
Today I participated in a webinar presented by Duke Law School's EDRM entitled, "Inside BDO's E-Discovery & Beyond Survey: Lessons for Inside Counsel and Law Firms". See a report on the survey posted here. The speakers were George Socha of BDO; Robert Keeling, a partner with Sidley Austin LLP; and James Waldron, the director of the EDRM.

BDO USA, LLP, an accounting and consulting network, asked 148 in-house counsel a set of 16 questions about how their businesses handle electronic discovery, cybersecurity, data privacy and information governance.

The following, for me, were the key highlights of the presentation:

  • 48% of the surveyed businesses are using Technology Assisted Review

  • There was a jump in businesses who listed 'Big Data' as one of their top three e-discovery issues from 28% in 2017 to 47% in 2018.

  • Half of the respondents did not have an information governance committee.

  • Nearly half of the surveyed businesses put their CIO in charge of their information governance program, and only 17% had a separate chief information governance officer, with only 1% putting her or him in charge of the program.

  • 63% of respondents said that they planned to invest in cybersecurity risk assessment in the next 12 months; 48% in incident response planning; and 37% in cyber insurance.

  • 71% planned to spend the same amount on e-discovery next year, and only 23% planned to spend more.

  • 42% planned an increase in their information governance budget, while 53% will maintain their current budget.



National Association of Securities Dealers Rules 3010 and 3110 were amended in 1997 and 1998, in part to respond to the increased use of email in business communications. The rules required correspondence with the public relating to the investment banking or securities business to be retained. A firm was required to have policies and procedures for the review of correspondence, and monitor compliance with these policies and procedures. It was also necessary to specify what types of correspondence would be reviewed before and after its distribution.

A NASD notice to its members about the amendments to these rules stated that, "In conducting reviews, members may use reasonable sampling techniques. As an example of appropriate evidence of review, e-mail related to the member’s investment banking or securities business may be reviewed electronically and the evidence of review may be recorded electronically." So here we see that the securities industry faces a strong recommendation to perform statistical sampling of its email.

Importantly, the notice also states that, "NASD Regulation would expect members to prohibit correspondence with customers from employees’ home computers or through third party systems unless the firm is capable of monitoring such communications." Surely, this is a regulation often broken by individual employees, and one would imagine that few companies have effectively developed email monitoring programs in response to it.

In December 2014, FINRA's new consolidated rule 3110 replaced the old NASD rules, but the general requirements are still very similar.


Feb 20, 2017

Dark Data is a term coined by Gartner. It refers to data that is collected and retained by an organization, which it does not actually analyze. The data may only be retained for the purposes of regulatory compliance. Categorizing and securing the data may cost more than its actual value.

Everyone's favorite document storage company, Iron Mountain, has posted a report online on the problem of identifying and remediating dark data in law firms. The task force that prepared the report consisted of information governance professionals at WilmerHale, Troutman Sanders LLP, Morrison & Foerster LLP, and other law firms. The report was prepared in July 2015.

A survey conducted by the task force concluded that approximately 15% of law firms have dark data policies in place, 45% are developing such policies, and 40% have no policies on dark data.

The report recommends the use of file analysis software to archive valuable data and destroy data with no value. This software can be useful in identifying and remediating personally identifiable information (PII) and protected health information (PHI). Where is the dark data located? "Dark data lives in dormant servers, legacy applications, unclassified email messages, departed attorney mailboxes and network share drives", as well as repositories maintained by third party vendors.

Most firms assign responsibility for dark data to Records, but it may fall under the purview of IT, or other administrative departments. Most dark data is data from closed matters. Even firms that don't have a document retention policy can safely delete dark data, but they must document the steps they take in doing so.

While more than 30% of firms evaluate their dark data annually, 10% only do so as part of a system upgrade, 10% when decommissioning a server, and 20-25% never do so or are unsure of when dark data is reviewed.

When dealing with legacy data, several steps should be considered:

1. Review matters for legal holds.

2. Notification of matter data destruction to responsible attorney.

3. Notification of matter data destruction to client.

4. Review engagement letter and outside counsel guidelines.

5. Check local rules of professional responsibility.

6. Destroy boxes based on lack of information and inactivity.

7. Contact General Counsel to confirm decision to proceed.

Several different procedures are used to eliminate dark data growth.

1. Management of data by records or IT.

2. Data locations are assigned by administrative record owners.

3. Data locations have structured classifications.

4. Data locations are regularly monitored.

5. Data locations are periodically purged of old information.

6. Size limitations on file shares.

7. Enumeration of shared drive into document management system.

Appendices to the report provide a sample checklist for the collection of dark data; a data map; and a sample data flow diagram.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea