Security

NIST Issues Draft Guide for “Securing Electronic Health Records on Mobile Devices”: eDiscovery Trends

As we’ve discussed previously, stolen health records are worth a lot in the black market and that was underscored when health insurance provider Anthem announced in early February that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people.  Now, the National Institute of Standards and Technology (NIST) has released a draft guide that might help, at least with regard to securing electronic health records on mobile devices.

On July 23, the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, released a draft of its first cybersecurity practice guide – Special Publication 1800-1: “Securing Electronic Health Records on Mobile Devices”, designed for health IT professionals to use to bolster security for the use of mobile devices in the health care industry.  As discussed in the press release issued by NIST, “Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment or incorrect prescriptions.  Yet, the use of mobile devices to store, access and transmit electronic health care records is outpacing the privacy and security protections on those devices.”

The draft guide was developed by industry and academic cybersecurity experts, with the input of health care providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback at multiple steps along the way.

The draft guide is comprised of five sections, as follows:

Each section is downloadable separately as a PDF, or you can download a .zip file of all volumes (4.82 MB), plus manifest and template files referred to in SP 1800-1c, from this page.

The comment period will run through September 25.  You can submit comments on the guide through the form on this page or download the spreadsheet template from that page to collect feedback and email the worksheet to HIT_NCCoE@nist.gov.

As I discussed on Monday, potential data breaches can still happen the old fashioned way, via stolen mobile devices.  I was glad my laptop was encrypted when it was stolen last year.  Hopefully, this new guide from NIST can help medical professionals to secure their mobile devices and protect against data breaches on those devices.

So, what do you think?  Do you think this new guide will reduce the number of data breaches within the medical profession?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Potential Data Breaches Still Happen the Old Fashioned Way, Too: eDiscovery Trends

Whether you’re a website that promotes cheating on your spouse, a first place major league baseball team (yay!) or a major health insurance provider, data breaches can happen to you.  Potentially, they can happen to law firms too, even the old fashioned way.

According to SC Magazine (Personal data on laptop stolen from attorney with California law firm, written by Adam Greenberg), California-based law firm Atkinson, Andelson, Loya, Ruud & Romo is notifying an undisclosed number of individuals that a personal laptop computer owned by an attorney from the firm was stolen, and their personal information may have been compromised.

According to the article, the laptop contained names, addresses, telephone numbers, Social Security numbers, and possibly certain financial information or medical records for those individuals.  The theft occurred on April 23 while the attorney was a passenger on the MTS Trolley in downtown San Diego, and was reported to the San Diego police department on April 24. The laptop has not been recovered.  Good luck recovering it at this point.

As the article notes, all potentially impacted individuals are being notified via a four page notification letter, which states “We have no reason to believe that the laptop was stolen for the information it contained,” and also “We also have no information indicating that this information has been accessed or used in any way.”   The recipients of the notification letter have been offered a free year of identity theft protection and credit monitoring services.

Sharon Nelson of the excellent Ride the Lightning blog surmised last week in her blog that, because the firm is notifying the individuals of the theft, the laptop was not encrypted.  That may be true, or it may be that the firm is just being cautious.  I can relate to being cautious and, having had my own business laptop stolen last year, I can also feel their pain.  Even though my laptop was fully encrypted and I don’t store client data on my laptop, I still felt compelled to change every password I owned and watched my accounts like a hawk for some time to make sure that my financial data was not compromised.  It’s extremely unsettling.  Like the law firm, we reported the theft (my colleague’s notepad was also stolen), but, of course, nothing was ever recovered.

Nonetheless, as traumatic as that was, it was just a stolen laptop (and a few personal effects in the laptop bag) in the end.  I was glad that the laptop was encrypted and it kept the situation from being WAY worse.

Encrypt your laptop.  It only takes a moment to become a victim of a data breach, the old fashioned way.

So, what do you think?  Have you ever had a laptop stolen?  Was it encrypted?  Please share any comments you might have or if you’d like to know more about a particular topic.


