If you missed our recent webinar where we went in-depth on hot topics in eDiscovery, you can view it here. We had a great Q&A session at the end of the webinar, and we wanted to share our answers here as many of our readers may have the same questions.
Who are some of the main vendors that offer electronic custodian questionnaires as a product?
A quick internet search will bring up a number of software solutions with new ones popping up all the time, but our preferred platform is TotalDiscovery. It’s completely online, instantly available, very affordable, amazingly secure and requires no software to be installed. It can be used and licensed just for Custodian Questionnaires, but it also has integrated Legal Hold, Data Collection, Processing & ECA functions that can be used if desired. That said, there are lots of good products available with varying capabilities and price tags. Know what features are ‘must haves’ for your organization and schedule some demos!
When self-destructing social media platforms (e.g., Snapchat) came on the scene, many people suspected that, in actuality, these services kept backups of users' data. Do we know that to be the case? If so, should we send preservation notices to them?
Unfortunately, there’s not a one-size-fits-all answer to this question. Some platforms never keep any permanent record of users’ communications (often the only instance is on the user’s device), while others will keep at least some information for a varying period of time. The first step is to identify which platforms are implicated in a given matter. Once you know that, you can either consult an expert (recommended) or research the retention practices of the identified solutions (checking the Terms of Service that everyone clicks through is an excellent starting point) yourself through general web research or by calling the company directly.
That all said, even if the company itself maintains some data, sending a preservation notice to a non-party like Snapchat is unlikely to result in any data being preserved. The non-party company itself really has no independent legal obligation to preserve such data, and thus, will often simply ignore a preservation notice. Indeed, many companies will reject or ignore a standard third-party subpoena, with only a court-ordered subpoena for production getting their attention.
The best approach is to retain an expert who can not only assist with better understanding how a given company’s solution retains data (or not), but more importantly, can assist you in determining the most efficient, effective and defensible way to collect and use that data.
What should be the single top priority for an organization to consider for 2020 in relation to eDiscovery practices?
We’ll give you two…
First, you should put serious thought into how you can use Social Media Discovery in every new case you start. Read more here about how Social Media Discovery is the new smoking gun that alone can make or break a case – and it’s not just for personal injury and medical malpractice cases anymore.
Second, embrace automation and AI solutions wherever possible. We’re not just talking TAR – nearly every step in the eDiscovery workflow can now be largely automated. And it’s not hard to do.
In days past, when collecting data for litigation, teams of forensics technicians had to be sent out, boots on the ground, to kick employees off their computer while they tore out the hard drives and made physical copies – often taking many, many hours per employee. The travel, expert cost, lost productivity, employee distress and more made those collections extremely costly and disruptive. But with today’s automated collections, a quick email, a simple click on a link, and that same data can be captured automatically, even while the employees continues their work without interruption, annoyance or distress. Oh, and it costs a lot less too. (Note, for criminal, fraud investigations and the like, a bit for bit forensic capture may be the appropriate method. Again, consult your experts.)
The Legal Hold Notification processes, too, used to be performed manually using emails and spreadsheets in most organizations. Some organizations with larger litigation portfolios even had one or more full-time employees who largely focused on nothing but legal hold notifications, record keeping and general management. Today, the entire legal hold process can be set up in minutes, with everything from routine reminders to reporting completely automated. And the same goes for Custodian Questionnaires.
There’s really not a single part of the eDiscovery workflow and process that hasn’t seen amazing leaps in automation and technology over the past several years. So how do you choose that one single thing? Find out what causes your organization the most stress, disruption and/or money and automate that first.
For one of our new clients, the biggest pain internally was their legal hold process. It was such a complex web of manual processes, spreadsheets going back years and never-ending custodian follow-ups, that it took a full-time team of three people to manage. And they barely kept their head above water. Fast forward a few months after they decided to migrate to our automated solutions, and now they collectively spend about 10-20 hours a week on legal holds (compared to about 120 hours collectively before). And it’s more secure, defensible and reliable than their previous solution too. Now they are looking at the next step – automating their data collections.
So, figure out where you’re spending the most time, the most money or simply experiencing the most frustration and start there. Not sure? We’d be glad to help with an overall process review.
What is the best AI software available in the market today to help legal professionals in eDiscovery?
Well, that’s a loaded question! For our purposes here, we’re going to assume the question is focused on AI solutions that assist in eDiscovery related areas like internal investigations, document reviews, second requests and general case and issue research and analysis.
