Sandline Discovery - Masters Conference NYC Top 5 Insights
Aug 7th, 2018
Sandline Discovery - Insight, Ideas and eDiscovery
The Master’s Conference NYC, hosted by the Benjamin N. Cardozo School of Law, was a content-rich day with topics including Information Governance, Cyber Security and many aspects of Discovery. Before I get into the content, I’d first like to compliment the host, Benjamin N. Cardozo School of Law, by saying this was a great venue with extremely comfortable accommodations and a perfect layout for this type of format.
The day was full of great sessions and conversations between speakers and attendees. While it was a lot to process, once boiled down, there were five top takeaways:
1. Investigations and Discovery
Investigations naturally expand to require access and review of practically all types of data. The key to a successful investigation is getting to the important conversations and key documents as quickly as possible. Savvy teams know to leverage cutting edge technology to expedite the process. But the best take away, which gave the room a chuckle, also turned on the proverbial lightbulb for a lot of folks in the room. Since many professionals now know that any business-related documents are discoverable, they are usually careful when using traditional business systems BUT they’re often “sloppy” when it comes to texting or using other forms of communication outside of the corporate ecosystem.
This is a great segue into the next topic which illustrates the importance of carefully considering case strategies around disparate data types.
2. Social Media
Although I’m partial to this subject because I moderated the panel, there were many great ideas packed into this topic.
When scoping for discovery, peripheral forms of data like social media, messaging technologies, enterprise social networking and international platforms are often-times overlooked. However, these data sources can all be very important. The overwhelming point made was to consider all sources of potential data in the initial and informal scoping meetings.
Once relevant data is identified, a collection plan should implemented and investigative tools should be considered to ensure that costs don’t become unwieldy. The experience from the panel was that collections and initial investigations of social media data is fairly inexpensive, especially when compared to the richness of information that may be found (See the point above on “being sloppy with non-business-related platforms”).
3. Cyber Security
It likely wouldn’t surprise you that the “human element” is the number one reason for corporate security breaches. Panelists also agreed that old Wi-Fi routers, firmware upgrades and IOT devices are a few of the other main culprits. While the typical sources of a data breach have been widely reported, a few items surfaced as ways to prevent or manage breaches quickly.
Attacks on universities or medium sized businesses are subject to many breaches where attackers are looking for IP or other valuable business-related information. The main point was that these places are constantly targeted as hackers know that a percentage of these companies will contain some data of value. Hackers play the long game when targeting these organizations knowing that they’ll eventually pay a dividend.
From a corporate counsel perspective, it was stated that no cyber security team can handle the whole process alone and third-party providers are necessary for prevention and remediation of attacks. These providers should always be “on the ready.”
Alert Fatigue – Many breaches happen as teams can become fatigued when an organization is under constant attack. Panelists likened this to a car alarm constantly going off in your neighborhood. It eventually becomes white noise and is no longer checked.
There were a lot of great points on prevention from the FBI, but they offered www.IC3.gov as a place to report a breach whether personal or a business.
4. Information Governance
First, Barclay Blair is quite a comedian. The blend of dry humor and cynicism with the right timing is not easy (especially in an information governance keynote) though Barclay did it well. His keynote speech was packed with information and he had the most realistic approach to IG that I have seen in a presentation. Since I have pages of notes, I will simplify with some bulleted “take-aways.” It’s worth noting the irony here since Barclay made a few jokes about how there are no real “take-aways” in his presentation.
- The best information governance plan would look almost like GDPR.
- IG is not a legal or even an IT problem to be solved; it is a business problem and should be treated that way.
- In many organizations, 40-75% of unstructured data could go away tomorrow, yet millions of dollars are spent protecting this worthless data because the proper team doesn’t want to make the decision to destroy it.
- The decision, a business one, is not up to the lawyers and is rather a risk choice.
- IG is a business activity in a tech environment. Aligning the right teams to make the proper decisions doesn’t have to be as daunting as once believed.
- There is no such thing as a “data explosion” in the sense that explosions happen immediately and drastically, with an ending. Data and its growth is more akin to a data flood, simply rising while we are building higher dams. However, we could simply manage it better through defensible deletion policies to keep data at a reasonable level.
To boil this down:
- Be Pragmatic about what data exists.
- Run data management like a business.
- Make decisions based on the data itself.
5. RFI Processes and Legal Purchasing
Cash Butler with ClariLegal ran a great panel on legal purchasing practices. The panel agreed that, even though projects may vary in need and scope, following a specific map when vetting providers is helpful for all parties. One straightforward approach discussed by the panel offers a great way to streamline the process by pairing firms with providers based on project scope and need:
Step 1. Security Assessment – This has become the baseline standard to vet a provider based on client data security requirements. The law firm client profile typically consists of banks or other financial institutions that have their own set of security protocols. This is simply organized and given to the provider as a requirement to do business.
Step 2. Technological Capabilities – Can the business and technical infrastructure handle the business needs of the firm or define a realistic understanding of capabilities so all teams can successfully deliver without being strained?
Step 3. Presentation of Services – The provider will present the company history, skills, culture, playbooks etc. to the requestor to align as a partner.
Step 4. Selection – The selection process puts companies in two categories:
Category 1 – Approved, but not preferred (yet*)
Category 2 – Approved and Preferred
*As an approved vendor there is a period where case data are managed by the service provider until there is a high comfort level with that provider to become approved and preferred. Nearly all vendors go through this process and the length of this period is subject to the alignment with the project requirements and the project fulfillment processes.
Like most multi-track conferences, there was so much to offer that I wished I could be in two sessions at the same time. As I sifted through a packed day of content, these are the items I believe can be helpful, but feel free to reach out and let us know your thoughts as well!
If you missed our takeaways from Masters Conference Denver, check it out here.
Written by Rick Clark, Co-Founder of The Master’s Conference