Life is Short, But Can Seem Long if You’re a Cheater About to Be Exposed in the Ashley Madison Hack: eDiscovery Trends

One of the most discussed topics at LegalTech® New York 2015 (LTNY) earlier this year was cybersecurity.  We’ve started covering some of the trends related to security breaches with posts here, here and here and even my hometown baseball team, the Houston Astros, was recently hacked by a competitor.  The latest victims of cyber hacking – the purported 37 million subscribers of the online cheating site AshleyMadison.com – may find little sympathy in their plight.

According to Brian Krebs in Krebs on Security, an authoritative Web site that monitors hacking worldwide, large caches of data  have been stolen from the site and some has been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information.  The breach was confirmed in a statement from Toronto-based Avid Life Media Inc. (ALM*), which owns AshleyMadison as well as related hookup sites Cougar Life and Established Men. ALM stated that “We apologize for this unprovoked and criminal intrusion into our customers’ information” and also claimed that “At this time, we have been able to secure our sites, and close the unauthorized access points.”

That’s probably little comfort to the subscribers who have had their personal information compromised.

The hacker or hackers identify themselves as The Impact Team and are threatening to expose all customer records (including “profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails”) unless ALM takes AshleyMadison and Established Men offline “permanently in all forms.”

As stated in the article in Krebs on Security, “In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed.”  On Monday, ALM said it would offer all users the ability to fully delete their personal information from the site and waive the fee (presumably fully).

Ashley Madison’s slogan is “Life is short.  Have an affair.®”  For those that have chosen to do so, life may start to seem very long, at least for a while.

So, what do you think?  Is there anything that can be done to stem the tide of data breaches throughout the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

* Not to be confused with American Lawyer Media, which goes by the same acronym.  🙂


“Stealing Signs” in Baseball Takes on New Meaning in the Information Age: eDiscovery Trends

According to an article in the New York Times, one Major League Baseball team has defined a new way of playing “hardball” with the competition – hacking into the network of another team to capture closely guarded information about players.

Front-office personnel for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, are under investigation by the F.B.I. and Justice Department prosecutors, accused of hacking into an internal network of my hometown team, the Houston Astros, to steal internal discussions about trades, proprietary statistics and scouting reports, among other competitive information.

According to law enforcement officials, investigators have uncovered evidence that Cardinals employees broke into a network of the Astros that housed special databases the team had built. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

In June 2014, the Astros claimed to have been victims of hackers who accessed their servers and published months of internal trade talks on the Internet. It was then that the team began working with the FBI and Major League Baseball security in an effort to identify who was responsible for the breach.

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011, credited with building baseball’s best minor league system, and with drafting several players who would become linchpins of the 2011 world champion Cardinals team.

Investigators believe that Cardinals personnel, concerned that Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Doesn’t Luhnow know that an insufficient password will leave you exposed? Or that almost thirty percent of data security incidents are due to human error?

That tactic is often used by cybercriminals, who sell passwords from one breach on the underground market, where others buy them and test them on other websites, including banking and brokerage services. The breach on the Astros would be one of the first known instances of a corporate competitor using the tactic against a rival. It is also, security experts say, just one more reason people are advised not to use the same passwords across different sites and services. It would not be a stretch (7th inning or otherwise) to see attacks like this happen among competitors in other industries. Or even between adverse parties in litigation.

Ironically, the Cardinals are accused of stealing the data last year, when the (dis)Astros were coming off three of the worst seasons in major league history. This year, they’re one of the best teams in baseball, at least for now. Hopefully (at least for Astros fans like me), they’ve improved their off-the-field cybersecurity protocols as well as they have improved on the field.

So, what do you think? Do you expect to see more breaches like this between competitors in various industries? Please share any comments you might have or if you’d like to know more about a particular topic.


