CCBJ: What trends are you seeing regarding the importance of document review?
Bill Piwonka: We’re seeing more corporations bringing document review in-house, as opposed to having a blanket policy of always using outside legal service providers or law firms to assist with it. There are several different reasons for this. One is an acknowledgement that there are several different business use cases that relate to document review. Certainly e-discovery review is a key use case. But organizations also need to do document review for internal investigations, or when they are complying with a data subject access request under GDPR or CCPA/CPRA. It’s also critical when responding to a security incident or breach to quickly determine if potentially compromised data contains personally sensitive data that would trigger regulatory reporting or notifications.
So, you now have all these different use cases that require document review and it just becomes so much more effective to do that in-house, depending on the size and scope. This certainly isn’t to suggest that document review will never be outsourced, because there may be very, very legitimate reasons for doing so: the size, scope, nature, resourcing and that sort of thing. But one of the trends that has been rock solid over the past seven or eight years is how much the C-suite is looking to legal to improve its productivity and efficiency and cut costs. And when you can do document review in-house, you’re going to gain efficiencies, productivity and visibility into the process and you’re certainly going to minimize your costs.
What are you advising clients about effective incident management?
There are several different things that need to be considered. First and foremost, you need to understand where your data is. In e-discovery, for years consultants and experts have said, “You’ve got to do data mapping.” And I just can’t emphasize enough how important having a comprehensive data inventory is because you must be able to very quickly identify where are the sources of the data that might relate to the incident or matter, and without an accurate, up-to-date, comprehensive data inventory, you just can’t do that.
The second thing is you’ve got to be able to connect to those data sources where that data resides—whether that’s an application, a network share, hardware, whatever it may be—because time is of the essence, because there are laws that dictate how quickly you must begin the reporting or notification process in situations where individuals or consumer data has been compromised).
In addition, from an incident management perspective, I would say you’ve got to be prepared. Nobody wants to be the victim of a security incident or a breach. I forget which analyst firm said it, but something like one third of all organizations will be breached every year. By that logic, everybody’s going to be breached at least once in the next three years. So you’ve got to have your plan in place before that happens. Think about your incident response not only from a security perspective, but also a legal and compliance perspective. How can you quickly review the data that was potentially compromised to identify whether you’ve triggered reporting and notification rules? How do you know what laws apply? Are you set up to quickly identify, “Yep. I’ve triggered the reporting notification in this or that state, so I need to do X, Y and Z.”
And you can’t effectively do that within the timelines required under the GDPR or CCPA unless you’re prepared for it prior. If you don’t want to be flying by the seat of your pants, you’ve got to have your plan in place, the technology in place and the team in place. And ideally, you’ve also done some tabletop exercises in preparation for it.
You mentioned that many organizations are bringing much of their document review in-house. Can you expand on this?
Well, I think it’s a natural evolution that began soon after organizations started bringing parts of the e-discovery process in-house. Certainly, it applied early on to legal holds. And, interestingly, we’re seeing a resurgence and interest in legal holds because while the early iterations of legal hold technology essentially ensured that you were complying with all laws in terms of notification and acknowledgement, with the arrival of technology enabling you to preserve data in place, you know that you’re not going to run afoul of spoliation of evidence laws, through either inadvertent or intentional unauthorized deletion of data, because you’re able to preserve it in place. And so, we’re seeing technology able to automate that first part of the e-discovery process.
We’re also seeing a move to integrated, unified platforms. Seven, eight, nine years ago, there was much more of a best-of-breed mentality. You chose the best legal hold provider, the best collection provider, the best processing provider, the best review provider, etc. Now, organizations are seeing the value of orchestrated workflow, where all of those capabilities and functionality is available in one seamless platform. Now you can easily, quickly put a ‘preservation in place’ on data. You can determine whether it’s potentially responsive. You can easily and quickly collect and process it and immediately begin the review process, as opposed to having to use one product, then upload to another, download, upload, handoff and so forth. Because there’s so much risk when you start doing the manual handoffs. So, one of the biggest trends is this move to integrated platforms that can manage the entire process include features like artificial intelligence and process orchestration that were unknown to many organizations as recently as five years ago.
There’s so much data to cull—structured, unstructured, voice, video, personal devices, alternative communications like Slack and text. What’s your advice to in-house executives struggling to navigate all these streams?
First, look for technology vendors that can connect to all these different technologies. Lots of technologies can integrate with Office 365, which is important because of its ubiquity in the market. But you’ve also got to worry about Slack, and archiving solutions like Druva and Proofpoint, and applications like Asana and ServiceNow and Salesforce.com. I could go on and on and on.
So, because data is so vast and variegated, and because it’s so widely dispersed, both on-premise and in the cloud, you’ve got to find technology vendors that have the ability to directly connect where that data is stored. Once you can do that, you now have the ability, with the right technology, to start the review process before collection. You can ask yourself, “Okay, within these parameters, is this data really potentially responsive so therefore I want to collect it and proceed to formal review?” Or “Can I cull before I’ve even collected?” And that’s incredibly important from both a time and a cost perspective. So that would be the biggest piece of advice: Look for a technology vendor that can connect to all of the different data sources that you use internally.