Insight into where e-discovery, information governance, cybersecurity, and digital transformation are heading – who is doing what now or in the future, what works and what doesn’t, and what people wish they could do but can’t – gleaned from recent publications
ABOVE THE FOLD
Relativity Fest Oct. 20-23 – Join us this fall at Relativity Fest in Chicago where my colleagues and I will be speaking on four sessions:
- PD311742 – A Call to Action: Building an e-Discovery Pro Bono Platform and Network (10/21 at 11:00 am)
  George Socha
- PR325354 – Global Expansion with RelativityOne (10/21 at 2:35 pm)
  Jenna Aira-Ventrella with Luke Balloch of Relativity, Chris Morris of Control Risks, Daryl Teshima of FTI Consulting, Andrew Caspersonn of Allen & Overy, and Andrew Malarkey of KordaMentha
- LIE291972 – Is It Time to Rethink the EDRM? (10/22 at 8:30 am)
  George Socha with Mike Quartararo of eDPM Advisory Services, Darcie Spruance, Constantine Pappas of Relativity, and Phil Favro of Driven
- PR311751 – Let’s Take This Online: Managing Mobile Data in Relativity Short Message Discovery (10/22 at 2:45 pm)
  George Socha with Martha Louks of McDermott
BDO knows CCPA – BDO’s California Consumer Privacy Act resource page enables privacy executives to stay abreast of the impending regulation and learn about overarching privacy and governance considerations in one convenient location.
ELECTRONIC DISCOVERY
Legal hold series – Brad Harris of Zapproved has published a five-part series on legal hold practices:
- Part 1: Why Create a Preservation Plan
- Part 2: Recognizing a Trigger Event
- Part 3: Defining the Scope of Preservation
- Part 4: Preservation Plan: Taking Action
- Part 5: Preservation Plan: Monitoring Compliance
Predictive coding survey results – Rob Robinson published the results of his twice-a-year survey of predictive coding technologies and protocols. There were 100 responses (39 law firms, 37 service or software providers, 12 consultancy, 6 corporation, 3 government, and 3 other). Some of the findings are:
- 86% have at least one primary predictive coding platform; 14% have no primary platform.
- 86% use active learning; 51% use only one predictive coding technology and 48% use more than one; and 1% do not use any predictive coding technology.
- Rob groups predictive coding into three categories: TAR 1.0, TAR 2.0, and TAR 3.0. 66% use TAR 2.0 workflows, 13% use TAR 3.0, and 12% use TAR 1.0.
CYBERSECURITY & DATA PRIVACY
DoD released draft Cybersecurity Maturity Model Certification – Susan B. Cassidy, Samantha Clark, Ryan Burnette, and Ian Brekke of Covington reported that the Department of Defense’s Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment along with an overview briefing. Cassidy et al. also gave their own overview of the current CMMC framework and discussed open questions and issues for contractors.
Cybersecurity alarms continue to ring for law firms – As reported in ABA News, at the American Bar Association Annual Meeting last month the push continued to raise awareness among lawyers and law firms about cybersecurity threats and the need for attorneys and firms to take necessary steps before an attack.
ISO 27001 recommended for law firms – Joseph Lamport of PinHawk posted his interview of Greg Spicer, CRO at Braintrace, in which Greg discussed the growing importance of information security management and the option law firms have to register under ISO 27001.
COPPA Rule comment period ends Oct. 23 – Timothy Tobin, Laurie Lai, Catherine Essig, and Marco Peraza of Hogan Lovells posted a reminder that the Federal Trade Commission is taking public comments on the Children’s Online Privacy Protection Rule (“COPPA Rule”), in particular the effectiveness of the 2013 amendments. Comments are due Oct. 23.
Recent changes to U.S. state data breach notification laws – Caleb Skeath and Brooke Kahn of Covington offered a roundup of amendments made to state data breach notification laws over the past several months, looking at Arkansas (HB1943), Illinois (SB1624), Maine (LD 696), New Jersey (S52), New York (S5575B), Oregon (SB 684), Texas (HB 4390), Virginia (HB 2396), and Washington (HB 1071).
Recently enacted biometric privacy legislation – Thomas F. Zych, Steven G. Stransky, and Brian Doyle-Wenger of Thompson Hine gave an update on existing and recently enacted biometric privacy legislation.
Enhanced Illinois data breach notification requirements – Joseph J. Lazzarotti, Jason C. Gavejian, and Maya Atrakchi of Jackson Lewis wrote that the Illinois governor signed into law an amendment to Illinois’ Personal Information Protection Act, SB 1624. The amendment, which goes into effect on Jan. 1, 2020, requires that if a data collector is required to notify more than 500 Illinois residents of a single data breach, the data collector also must notify the Illinois Attorney General’s office.
New Maryland Insurance Administration reporting requirement – Patrick H. Haggerty of BakerHostetler reported that the Maryland Insurance Administration has issued Bulletin 19-14, which informs insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents, and third-party administrators of a new security breach reporting requirement effective Oct. 1.
BEC insurance filings outpace ransomware and data breach ones – Catalin Cimpanu of ZDNet reported that, according to AIG, business email compromise last year became the dominant reason companies filed cyber-insurance claims in the EMEA region (Europe, the Middle East, and Asia), surpassing ransomware and data breaches.
CCPA –
- Navigating Disclosures and Sales of Personal Information under the CCPA
  Brian Hengesbaugh and Amy C. de La Lama (Baker McKenzie) (Aug. 30)
- The California Consumer Privacy Act Series Part 2: Gap Assessments
  Elliot R. Golding, Lydia de la Torre, and Shalin R. Sood (Squire Patton Boggs) (Sept.)
- What Businesses Can Be Doing Now to Prepare for the CCPA
  David M. Stauss and Robert J. Bowman (Husch Blackwell) (Sept. 4)
- CCPA Privacy FAQs: Under the CCPA, can a company send mass marketing emails to clients or prospects to invite them to a conference or trade show?
  David Zetoony (Bryan Cave Leighton Paisner) (Sept. 4)
- The CCPA’s ‘Verifiable Consumer Request’ Requirement and Data Breach Risks
  Donald G. Shelkey and Christopher C. Archer (Morgan Lewis) (Sept. 5)
- CCPA Security FAQs: What factors will courts look to when determining what statutory damages to award?
  David Zetoony (Bryan Cave Leighton Paisner) (Sept. 5)
- Summer Is Over – It’s CCPA and NV Crunch Time
  Alan L. Friel (BakerHostetler) (Sept. 9)
- CCPA Privacy FAQs: If a company collects personal information through a cookie, is it required to provide a consumer with a privacy policy?
  David Zetoony (Bryan Cave Leighton Paisner) (Sept. 9)
- CCPA Update: With Legislative Session to End Friday, CCPA Amendments Slated for Final Vote
  Alysa Zeltzer Hutnik and Alex Schneider (Kelley Drye) (Sept. 10)
GDPR –
- Transferring Data Under GDPR
  Lynn Engel (Relativity) (Sept. 4)
- Understanding Privacy Rights Under the GDPR
  Tess Blair, Vincent M. Catanzaro, and Thoth V. Weeda (Morgan Lewis) (Sept. 5)
Getting ready for Brazil’s new data protection law – Mauricio F. Paez, Artur L. Badra, and Guillermo E. Larrea of Jones Day and José Eduardo Pieri of Barbosa, Müssnich, Aragão offered guidance on preparing for the Brazilian General Data Protection Law, which goes into effect in August 2020.
Turkey extended Data Controller registry registration deadline – Ekin Inal of Norton Rose Fulbright wrote that the Turkish Data Protection Authority announced that the registration requirement under Turkey’s data protection legislation has been postponed for some data controllers until the end of the year.
LEGAL TECHNOLOGY & DIGITAL TRANSFORMATION
On law firm transformation more generally – Anders Spile of Contractbook suggested that law firms need to move from a fortress mentality to an open ecosystem model, one that includes legal tech incubators and similar initiatives.
ISO 27001 for law firms – Joseph Lamport of PinHawk posted his interview of Greg Spicer, CRO at Braintrace, in which Greg discussed the growing importance of information security management and the option law firms have to register under ISO 27001.
E-DISCOVERY CASE LAW
Recent e-discovery decisions
8/6/2019 – In a case of first impression, the North Carolina Court of Appeals “address[ed] the contours of eDiscovery within the context of North Carolina common and statutory law regarding the attorney-client privilege and work-product doctrine.” Defendants appealed an order setting forth a protocol that would allow plaintiffs’ discovery expert access to a school’s entire computer system prior to any opportunity for defendants to review and withhold documents that were potentially privileged or otherwise immune from discovery. The appellate court held that the trial court abused its discretion by compelling production through a protocol that would provide plaintiff’s agent with access to ESI in a way that would preclude reasonable efforts by defendants to avoid waiving any privilege, and vacated the protocol order. The appellate court identified several ways in which the trial court could resolve the discovery dispute in light of the court’s decision: (1) employ a special master or court-appointed independent expert; (2) provide defendants with some opportunity to review keyword search hits before production to plaintiffs; and (3) order that any documents produced under the protocol be treated as confidential and subject to a clawback without waiver of any privilege or work-product immunity. Crosmun v. Trustees of Fayetteville Technical Community College, No. COA18-1054 (N.C. App. Aug. 8, 2019).
8/7/2019 – U.S. District Judge Timothy Brooks granted plaintiff’s motion for relief regarding spoliation. Defendant, a deputy, used his personal cell phone to take photos of plaintiff and his injuries, pursuant to standard operating procedures at the time. The photos were used in the resulting investigation of the incident. Contrary to apparent usual practice, the photos were either never uploaded into the jail’s internal incident reporting system or were updated and then were subsequently misplaced or deleted. Either way, they were not produced during discovery. Plaintiff claimed the evidence was intentionally destroyed or made unavailable to him by defendant and requested an adverse inference instruction. The Court granted the motion for sanctions, based on defendant’s lack of candor in the discovery process and repeated failure to answer plaintiff’s discovery requests. Wilmoth v. Deputy Austin Murphy, No. 5:16-CV-5244 (W.D. Ark. Aug. 7, 2019).
8/14/2019 – U.S. Chief District Judge G. Murray Snow granted in part and denied in part plaintiff’s motion for sanctions. Plaintiff was arrested and brought an action alleging excessive force. Plaintiff sought spoliation sanctions, arguing that a non-party city allowed the automatic deletion of video footage automatically captured by the cameras in various officers’ vehicles and as a result violated a duty to preserve evidence. The Court found that there was evidence that the police units had recorded relevant footage whose loss would have prejudiced plaintiff; that the non-party city, which is paying for defendant’s legal representation and will indemnify him for any judgment entered against him, had a duty to preserve the footage but failed to do so; and that the spoliation can be imputed to defendant. The Court ordered that (1) the jury will hear evidence concerning the potential existence of video footage, (2) the jury will be instructed that it may consider that evidence, (3) the jury will be instructed that if it finds defendant intended to deprive plaintiff of use of the footage it may infer that the footage would have been favorable to plaintiff, but (4) declined to give the instruction requested by plaintiff as the question of intent will be submitted to the jury. Woods v. Scissons, No. CV-17-08038-PCT-GMS (D. Ariz. Aug. 14, 2019).
ANNOUNCEMENTS
Date | Focus | Organization | Title |
9/4/2019 | ED | XDD | XDD Acquires Beyond IT Forensics to Expand Talent and Expertise Nationwide |
ADDITIONAL ARTICLES
UPCOMING EVENTS
Conferences, webinars, and the like can provide insight into where e-discovery, information governance, cybersecurity, and digital transformation are heading