Lighthouse Blog

While everyone hoped that 2021 would be less tumultuous than 2020, it certainly did not turn out that way in the end. The same was true in the world of data privacy – with sweeping new data protection regulations and guidance issued throughout the year that made significant ripples. Below is a summary of some of the most important data privacy changes that will impact companies operating in the United States, Europe, and China in 2022 and beyond.US Regulation ChangesVirginia Consumer Data Protection Act (VCDPA)What it Does: Similar to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (jointly, the first GDPR-like data protection regulations passed within the US), the new Virginia regulation is a comprehensive data protection law that bestows certain rights and protections to Virginia residents regarding the use of their personal data, including:The right to opt out of having their data sold or used for targeted advertising, as well as the right to opt out of having their data used for “profiling” (i.e., using a person’s personal data to evaluate, analyze, or predict aspects of their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).The right to request that companies provide information about the personal data they have collected from them, and have it corrected or deleted.The right to request a free copy of their personal data in a portable, readily usable format.The law also requires companies to gain permission from citizens before collecting certain classes of highly sensitive personal data, including racial or ethnic origin, genetic data, and geolocation. The new law does not provide for a private right of action (i.e., it does not allow individuals to bring lawsuits against companies for data privacy rights violations). Instead, the law will be enforced by the state’s Attorney General.Who it applies to: All Virginia residents have rights under the VCDPA. Any company or organization that conducts business in Virginia and meets either of the following two criteria must comply with its requirements:Controls or processes personal data of at least 100,000 consumers; orDerives over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.Note that there are broad exemptions for financial institutions, as well as organizations or businesses that are governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.When it takes effect: Jan. 1, 2023When it was passed: March 2, 2021Other notes: Tech industry trade groups and businesses heavily supported the VCDPA. Colorado Privacy Act (CPA)What it Does: Following in the footsteps of California and Virginia, Colorado was the third state to pass a comprehensive GDPR-like data privacy law. The new law conveys data privacy rights to Colorado residents that are nearly identical to the VCDPA, including:The right to opt out of the use of their personal data for sale or targeted advertising, as well as for the use in profiling decisions that would have legal or significant effects to the consumer (such as the use of personal data that may affect decisions regarding consumer lending, financial, housing, and insurance decisions).The right to request that companies provide information about the personal data they have collected from them, and request that it either be corrected or deleted.The right to obtain their personal data from a company in a free “portable” and readily usable format.Similar to Virginia and California, the law also classifies “sensitive data” as a separate category of personal data that requires additional protection, including: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. Note that Colorado’s definition of sensitive data does not include precise geolocation data, whereas Virginia and California’s data protection laws do.Who it applies to: All Colorado residents have rights under the CPA. Any company or organization that conducts business or produces commercial products or services that are intentionally targeted to Colorado residents and meet either of the following two criteria must comply with its requirements: Controls or processes personal data of at least 100,000 consumers in a calendar year; orDerives revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.The law specifically does not apply to state and local governments, state institutions of higher education, personal data governed by certain state and federal laws, and employment records.When it takes effect: July 1, 2023When it was passed: July 7, 2021Other notes: Similar to the VCDPA and to the CCPA, the CPA does not create a private right of action. Enforcement is exclusively with the state’s Attorney General and District Attorneys. Additionally, the act specifically states that a violation of its requirements is a deceptive trade practice for purposes of enforcement. Utah Cybersecurity Affirmative Defense ActWhat it does: Utah’s Cybersecurity Affirmative Defense Act provides new affirmative defenses that businesses in Utah can use to defend themselves against lawsuits arising out of a data security breach. The law states that an organization can affirmatively defend itself against a data security breach lawsuit that alleges that the organization failed to implement reasonable information security controls, so long as that organization maintained and complied with a written cybersecurity program that meets certain requirements spelled out within the law.The new law also allows an organization to defend itself against claims that it failed to appropriately respond to a cybersecurity breach, so long as its cybersecurity program had reasonable protocols in place for responding to breaches.Additionally, an organization can defend itself against claims that it failed to appropriately notify individuals effected by a data breach if the organization’s cybersecurity program had reasonable protocols in place for notifying individuals about breaches and those protocols were followed after the breach.In this way, the law provides an incentive for Utah businesses to implement updated cybersecurity programs to protect Utah residents’ personal data more effectively, by providing defenses to data breach lawsuits if such programs are implemented and followed.Who it applies to: Any person (which the law defines as an individual and most business organizations) that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements spelled out within the act, and is in place during the relevant cybersecurity breach.When it takes effect: May 5, 2021When it was passed: March 11, 2021Other notes: The affirmative defenses are not available where the organization had advanced notice of a cybersecurity threat or risk. The law also states that it does not provide for a private right of action for failing to comply (thus private citizens may not sue organizations who don’t implement cybersecurity programs that meet the requirements spelled out within the law). California Consumer Privacy Act AmendmentsWhat it does: The amendments update the California Consumer Privacy Act (passed in 2018) to include three general changes relating to a consumer’s right to opt out of the selling of their personal information, and one change to authorized agent requests for information related to a consumer’s personal information.The three changes relating to a consumer’s right to opt out of the selling of their information include the following:Any business that sells personal information that it collected offline must now inform consumers in an offline method of their right to opt out, including instructions on how to do so.Authorizes the use of a specific “opt-out” icon that can be used in addition to posting the notice of the right to opt out (but not in lieu of that notice).Mandates that a business’s method for consumer request submissions to opt out must be easy to execute, require minimal steps, and not designed in a way that purposefully or substantially subverts or impairs a consumer’s choice to opt out.The change regarding authorized agent requests to a business on behalf of a consumer related to the consumer’s personal information includes the following:When a consumer uses an authorized agent to submit a request for information about the personal data a company has collected from the consumer (or requests to change or delete that personal data), the responding business may now require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:(1) Verify their own identity directly with the business.(2) Directly confirm with the business that they provided the authorized agent permission to submit the request.This is a change from the previous version of the law, which mandated that the consumer provide the authorized agent’s signed permission, in addition to the other two requirements listed above.Who it applies to: All California residents have rights under the CCPA. Any for-profit business that does business in California and meets any of the following criteria must comply with the CCPA:Has a gross annual revenue of over $25 million.Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; orDerives 50% or more of their annual revenue from selling California residents’ personal information.When it takes effect: March 15, 2021When it was passed: March 15, 2021 GDPR ChangesNew Standard Contractual Clauses (SCCs) Issued by the European CommissionWhat it Does: The SCCs are a contractual device used to help ensure that personal data transferred outside the EU is kept secure and complies with GDPR requirements, wherein the entity receiving the data contractually agrees to protect the transferred personal data according to stringent GDPR requirements. After the 2020 invalidation of the EU-US Privacy Shield, SCCs are now one of the only viable GDPR-compliant methods for entities within the US to receive personal data from entities in Europe.The new SCCs take into account the decision-making behind the invalidation of the EU-US Privacy Shield. Whereas the old SCCs were rigid, the new SCCs provide a bit more flexibility. They are now “modular,” meaning entities can now choose from a selection of four different models, depending on the type of transaction: controller to controller; controller to processor; processor to sub-processor; and processor to controller. They also expand the rights given to data subjects, including the right to enforce SCC provisions against both the data exporter and data importer. Additionally, the SCCs mandate that data importers must agree to EU jurisdiction (including EU courts as well as compliance with applicable EU data protection laws). There is also a new optional clause (Clause 7) that allows new parties to be added to the SCCs, as well as new Annexes that must be customized for each transaction.Who it applies to: A data importer located in a country without an EU adequacy decision (like the US) that is not itself subject to the GDPR should utilize the new SCCs to transfer personal data from the EU – unless exceptions apply (i.e., the parties are able to rely on an alternate transfer mechanism, etc.). However, Recital 7 of the new SCCs appears to state that when the data importer is itself subject to the GDPR (for example, because the company provides services or goods to individuals living in the EU), the new SCCs cannot be used. This language has left open questions around what transfer mechanism companies should use in that situation (see below for a summary of additional guidance issued by the European Data Protection Board surrounding this issue).Additionally, due to Brexit, the new SCCs do not apply in the UK. The UK Information Commissioner’s Office (ICO) has launched a public consultation on drafting a new set of SCCs for use within the UK.When it takes effect: The new SCCs became effective on June 27, 2021. Any new contracts and processing transactions taking place after September 27, 2021 must use the new SCCs. Any contracts entered into prior to September 27th, 2021 must be updated with the new SCCs by December 27, 2022.When it was issued: June 4, 2021 New Guidance for Cross-Border Data Transfers Issued by the European Data Protection Board ("EDPB")What it Does: The invalidation of EU-US Privacy Sheild in 2020, along with the new SCCs (above), has led to uncertainty around how to comply with the GPDR when transferring data between the EU and countries such as the US that do not have an adequacy decision (i.e., a decision by the European Commission that a country outside the EU offers adequate levels of data protection to safely protect EU personal data that is transferred there). In particular, language within the Recitals of the SCCs states that the new SCCs only apply to data transfers between a data exporter and a data importer who itself is not subject to GDPR. This language has left open questions around what type of transfer mechanism (if any) is needed for a transfer of data to an importer that is already subject to the GDPR.New guidance issued by the EDPB provides some concrete answers to a few of these questions, as well as resolved some other long-standing murkiness about cross-border transfers (even if the guidance does not resolve all uncertainty).For example, the guidance now definitively states that data transfers from an EU-based data exporter to a data importer based outside the EU is, in fact, a transfer within the meaning of Article 44 of the GDPR and therefore would require the importer to enter into an SCC (or possibly adopt Binding Corporate Rules). However, as noted above, if the importer is itself subject to the GDPR, Recital 7 of the new 2021 SCCs state that the new SCCs cannot be used, leaving open the question of what SCC should be used in that situation. Note that the minutes to the European Data Protection Board plenary meeting held in September of 2021 mention that the EU Commission will issue a new set of SCC to govern this type of data transfer.The guidance also settled some long-standing questions around other types of transactions that are not considered transfers of data under Article 44 of the GDPR. For example, the new guidance affirmatively states that “direct collections” of personal data from individuals located within the EU does not constitute a transfer of data (because when the information is collected directly, there is no transfer between controller and processor). It also clarified that “intra-company” data transfers are not considered a transfer of data under Article 44 because a transfer requires two parties. However, note that while these transactions are not considered “transfers” under Article 44, all other applicable GDPR protections still apply and must be followed.Who it applies to: The guidance will be particularly useful for any non-EU organization that needs to transfer or collect data from within the EU. When it takes effect: November 19, 2021When it was issued: November 19, 2021 Other New RegulationsChina’s Personal Information Protection Law (PIPL)What it does: China’s new Personal Information Protection Law is a GDPR-like comprehensive data protection law aimed at protecting the personal information of “natural persons” located within China. It governs how companies collect, process, and transfer personal data of people within China and like the GDPR, is exterritorial in its reach – meaning it applies to companies outside of China that handle the personal data of someone located in China. Also like the GDPR, it allows individuals in China to request access to their personal data that a company has collected and ask for it to be corrected or deleted. And like the GDPR, the regulation includes the risk of large fines against companies that fail to comply with its mandates – including up to five percent of a company’s annual revenue. However, unlike the GDPR, failure to comply also includes the risk of being “blacklisted” by the Chinese government, as well as possible criminal penalties.Multinational organizations with Chinese employees should also be aware that the law contains specific regulations regarding transferring the personal information of Chinese employees across the country’s borders. This means that companies cannot transfer internal employee information (including typical information routinely handled by a company’s HR department) outside of China’s borders without the consent of the employee and meeting other specifications spelled out within the law.Who it applies to: The PIPL protects the personal data of people located in China. It applies to companies operating in China, as well as organizations outside of China that process the personal data of people within China for any of the following reasons:(1) To provide products or services to people in China;(2) To analyze or assess the behavior of people in China; or(3) Any other circumstances that falls under unspecified Chinese laws and regulations.When it takes effect: November 1, 2021When it was issued: August 20, 2021data-privacydata-privacyblog; data-protectionsarah moran

Complexity, resiliency, adaptability are some of the defining traits from the past year, with good reason. From navigating hybrid workplaces and new collaboration platforms to weathering economic uncertainty and new regulatory postures, the legal industry, and workforce overall, have faced extraordinary challenges. But, with the adversity came great innovation and problem solving. Developments in communications, artificial intelligence (AI), and data have opened new, and often unexpected, possibilities for years to come.With these dynamics in mind, below we've compiled some of our best thinking from 2021, covering critical topics in eDiscovery such as data privacy, AI, information governance, analytics, privilege, and big data. Explore the posts below for some fresh thinking to enter a new year:Navigating the Intersections of Data, Artificial Intelligence, and PrivacyMaking the Case for Information Governance and Why You Should Address it Now Is Your AI Algorithm Admissible in Court? Some Things to ConsiderBig Data Challenges in eDiscovery (and How AI-Based Analytics Can Help)Privilege Mishaps and eDiscovery: Lessons LearnedFour Ways a SaaS Solution Can Make In-House Counsel Life Easierediscovery-reviewblog, ediscovery-reviewbloglighthouse

There is much out there about cloud solutions and how they improve the lives of users, offer flexibility for expansion and contraction of business, and can lighten the lift for IT. There is even a lot of specific commentary about how cloud can help legal teams and enable change management for the department. But what about the day-to-day tasks? How does the cloud change the legal team’s work and what new governance and skills are necessary to handle that change? This blog will tackle these questions so you can be more prepared and agile as cloud technology advances.Why does a shift to the cloud matter for legal teams?From a practical perspective, it means having to be reactive in areas where legal has traditionally been more proactive. Things like data storage timelines and locations, internal access permissions, and document history are now ever-changing with software updates being automatically pushed to corporate software environments. Many organizations that manage on-premises software have historically had an effective software governance structure in place. They can meet, discuss upcoming upgrades and their impacts, and make decisions about when to execute a software upgrade. Now, in an agile cloud approach, upgrades come frequently, without much notice, and sometimes have highly impactful changes. Traditional governance structures are no longer sustainable given the new timing and volume of updates – sometimes hundreds in a week. Legal and IT teams now need to collaborate more often to quickly analyze any impacts updates will have on the organization and what, if anything, needs to be done to mitigate cloud security risks.Given this, how should corporate legal teams adapt?A typical legal department is organized around areas of expertise – you may have employment, litigation, business advice, and contracts, for example. The department may also have a legal operations function, or a member of the team assigned to certain process improvement and/or corporate programs. One of these programs covers technology changes at an organization. It is this latter set of responsibilities that become much more important, and more voluminous, in an agile software environment. Analyzing the potential risks of cloud updates, advising the business on how to mitigate those risks, and changing any associated legal workflows can become a full-time or close to full-time set of responsibilities. In addition, the culture of the department must change to one that embraces frequent change, understands change management, and is consistently updating and improving processes and procedures.Traditionally, in an on-premises environment, an IT organization would typically manage an upgrade governance structure. They would plan for a software upgrade every six months, outline the changes that are due with each upgrade, and analyze what departments it impacts and the risks of those impacts. Finally, they would present this information to a cross-functional committee who would discuss when the upgrade can be made and what kind of work needs to precede the upgrade. Legal was typically part of that committee. Now, in a cloud environment dozens (or even hundreds) of changes get pushed out weekly and, although there may be some advanced warning, the timing isn’t as flexible, it isn’t uniform across users, and there is usually less time to prepare. In addition, changes may be pushed out, rolled back, and potentially reversed. Updates may also occur without any warning, which can contribute to the cloud challenges for corporate legal departments[1]. To minimize risk in this agile environment some specific steps can be helpful: a similar governance committee needs to meet more frequently, the analysis of impact and risk needs to be done very quickly, and changes need to be made almost immediately to ensure you get ahead of any potential impacts. Due to the frequent nature of these changes, and supervising process updates to mitigate risk associated with the changes, managing cloud updates can be more time-consumingWithout structure, these cloud updates can add stress and increase reactive work. However, with some structure and clearly delineated oversight, they can be managed more