Law Departments and Law Firms Getting Smarter About Data Privacy and Security, According to Huron Legal: eDiscovery Trends

How are recent trends related to data privacy and security affecting the legal industry? Though one recent report was critical of law firms for failing to disclose data breaches, according to a new Q&A from Huron Legal, law departments and law firms are getting smarter about addressing data privacy and security issues.

The new Q&A with Huron Legal director David Ray is titled Data Privacy and Security in the Legal Industry and discusses the efforts law departments, law firms, and other service providers are making to protect sensitive and confidential data.

“By nature, the legal industry deals with a large amount of potentially sensitive information, and as a result, data privacy is becoming increasingly more important,” said Ray, a data privacy and security expert. “Traditionally, legal professionals have seen themselves as somewhat immune to these issues. However, the increased overall focus on privacy and recent data breaches is affecting the legal sector just like any other. Law departments, law firms, and legal vendors are recognizing this growing pressure and have started to make changes accordingly.”

According to Ray, the five biggest trends in data privacy in the legal industry are in the following areas:

  • Law Departments are Getting Wiser: Law departments are becoming increasingly more involved with privacy issues as well as data breach responses and, accordingly, becoming wiser consumers of external legal services. Unsurprisingly, they are placing the information governance practices of their suppliers under much greater scrutiny than ever before.
  • Vendor Information Governance Scorecards: In fact, law departments are more often using metrics and scorecards to evaluate law firms and legal service vendors with the expectation they can meet or exceed the same privacy and security practices expected from non-legal service providers elsewhere within the organization. Scorecards allow organizations to know that the information that goes outside their walls is secure and protected by the appropriate practices.
  • Law Firms See Opportunity Rather than a Threat: One might expect to see pushback from law firms on newer stringent data security requirements. However, law firms seem to be responding to these heightened client demands and seeing them as a differentiator when competing for business. Demonstrating an ability to deal with sensitive and often high-value matters from an information perspective makes sense.
  • Legal Vendors are Playing Catch-up: Legal vendors are largely playing catch-up in data privacy issues. For a long time, the tools they provided for legal services were narrow. But now legal vendors need to rise to the same challenge. Additionally, these vendors need to design both the software and processes with privacy in mind, consulting the “privacy by design” principles before they become hindrances to the sale of services.
  • Data Privacy is Fast Moving: The most important consideration when dealing with privacy and security is understanding that it is an evolving field. The definitions and laws are changing, both within the U.S. and abroad. Everyone in the legal industry needs to be prepared for change and to be flexible. The laws today may be different in two years, so planning with that in mind is critical.

The full Q&A can be found here, with a podcast of the Q&A available here.

So, what do you think? Do you think the legal industry has made significant strides in dealing with data security and privacy? Please share any comments you might have or if you’d like to know more about a particular topic.


Almost Thirty Percent of Data Security Incidents are Due to Human Error: eDiscovery Trends

Last year, the term “data breach” became part of the broader public vernacular with The New York Times devoting more than 700 articles to data breaches, versus fewer than 125 the previous year. And, as we’ve discussed recently, data breaches are on the rise. However, according to a new report, almost thirty percent of data security incidents are due to human error.

According to Verizon’s 2015 Data Breach Investigations Report released last week, the single biggest cause of data security incidents in 2014 was “miscellaneous errors”. These “miscellaneous errors” comprised 29.4% of data security incidents in 2014 (up from 25% in 2013), according to the report.

As Verizon notes in its report, if you take the top four causes of data security incidents – two through four respectively are crimeware (25.1%), insider misuse (20.6%) and physical theft/loss (15.3%) – “the common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC (problem exists between keyboard and chair) and ID-10T (get it?) über-patterns.” As they somewhat playfully observe, “At this point, take your index finger, place it on your chest, and repeat ‘I am the problem,’ as long as it takes to believe it. Good – the first step to recovery is admitting the problem.”

