Hon. Ronald J. Hedges
I expect that 2018 will see a convergence of trends that have been developing over the past several years and that these trends will lead to both spectacular failures and innovative solutions. Failures will, of course, lead to “bad press” driven by the pervasiveness of electronic media. Innovative solutions, on the other hand, may not be publicized per se but will lead to enhanced corporate reputations and customer confidence.
What trends am I alluding to? First and foremost, the inexorable expansion of electronic information generated by, among other things, new sources of data such as social media, interactive websites and apps. These new sources are creating a staggering amount of data and that expansion of data – and the need to capture, store and utilize it for business purposes – is itself advancing technology development such as Artificial Intelligence or, in litigation, Technology Assisted Review (TAR). Private and public corporate entities are dealing with more and more data, those businesses must address privacy and security concerns. 2017 was a standout year for significant data breaches, and there is no indication that 2018 will see the number and severity of breaches reduced. Additionally, governments are imposing data frameworks, such as the General Data Protection Regulation (GDPR) and the New York State Department of Financial Services (NYDFS) regulations, on corporations that must be evaluated and integrated into broader corporate governance policies and procedures.
While data expansion and security trends have been developing for years, there are specific occurrences playing out in 2018 that I believe may impact electronically stored information (ESI) for corporations. Those include:
- Net neutrality repeal — We may get to see if preferential data speeds by internet service providers (ISPs) have an impact on costs and speed of transfer for ESI.
- Cross-border data localization requirements — As China’s 2017 Cybersecurity Law and the start of the GDPR impact global businesses, we’ll see if this constitutes the beginning of increased data localization requirements by nations.
- Industry-specific data requirements — The 2017 NYDFS provides cybersecurity regulation for financial services businesses. I think the possibility of industry-specific data regulations increasing may follow.
- Legal Process Outsourcing — Moving data by definition creates another layer of complexity for legal compliance. As corporations and the law firms they contract outsource portions of their legal process to third party vendors, the complexities for data security, integrity and tracking grow.
2017 was a standout year for significant data breaches, and there is no indication that 2018 will see the number and severity of breaches reduced.
With all of these trends in mind, how might corporations react in the context of litigation? Litigation may not be a favorite topic for corporate leadership, but civil litigation is a fact of life that requires planning for. Federal and state agency investigations are a looming possibility at all times, with circumstances requiring law enforcement to demand access to corporate data. This range of possibilities makes it clear that corporate leadership needs to be forward-thinking, developing anticipatory strategies for litigation response. To my mind, the consideration of those steps start here:
1. Understand your data completely
A corporation should be aware of, and be able to account for, every pieces of data it is involved with. That sound relatively straight forward. However, consider all that implies. You must account for who creates the data, where and how it is stored, how and when it is transmitted, and how it is accessed. That sounds like a data map. However, data can be created and stored by officers and employees on devices both within and without what might be a traditional firewall, leading to questions further down the rabbit hole — do personnel work from mobile devices such as smartphones? Or on personal computers at home? Moreover, what corporate data is created through third-parties or stored in the cloud? Look to create detailed data maps that are dynamic in nature as your data is a living, constantly changing beast.
2. Enable access to the data, whatever and wherever it might be
Again, this sounds like a simple matter on the surface. However, should a corporation seek data from, for example, an employee’s smartphone or a third-party vendor, are there contracts or corporate policies that allow such access? If so, are there terms and conditions that might make access burdensome? These questions become of central importance under federal and state rules that allow discovery of data within the possession, custody or control of a corporate party. Look for review and, as appropriate, revisions to contracts and corporate policies.
3. Keep litigation in mind
Always lurking in the background, there will be questions about preservation and collection of data for litigation. We can move to the side retention obligations imposed on corporate entities by federal, state or local law. Corporations should plan for and adopt reasonable procedures to identify data relevant to specific litigation, preserve that data, and collect the data for review and production. Given the volume of data referred to above, centralization and automation of those procedures should be considered as corporations design their information governance and retention policies.
Ronald J. Hedges is Senior Counsel with Dentons US LLP. He served as a United States Magistrate Judge in the District of New Jersey from 1986 to 2007, and has extensive experience in ediscovery, frequently speaking and writing as an expert on the subject. He has authored numerous publications, including Managing Discovery of Electronic Information, Third Edition.