efficiently. Although many organizations may not have a structure in place, those that do pull together a committee for each enterprise technology. This committee has IT, legal, compliance, and business-focused representation. It may have multiple representatives from some of these groups, depending on the perspectives needed. The goal is for the business representative to advocate for users of the technology, the legal and compliance representatives to mitigate risk and take into account regulatory, litigation and privacy considerations, and the IT team to represent management of the platform and be a voice for the platform provider. The committee should have access to a sandbox-type environment where they can test changes and should be empowered to lead companywide changes – or at least be able to work with a project management office or other resource to make these changes.Most legal departments run pretty lean so creating a new governance structure can be a significant challenge, but there are ways to make the process easier. First, you can hire outside support to handle all, or some, of this work. For example, outsourcing the creation of the governance structure to manage software updates and staffing that group with your own resources or have your external partner staff and manage it until a time when you are ready to take it over. Second, instead of hiring outside support, you can share your risk concerns with IT and rely on them to raise any potential impact that upgrades may have on risk and legal processes. For example, when IT receives an email from a software provider outlining updates, they would analyze them for potential impact to legal workflows, retention policies, or any other issues you have flagged. They would then test the updates and remediate any negative impacts. Finally, you can rotate governance committee membership so that the work is being shared across your team. Whatever approach you choose, keep in mind that changes in the cloud environment are happening frequently and having someone within your company watching from a legal perspective will pay dividends when it comes to accessing data for legal, compliance, investigative, or other reasons down the line.[1] Victoria Hudgins, “Big Adjustment: Legal Departments Struggle with Lack of Control Over Cloud Technology,” Legaltech news, November 29, 2021, law.com information-governance; microsoft-365; lighting-the-path-to-better-information-governancecloud-security, cloud-migration, blog, risk-management, information-governance, microsoft-365cloud-security; cloud-migration; blog; risk-managementlighthouse

The approach of a new year is often a good time to step back and take stock of the eDiscovery industry, so that we can be better prepared to move forward. One of the most dramatic changes over the past few years has been the seismic shift across the legal and corporate data landscapes. That shift has slowly been expanding the concept of eDiscovery beyond a single-litigation focus, to encompass data governance, data privacy and security, and an overall more holistic, strategic approach to review and analysis.As we prepare to move forward in this brave new world, it’s important to understand how those industry changes affect the traditional framework of the eDiscovery process: the Electronic Discovery Reference Model (EDRM). Recently, I was lucky enough to join a panel of industry experts, including Microsoft’s EJ Bastien, TracyAnn Eggen from CommonSpirit Health, and Lighthouse’s Sarah Barsky-Harlan, to dive deeper into that specific issue. Together, we tackled questions like: Does the EDRM still apply in today’s more complex eDiscovery environment? If so, how is the evolving data and eDiscovery landscape reshaping how organizations and law firms think about the EDRM? How can the EDRM be used to meet today’s more complex communication, data, and business challenges?Below are some of the key themes and ideas that emanated from that discussion: A Brave New Data World: Dynamic Changes in eDiscoverySince its inception, the EDRM has been the industry’s standard approach to the eDiscovery process (i.e., identification, collection, processing, review, analysis, and production of electronically stored information (ESI)). However, what we’re seeing today is that organizations and law firms now must think about eDiscovery in much broader terms than that traditionally very linear method. There are three primary reasons for this change:New cloud-based and Software as a Service (SaaS) systems: Enterprise systems are not nearly as controlled by the underlying organization as they used to be. Even five years ago, IT departments could more closely manage what software was installed, as well as when, how, and what upgrades were rolled out. Now those updates and installations are managed by cloud providers, with upgrades rolling out on an almost weekly basis – often with no notice to the organization. All those changes have downstream eDiscovery impacts, which must be dealt with at each stage of the EDRM process.New data formats: Data is no longer structured in the traditional document “family” of an email parent with attachment children. The shift to chat and collaboration platforms within organizations means that communications and workflows generate more data across multiple data sources and are much more fluid and informal. For instance, instead of an employee working on a static document saved on a desktop and then passing that document back and forth to co-workers via email, those employees may work on that document together while it’s saved on a cloud-based collaboration platform, chat about it via an in-office chat application, post updates on it via the collaboration tool channel, as well as email copies back and forth to each other. This means counsel must analyze how relevant data ties together and analyze the relationships between data sources in order to understand the full story of a communication during an investigation or litigation.New capabilities with eDiscovery technology: There are many new types of capabilities that are native to enterprise systems, as well as new types of analytics and artificial intelligence (AI) that can handle more data at scale. These new capabilities are allowing case teams to leverage past data on new cases and get to key data more quickly in the EDRM process. The Impact: How Those Changes Affect the EDRM FrameworkThinking of the EDRM as a monolithic linear process that flows straight from beginning (collection) to end (production) does not fit the way eDiscovery takes place in practice anymore. There is a world of complexity within each step of the EDRM – one that is highly dependent on the data source. And the decisions made along the way for each data source at each new step will impact what happens next – often in a non-linear fashion: Sometimes that next step will send practitioners back to collection again, because they found another data source during review. Sometimes review takes place simultaneously with collection or processing phases, depending on the data source and those newer capabilities discussed above. In short, the old model of collecting all data, exporting it all, and then reviewing it all, in large chunks, one step at a time, is no longer applicable nor practical.Instead, a “mini-EDRM” framework might make more sense, where organizations prepare workflows for the preservation, collection, processing, and review of