Security

Potential Data Breaches Still Happen the Old Fashioned Way, Too: eDiscovery Trends

Whether you’re a website that promotes cheating on your spouse, a first place major league baseball team (yay!) or a major health insurance provider, data breaches can happen to you.  Potentially, they can happen to law firms too, even the old fashioned way.

According to SC Magazine (Personal data on laptop stolen from attorney with California law firm, written by Adam Greenberg), California-based law firm Atkinson, Andelson, Loya, Ruud & Romo is notifying an undisclosed number of individuals that a personal laptop computer owned by an attorney from the firm was stolen, and their personal information may have been compromised.

According to the article, the laptop contained names, addresses, telephone numbers, Social Security numbers, and possibly certain financial information or medical records for those individuals.  The theft occurred on April 23 while the attorney was a passenger on the MTS Trolley in downtown San Diego, and was reported to the San Diego police department on April 24. The laptop has not been recovered.  Good luck recovering it at this point.

As the article notes, all potentially impacted individuals are being notified via a four page notification letter, which states “We have no reason to believe that the laptop was stolen for the information it contained,” and also “We also have no information indicating that this information has been accessed or used in any way.”   The recipients of the notification letter have been offered a free year of identity theft protection and credit monitoring services.

Sharon Nelson of the excellent Ride the Lightning blog surmised last week in her blog that, because the firm is notifying the individuals of the theft, the laptop was not encrypted.  That may be true, or it may be that the firm is just being cautious.  I can relate to being cautious and, having had my own business laptop stolen last year, I can also feel their pain.  Even though my laptop was fully encrypted and I don’t store client data on my laptop, I still felt compelled to change every password I owned and watched my accounts like a hawk for some time to make sure that my financial data was not compromised.  It’s extremely unsettling.  Like the law firm, we reported the theft (my colleague’s notepad was also stolen), but, of course, nothing was ever recovered.

Nonetheless, as traumatic as that was, it was just a stolen laptop (and a few personal effects in the laptop bag) in the end.  I was glad that the laptop was encrypted and it kept the situation from being WAY worse.

Encrypt your laptop.  It only takes a moment to become a victim of a data breach, the old fashioned way.

So, what do you think?  Have you ever had a laptop stolen?  Was it encrypted?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Life is Short, But Can Seem Long if You’re a Cheater About to Be Exposed in the Ashley Madison Hack: eDiscovery Trends

One of the most discussed topics at LegalTech® New York 2015 (LTNY) earlier this year was cybersecurity.  We’ve started covering some of the trends related to security breaches with posts here, here and here and even my hometown baseball team, the Houston Astros, was recently hacked by a competitor.  The latest victims of cyber hacking – the purported 37 million subscribers of the online cheating site AshleyMadison.com – may find little sympathy in their plight.

According to Brian Krebs in Krebs on Security, an authoritative Web site that monitors hacking worldwide, large caches of data  have been stolen from the site and some has been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information.  The breach was confirmed in a statement from Toronto-based Avid Life Media Inc. (ALM*), which owns AshleyMadison as well as related hookup sites Cougar Life and Established Men. ALM stated that “We apologize for this unprovoked and criminal intrusion into our customers’ information” and also claimed that “At this time, we have been able to secure our sites, and close the unauthorized access points.”

That’s probably little comfort to the subscribers who have had their personal information compromised.

The hacker or hackers identify themselves as The Impact Team and are threatening to expose all customer records (including “profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails”) unless ALM takes AshleyMadison and Established Men offline “permanently in all forms.”

As stated in the article in Krebs on Security, “In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed.”  On Monday, ALM said it would offer all users the ability to fully delete their personal information from the site and waive the fee (presumably fully).

Ashley Madison’s slogan is “Life is short.  Have an affair.®”  For those that have chosen to do so, life may start to seem very long, at least for a while.

So, what do you think?  Is there anything that can be done to stem the tide of data breaches throughout the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

* Not to be confused with American Lawyer Media, which goes by the same acronym.  🙂


“Stealing Signs” in Baseball Takes on New Meaning in the Information Age: eDiscovery Trends

According to an article in the New York Times, one Major League Baseball team has defined a new way of playing “hardball” with the competition – hacking into the network of another team to capture closely guarded information about players.

Front-office personnel for the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, are under investigation by the F.B.I. and Justice Department prosecutors, accused of hacking into an internal network of my hometown team, the Houston Astros, to steal internal discussions about trades, proprietary statistics and scouting reports, among other competitive information.

According to law enforcement officials, investigators have uncovered evidence that Cardinals employees broke into a network of the Astros that housed special databases the team had built. The investigation is being led by the F.B.I.’s Houston field office and has progressed to the point that subpoenas have been served on the Cardinals and Major League Baseball for electronic correspondence.

In June 2014, the Astros claimed to have been victims of hackers who accessed their servers and published months of internal trade talks on the Internet. It was then that the team began working with the FBI and Major League Baseball security in an effort to identify who was responsible for the breach.

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager, who had been a successful and polarizing executive with the Cardinals until 2011, credited with building baseball’s best minor league system, and with drafting several players who would become linchpins of the 2011 world champion Cardinals team.

Investigators believe that Cardinals personnel, concerned that Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Luhnow and the other officials when they worked for the Cardinals. The Cardinals employees are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said.

Doesn’t Luhnow know that an insufficient password will leave you exposed? Or that almost thirty percent of data security incidents are due to human error?

That tactic is often used by cybercriminals, who sell passwords from one breach on the underground market, where others buy them and test them on other websites, including banking and brokerage services. The breach on the Astros would be one of the first known instances of a corporate competitor using the tactic against a rival. It is also, security experts say, just one more reason people are advised not to use the same passwords across different sites and services. It would not be a stretch (7th inning or otherwise) to see attacks like this happen among competitors in other industries. Or even between adverse parties in litigation.

Ironically, the Cardinals are accused of stealing the data last year, when the (dis)Astros were coming off three of the worst seasons in major league history. This year, they’re one of the best teams in baseball, at least for now. Hopefully (at least for Astros fans like me), they’ve improved their off-the-field cybersecurity protocols as well as they have improved on the field.

So, what do you think? Do you expect to see more breaches like this between competitors in various industries? Please share any comments you might have or if you’d like to know more about a particular topic.


Law Departments and Law Firms Getting Smarter About Data Privacy and Security, According to Huron Legal: eDiscovery Trends

How are recent trends related to data privacy and security affecting the legal industry? Though one recent report was critical of law firms for failing to disclose data breaches, according to a new Q&A from Huron Legal, law departments and law firms are getting smarter about addressing data privacy and security issues.

The new Q&A with Huron Legal director David Ray is titled Data Privacy and Security in the Legal Industry and discusses the efforts law departments, law firms, and other service providers are making to protect sensitive and confidential data.

“By nature, the legal industry deals with a large amount of potentially sensitive information, and as a result, data privacy is becoming increasingly more important,” said Ray, a data privacy and security expert. “Traditionally, legal professionals have seen themselves as somewhat immune to these issues. However, the increased overall focus on privacy and recent data breaches is affecting the legal sector just like any other. Law departments, law firms, and legal vendors are recognizing this growing pressure and have started to make changes accordingly.”

According to Ray, the five biggest trends in data privacy in the legal industry are in the following areas:

  • Law Departments are Getting Wiser: Law departments are becoming increasingly more involved with privacy issues as well as data breach responses and, accordingly, becoming wiser consumers of external legal services. Unsurprisingly, they are placing the information governance practices of their suppliers under much greater scrutiny than ever before.
  • Vendor Information Governance Scorecards: In fact, law departments are more often using metrics and scorecards to evaluate law firms and legal service vendors with the expectation they can meet or exceed the same privacy and security practices expected from non-legal service providers elsewhere within the organization. Scorecards allow organizations to know that the information that goes outside their walls is secure and protected by the appropriate practices.
  • Law Firms See Opportunity Rather than a Threat: One might expect to see pushback from law firms on newer stringent data security requirements. However, law firms seem to be responding to these heightened client demands and seeing them as a differentiator when competing for business. Demonstrating an ability to deal with sensitive and often high-value matters from an information perspective makes sense.
  • Legal Vendors are Playing Catch-up: Legal vendors are largely playing catch-up in data privacy issues. For a long time, the tools they provided for legal services were narrow. But now legal vendors need to rise to the same challenge. Additionally, these vendors need to design both the software and processes with privacy in mind, consulting the “privacy by design” principles before they become hindrances to the sale of services.
  • Data Privacy is Fast Moving: The most important consideration when dealing with privacy and security is understanding that it is an evolving field. The definitions and laws are changing, both within the U.S. and abroad. Everyone in the legal industry needs to be prepared for change and to be flexible. The laws today may be different in two years, so planning with that in mind is critical.

The full Q&A can be found here, with a podcast of the Q&A available here.

So, what do you think? Do you think the legal industry has made significant strides in dealing with data security and privacy? Please share any comments you might have or if you’d like to know more about a particular topic.


Almost Thirty Percent of Data Security Incidents are Due to Human Error: eDiscovery Trends

Last year, the term “data breach” became part of the broader public vernacular with The New York Times devoting more than 700 articles related to data breaches, versus fewer than 125 the previous year. And, as we’ve discussed recently, data breaches are on the rise. However, according to a new report, almost thirty percent of data security incidents are due to human error.

According to Verizon’s 2015 Data Breach Investigations Report released last week, the single biggest cause of data security incidents in 2014 was “miscellaneous errors”. These “miscellaneous errors” comprised 29.4% of data security incidents in 2014 (up from 25% in 2013), according to the report.

As Verizon notes in its report, if you take the top four causes of data security incidents – two through four respectively are crimeware (25.1%), insider misuse (20.6%) and physical theft/loss (15.3%) – “the common denominator across the top four patterns – accounting for nearly 90% of all incidents – is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC (problem exists between keyboard and chair) and ID-10T (get it?) über-patterns.” As they somewhat playfully observe, “At this point, take your index finger, place it on your chest, and repeat ‘I am the problem,’ as long as it takes to believe it. Good – the first step to recovery is admitting the problem.”

While some of the errors are due to issues such as a computer malfunction or a misconfigured system, nearly 60% of the time, they’re due to a relatively simple user mistake (especially system administrators who were the “prime actors in over 60% of incidents”). Verizon breaks these down as:

  • “D’oh!”: Sensitive information sent to incorrect recipients (usually via email) comprised 30% of the miscellaneous errors that led to a data breach;
  • “My bad!”: Publishing non-public data to public web servers comprised 17%; and
  • “Oops!”: Insecure disposal of personal and medical data accounted for 12% of miscellaneous errors.

Overall, the report identifies 79,790 reported security incidents (with 2,122 confirmed data breaches) affecting at least 20 industries in 61 countries (not surprisingly, no breakout for legal). In terms of volume, two-thirds of incidents occurred in the U.S., but as Verizon notes, “that’s more reflective of our contributor base (which continues to expand geographically) than a measure of relative threat/vulnerability.”

The 70 page report covers topics ranging from victim demographics and breach trends to specific types of breach causes, including phishing and malware. It also breaks down incident types, including point-of-sale intrusions (the number one cause of confirmed data breaches at 28.5%), denial-of-service attacks and cyber-espionage. It even provides a “year in review” chronology of notable breaches (in case you missed them). The report is very informative and, at times, wryly written, which makes me forget – almost! – that Verizon dinged me for several hundred dollars of roaming charges in Europe during my honeymoon last fall (don’t get me started!).

Anyway, you can get a copy of the report here. You can register and download the report or just choose to download the report (which I did). An interesting read.

So, what do you think? Has your organization experienced any data security incidents due to human error? Please share any comments you might have or if you’d like to know more about a particular topic.


Cyber Liability Insurance Policies are Becoming More Popular for Law Firms: eDiscovery Trends

Last Friday, we discussed a report in The New York Times that discussed the unwillingness of most big US law firms to discuss or even acknowledge data breaches. But, despite the unwillingness to disclose breach information, more and more law firms are apparently purchasing or considering the purchase of cyber liability insurance to protect against potential data breaches.

An article in ABA Journal from earlier this month (Cyber liability insurance is an increasingly popular, almost necessary choice for law firms, by David L. Hudson, Jr.) reported the increasing trend.

“We’ve seen a noticeable increase in the number of firms who have purchased separate cyber policies over the past 24 months,” said Chris Andrews, vice president of professional liability at AIG. “We’re probably not yet at the point where we can say it’s a common purchase, but it’s certainly trending in that direction. Many firms are consulting their clients on privacy and regulatory issues, and at the same time those clients are now asking questions as to how firms use, store and protect information. Given this heightened level of awareness, it makes sense that firms are now looking inward to make sure their own house is in order and cyber coverage is part of the solution.”

Given the fact that many law firms hold sensitive data for their clients, such as personal injury firms which take credit card payments from clients and firms handling medical-malpractice cases who could have personal health information (which is particularly valuable), those firms are prime targets for hackers.

“Law firms today are responsible for massive amounts of electronic and nonelectronic information,” said AIG’s Andrews. “Depending on a firm’s areas of practice, this information can range from personally identifiable information to protected health information to confidential corporate information, such as intellectual property, contracts, and details on mergers and acquisitions. This information represents significant liability exposure in the event of a security failure. Even if the failure doesn’t lead to an actual lawsuit, a firm may still need to deal with costs associated with notification, possible regulatory investigations, fines and penalties, forensic expenses, public relations expenses and more.”

Cyber risk policies were introduced in the 1990s but have experienced a dramatic growth in recent years, according to Washington, D.C.-based attorney Thomas H. Bentz Jr., head of Holland & Knight’s team on directors and officers and management liability insurance. “Corporate America has seen a huge increase in the purchase of cyber policies in the last three to five years. Law firms have been slower to follow,” Bentz says. “In my experience, it is still not common for law firms to purchase cyber liability coverage. I expect that this will change in the next several years as the potential exposure becomes clearer and the coverage more certain.”

Cyber liability insurance coverage can include data breaches and privacy crisis management, as well as multimedia, extortion, and network security liability. As with any insurance policy, it’s important to understand the parameters of the policy and also what you can do to reduce not only the risk of a breach, but also the cost of the policy premium. For example, it’s important to understand which security controls you can put into place that will reduce the premium, whether you will get a reduction for each year you do not file a claim and, if you do file a claim, how that will affect your premiums.

So, what do you think? Does your organization have, or is it considering, a cyber liability insurance policy? Please share any comments you might have or if you’d like to know more about a particular topic.


Has the Law Firm Holding Your Data Ever Suffered a Breach? You May Never Know.: eDiscovery Trends

In February, we discussed a report about data breach trends in 2014 and how those trends compared to data breaches in 2013. That report provided breach trends for several industries, including the healthcare industry, which suffered the most breaches last year (possibly because stolen health records are apparently worth big money). But, according to a recent report, you won’t see any trends for law firms because the legal profession almost never publicly discloses a breach.

According to a recent article in The New York Times (Citigroup Report Chides Law Firms for Silence on Hackings, written by Matthew Goldstein), the “unwillingness of most big United States law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years.” This information was according to a recent internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms.

“Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,” according to the report, a copy of which was reviewed by The New York Times and discussed in Goldstein’s article.

Issued in February, the report (according to Goldstein’s article) included several observations, such as:

  • It is “reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies”;
  • Bank employees “should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries”;
  • Law firms are at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

According to the article, the bank’s security team also “highlighted several ways hackers had intruded on law firms, by directly breaching their systems, attacking their websites or using their names in so-called phishing efforts to trick people into disclosing personal information”. As a result, Wall Street banks are putting pressure on law firms to do more to prevent the theft of information and are also demanding more documentation from them about online security measures before approving them for assignments.

The report mentioned a handful of law firms who had suffered reported hacks, which apparently led to Citigroup’s distancing itself from the report and ceasing to distribute it.

“The analysis relied on and cited previously published reports. We have apologized to several of the parties mentioned for not giving them an opportunity to respond prior to its publication in light of the sensitive nature of the events described,” said Danielle Romero-Apsilos, a Citigroup spokeswoman.

While law firms apparently aren’t publicly disclosing breaches, they are apparently choosing cyber liability insurance at an increased rate. We will discuss that on Monday.

Thanks to Sharon Nelson and her always excellent Ride the Lightning blog for the tip – her post regarding the story is here.

So, what do you think? How much information do you know about your outside counsel’s security measures? Please share any comments you might have or if you’d like to know more about a particular topic.


Big Money for Stolen Health Records: eDiscovery Trends

Last month, we discussed how the number of data breaches was up in 2014, but the number of records breached was down. Of course, this year already got off to a rocky start when health insurance provider Anthem announced in early February that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people. It turns out that those hacked health records are worth a lot in the black market.

In Fox Rothschild’s HIPAA, HITECH & HIT blog article Hacked Health Records Prized for their Black Market Value (that I found via Rob Robinson’s ever valuable Complex Discovery site), author William Maruca notes that health records combined with financial data can be considerably more valuable than financial data alone.

Consider these sources:

As the Pittsburgh Post-Gazette reported, “The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company and reported by Reuters last year (before the Anthem breach). Jackson obtained the data by monitoring underground exchanges where hackers sell the information.

According to an FBI bulletin from last April (again, before the Anthem breach), cyber criminals are selling the information on the black market at a rate of $50 for each partial electronic health record (EHR), compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

With so much at stake, it’s no wonder that the healthcare industry suffered more breaches in 2014 (333) than any other industry, and that the potential cost for breaches in the healthcare industry is estimated to be as much as $5.6 billion annually. With numbers like these, expect data security and data privacy to continue to be hot topics within the legal technology community.

So, what do you think? Have you personally had your data stolen? Please share any comments you might have or if you’d like to know more about a particular topic.


Craig Ball of Craig D. Ball, P.C.: eDiscovery Trends

This is the eighth (and final) of the 2015 LegalTech New York (LTNY) Thought Leader Interview series. eDiscovery Daily interviewed several thought leaders at LTNY this year and generally asked each of them most of the following questions:

  1. What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?
  2. After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?
  3. Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?
  4. What are you working on that you’d like our readers to know about?

Today’s thought leader is Craig Ball. A frequent court appointed special master in electronic evidence, Craig is a prolific contributor to continuing legal and professional education programs throughout the United States, having delivered over 1,500 presentations and papers. Craig’s articles on forensic technology and electronic discovery frequently appear in the national media, and he currently blogs on those topics at ballinyourcourt.com.

What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?

My impression is that the crowd is down. I’m not sure whether that was the challenging travel conditions (many people, daunted by winter storms and flight diversions, may have headed home), but looking at today’s keynote address, it wasn’t a full house. Still, it was a quality house. Fewer browsers isn’t bad for the exhibitors when the quality of leads improves. The folks that come to grab tchotchkes aren’t necessarily the folk vendors want to engage.

This is the first time in quite some time that I was able to peruse 100% of the exhibitors’ booths. That ALM wasn’t using the top floor this year suggests that the number of exhibitors must be down, too. I’d attribute that to marketplace consolidation and to the ranks of vendors who’ve decamped to other venues, believing they can glean the benefits of being at LegalTech without exhibiting. I find myself in meetings at the Warwick Hotel as often as at the Hilton.

LegalTech has grown more important through the disappearance of other venues of this scale and breadth.  LTNY dominates as the one place where you see everybody and everything in the marketplace. But, that’s a cyclic phenomenon and competition will return. ILTA has grown in scale and import, and it serves as an influential alternative venue for kicking tires. It’s probably as important to be at ILTA as it is to be here in New York. The West Coast LegalTech has lost steam, but should be energized by its move to the Bay Area. The biggest challenger to these big tent events is improved communication tools. Screen sharing has made it as easy to be at your desk and see a high quality demo as fight the crowd.

There was also a different vibe, a “changing of the guard” feel. Underscoring the late Browning Marean’s absence, the temporary shuttering of the Hilton lobby bar was metaphorical, as was Monica Bay’s retirement. It signals the handing over of the reins to a new generation of disruptive competitors, and of established players seeking to reinvent and present themselves in fresh ways. That’s exciting. I’ve attended LegalTech since the latest technology was fire (we called it “Environmental Governance”), and I’m seeing many new faces, people I don’t recognize when I scan the cocktail lounge. That’s renewal: positive, but bittersweet.

As for the educational sessions, I’m biased as a member of the educational advisory board that plans the curriculum; but, the sessions I attended were first rate. The presenters did their homework; panelists weren’t “winging it.” The content was substantive and engaging. Has electronic discovery eaten the show? Sure, but many other offerings are here. They just don’t sponsor as many educational tracks, buy the big booths or host the prominent events. I know that some lament the extent to which electronic discovery has taken over; but, that’s a function of demand. Content follows the money.

Having said that, I feel that there’s a sense of ennui that pervades the industry. Many are tired of eDiscovery, manifested as efforts to shift the conversation to other things. When I plan eDiscovery programs, there’s a push to bring in privacy and cybersecurity or blow the topic up into information governance. All of those are valuable; but, they aren’t the core curriculum of eDiscovery, and we haven’t yet mastered the fundamentals of electronic discovery. Those hot topics serve to displace education still needed and topics more central to electronic discovery. We are still laying the foundation.

Trend-wise, we’re always a bit late to the party in eDiscovery. We aren’t doing enough to acknowledge that, like Elvis, much of the information we must address in discovery has left the building. It’s gone mobile, and we lack the scalable processes and tools to effectively and efficiently preserve and process mobile data. I’m hoping that the things I’m saying to vendors (and that I hope others are saying as well) will get them to look toward the hill, or even over it. Mobile and cloud are not “coming.” They’re here in a big way, and they’re not going away or becoming less important.

Finally, if it were my call, I’d swap the dates for the east and west events, giving three years’ notice. But, a wintry convention probably costs much less, so fuggedaboudit.

After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?

I am comfortable with the end result and think there is a virtual certainty that the amendments will sail through Congress with no more than a tweak or two, becoming our rules in December. With respect to their impact on preservation (which was the principal impetus behind the efforts to change the rules), it will make absolutely no difference. I’ve been asking people what they will not retain or do once the amendments take hold that they weren’t saving or doing before, and I’ve not had a single person articulate the savings they expect to realize on the strength of Rule 37(e). That said, I think 37(e) significantly immunizes negligent spoliation from significant sanctions. If there was going to be a 37(e)–and the millions spent by businesses lobbying for same sealed that deal–then Judge Grimm and others crafted the best 37(e) we could hope for.

Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?

I don’t think enough are struggling with it. I think many have simply chosen to move on, whether they get it or not. They’re tired of eDiscovery, and they’re changing the conversation. That was my point earlier about, “Oh, you want to have an eDiscovery conference? Talk about cybersecurity or privacy instead.” They hate having to deal with the nitty-gritty of eDiscovery competency, like preservation and forms for production. Most still view “legal hold” as a document instead of a process. On the other hand, much of eDiscovery has been enshrined as a repeatable process. It may be a lousy process, but look how well it replicates! That’s a bit cynical. I do see incremental improvement and I see it in a variety of areas.

Those managing discovery in their organizations have gotten savvier and more refined in their thinking. Many organizations are in capable hands. Others have gotten what they wanted, but not what they need. By that I mean they acquired buzzwords, a few rules of thumb and a checklist to trot out without much understanding of what they are doing.

As much as I criticize lawyers for their intransigence in seeking out information about electronic discovery and refusing to master the barest fundamentals of information technology, as a profession, we have done a poor job of making materials available that are engaging and accessible. Even those lawyers willing to put effort into learning don’t know where to go for “eDiscovery 101,” let alone 201 and 301. Where are the primers and training tools? Other education supplies a pattern, a path for learning that we know how to follow. But, for electronic discovery, we’ve never had that path set before us. We’re starting to build curriculums in electronic discovery in a variety of law schools and more law schools are offering electronic discovery courses. Some of which are quite impressive and some of which are rather ministerial and give short shrift to the all-important “e” that makes eDiscovery different.

But, I’m encouraged that the coming year and the year after are going to be threshold intervals for leaps forward that we can take some pride in with regard to generating educational resources. Things are happening. Judge John Facciola’s retirement also fuels that “end of an era”, “handing over the reins” sense I mentioned; but it frees Judge Facciola up to concentrate more on teaching and leadership. I’m encouraged by that, and I look forward to working with him and following him in a variety of endeavors.

What are you working on that you’d like our readers to know about?

The coming year, I hope to focus on pulling together a group of educators to develop a core curriculum for electronic discovery – at the law school level, a curriculum that can be taught by those whose strength is the law and one that can be taught by those whose strength extends into the technology. I see a need to rethink professional development. We keep repeating in CLE much of the same stuff over and over again. We need to educate lawyers and litigation support, paralegals, legal assistants, IT – the people “in the trenches” – opening a path to meaningful skills and accreditation (not just a certificate and some letters to stick after one’s name). We need to offer the means to acquire genuine expertise and competence. So, I will concentrate on working with others to develop materials that can be freely circulated to law students and used by law professors, such as distilled case law, discussion questions, workbooks, tools, hands-on exercises and all the rest that serve to help schools offer practical skills courses and new lawyers gain talents that make them more valuable to firms and clients.

As I look around, I’m impressed at how much difference an individual can make in this young field. People like Richard Braman, Browning Marean, George Socha, Bill Hamilton, Tom Allman, Ariana Tadler, the rock star eDiscovery judges and others inspire me to keep on the oars and beat on, boats against the current, and unlike Gatsby, bearing ceaselessly toward tomorrow.

Thanks, Craig, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!


Ralph Losey of Jackson Lewis, LLP: eDiscovery Trends

This is the seventh of the 2015 LegalTech New York (LTNY) Thought Leader Interview series. eDiscovery Daily interviewed several thought leaders at LTNY this year and generally asked each of them the following questions:

  1. What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?
  2. After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?
  3. Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?
  4. What are you working on that you’d like our readers to know about?

Today’s thought leader is Ralph Losey. Ralph is an attorney in private practice with the law firm of Jackson Lewis, LLP, where he is a Shareholder and the firm’s National e-Discovery Counsel. Ralph is also a prolific author of eDiscovery books and articles, the principal author and publisher of the popular e-Discovery Team® Blog, founder and owner of an online training program, e-Discovery Team Training, with attorney and technical students all over the world, and founder of the new Electronic Discovery Best Practices (EDBP) lawyer-centric work flow model. Ralph is also the publisher of LegalSearchScience.com and PreSuit.com on predictive coding methods and applications.

What are your general observations about LTNY this year and how it fits into emerging trends? Do you think American Lawyer Media (ALM) should consider moving LTNY to a different time of year to minimize travel disruptions due to weather?

It seems to me that attendance is up. I got here a little late, but I was only delayed two hours – I know that some were delayed as much as two days. Despite that, I think it was a good turnout. When I was walking the floor, there seemed to be crowds of people, so I think it was pretty well attended this year.

The programming this year had a slightly different orientation. I had a presentation on predictive coding (which I’ve presented on predictive coding topics for the last four years or so) and, in past years, it seemed that my presentation would be one of a dozen or more at the show whereas this year, it seemed like there were only three or four presentations on predictive coding. So, maybe the “fad” part of predictive coding is over and more people are into the topic in depth. The presentation that we gave was more on an advanced level – we didn’t discuss whether or not you should use it or review the basics; instead, we went into a deeper level. And that was fun for me to do.

Instead, I think the hot item this year was information governance, which is somewhat of a general “catch-all”. Then, the other two things that I saw in the presentations and in the “buzz” on the floor when talking to people were two things that I’m very concerned about as well: security (cybersecurity is the word I prefer to use) and privacy. I think those are two long-term issues that have been brewing and are now coming to the forefront where lawyers are realizing that these are important issues that are coming out of technology.

As for whether they should consider moving the show, well, I’m from Florida and I love to see snow every now and then – it’s a real rarity where I live. I left a 72 degree paradise to arrive here and it was 18 degrees. In spite of that, I think the show should remain in New York at this time of year and I fully believe that this is the event of the year. If anything, I think it’s growing in importance. For me, the older I get, the more I try to limit my travel and appearances and this would be one that I would not take off my list of must attend events, if for no other reason than because everyone is here. I love walking around and running into judges and old friends, so that is one of the reasons that I think it is the premier event of the year.

After our discussion last year regarding the new amendments to discovery provisions of the Federal Rules of Civil Procedure, additional changes were made to Rule 37(e). Do you see those changes as being positive and do you see the new amendments passing through Congress this year?

I don’t think there will be any issues passing the rules amendments through Congress, I think they will sail through and be part of our rules soon enough. I don’t really feel that the rules changes will make that much difference. I just recently litigated the existing Rule 37(e) and in my memos, I quoted the new Rule 37(e). At the end of the day, it didn’t really make any difference in the court’s adjudication whether it was the old rule or the new rule. So, I still continue to think that the changes are a positive move, but I don’t think they will be a savior or “cure-all” that people might hope. In that sense, I may be a little pessimistic about it. I’ve seen rules changes before, such as ’06.

This leads to a slightly different topic, but I ultimately feel that all these (as I call them) cosmetic rules changes will fail. I think that, in maybe ten years, there is going to be a major overhaul. I think the rules committee and the federal judges will realize that you can’t just do these periodic slight “tweaks” of the rules. I think they will eventually consider and, possibly enact, a complete overhaul of our rules and procedures – focused on discovery. I don’t think discovery is working and I don’t think the discovery rules are really working and I don’t think that they can be patched up. They’ve been trying to patch up discovery for 35 years now with various rules changes and they’ve never worked. I have no reason to believe that 2015 will be any different than 1989 or before that. I think that they’re going to be forced to take drastic measures. That’s my prediction – we’ll see.

