Lighthouse Blog

Read the latest insights from industry experts on the rapidly evolving legal and technology landscapes with topics including strategic and technology-driven approaches to eDiscovery, innovation in artificial intelligence and analytics, modern data challenges, and more.

Blog

Legal Tech Innovation: Learning to Thrive in an Evolving Legal Landscape

The March sessions of Legalweek took place recently, and as with the February sessions, the virtual event struck a chord that reverberated deep from within the heart of a (hopefully) receding pandemic. However, the discussions this time around focused much less on the logistics of working in a virtual environment and much more on getting back to the business of law. One theme, in particular, stood out from those discussions – the idea that legal professionals will need to have a grasp on the technology that is driving our new world forward, post-pandemic.

In other words, the days when attorneys somewhat-braggingly painted a picture of themselves as Luddites holed up in cobwebbed libraries are quickly coming to an end. We live in an increasingly digital world – one where our professional communications are taking place almost exclusively on digital platforms. That means each of us (and our organizations and law firms) is generating more data than we know what to do with. That trend will only grow in the future, and attorneys that are unwilling to accept that fact may find themselves entombed within those dusty libraries.

Fortunately, despite our reputation as being slow to adapt, legal professionals are actually an innovative, flexible bunch. Whether a matter requires us to develop expertise in a specific area of the medical field, learn more about a niche topic in the construction industry, or delve into some esoteric insurance provision – we dive in and become laymen experts so that we can effectively advocate for our clients and companies. Thus, there is no doubt that we can and will evolve in a post-pandemic world. However, if anyone out there is still on the fence, below are four key reasons why attorneys will need to become tech savvy, or at least knowledgeable enough to understand when to call in technical expertise.

1. Technological Competence is Imposed by Ethics and Evidence Rules

First and foremost, attorneys have an ethical duty (under ABA Model Rule 1.1) to “keep abreast of changes in the law and its practice, including the benefits and risk associated with relevant technology.” Thirty-seven states have adopted this language within their own attorney ethics rules. Thus, just as we have a duty to continue our legal education each year to stay abreast of changes in law, we also have an ethical duty to continue to educate ourselves on the technology that is relevant to our practice.

We also have a duty to preserve and produce relevant electronically stored information (ESI) (under both the Federal Rules of Civil Procedure (FRCP), as well as the ABA model ethics rules)[1] during civil litigation. To do so, attorneys must understand (or work with someone who understands) where their client’s or company’s relevant ESI evidence is, how to preserve it, how to collect it, and how to produce it. This means preserving and producing not only the documents themselves but also the metadata (i.e., the information about the data itself, including when it was generated and edited, who created it, etc.). This overall process grows more complicated with each passing year, as companies migrate to the unlimited storage opportunities of the Cloud and employees increasingly communicate through cloud-based collaboration platforms. Working within the Cloud has a myriad of benefits, but it can make it more difficult for attorneys to understand where their client’s or company’s relevant information might be stored, as well as harder to ensure metadata is preserved correctly.

Together, these rules and obligations mean that whether we are practicing law within a firm or as in-house counsel at an organization, we have a duty to understand the basics of the technology our clients are using to communicate so that at the very least, we will know when to call in technical experts to meet the ethical and legal obligations we owe to those we counsel.

2. Data Protection and Data Privacy is Becoming Increasingly Important

The data privacy landscape is becoming a tapestry of conflicting laws and regulations that companies are currently navigating as best they can. Within the United States alone, there were a multitude of state and local laws regulating personal data that came into effect or were introduced in 2020. For companies that have a global footprint, the worldwide data protection landscape is even more complicated – from the invalidation of the EU-US Privacy Shield to new laws and modifications of data protection laws across the Americas and Asia Pacific countries. It will not be long before most companies, no matter their location, will need to ensure that they are abiding within the constructs of multiple jurisdictional data privacy laws.

This means that attorneys who represent those companies will need to understand not only where personal data is located within the company, but also how the company is processing that data, how (and if) that data is being transmitted across borders, when (and if) it needs to be deleted, the process for effectively deleting it, etc. To do so, attorneys must also have at least some understanding of the technology platforms their companies and clients are using, as well as how data is stored and transferred within those platforms, to ensure they are not inadvertently running afoul of data privacy laws.

As far as data protection, attorneys need to understand how to proactively protect and safeguard their clients’ data. There have been multiple high-profile data breaches in the last few months, and law firms and companies that routinely house personal data are often the target of those breaches. Protecting client data requires attorneys to have a semblance of understanding of where client data is and how to protect it properly, including knowing when and how to hire experts who can best offer the right level of protection.

3. Internal Compliance is Becoming More Technologically Complicated

There has been a lot of interest recently in using artificial intelligence (AI) and analytics technology to monitor internal compliance within companies. This is in part due to the massive amount of data that compliance teams now need to comb through to detect inappropriate or illegal employee conduct. From monitoring departing employees to ensure they aren’t walking out the door with valuable trade secret information, to monitoring digital interactions to ensure a safe work environment for all employees – companies are looking to leverage advances in technology to more quickly and accurately spot irregularities and anomalies within company data that may indicate employee malfeasance.