As a preliminary note, it’s important to understand that AI solutions not only can help determine responsiveness to document demands (e.g., Predictive Coding or TAR), but they can also assist counsel in general investigative work, deposition preparations, motion practice and more. For example, the same technology that helps you determine whether documents are generally responsive or not can be tuned and focused to help find the needles in the haystack on a given topic when reviewing documents produced by the opposing party. We also use those same tools to help ensure all potentially privileged materials are identified, that responsive and issue coding among similar documents is consistent, and much more.
That all said, what platforms do we recommend? Well, here at BIA, we currently use Brainspace more than any other platform, but we’re also beginning to use the NextLP platform as well, which has some interesting “emotional” intelligence functions that help highlight more emotional communications, for example. We also use Veritone specifically for audio file analysis. One thing we like about those solutions is that they plug into a number of different review tools, so your choice of analytics platform doesn’t necessarily lock you to a specific review platform too.
Beyond that, we’ve used a number of different tools over the years, as not every nail should be hit with the same hammer. We’ve found that it’s best to have the team trained and proficient in a number of core tools, but to always be on the lookout for new ones and be willing to give new solutions a try.
Will AI eventually substitute the need for "humans" to do electronic discovery?
No. We wrote a recent blog on AI generally that included that topic and another blog on the human question specifically a while back. Long story short, AI is best – at least for the foreseeable future – on very regimented, predictable and often mundane tasks. What we expect AI to do is to eliminate or at least reduce those mundane tasks, hopefully allowing attorneys to focus that much more on the legal theories, arguments, and strategies in a given case.
Is MS O365 eDiscovery Basic Services good enough?
For many cases and companies, the basic eDiscovery functions in Microsoft’s Office 365 (O365) are going to be sufficient to meet most basic eDiscovery needs that a company generally handles internally. Larger more complex organizations should bring in an expert to evaluate their needs and make recommendations for how best to leverage the built-in solutions to O365.
However, it’s important to remember O365’s eDiscovery limitations. The most significant being that regardless of whether you use the basic or advanced eDiscovery features in O365, those functions and solutions are still limited to the O365 universe, and that means most servers, desktops and other common data locations must still be handled separately. So, for nearly all organizations, O365’s eDiscovery solutions will only handle part of your overall eDiscovery data collection needs.
It’s also worth noting that O365 doesn’t have complex proximity and other searching functions commonly used in eDiscovery practice. It’s largely geared toward high-level data identification, collection and basic filtering (think date filtering and basic Boolean search functions). And of course, there are little to no review or production capabilities built in, so you’ll still need a review tool solution nonetheless.
Re: Facebook accounts, Is there a difference between "deactivation" vs "deletion"?
Those terms provide an interesting juxtaposition. Deactivation can lead to deletion. In many spoliation claims specific Facebook posts are deleted from a user’s account. The Katiroll case is an excellent example of that. The offended party knew posts had been there and the court ordered them to be restored. Facebook’s Terms of Service address the notion that once an account is deactivated Facebook will delete any posts to that account within a short time frame. They also state that while there may be residual copies in various back up locations, those too will be deleted over time. We have not yet seen a case where Facebook has tried to recover data from those backups.
What are the best practices to hold the data from social media platforms? Will a simple snippet work in legal framework or do we need specialized tool and technology to preserve the post or content?
There really is no black-letter guideline on this question. When it comes to admitting evidence, that’s a decision left exclusively to the judge in a given case, and thus, open to wide discretion. We’ve seen cases were judges have allowed the admission of simple webpage printouts of a social media site and others that have rejected the same for lack of foundation.
That said, when it comes to data collection of any type, we don’t mess around. After all, whether you’re collecting a Facebook page or the CEO’s email, the single most important consideration is to ensure it’s done defensibly. Without a defensible collection process, everything else is a waste.
So, we recommend hiring an experienced professional to do perform any type of social media (or really any other) data collection. Not only will that professional take steps to help ensure the foundation of the evidence for admissibility, but if you need someone to testify regarding the collection, you’ll be prepared. What’s more, you’ll likely be surprised how inexpensive it can be to collect a few social media sites.
For IoT, I understand in criminal cases or personal injury they are but what about antitrust matters, criminal white collar? Are people talking through these? Or is it for their location, meetings, etc.?
The use of information from IoT devices is limited only to your imagination. As nearly everything becomes connected to the internet, the vast amount of possibilities that opens up is simply staggering. Location data in your smart watch might prove you were at the office the weekend before you quit, which might play into employee data theft cases. Tracking of your activities, heart rate and more might play into medical malpractice or medical device lawsuits. Tracking of your sleep quantity and quality could potentially be used in professional malpractice cases. Chatting through unconventional resources such as gaming consoles is something to consider as well.
