Well-armed is well-prepared: Understanding the changing rules of e-discovery
Security | May 24, 2016
It would seem that the laws and procedures governing e-discovery would be stabilizing in 2016, right? As technology marches on, and we acclimate to an always-on digital world, it would stand to reason that attorneys, judges, plaintiffs and defendants completely understand how the proliferation of data on connected desktop devices and always-geotracking mobile phones and tablets can potentially be used in civil and criminal cases.
But that is far from the case. The reality is, according to legal experts on a panel at Enfuse, Guidance Software’s 16th annual cybersecurity and forensic investigation conference. Despite new e-discovery rules – sometimes conflicting – in the U.S. Federal Rules of Civil Procedure as well as the European General Data Protection Regulation (GDPR), e-discovery procedure for prosecution and litigation can vary widely from jurisdiction to jurisdiction and from judge to judge.
Interestingly, while Europe and the rest of the world tend to be two years behind the U.S. when it comes to e-discovery systems and procedures – and legal minds there tend to look to the U.S. legal system as a model shaping its own – the European Commission’s GDPR is a much more stringent privacy standard than those in America. The dichotomy is complicating evidence collection for trans-Atlantic cases.
In fact, e-discovery can be such a complex task that attorneys are seeing some judges more actively managing the process themselves. Complicating the problem is that some attorneys are unaware that the rules exist, let alone understand how they work.
Each of panelists -- which included moderator and English solicitor Chris Dale, who runs that country’s eDisclosure Information Project as well as U.S attorneys Ed McAndrew (partner, Ballard Spahr, LLP), Scott Cohen (director of E-Discovery Services, Winston & Strawn) and his colleague, legal forensics and privacy expert Sheryl Falk – discussed how attorneys hurt themselves going into cases unarmed with this knowledge.
The main advice the attorneys gave attendees to the session: Know the rules, and know the software used for e-discovery, to collect and perform tasks such as predictive coding, which automates the process of determining which documents may be relevant to a civil or criminal case. Even if you’re not in a position to use such sophisticated software because of financial or technical reasons, the panelists said, going into the process knowing nothing can be a losing strategy.
The e-discovery era might be a new boon to the judicial system, but it’s also forcing attorneys to become better data stewards on behalf of clients and their customers entrusting them with personally identifiable data. Attorneys themselves become the target of hackers themselves, as their networks are likely not even close to as secure as their clients’.
Two trends are forcing them to catch up quickly: The first is the “Panama Papers” saga, in which 11.5 million documents were made public via a hack of Mossack Fonseca, a Panamanian legal firm that handled financials and other sensitive matters for high-profile government and corporate clients around the world.
The other factor getting the legal profession to pay closer attention to data security is their clients themselves. Understanding the sensitivity of personally identifiable data, many companies are setting up policies and procedures for data handling of third parties – including attorneys – and also mandating security measures such as encryption of data both in transit and at rest.
While all this might paint a picture of an emerging policy and technology problem that will take years, perhaps decades to solve, the speakers were sanguine that new standards put forth by the U.S. National Institute of Standards and Technology (NIST), the SANS Institute and The Sedona Conference eDiscovery Working Groups will lead the charge to organize and make consistent the ways data is uncovered and used in court proceedings.