While some of the errors are due to issues such as a computer malfunction or a misconfigured system, nearly 60% of the time, they’re due to a relatively simple user mistake (especially system administrators who were the “prime actors in over 60% of incidents”). Verizon breaks these down as:

  • “D’oh!”: Sensitive information sent to incorrect recipients (usually via email) comprised 30% of the miscellaneous errors that led to a data breach;
  • “My bad!”: Publishing non-public data to public web servers comprised 17%; and
  • “Oops!”: Insecure disposal of personal and medical data accounted for 12% of miscellaneous errors.

Overall, the report identifies 79,790 reported security incidents (with 2,122 confirmed data breaches) affecting at least 20 industries in 61 countries (not surprisingly, no breakout for legal). In terms of volume, two-thirds of incidents occurred in the U.S., but as Verizon notes, “that’s more reflective of our contributor base (which continues to expand geographically) than a measure of relative threat/vulnerability.”

The 70 page report covers topics ranging from victim demographics and breach trends to specific types of breach causes, including phishing and malware. It also breaks down incident types, including point-of-sale intrusions (the number one cause of confirmed data breaches at 28.5%), denial-of-service attacks and cyber-espionage. It even provides a “year in review” chronology of notable breaches (in case you missed them). The report is very informative and, at times, wryly written, which makes me forget – almost! – that Verizon dinged me for several hundred dollars of roaming charges in Europe during my honeymoon last fall (don’t get me started!).

Anyway, you can get a copy of the report here. You can register and download the report or just choose to download the report (which I did). An interesting read.

So, what do you think? Has your organization experienced any data security incidents due to human error? Please share any comments you might have or if you’d like to know more about a particular topic.


Cyber Liability Insurance Policies are Becoming More Popular for Law Firms: eDiscovery Trends

Last Friday, we discussed a report in The New York Times that discussed the unwillingness of most big US law firms to discuss or even acknowledge data breaches. But, despite the unwillingness to disclose breach information, more and more law firms are apparently purchasing or considering the purchase of cyber liability insurance to protect against potential data breaches.

An article in ABA Journal from earlier this month (Cyber liability insurance is an increasingly popular, almost necessary choice for law firms, by David L. Hudson, Jr.) reported the increasing trend.

“We’ve seen a noticeable increase in the number of firms who have purchased separate cyber policies over the past 24 months,” said Chris Andrews, vice president of professional liability at AIG. “We’re probably not yet at the point where we can say it’s a common purchase, but it’s certainly trending in that direction. Many firms are consulting their clients on privacy and regulatory issues, and at the same time those clients are now asking questions as to how firms use, store and protect information. Given this heightened level of awareness, it makes sense that firms are now looking inward to make sure their own house is in order and cyber coverage is part of the solution.”

Given the fact that many law firms hold sensitive data for their clients, such as personal injury firms which take credit card payments from clients and firms handling medical-malpractice cases who could have personal health information (which is particularly valuable), those firms are prime targets for hackers.

“Law firms today are responsible for massive amounts of electronic and nonelectronic information,” said AIG’s Andrews. “Depending on a firm’s areas of practice, this information can range from personally identifiable information to protected health information to confidential corporate information, such as intellectual property, contracts, and details on mergers and acquisitions. This information represents significant liability exposure in the event of a security failure. Even if the failure doesn’t lead to an actual lawsuit, a firm may still need to deal with costs associated with notification, possible regulatory investigations, fines and penalties, forensic expenses, public relations expenses and more.”

Cyber risk policies were introduced in the 1990s but have experienced a dramatic growth in recent years, according to Washington, D.C.-based attorney Thomas H. Bentz Jr., head of Holland & Knight’s team on directors and officers and management liability insurance. “Corporate America has seen a huge increase in the purchase of cyber policies in the last three to five years. Law firms have been slower to follow,” Bentz says. “In my experience, it is still not common for law firms to purchase cyber liability coverage. I expect that this will change in the next several years as the potential exposure becomes clearer and the coverage more certain.”

Cyber liability insurance coverage can include data breaches and privacy crisis management, as well as multimedia, extortion, and network security liability. As with any insurance policy, it’s important to understand the parameters of the policy and also what you can do to reduce not only the risk of a breach, but also the cost of the policy premium. For example, it’s important to understand which security controls you can put into place that will reduce the premium, whether you will get a reduction for each year you do not file a claim and, if you do file a claim, how that will affect your premiums.

So, what do you think? Does your organization have, or is it considering, a cyber liability insurance policy? Please share any comments you might have or if you’d like to know more about a particular topic.


Has the Law Firm Holding Your Data Ever Suffered a Breach? You May Never Know.: eDiscovery Trends

In February, we discussed a report about data breach trends in 2014 and how those trends compared to data breaches in 2013. That report provided breach trends for several industries, including the healthcare industry, which suffered the most breaches last year (possibly because stolen health records are apparently worth big money). But, according to a recent report, you won’t see any trends for law firms because the legal profession almost never publicly discloses a breach.

According to a recent article in The New York Times (Citigroup Report Chides Law Firms for Silence on Hackings, written by Matthew Goldstein), the “unwillingness of most big United States law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years.” This information was according to a recent internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms.

“Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,” according to the report, a copy of which was reviewed by The New York Times and discussed in Goldstein’s article.

Issued in February, the report (according to Goldstein’s article) included several observations, such as:

  • It is “reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies”;
  • Bank employees “should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries”;
  • Law firms are at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

According to the article, the bank’s security team also “highlighted several ways hackers had intruded on law firms, by directly breaching their systems, attacking their websites or using their names in so-called phishing efforts to trick people into disclosing personal information”. As a result, Wall Street banks are putting pressure on law firms to do more to prevent the theft of information and are also demanding more documentation from them about online security measures before approving them for assignments.

The report mentioned a handful of law firms who had suffered reported hacks, which apparently led to Citigroup distancing itself from the report and ceasing to distribute it.

“The analysis relied on and cited previously published reports. We have apologized to several of the parties mentioned for not giving them an opportunity to respond prior to its publication in light of the sensitive nature of the events described,” said Danielle Romero-Apsilos, a Citigroup spokeswoman.

While law firms apparently aren’t publicly disclosing breaches, they are apparently choosing cyber liability insurance at an increased rate. We will discuss that on Monday.

Thanks to Sharon Nelson and her always excellent Ride the Lightning blog for the tip – her post regarding the story is here.

So, what do you think? How much information do you know about your outside counsel’s security measures? Please share any comments you might have or if you’d like to know more about a particular topic.


Big Money for Stolen Health Records: eDiscovery Trends

Last month, we discussed how the number of data breaches was up in 2014, but the number of records breached was down. Of course, this year already got off to a rocky start when health insurance provider Anthem announced in early February that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people. It turns out that those hacked health records are worth a lot in the black market.

In Fox Rothschild’s HIPAA, HITECH & HIT blog article Hacked Health Records Prized for their Black Market Value (that I found via Rob Robinson’s ever valuable Complex Discovery site), author William Maruca notes that health records combined with financial data can be considerably more valuable than financial data alone.

Consider these sources:

As the Pittsburgh Post-Gazette reported, “The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company, as reported by Reuters last year (before the Anthem breach). Jackson obtained the data by monitoring underground exchanges where hackers sell the information.

According to an FBI bulletin from last April (again, before the Anthem breach), cyber criminals are selling the information on the black market at a rate of $50 for each partial electronic health record (EHR), compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

With so much at stake, it’s no wonder that the healthcare industry had more breaches in 2014 (333) than any other industry, and that the potential cost for breaches in the healthcare industry is estimated to be as much as $5.6 billion annually. With numbers like these, expect data security and data privacy to continue to be hot topics within the legal technology community.

So, what do you think? Have you personally had your data stolen? Please share any comments you might have or if you’d like to know more about a particular topic.