Last year, most thought leaders agreed that, despite numerous resources in the industry, most attorneys still don’t know a lot about eDiscovery. Do you think anything has been done in the past year to improve the situation?

In my world (which is a fairly large world, but it’s all in employment law), I see employment law cases all over the country of an asymmetric type: small plaintiff against the big corporation. The change that I see is mainly on the corporation defendant level – they are getting their acts together much better on the preservation front. In fact, all across the whole spectrum, the corporations are slowly but surely getting there. There is still a long way to go, but I do see improvement. I see improvement in the defense bar in general and, of course, with my own attorneys, which for five years I have put through intensive training. We have 800 lawyers and I would say that 600 of them are litigators, so, after five years, there are certain things that have penetrated and they have developed a core level of competence, particularly on preservation. Preservation is in every case, so that’s the most important thing to get down pat and I have seen definite improvement in that.

Now, on the plaintiff side, it’s still amazingly slow. The plaintiffs’ bar is slow to catch up, they are still untrained and, for the most part, unknowledgeable. And, some of the ones that are active in eDiscovery are using it as a tool to be a “pain in the ass” really. They’re not doing it for true discovery; instead, they’re doing it more as a harassment tactic. And, they don’t really know what they’re doing. So, we have to deal with that. On the other hand, we are seeing more and more sincere plaintiff’s counsel too, so it’s not all bad. Just not as many as we would like, since cooperation really is the best way to go.

But, we are also seeing situations where we’re making requests and wanting to see the Facebook pages and wanting to see the plaintiff’s email. Although it is still asymmetric, there essentially isn’t a plaintiff in the world that doesn’t have an email account. We still need discovery from them. The impact is what I call the “boomerang effect” – be careful what you throw out there, it can come back right at you. When the tables are turned and we ask the plaintiff’s counsel “what are you doing about preservation”, we get big blank stares. In a way, the fact that the plaintiffs have their own ESI has leveled the playing field a bit.

What are you working on that you’d like our readers to know about?

I’d like the readers to check out what I’m working on to create a best practices and standards for the legal practice of electronic discovery, and I call that Electronic Discovery Best Practices (EDBP). It’s not EDRM, it’s about what lawyers do. That’s what I’ve been doing for the past eight years, helping lawyers do electronic discovery. That continues to evolve.

The thing that’s new that I’ve been working on is cybersecurity. So, one of my websites is eDiscoverySecurity.com where I talk about the need for lawyers and companies when they’re doing eDiscovery to be concerned about keeping it secure. We’re often assembling very sensitive documents, which are a target for hackers, including foreign governments. The Chinese are famous for this and law firms are being hacked. The final thing that I would point out is that I’ve got HackerLaw.org, which is another new web site that I’ve created associated with my interest in cybersecurity. I consider myself a “hacker” in the positive sense of someone who is hands on, working with computers – that’s what “hacker” really means. But, there’s also the “dark hat” hackers that are my enemies and there’s a whole war going on out there. This site pertains to that and also talks about the positive side of being a hacker (for example, Steve Jobs and Steve Wozniak were proud to call themselves “hackers”). Believe it or not, the term “hacker” started out in model railroading – the famous computer lab at MIT grew out of the model railroad club at MIT. They were hands on building railroad tracks and, out of that grew the whole computer culture – little known historical point.

As for the e-Discovery Team® Blog, the three part series that I just finished on ei-Recall was the hardest blog post series that I have ever written. I put a lot of time into it as a public service because I worried about what is the best way to confirm and verify your results when you’re doing a review. I call it “Quality Assurance” and there are so many ways to do it that I came up with this approach for recall and consulted a number of scientists during the process. I didn’t do it because I’m trying to sell anything. But, I hope it will become the de-facto standard and I wrote it, at length, so that anybody with a little study can do it on their own. People have started to tell me that they have studied the blog and are starting to do it, so that’s encouraging. The whole point of “I’ve attained 80% recall” – that’s wrong, you can never know exact recall, it has to be a range. I’ve had some scientists after the fact tell me that’s what they’ve been doing all along, they just didn’t call it “ei-Recall”. You only calculate it at the end of a project, but that’s when you need to do it. So, I think it has been one of my major accomplishments and I hope everyone will check it out.

Thanks, Ralph, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!