each particular data source. Thinking of the EDRM in this way also helps the framework stay relevant and future-proof as practitioners deal with the sea-change happening across our data landscape. Practitioners need to be agile enough to handle new data sources as they pop up, for each step of the EDRM process, and then be prepared to do it all over again when someone in a deposition mentions another new data source, and to adapt it when something changes in the data source. A mini-EDRM framework would help organizations and practitioners better meet those challenges.The EDRM and Data-in-PlaceAs noted above, the eDiscovery process is now much broader and has much more of an impact on organizational information governance and data-in-place than ever before. This presents an opportunity to use learnings from across the EDRM to more effectively manage data “to the left” of that traditional process. For example, if a particular data source was problematic during review, that information can be disseminated at the organizational level and help inform how that source is used within the organization moving forward. Or if practitioners notice a large volume of irrelevant data during review that shouldn’t exist in the system at all, that information can be used to redraft document retention policies. In this way, eDiscovery (and the EDRM framework) can now be a force for change over the entire organization.Thinking Beyond a Single MatterIn today’s more dynamic and voluminous data landscape, the work we did in the past is more valuable than ever before and it can be used to inform and impact current processes across the EDRM.This can come in the form of people and institutional knowledge: experienced and consistent staff and outside partners are an invaluable resource. These organizational experts can use their understanding and experience with an organization’s past matters, system architecture, data sources, workflows etc. to improve eDiscovery efficiency and solve current problems more effectively. It can also come in the form of technology: when the EDRM first evolved, data analytics were a much heavier lift. The process and tools were expensive and the amount of data that they could be applied to was much smaller than today. Advancements in AI capabilities now allow us to analyze much larger volumes of data with much more accurate results. Thus, this newer, advanced AI technology is now capable of leveraging the goldmine of millions of previous decisions made by attorneys on an organization’s past matters. That work product is baked into the data, and advanced AI can use it to make more accurate decisions on current data at a much larger scale than ever before.Tips to Keep the EDRM Applicable in an Evolving Data LandscapeStrive to retain institutional knowledge across matters: The constantly evolving eDiscovery landscape makes continuity and retaining institutional knowledge incredibly important. Starting from scratch each time you confront a new data source or problem along the EDRM is no longer practical with today’s diversified and larger data volumes. Work to cultivate valuable partners and staff who will work to understand your organization’s data architecture, as well as the eDiscovery workflows that are effective within your environment.Lean on your peers: Chances are, if you’re facing a problem with a challenging data source at one stage of the EDRM, someone in your peer group has also faced the same or a similar problem. Don’t be afraid to reach out and ask folks to benchmark. Peer experience can help each practitioner learn and move forward, solving challenging industry problems along the way.Open the lines of communication: Because the EDRM process is much more iterative and each step impacts other steps, it is incredibly important that the people working on those steps do not work in silos. Everyone should know the downstream impacts of their decisions and workflows.Test… and test again: Employ a testing framework to test the impact of eDiscovery workflows on the underlying platforms, and then have a feedback loop to apply changes. This will ensure your eDiscovery program is forward-thinking, as opposed to reactive. Automate where possible: When striving for repeatable, defensible eDiscovery processes, predictability is key. And automation, when feasible, is a great way to achieve that predictability. Automating workflows across the EDRM will not only help improve efficiency and lower costs, it will also help minimize risk and keep your eDiscovery program defensible.information-governance; ediscovery-review; chat-and-collaboration-datacloud, analytics, information-governance, ediscovery-process, blog, information-governance, ediscovery-review, chat-and-collaboration-data,cloud; analytics; information-governance; ediscovery-process; bloglighthouse

Legal professionals often take for granted that the eDiscovery software they leverage in-house must come with capability tradeoffs (i.e., if the production capability is easy to use, then the analytics tools are lacking; if the processing functionality is fast and robust, then the document review platform is clunky and hard to leverage, etc.).The idea that these tradeoffs are unavoidable may be a relic passed down from the history of eDiscovery. The discovery phase of litigation didn’t involve “eDiscovery” until the 1990s/early 2000s, when the dramatic increase in electronic communication led to larger volumes of electronically stored information (ESI) within organizations. This gave rise to eDiscovery software that was designed to help attorneys and legal professionals process, review, analyze, and produce ESI during discovery. Back then, these software platforms were solely hosted and handled by technology providers that weren’t yet focused entirely on the business of eDiscovery. Because both the software and the field of eDiscovery were new, the technology often came with a slew of tradeoffs. At the time, attorneys and legal professionals were just happy to have a way to review and produce ESI in an organized fashion, and so took the tradeoffs as a necessary evil.But eDiscovery technology, as well as legal professionals’ technological savvy, has advanced light years beyond where it was even five years ago. Many firms and organizations now have the knowledge and staff needed to move to a “self-service, spectra” eDiscovery model for some or all of their matters – and eDiscovery technology has advanced enough to allow them to do so. Unfortunately, despite these technological advancements, the tradeoffs that were so inherent in the original eDiscovery software still exist in some self-service, spectra eDiscovery platforms. Today, these tradeoffs often occur when technology providers attempt to develop all the technology required in an eDiscovery platform themselves. The eDiscovery process requires multiple technologies and services to perform drastically different and overlapping functions – making it nearly impossible for one company to design the best technology for each and every eDiscovery function, from processing to review to analytics to production.To make matters worse, the ramifications of these tradeoffs are much wider than they were a decade ago. Datasets are much larger and more diverse than ever before – meaning that technological gaps that cause inefficiency or poor work product will skyrocket eDiscovery costs, amplify risk, and create massive headaches for litigation teams. But