Craig Ball of Craig D. Ball, P.C.: eDiscovery Trends

This is the eighth (and final) of the 2015 LegalTech New York (LTNY) Thought Leader Interview series. eDiscovery Daily interviewed several thought leaders at LTNY this year and generally asked each of them most of the following questions:

  1. What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?
  2. After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?
  3. Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?
  4. What are you working on that you’d like our readers to know about?

Today’s thought leader is Craig Ball. A frequent court-appointed special master in electronic evidence, Craig is a prolific contributor to continuing legal and professional education programs throughout the United States, having delivered over 1,500 presentations and papers. Craig’s articles on forensic technology and electronic discovery frequently appear in the national media, and he currently blogs on those topics at ballinyourcourt.com.

What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?

My impression is that the crowd is down. I’m not sure whether that was the challenging travel conditions (many people, daunted by winter storms and flight diversions, may have headed home), but looking at today’s keynote address, it wasn’t a full house. Still, it was a quality house. Fewer browsers isn’t bad for the exhibitors when the quality of leads improves. The folks that come to grab tchotchkes aren’t necessarily the folk vendors want to engage.

This is the first time in quite some time that I was able to peruse 100% of the exhibitors’ booths. That ALM wasn’t using the top floor this year suggests that the number of exhibitors must be down, too. I’d attribute that to marketplace consolidation and to the ranks of vendors who’ve decamped to other venues, believing they can glean the benefits of being at LegalTech without exhibiting. I find myself in meetings at the Warwick Hotel as often as at the Hilton.

LegalTech has grown more important through the disappearance of other venues of this scale and breadth. LTNY dominates as the one place where you see everybody and everything in the marketplace. But, that’s a cyclic phenomenon and competition will return. ILTA has grown in scale and import, and it serves as an influential alternative venue for kicking tires. It’s probably as important to be at ILTA as it is to be here in New York. The West Coast LegalTech has lost steam, but should be energized by its move to the Bay Area. The biggest challenger to these big tent events is improved communication tools. Screen sharing has made it as easy to be at your desk and see a high quality demo as fight the crowd.

There was also a different vibe, a “changing of the guard” feel. Underscoring the late Browning Marean’s absence, the temporary shuttering of the Hilton lobby bar was metaphorical, as was Monica Bay’s retirement. It signals the handing over of the reins to a new generation of disruptive competitors, and of established players seeking to reinvent and present themselves in fresh ways. That’s exciting. I’ve attended LegalTech since the latest technology was fire (we called it “Environmental Governance”), and I’m seeing many new faces, people I don’t recognize when I scan the cocktail lounge. That’s renewal: positive, but bittersweet.

As for the educational sessions, I’m biased as a member of the educational advisory board that plans the curriculum; but, the sessions I attended were first rate. The presenters did their homework; panelists weren’t “winging it.” The content was substantive and engaging. Has electronic discovery eaten the show? Sure, but many other offerings are here. They just don’t sponsor as many educational tracks, buy the big booths or host the prominent events. I know that some lament the extent to which electronic discovery has taken over; but, that’s a function of demand. Content follows the money.

Having said that, I feel that there’s a sense of ennui that pervades the industry. Many are tired of eDiscovery, manifested as efforts to shift the conversation to other things. When I plan eDiscovery programs, there’s a push to bring in privacy and cybersecurity or blow the topic up into information governance. All of those are valuable; but, they aren’t the core curriculum of eDiscovery, and we haven’t yet mastered the fundamentals of electronic discovery. Those hot topics serve to displace education still needed and topics more central to electronic discovery. We are still laying the foundation.

Trend-wise, we’re always a bit late to the party in eDiscovery. We aren’t doing enough to acknowledge that, like Elvis, much of the information we must address in discovery has left the building. It’s gone mobile, and we lack the scalable processes and tools to effectively and efficiently preserve and process mobile data. I’m hoping that the things I’m saying to vendors (and that I hope others are saying as well) will get them to look toward the hill, or even over it. Mobile and cloud are not “coming.” They’re here in a big way, and they’re not going away or becoming less important.

