In Part I, Part II, and Part III of this series, we discussed the key takeaways from Principles 1-3, 4-6, and 7-9, respectively, of The Sedona Conference WG1’s “Commentary on Defense of Process: Principles and Guidelines for Developing and Implementing a Sound E-Discovery Process” (available for download here). The Commentary seeks to address what parties can do to avoid, or at the least prepare for, challenges to an eDiscovery process they apply in a given matter and how courts should address discovery disputes.

In today’s installment, we discuss the key takeaways from the remaining principles, Principles 10-13 of the Commentary.

Principle 10. A party may use any reasonable process, including a technology-assisted process, to identify and withhold privileged or otherwise protected information. A party should not be required to use any process that does not adequately protect its rights to withhold privileged or otherwise protected information from production.

Parties have a right to not reveal their privileged or otherwise protected information, and attorneys have a duty to protect such information belonging to their clients. The need to design an eDiscovery process that appropriately identifies and withholds privileged information is one of the highest priorities during any review and production undertaking. This is so because a party wishing to rely on the “claw-back” provisions of Federal Rule of Evidence 502(b) in case of inadvertent disclosure of privileged information would need to demonstrate that it “took reasonable steps to prevent disclosure.”

When it comes to privilege review, reasonableness and proportionality are evaluated depending on the circumstances at hand, including time constraints, resource limitations, the volumes of ESI, the complexity of the task, and the inevitability of human error. Case law suggests, for instance, that failing to review a sample of “non-hits” (documents that were not responsive to the search terms) to test the effectiveness of the selection criteria developed to identify privileged material would be inherently “not reasonable.” See Victor Stanley Inc. v. Creative Pipe, Inc., 250 F.R.D. 251 (2008).

In Part I and Part II of this series, we discussed the key takeaways from Principles 1-3 and 4-6, respectively, of The Sedona Conference WG1’s “Commentary on Defense of Process: Principles and Guidelines for Developing and Implementing a Sound E-Discovery Process” (available for download here). The Commentary seeks to address what parties can do to avoid, or at the least prepare for, challenges to an eDiscovery process they apply in a given matter and how courts should address discovery disputes.

The following are the key takeaways from Principles 7-9 of the Commentary.

Principle 7. A reasonable e-discovery process may use search terms and other culling methods to remove ESI that is duplicative, cumulative, or not reasonably likely to contain information within the scope of discovery.

Comment 7.a. Eliminating ESI that Is Cumulative or Duplicative

This principle is focused on striking the right balance between producing significant, unique, relevant ESI and holding back cumulative or duplicative ESI. To help achieve this goal, the Commentary suggests the use of various techniques, including de-duplication and email threading.

Comment 7.b. Eliminating ESI that Is Outside the Scope of Discovery

The Commentary proposes that in most cases, a culling process that removes a significant volume of irrelevant or duplicative information is reasonable, even if it also removes some relevant information. Obviously, it is best to reach an agreement on the culling strategy with the requesting party before proceeding.

In Part I of this series, we discussed the key takeaways from Principles 1-3 of The Sedona Conference WG1’s “Commentary on Defense of Process: Principles and Guidelines for Developing and Implementing a Sound E-Discovery Process” (available for download here). The Commentary seeks to address what parties can do to avoid, or at the least prepare for, challenges to an eDiscovery process they apply in a given matter and how courts should address discovery disputes.

The following are the key takeaways from Principles 4-6 of the Commentary.

Principle 4. Parties may reduce or eliminate the likelihood of formal discovery or expensive and time-consuming motion practice about an e-discovery process by conferring and exchanging non-privileged information about that process.

Comment 4.a. Benefits of Sharing Information

This principle is based on the importance of cooperation in the discovery process. This includes disclosures on the specifics of discovery processes, as contemplated by Rule 26(f) of the Federal Rules of Civil Procedure, and as encouraged or required by numerous courts.

Often parties are unwilling to share details about their discovery process until and unless the complaining party can show to the court that reasonable grounds exist for questioning some aspect of that process. This strategy sometimes results in nothing more than a short-term benefit, since courts typically require some disclosure on these issues once a discovery-dispute motion is filed.

The Commentary points out that voluntary disclosures of such information actually may be in the disclosing party’s self-interest, as it may help address concerns of the challenging party and, thus, eliminate unnecessary motions, hearings, and discovery about discovery. Furthermore, by reaching an agreement on the discovery process, the responding party greatly reduces the chances that the requesting party will later complain about alleged deficiencies in the process. A good time to make some of these disclosures and to seek an agreement on the process is a Rule 26(f) conference.

The Sedona Conference Working Group on Electronic Document Retention & Production (WG1) has proposed a set of principles and practical guidance for the eDiscovery process, in its recent publication, the “Commentary on Defense of Process: Principles and Guidelines for Developing and Implementing a Sound E-Discovery Process” (available for download here). The Commentary seeks to address what parties can do to avoid, or at the least prepare for, challenges to an eDiscovery process they apply in a given matter and how courts should address discovery disputes. The public comment period on the Commentary has now closed.

By focusing on defensibility, the Commentary endeavors to provide guidance to parties and their counsel who design and execute eDiscovery plans and processes and who may be called upon to defend the appropriateness and efficacy of their discovery efforts. Indeed, considerations of the defensibility of the eDiscovery process underlie every decision in-house counsel and their eDiscovery attorneys make, from pulling the trigger on issuing a legal hold notice to completing the last production in the case.

The responsibility for the eDiscovery process is a shared one, falling “on counsel and client alike. At the end of the day, however, the duty to preserve and produce documents rests on the party.” Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 436 (S.D.N.Y. 2004). Failure to fulfill this responsibility, which by nature lacks bright-line rules, comes with potential for substantial monetary and case-destroying sanctions.

