How to Take Advantage of the Cloud for ediscovery

Transcription

1 How to Take Advantage of the Cloud for ediscovery LegalTech NY 2015 Eric Crespolini HP, Moderator Alan M. Winchester Harris Beach, Panelist Robert Levy Exxon Mobil Corporation, Panelist Johnny Lee, MD Grant Thornton LLP, Panelist

2 Where is the data? Does it matter? What is the Cloud, and How Does it Affect Discovery and Disclosures? Ability to retrieve data for litigation, arbitration and regulatory proceedings Managing Trepidation: Security in absence of control Jurisdiction: Data can be here and there Privacy and Cross-Border Complications: Just pushing the button to retrieve and disclose personal data may be actionable 2

3 Considerations for Cloud-Based ediscovery Benefits Flexibility, limited upfront investment that can scale based on actual need Typically enables organizations to leverage experience of the provider and reduce their own risk The cloud may be tailored to meet specific hosting and production requirements Allows legal teams to be more efficient and agile in collecting and reviewing documents Drawbacks Dollar for dollar may be more expensive for organizations that have somewhat predictable caseloads Must give up a certain amount of operational control over the process Linked to the provider and as such can be adversely impacted if they close up shop Concerns with hacking and restricting access to information 3

4 Corporate Cloud Applications and ediscovery Infrastructure Where is the data stored? Many U.S. based providers without a global presence may run afoul of international privacy statutes. Mission critical applications What is the capacity for redundancy and disaster recovery? Are there guaranteed uptime or other SLA s? Managing ediscovery against these applications What is the applications capacity to manage retention, preservation, and collections from within the applications? What is the capacity for exporting? Many times applications are not designed with ediscovery in mind and my provide bottlenecks in extracting ESI. Does the application maintain the original metadata upon export? Is there a risk that spoliation will occur in collection? 4

5 Evaluating a Cloud-based ediscovery solution Security How is access to the data and application managed, and how is this access monitored? Functionality How does the provider handle indexing, search technologies, language dependence, production formats, et al? Privacy Issues Where will the client s data be located? Safe-harbor or other regional based privacy considerations; Single vs. Multi-tenancy Data deletion What is the capacity and procedures for deletion when it no longer needs to be kept? Data kept by a provider may be subject to discovery in a new litigation Data ownership and terminating the relationship What happens to the data when a provider relationship ends? Are there fees for the deletion of return of data and work product? Allocation of liability Who bears the responsibility (and costs) associated with mistakes made by the provider? 5

6 Into the [Data] Breach Once More Sony Entertainment- Potential Victim of Foreign Government Hacking Apple icloud- High profile celebrities had personal pictures stolen JP Morgan- Gigabytes of data stolen Target- 40 million card records and 70 million customer records Neiman Marcus- 1.1 million cards Home Depot- 56 Million credit cards potentially exposed Sally Beauty- 282,000 cards 6

7 What is the threat? [H]ackers are using spear phishing s with malicious payloads to exploit U.S. law firms -Federal Bureau of Investigation (full text available Computer hackers are targeting top international law firms to steal intellectual property data and trade secrets - Tribune-Review ( 7

8 Where are the threats? Mobile Devices Remote Desktop/Terminal services Wireless Access Access rights Outsourcing managed services Unencrypted data over the network SQL injections Weak controls 8

9 The Threat Can Be Very Close A computer systems engineer at the Silicon Valley law firm Wilson Sonsini Goodrich & Rosati was charged with trading on inside information about potential mergers and acquisitions he learned on the job the second employee in three years at the Palo Alto, California-based firm to be charged with insider trading. -Bloomberg ( A used computer dealer in Canada claims he discovered a trove of Ernst & Young customer business data on Dell servers bought back in Bloomberg ( 9

10 Who Else is Worried? ABA Model Rule 1.6 (c) - A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. HIPAA - ( Various State Regulations EU Data Protection Directive ( Presidential Executive Order on Cybersecurity ( 10

11 Why is this important? Increasing reliance on technology means the frequency of attacks is going to increase These attacks are getting increasingly advanced even implicating state sponsored actors Lots of money can be made from stealing the data Public image can be tarnished quickly, both as a result of the sensitive information as well as the mere fact that there was a breach Business information is moving to the cloud opening up new avenues of attack What Should We Do? Understand what your organizations rules are Make your Law Firms and Vendors follow your rules Educate, educate, educate educate! Reserve the right to audit and then conduct an audit Develop data breach reporting requirements around when you need to be notified 11

12 Some Questions to Ask Do your employees use mobile devices for business? If so are these firm owned or may employees use personal devices? What sort of training around information security do you conduct how frequently do you follow-up with your employees? What sort of procedures and technology does your firm have for detecting and preventing data breaches? What procedure does the firm have for notifying clients in the event of a data breach? Will client be notified in the event of a potential breach or only when it is confirmed to have affected a your specific data? 12