Finally, if it were my call, I’d swap the dates for the east and west events, giving three years notice. But, a wintry convention probably costs much less, so fuggedaboudit.

After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?

I am comfortable with the end result and think there is a virtual certainty that the amendments will sail through Congress with no more than a tweak or two, becoming our rules in December. With respect to their impact on preservation (which was the principal impetus behind the efforts to change the rules), it will make absolutely no difference. I’ve been asking people what they will not retain or do once the amendments take hold that they weren’t saving or doing before, and I’ve not had a single person articulate the savings they expect to realize on the strength of Rule 37(e). That said, I think 37(e) significantly immunizes negligent spoliation from significant sanctions. If there was going to be a 37(e)–and the millions spent by businesses lobbying for same sealed that deal–then Judge Grimm and others crafted the best 37(e) we could hope for.

Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?

I don’t think enough are struggling with it. I think many have simply chosen to move on, whether they get it or not. They’re tired of eDiscovery, and they’re changing the conversation. That was my point earlier about, “Oh, you want to have an eDiscovery conference? Talk about cybersecurity or privacy instead.” They hate having to deal with the nitty-gritty of eDiscovery competency, like preservation and forms for production. Most still view “legal hold” as a document instead of a process. On the other hand, much of eDiscovery has been enshrined as a repeatable process. It may be a lousy process, but look how well it replicates! That’s a bit cynical. I do see incremental improvement and I see it in a variety of areas.

Those managing discovery in their organizations have gotten savvier and more refined in their thinking. Many organizations are in capable hands. Others have gotten what they wanted, but not what they need. By that I mean they acquired buzzwords, a few rules of thumb and checklists to trot out without much understanding of what they are doing.

As much as I criticize lawyers for their intransigence in seeking out information about electronic discovery and refusing to master the barest fundamentals of information technology, as a profession, we have done a poor job of making materials available that are engaging and accessible. Even those lawyers willing to put effort into learning don’t know where to go for “eDiscovery 101, let alone 201 and 301.” Where are the primers and training tools? Other education supplies a pattern, a path for learning that we know how to follow. But, for electronic discovery, we’ve never had that path set before us. We’re starting to build curriculums in electronic discovery in a variety of law schools and more law schools are offering electronic discovery courses. Some of which are quite impressive and some of which are rather ministerial and give short shrift to the all-important “e” that makes eDiscovery different.

But, I’m encouraged that the coming year and the year after are going to be threshold intervals for leaps forward that we can take some pride in with regard to generating educational resources. Things are happening. Judge John Facciola’s retirement also fuels that “end of an era”, “handing over the reins” sense I mentioned; but it frees Judge Facciola up to concentrate more on teaching and leadership. I’m encouraged by that, and I look forward to working with him and following him in a variety of endeavors.

What are you working on that you’d like our readers to know about?

The coming year, I hope to focus on pulling together a group of educators to develop a core curriculum for electronic discovery – at the law school level, a curriculum that can be taught by those whose strength is the law and one that can be taught by those whose strength extends into the technology. I see a need to rethink professional development. We keep repeating in CLE much of the same stuff over and over again. We need to educate lawyers and litigation support, paralegals, legal assistants, IT – the people “in the trenches” – opening a path to meaningful skills and accreditation (not just a certificate and some letters to stick after one’s name). We need to offer the means to acquire genuine expertise and competence. So, I will concentrate on working with others to develop materials that can be freely circulated to law students and used by law professors, such as distilled case law, discussion questions, workbooks, tools, hands-on exercises and all the rest that serve to help schools offer practical skills courses and new lawyers gain talents that make them more valuable to firms and clients.

As I look around, I’m impressed at how much difference an individual can make in this young field. People like Richard Braman, Browning Marean, George Socha, Bill Hamilton, Tom Allman, Ariana Tadler, the rock star eDiscovery judges and others inspire me to keep on the oars and beat on, boats against the current, and unlike Gatsby, bearing ceaselessly toward tomorrow.

Thanks, Craig, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!