How do you collect e-mail from someone who may be the target of an investigation and resides in the EU and yet all of their e-mail data resides in the USA? It doesn't make sense to obtain consent for a potential target.
This is a difficult question to answer however, the GDPR does attempt in its drafting to take the position that it governs data of EU residents wherever that data is located. Hence the need for caution. We are not aware of actions by the EU governing body yet that address this particular issue. Our advice here is to proceed with caution.
Have you come across any situations wherein the Custodian withdrawing their consent, when for example, the custodian signs an agreement with the company that they are employed by understanding the company reserves the right to access their computers? Can they legitimately withdraw their consent?
If the provided consent is a condition of employment and specifically references employer provided computers and other devices (tablets, smart phones), those are company assets then it stands to reason that the custodian/employee can be forced to allow access. Typical consent forms do include a provision that there is no expectation of privacy with respect to company provided devices. If the custodian is using personal devices for work purposes, the same holds true and the custodian can be forced to provide access, typically through a court order. We have seen this in many matters over the years, and it does happen with frequency. As to withdrawal of consent, and there is a legitimate purpose to obtain access, then, you may need to resort to motion practice seeking an appropriate court order.
It seems like TAR is geared toward relevancy, not hot vs. cold. Any improvements in the future?
The simple answer is yes – we expect Artificial Intelligence (AI) solutions, which include TAR solutions, to improve more and more rapidly as they continue to evolve. Indeed, we’ve seen these systems already rapidly advance in the few years since the legal industry embraced the use.
While we address this in the question above about AI generally, in short, it’s not a correct assumption that TAR can only be used for relevancy reviews. AI platforms currently used in eDiscovery are driven by statistics and the characteristics you deem important. So, what that means is that it’s all in how you use the platform and the statistics and characteristics you tell it are important. As we mentioned above, for example, we use TAR platforms not just for relevancy, but for privilege reviews, consistency and quality control and more. A lot of that just comes down to experience.
Remember, these systems aren’t the self-thinking artificial intelligence brains of science fiction; instead, they are analytical tools that are trained to do a specific job using a specific set of criteria and advanced mathematical statistics. If you train the AI system by showing it what documents and information you consider hot or cold, it can apply that to identify other similar hot documents or eliminate other cold documents. Indeed, above we mention how NextLP has created an “emotional intelligence” aspect to their platform. That doesn’t mean they’ve somehow trained their system to understand human emotions. What they’ve done is train their system on the common characteristics, content and other aspects generally found in communications that are more emotional in nature.
In the end, what you get from these platforms depends on what you feed them and how you design the workflows. As the saying goes, anyone can drive a Ferrari, but not quite like Mario Andretti. Similarly, a truly excellent AI/TAR consultant can really make those platforms sing and accomplish a lot more than you might expect!
Why is it important to keep custodian eDiscovery questionnaires/surveys outside of organization through vendor?
It’s not – companies can and often do manage their own solutions around Custodian Questionnaires. Indeed, most of our clients to whom we sell a license to TotalDiscovery (our preferred platform) run the Legal Hold and Custodian Questionnaire process themselves, relying on us for expert advice when needed. We’re even seeing more and more law firms license TotalDiscovery and then resell it to their clients on a case-by-case basis.
When deciding on which technology to use for Custodian Questionnaires, the important question isn’t whether it’s inside the organization or not, but rather, the overall cost, efficiency and data security of the system. And while just about any commercial survey engine can accomplish the basic tasks of a Custodian Questionnaire, not all will do it as effectively – and securely – as those designed for legal use.
Let’s first look at the worst choice you should avoid: free online survey engines. Those platforms may allow you to get the job done, but nearly all will retain the right to review and use your survey result data for their own purposes (in other words, there’s no such thing as a free lunch). Given that Custodian Questionnaires can gather very rather sensitive and privileged data, such free solutions can very quickly become extremely risky.
Whatever solution you use, then, must first and foremost, have robust data security practices and clear privacy policies.
To the extent this question asks whether organizations should consider building their own custom software themselves, that’s not recommended. While we have seen many organizations in years past develop their own Legal Hold Notice and Custodian Questionnaire solutions (the two tasks often go together), that’s unheard of today. Indeed, we often migrate customers out of such custom solutions they created in years past and into new solutions like TotalDiscovery, as it’s simply much cheaper, easier, and more effective than building and maintaining their home-grown solution. And the commercial solution usually has much better data security controls than anything most organizations can build or maintain internally.
Thanks again to those who joined us for our recent webinar. If you missed it, you can still view it here.