As we have done for the past four years, Falcon’s team recently attended the Corporate Enterprise Investigations Conference (“CEIC”) in Las Vegas. CEIC is one of the largest international gatherings of legal, IT, corporate, law enforcement and government attendees that focus on the latest developments in the digital investigations and e-discovery fields.
This year the conference seemed to draw a far higher number of international participants than in past years, with a marked increase in the number of participants from the Asia Pacific region.
Here are some key takeaways from CEIC 2012:
Judicial Perspectives on Current Electronic Discovery Case LawJudge Andrew J. Peck, United States District Court, Southern District of New York, Judge John M. Facciola, United States District Court, The District of Columbia, Judge Herbert B. Dixon, Superior Court of DC, Ken Withers, The Sedona Conference
Judges on the panel underscored:
- The risks associated with moving corporate information into the cloud, particularly where the client/customer does not have a good handle on where their data is being stored and how it can be readily accessed for legal discovery.
- The dangers associated with corporate IT groups unilaterally moving ahead with cloud-based solutions without consulting legal about discovery and security implications.
- That the anticipated cost savings of moving data into the cloud may be outweighed by the additional costs associated with the cloud provider enhancing security and ensuring compliance with discovery obligations.
The admissibility of data retrieved from social media sources can be challenging, particularly since it is often difficult to establish through direct evidence who posted the information contained on the social media site.
- Circumstantial evidence is often the only way to establish ownership, but direct evidence could be relied upon if the social media content is preserved and collected similar to the way in which other data sources (e.g., laptops or desktops) are collected.
There was consensus among that panel that the use of advanced technology to perform document review will grow, and the hope is that it will be used more frequently in an effort to reduce the costs of privilege review. Additionally, the Judges commented on the following:
- The use of advanced technology for review does not implicate Rule 702 concerning experts, but instead the key factors in demonstrating the efficacy of the technology will be (i) explaining how the technology works and (ii) what has been done to test the accuracy of the technology.
- It is imperative to address the possibility of using advanced technology early-on in the meet and confer stage.
- The Department of Justice is implementing new guidelines for e-discovery, and these encourage an early meet and confer to address issues like the use of advanced technology. This is an important development because the high costs of discovery are forcing more defendants to request court-appointed counsel, which costs the taxpayers more money.
Government E-Discovery: Implementing Appropriate Processes and Solutions for Public Sector Legal NeedsJamie Brown (CFTC), U.S. Commodity Futures Trading Commission, David Shonka, FTC
The panelists highlighted a number of important points, including:
- E-discovery is a challenge for government agencies much the same way it is for the parties to whom the government issues requests. For example, government agencies often have to respond to congressional inquiries that require extensive discovery.
- As such, while government requests are often broad and far reaching at first (in order to preserve the government’s right to request additional information throughout an investigation), government agencies understand the challenges and dangers of ‘scorched earth’ discovery and will often negotiate the scope of discovery when asked.
- It is surprising how often outside counsel does not meet and confer with government agencies, and instead outside counsel appear to be telling clients that they must engage in a massive effort to deliver over everything that the government is requesting.
International E-Discovery: Data Protection, Privacy, & Cross-Border IssuesM. James Daley, Daley & Fey LLP, Dominic Jaar, KPMG Canada, Quentin Archer, Hogan Lovells International LLP, Chris Dale, eDisclosure Information Project
This was an engaging and lively discussion among the panel. Much of the discussion focused on the E.U. Data Protection Directive (95/46), and included a number of important points on the following topics:
“Processing” and “Personal Data”
- E.U. member States should implement laws to restrict all manner of “processing” of “personal data” and prohibits the transfer of personal data outside the E.U.
- Exception: the country to which it is transferred provides “adequate protection” of personal data (E.U. Directive Article 25).
- Consensus among the panel is that remotely accessing data in the E.U. from countries outside the E.U. may qualify as “processing” of data.
U.S. – E.U. “Safe Harbor” Framework
- The U.S. – E.U. “Safe Harbor” framework is only available for companies that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation.
- This framework is really intended for business to business transfer.
- Under the “Safe Harbor” framework data can be transferred to the U.S. but when it is transferred, it needs to be treated with same safeguards in the U.S. as it is in the E.U. (including the right of the data subject to be informed of the transfer and the ability to withdraw consent).
- Transmission of data outside the E.U. may require permission from the local Data Protection Agency in the applicable country.
New Technologies and New Problems for E-DiscoveryRenee Meisel, Dell, Andy Drake, Nationwide Insurance, Kia Hakimi, Best Buy
This panel focused heavily on new technologies and problems that impact in-house legal and IT teams. The panelists addressed a wide range of topics, including:
Cloud Computing and Privacy
- It is critical to get a commitment from the cloud provider to identify where the hosted data will be stored and how it can be accessed and collected for legal discovery.
- Remote access to ESI from the U.S. may be considered “processing” of data under the E.U. Data Protection Directive.
- As such, consider leaving ESI in the host country and performing review in that country in order to avoid the complications of transferring data outside the country.
In-House Discovery Management
- Nearly all panelists described an effort to move more discovery functions in-house, principally to gain better control of corporate information and to reduce outside legal costs.
- One challenge is that it is difficult to hire FTEs to carry out these functions, which underscores the need to enlist providers to deliver these services.
- Important to strike a balance between internal employees performing these functions and enlisting outside providers who can augment in-house staffing capabilities.
- Searching for the ‘cheapest’ vendor or technology solution can often have negative consequences.
Social Media and Instant Messaging
- Sharp increase in the use of social media for business purposes, which requires that companies create a formal policy and framework for how social media is to be used.
- It is taking some time to develop an effective workflow to identify and capture social media for litigation and regulatory requests.
- It is challenging to capture social media because the content is dynamically created and updated, and collections are only a snapshot in time.
- Collecting social media content created by employees often turns on whether the content was created for business purposes.
- Instant messaging content is also challenging to capture, and some companies simply turn off the logging of instant messaging as part of its records management policy.
- For such companies, the preservation of instant messaging for custodians on legal hold may require activating the logging or collection of the messages but this will depend on the nature and factual circumstances of the legal matter.
Bring Your Own Device (BYOD)
- While there is a push for employees to use their own devices at work, this presents unique security and privacy challenges.
The anticipated cost savings of encouraging employees to use their own device (rather than a corporate device) are often outweighed by the additional risk and costs associated with protecting and accessing information stored on the employee’s device when necessary.