDrive and SharePoint content. M365 generates a clean log of what is exported: the export includes a Results.csv file with information about every item exported, and a manifest file (in XML format) with information about every search result. View the documentation.
    Export Results
  4. Search limits within M365 content search are documented at https://docs.microsoft.com/en-us/microsoft-365/compliance/limits-for-content-search?view=o365-worldwide
  5. Partially indexed items within M365: Partially indexed items are Exchange mailbox items and documents on SharePoint and OneDrive for Business sites that for some reason weren’t completely indexed for search. A detailed overview can be found at https://docs.microsoft.com/en-us/microsoft-365/compliance/partially-indexed-items-in-content-search?view=o365-worldwide