because these types of tradeoffs have always existed in one form or another since the inception of eDiscovery, legal professionals still tend to accept them without question.But rest assured best-in-class technology does exist now for each eDiscovery function. The trick is being able to identify the functionality that is most important to your firm or organization, and then select a self-service, spectra eDiscovery platform that ties all the best technology for those functions together under one seamless user interface.Below are three key steps to prepare for the research and purchasing process that will help drastically minimize the tradeoffs that many attorneys have grown accustomed to dealing with in self-service, spectra eDiscovery technology. Before you begin to research eDiscovery software, you’ve got to fully understand your firm or organization’s needs. This means finding out what eDiscovery technology capabilities, functionality, and features are most important to all relevant stakeholders. To do so:Talk to your legal professionals and lawyers about what they like and dislike about the current technology they use. Don’t be surprised if users have different (or even opposing) positions depending on how they use the software. One group may want a review platform that is scaled down without a lot of bells and whistles, while another group heavily relies on advanced analytics and artificial intelligence (AI) capabilities. This is common, especially among groups that handle vastly different matter types, and can actually be a valuable consideration during the evaluation process. For instance, in the scenario above, you know you will need to look for eDiscovery software that can flex and scale from the smallest matter to the largest, as well as one that can create different templates for disparate use cases. In this way, you can ensure you purchase one self-service, spectra eDiscovery software that will meet the diverse needs of all your users.Communicate with IT and data security teams to ensure that any platform conforms with their requirements.These two groups often end up being pulled into discussions too late once purchasing decisions have already been made. This is unfortunate, as they are integral to the implementation process, as well as to ensuring that all software is secure and meets all applicable data security requirements. Data security in eDiscovery is non-negotiable, so you want to be sure that the eDiscovery technology software you select meets your firm or organization’s data security requirements before you get too far along in the purchasing process.Create a prioritized list of the most important capabilities, functionality, and attributes to all the stakeholders once you’ve gathered feedback.Having a defined list of must-haves and desired capabilities will make it easier to vet potential technology software and ultimately help you identify a technology platform that fits the needs of all relevant stakeholders.ConclusionWith today’s advanced technology, attorneys and legal professionals should not have to deal with technology gaps in their self-service, spectra eDiscovery software, just as law firms and organizations should not have to blindly accept the higher eDiscovery cost and risk those gaps cause downstream. Powerful best-in-class technology for each step of the eDiscovery process is out there. Leveraging the steps above will help you find a self-service, spectra eDiscovery software solution that ties all the functionality you need under one seamless, easy-to-use interface.For more detailed advice about navigating the purchasing process for self-service, spectra eDiscovery software, download our self-service, spectra eDiscovery Buyer’s Guide here. ediscovery-review; ai-and-analyticsself-service, spectra, review, analytics, processing, blog, production, ediscovery-review, ai-and-analyticsself-service, spectra; review; analytics; processing; blog; productionsarah moran

The Law & Candor podcast is back for Season 8, continuing its exploration of the legal technology revolution. Our co-hosts return with a stellar slate of expert guests and captivating conversations, all striving to elevate the current state of our industry and look to the future.Bill Mariano and Rob Hellewell are back to help lead those discussions in six easily digestible episodes that cover a range of topics, including: AI and linguistics in eDiscovery, staying ahead of AI innovation, family versus four corner review, cross-matter review strategy and implementation, unindexed items in Microsoft 365, and the rise of wearable devices and health-related apps.Episode 1. Finding Lingua Franca: The Power of AI and Linguistics for Legal TechnologyEpisode 2. Staying Ahead of the AI CurveEpisode 3. eDiscovery Review: Family Vs. Four CornerEpisode 4. Achieving Cross-Matter Review Discipline, Cost Control, and EfficiencyEpisode 5. Understanding Microsoft 365 Unindexed Items Episode 6. Getting Personal—Wearable Devices, Data, and CoGetting Personal—Wearable Devices, Data, and Compliance Listen now or bookmark individual episodes to listen to them later, and be sure to follow the latest updates on Law & Candor's Twitter. And if you want to catch up on past seasons or special editions, click here.For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.ediscovery-reviewblog, podcast, ediscovery-review,blog; podcastlighthouse

What does Artificial Intelligence (AI) mean to you? In the non-legal space, AI has taken a prominent role, influencing almost every facet of our day-to-day life – from how we socialize, to our medical care, to how we eat, to what we wear, and even how we choose our partners.In the eDiscovery space, AI has played a much more discreet but nonetheless important role. Its limited adoption so far is due, in part, to the fact that the legal industry tends to be much more risk averse than other industries. The innate trust we have placed in more advanced forms of AI technology in the non-legal world to help guide our decision making has not carried over to eDiscovery – partly because attorneys often feel that they don’t have the requisite technological expertise to explain the results to opposing counsel or judges. The result: most attorneys performing eDiscovery tasks are either not using AI technology at all or are using AI technology that is generations older than the technology currently being used in other industries. All this despite the fact that attorneys facing discovery requests today must regularly analyze mountains of complicated data under tight deadlines.One of the most prominent roles AI currently plays in eDiscovery is within technology assisted review (TAR). TAR uses “supervised” machine learning algorithms to classify documents for responsiveness based on human input. This classification allows attorneys to prioritize the most important documents for human review and, often, reduce the number of documents that need to be reviewed by humans. TAR has proven to be especially helpful in HSR Second Requests and other matters with demanding deadlines. However, the simple machine learning technology behind TAR is already decades old and has not been updated, even as AI technology has significantly advanced. This older AI technology is quickly becoming incapable of handing modern datasets, which are infinitely more voluminous and complicated than they were even five years ago.Because the legal industry is slower to adopt more advanced AI technology, many attorneys have a muddled view of what advanced AI technology exists, how it works, and how that technology can assist attorneys in eDiscovery today. That confusion becomes a significant detriment to modern attorneys, who must start being more comfortable with adopting and utilizing the more advanced AI tools available today if they stand a chance overcoming the increasingly complicated data challenges in eDiscovery. This confusion behind AI can also lead to a vicious cycle that further slows down technology adoption in the legal space: attorneys who lack confidence in their ability to understand available AI technology subsequently resist adoption of that technology; that lack of adoption then puts them even further behind the technology learning curve as technology continues to evolve. This is where legal technology companies with dedicated technology services can help. A good legal technology company will have staff on hand whose entire job it is to evaluate new technology and test its application and accuracy within modern datasets. Thus, an attorney who has no interest in becoming a technology expert just needs to be proficient enough to know the type of tools that might fit their needs – the right technology vendor can do the rest. Technology experts can also step in to help provide detailed explanations of how the technology works to stakeholders, as well as verify the outcome to skeptical opposing counsel and judges. Moreover, a good technology provider can also supply expert resources to perform much of the day-to-day utilization of the tool. In essence, a good legal technology vendor can become a trusted part of any attorney team – allowing attorneys to remain focused on the substantive legal issues they are facing. With that in mind, it’s important to “demystify” some common AI concepts used within the eDiscovery space and explain the benefits more advanced forms of AI technology can provide within eDiscovery. Once comfortable with the information provided here, readers can take a deeper dive into the advantages of leveraging advanced AI within TAR workflows in our full white paper – “TAR + Advanced AI: The Future is Now.” Armed with this information, attorneys can begin a more thoughtful conversation with stakeholders and legal technology companies regarding how to move forward with more advanced AI technology within their own practice.Demystifying AI Jargon in eDiscoveryAt its most basic, AI refers to the science of making intelligent machines – ones that can perform tasks traditionally performed by human beings. Therefore, AI is a broad field that encompasses many subfields and branches. The most relevant to eDiscovery are machine learning, deep learning, and natural language processing (NLP). As noted above, the technology behind legacy TAR workflows is supervised machine learning. Supervised machine learning uses human input to mimic the way humans learn through algorithms that are trained to make classifications and predictions. In contrast, deep learning eliminates some of that human training by automating the feature extraction process, which enables it to tackle larger datasets. NLP is a separate branch of machine learning that can understand text in context (in effect, it can better understand language the way humans understand it).The difference between the AI technology in legacy TAR workflows and more advanced AI tools lies in the fact that advanced AI tools use a combination of AI subsets and branches (machine learning, deep learning, and NLP) rather than just the supervised machine learning used in TAR. Understanding the Benefits of Advanced AIThis combination of AI subsets and branches used in advanced AI tools provides additional capabilities that are increasingly necessary to tackle modern datasets. These tools not only utilize the statistical prediction that supervised machine learning produces (which enables traditional TAR workflows), but also include the language and contextual understanding that deep learning and NLP provide. Deep learning and NLP technology also enable more advanced tools to look at all angles of a document (including metadata, data source, recipients, etc.) when making a prediction, rather than relying solely on text. Taking all context into consideration is increasingly important, especially when making privilege predictions that lead to expensive attorney review if a document is flagged for privilege. For example, with traditional TAR, the word “judge” in the phrases, “I don’t think the judge will like this!” on an email thread between two attorneys and, “Don’t judge me!” on a chat thread with 60 people regarding a fantasy football league will be classified the same way – because statistically, there is not much difference between how the word “judge” is placed within both sentences. However, newer tools that combine supervised machine learning with deep learning and NLP can learn the context of when the word “judge” is used as a noun (i.e., an adjudicator in a court of law) within an email thread with a small number of recipients versus when the word is being used as a verb on an informal chat thread with many recipients. The context of the data source and how words are used matters, and an advanced AI tool that leverages a combination of technologies can better understand that context.Using Advanced AI with TAROne common misconception regarding using newer, more advanced AI tools is that old workflows and models must go out the window. This is simply not true. While there may be some changes to review workflows due to the added efficiency generated by advanced AI tools (the ability to conduct privilege analysis simultaneously with responsive analysis, for example), attorneys can still use the traditional TAR 1.0 and TAR 2.0 workflows they are familiar with in combination with more advanced AI tools. Attorneys can still direct subject matter experts or reviewers to code documents, and the AI tool will learn from those decisions and predictive responsiveness, privilege, etc.The difference will be in the results. A more advanced AI tool’s predictions regarding privilege and responsiveness will be more accurate due to its ability to take nuance and context into consideration –leading to lower review costs and more accurate productions.ConclusionMany attorneys are still hesitant to move away from the older, AI eDiscovery tools they have used for the last decade. But today’s larger, more complicated datasets require more advanced AI tools. Attorneys who fear broadening their technology toolbox to include more advanced AI may find themselves struggling to stay within eDiscovery budgets, spending more time on finding and less time strategizing – and possibly even falling behind on their discovery obligations.But this fear and hesitancy can be overcome with education, transparency, and support from legal technology companies. Attorneys should look for the right technology partner who not only offers access to more advanced AI tools, but also provides implementation support and expert advisory services to help explain the technology and results to other stakeholders, opposing counsel, and judges.To learn more about the advantages of leveraging advanced AI within TAR workflows, download our white paper, “TAR + Advanced AI: The Future is Now.” And to discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com.ai-and-analytics; chat-and-collaboration-data; ediscovery-review; lighting-the-path-to-better-ediscoveryreview, ai-big-data, tar-predictive-coding, blog, ai-and-analytics, chat-and-collaboration-data, ediscovery-review,review; ai-big-data; tar-predictive-coding; blogai-analyticssarah moran

The theme at the last CLOC conference was all about how the legal function is going through a tremendous evolution. Businesses are changing rapidly through digital transformation and remote or hybrid work environments while trying to capture the attention of technology saturated consumers. To remain competitive, legal departments must evolve to handle new types of work and constantly advancing processes and technologies, and consider how the legal function impacts the broader organization. They need to do this while also showing that their own department is embracing change, staying up on technology, and becoming more efficient. To do this well, legal department heads and the lawyers and professionals in the department will have to learn, and practice, some new skills: embracing technology, project management, change management, and adaptability. Some good news—recent trends in the legal space are helping departments and professionals facilitate and adapt to these changes. The first is an uptick in legal technologies available to legal departments. Instead of adapting to whatever technology the business makes available to the department, there are technologies built by lawyers for running a legal department. This trend means that lawyers have already started down the path of being more technology-forward. Second, the advent of the legal operations role—putting business discipline and rigor around the functioning of the legal department— has brought more robust project management and change management into many law departments. With these foundational blocks in place, lawyers must evolve their skills to take their department to the next level.The first, and likely most obvious, skill an attorney needs in a rapidly evolving business environment is a firm grasp on existing and emerging technology. There are two important categories of technology to consider—the first is legal technology and the second is broader technology trends. Legal technology not only facilitates the day-to-day functioning of the legal department—with e-billing, contract management, and project intake and workflow software—but also includes more complex categories such as eDiscovery and data management. To learn more about these technologies you can attend CLEs about relevant technologies in your area of practice or attend a legal technology conference. Outside of the legal space, there are also many general technology trends that are important for lawyers to be immersed in, including digital transformation, artificial intelligence, and digital payments and cryptocurrency. Digital transformation is all about changing from a brick and mortar, paper-based business to one that strategically leverages technology, digital tools, and the cloud to do the work. This is important for lawyers because it impacts the way their organizations contract and manage these technologies. Migrating to the cloud also benefits lawyers because it provides new technologies to manage legal departments.[1] Like cloud, AI has the ability to transform how lawyers work (e.g., check out our recent blog post on utilizing chatbots) as well as how their companies work. For both AI and digital transformation, reading and watching videos for IT leaders can help—although made for a different audience, there are lots of resources out there and they can provide the information relevant to lawyers. Finally, the plethora of digital payment methods and the volatility of cryptocurrency will have legal impacts in the future and lawyers should learn to understand the differences.The next set of skills is about project execution and management. As businesses change through digital transformation, it is equally important to transform the way legal departments work. To do that, learning effective business case presentation, project management, and change management are incredibly valuable talents. While diving into a full 30-page business case can sometimes be necessary, focusing time on learning to create an executive summary business case is time better spent for lawyers. You can find resources and templates in many places, including SmartSheet and Asana.There is a whole discipline around project management as well as multiple ways to drive results most effectively. Whether you take an agile approach or a more traditional method, the following skills are necessary: Cross-functional collaboration, including understanding and empathy for other departments, and influencing othersCommunication, including how to communicate effectively with a remote team – a reality that is often the norm in today’s worldTime management and prioritizationLeadership – leading a team and inspiring a team, and keeping team members engaged and focused both in the same office or working remotelyFacilitating a learning mindset across the project and team – ensuring that people are looking out for ways to continuously improve, learning from each step of the project, and iterating on each phase of the projectA couple of good resources for developing these skills include PMI.org, and LinkedIn Learning courses such as Project Leadership, Project Management Foundations: Communication, and Project Management Tips. Note that this is a discipline that can take years to perfect so focus on getting familiar with the concepts and then look for ways to get real life experience in your business. The best way to master these skills is through practice.While project management focuses on the process where you create a change, change management is a separate set of skills focused on moving people through that change. There are two components of change management lawyers need to know. The first is how to manage their own reaction to change—being adaptable can bring a lot of value to a volatile world.[2] Professor Anne Converse Willkom of Drexel University provides some great ways to work on becoming more adaptable here. The second part of change management is helping others through change. This may be your team or it could be a team impacted by a project you are leading. Harvard Business Review has a whole category of writing dedicated to this area, highlighting the importance of leading through change.There is a lot of information and resources to move through so it’s important to prioritize the areas and skills that will impact your role now and as you move through your career. From there, identify the list of resources you want to access to master those areas then work it in to your schedule. It’s important to budget 2-4 hours a week, at minimum, building your skills in one of these areas. If that seems like a lot, keep in mind that it is only 5-10% of a standard work week.‍[1] You can find more information on what this change is in this article by CIO.[2] It is sometimes hard to judge adaptability because we tend to be surrounded by like-minded thinkers. As such, relying on a third party resource can help. There is a great Forbes article that shares the signs of an adaptable person. Evaluate yourself versus this list and work on areas where you may not be adaptable.ediscovery-review; legal-operationsediscovery-process, blog, project-management, ediscovery-review, legal-operationsediscovery-process; blog; project-managementlighthouse