The Commentary proposes Thirteen Principles designed to establish the parameters for a reasonable and defensible eDiscovery process within a given matter. Today, we will discuss the key takeaways found in Principles 1-3. We will address the remaining Principles over the next few days.

At the 2016 International Masters’ Conference in Washington, D.C., eDIG Group Senior Counsel James Daley was awarded the Inaugural International Outside Counsel Award for eDiscovery and Data Privacy. Daley received the award for his work over the past twelve months in founding and chairing the work of The Sedona Conference Working Group Six in developing

Last Friday, Russia blocked LinkedIn based on a Russian court’s finding that LinkedIn violated the Russian “localization” law that requires companies holding personal data of Russian citizens to store it on servers located within Russian borders. This law came as an amendment to Russian data privacy laws, “Regarding information, information technologies and the protection of information,” “Regarding telecommunications,” and the Codex of Administrative Violations. The amendments, which came into law in September 2015, required websites and telecommunications providers to begin storing “on the territory of the Russian Federation information regarding the receipt, transfer, sending and/or processing of voice information, written text, images, sounds or other electronic messages of the users of Internet,” within six months after the law went into effect.

Russia took the position that the new requirements were necessary to ensure personal data on Russian consumers is properly protected, something the Russian government said can only be done if the servers are within Russian jurisdiction. The penalty for companies violating the law was established at 500,000 roubles (approximately $8,000). The law also contemplated a punishment much worse than the monetary penalty. Specifically, the amendment empowered Roskomnadzor, the Russian federal agency charged with overseeing telecommunications services and information technologies, to investigate violations of the new law and to petition courts to block websites that refuse to comply.

Following the adoption of this law, many companies that collect and process Russian citizens’ information began working toward achieving compliance by ensuring that this data stayed on Russian soil. Some, however, decried the law as forcing businesses to needlessly invest in servers in Russia and rework established data workflows.

Soon after the law went into effect, Roskomnadzor began exercising its investigative powers and taking suspected violators to court. To keep track of the adjudicated violators, Roskomnadzor created a special registry of websites marked for blocking in case of continued noncompliance following the adjudication. LinkedIn, which has over 6 million registered Russian users, made Roskomnadzor’s “black list” registry and, on Friday, November 18, became the first website to be blocked in Russia for violations of the localization law.

The Article 29 Working Party has issued a statement about the so-called EU-U.S. Umbrella Agreement, which, while not providing legal basis for any data transfers, sets forth a high-level data protection framework for transatlantic cooperation on criminal law enforcement. The Agreement covers all personal data, including names, addresses, and criminal records, exchanged between the EU and the U.S. for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement, signed by EU and the U.S. on June 2, 2016, after five years of negotiations, requires the consent of the European Parliament to be ratified.

In its statement, the Working Party cautiously welcomed the conclusion of the Umbrella Agreement. The Working Party expressed hope that the Agreement will complement the existing law enforcement treaties between the U.S. and EU and its Member States, aid the negotiation of future data sharing agreements, and set forth the minimum data protection standard for data transfers between criminal law enforcement in the U.S. and EU.

We have all heard this before, but just how bad are things really? According to Verizon’s 2016 Data Breach Investigations Report (“DBIR”), insider and privilege misuse was once again one of the leading causes of incidents and breaches in 2015, accounting for 10,489 total incidents, 172 with confirmed data disclosure. Some of this misuse is perpetrated by malicious actors motivated by financial gain, and some of it is due to the actions of well-meaning employees who either lacked cybersecurity awareness or simply made a mistake.

While there are no perfect answers for addressing the multitude of possible insider attacks, which can range from privilege abuse, to data mishandling, to the use of unapproved hardware, software, and workarounds, to email misuse, implementing the steps below can go a long way in reducing the risks.

Five Steps to Reduce Insider Misuse

On October 31, 2016, PCI DSS v3.1 will be retired and the requirements of PCI DSS v3.2, released in April, will take effect as the new payment data security “best practices” applicable to the merchants, financial institutions, and vendors accepting major credit cards, including American Express, MasterCard, and Visa. The amendments are designed to improve payment card security and prevent payment data breaches.

To help ease the transition, the PCI Security Standards Council will allow the industry participants a grace period until January 31, 2018 to implement these amendments. Beginning on February 1, 2018, the amendments will graduate from “best practices” into full-fledged requirements. The changes encompass clarification of the existing security requirements, additional guidance on several topics, and evolving requirements for addressing emerging data security threats.

PCI Data Security Standard consists of twelve requirements aimed at the following six goals:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

The majority of the amendments are in the nature of “additional guidance” or “clarification” and are helpful in addressing some of the uncertainties about how to put certain existing requirements into practice. The industry participants should pay particular attention to the “evolving requirements,” which signal substantive changes. The highlights of the “evolving requirements” include:

While companies doing business in Europe are trying to get their arms around the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), so far without substantial headway, the European Data Protection Authorities (DPAs) are doing their own GDPR preparation by securing increased budgets and additional workforce.

Last week, the Irish Data Protection Commissioner (DPC), Helen Dixon, “welcomed” the additional funding of €2.8 million for her office’s 2017 budget, as announced by the Government, bringing the total funding allocation to the DPC to over €7.5 million. The 2017 budget increases are in line with the increases in 2015 and 2016, representing a 59% increase on the 2016 allocation and over four times the €1.9 million provided to the DPC in 2014.

Commenting on the 2017 funding allocation, Helen Dixon stated:

“The additional funding being provided by Government in 2017 will be critical to our preparations for the implementation of the EU General Data Protection Regulation in May 2018. In 2017 we will continue to invest heavily in building our capacity and expertise, including the recruitment of specialist staff, to administer our new enforcement powers and all of our additional responsibilities under the new law.