Not only will this type of monitoring require an understanding of analytics and AI technology, but it will also require grasping the intricacies of the company’s data infrastructure. Compliance and legal teams will need to understand the technology platforms in place within their organization, where employees are creating data within those platforms, as well as how employees interact with each other within them.

4. The Ability to Explain Technology Makes Us Better Advocates

Finally, it is important to note that the ability to understand and explain the technology we are using makes us better and more effective advocates. For example, within the eDiscovery space, it can be incredibly important for our clients’ budgets and case outcomes to attain court acceptance of AI and machine-learning technology that can drastically limit the volume of data requiring expensive and tedious human review. To do so, attorneys often must first be able to get buy-in from their own clients, who may not be well versed in eDiscovery technology. Once clients are on-board, attorneys must then educate courts and opposing counsel about the technology in order to gain approval and acceptance.

In other words, to prove that the methods we want to use (whether those methods relate to document preservation and collection, data protection, compliance workflows, or eDiscovery reviews) are defensible and repeatable, attorneys must be able to explain the technology behind those methods. And as in all areas of law, the most successful attorneys are ones who can take a very complicated, technical subject and break it down in a way that clients, opposing counsel, judges, and juries can understand (or alternatively are knowledgeable enough about the technology to know when it is necessary to bring experts in to help make their case).

Best Practices for Staying Abreast of Technology

- Reach out to technology providers to ask for training and tips when needed. When evaluating providers, look for those that offer ongoing training and support.
- For attorneys working as in-house counsel, work to build healthy partnerships with compliance, IT, and data privacy teams. Being able to ask questions and learn from each other will help head off technology issues for your company.
- For attorneys working within law firms, work to understand your clients’ data infrastructure or layout. This may mean talking to their IT, legal, and compliance teams so that you can ensure you are up to date on changes and processes that affect your ability to advocate effectively for your client.
- Look for CLEs, trainings, and vendor offerings that are specific to the technology you and your clients use regularly. Remember that cloud-based technology, in particular, changes and updates often. It is important to stay on top of the most recent changes to ensure you can effectively advocate for your clients.
- Recognize when you need help. Attorneys don’t need to be technological wizards in order to practice law; however, you will need to know when to call in experts…and that will require a baseline understanding of the technology at issue.

To discuss this topic more, feel free to connect with me at smoran@lighthouseglobal.com.

[1] ABA Model Rule 3.4, FRCP 37(e), and FRCP 26.

Author: Sarah Moran
AI and Analytics
eDiscovery and Review
Data Privacy
Information Governance
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Future

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies have been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is no clear guidance on what to do currently.

It is even murkier in a cloud environment because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving. In this final part, we opine on what the future may hold.

We can expect in the first half of this year that the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even for companies adopting a “wait and see” policy in terms of taking significant steps, those companies should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.

It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers. These changes would strengthen the position of any company doing business between Europe and the US using M365.

We do not have a crystal ball, and like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us at info@lighthouseglobal.com.

Author: Lighthouse
Data Privacy
Microsoft 365
Information Governance
Chat and Collaboration Data
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: Microsoft’s Response

In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.

For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.

It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:

- will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; and
- will compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.

Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden-Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.

So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:

- As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.
- The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.
- As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.
- When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe.

More specifically, there are six areas upon which you could focus:

- Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers.
- Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application that involves data being stored in the US and decide that it could operate without that application.
- Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.
- Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There are a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.
- Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.
- Audit logs: All significant events in M365 are audited, so you should put in place a review of audit logs to support any risk assessments that you complete.

Putting in place a retention policy within M365 is more than just good practice; it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR.

Microsoft is following the legal landscape closely, so expect to see quick responses from them as things change. But what kinds of changes should companies expect and when? Read the final part of this blog series on what the future may hold.

To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.

Author: Lighthouse
Data Privacy
Microsoft 365
Information Governance
Blog

Law & Candor Podcast Celebrates Women's History Month with Launch of Season 7

The Law & Candor podcast is back for season seven, with a special guest speaker twist! In celebration of Women’s History Month (March), this season features an all-female guest speaker lineup. Our esteemed guests will not only explore the hottest topics in legal tech, but also discuss how to champion the development and career growth of women within the space in each episode.

Law & Candor co-hosts, Bill Mariano and Rob Hellewell, are back to help lead those discussions in six easily digestible episodes that cover a range of topics: from diversity within eDiscovery, to keeping up with M365 software updates, to a look at possible antitrust changes in a new presidential administration. Check out season seven's lineup below:

- Diversity and eDiscovery: How Diverse Hiring Practices Lead to a More Innovative Workforce
- Innovating the Legal Operations Model
- Efficiently and Defensibly Addressing Microsoft Teams Data
- Keeping Up with M365 Software Updates
- AI and Analytics for Corporations: Common Use Cases
- Antitrust Changes in a New Administration

Listen now or bookmark individual episodes to listen to them later, and be sure to follow the latest updates on Law & Candor's Twitter. And if you want to catch up on past seasons or special editions, click here.

For questions regarding this podcast and its content, please reach out to us at info@lighthouseglobal.com.

Author: Lighthouse
Diversity, Inclusion, and Belonging
Blog

eDiscovery Analytics Use Cases You May Not Know About

Evolving analytics tools and methods can help expedite review.

Analyze this! No, we’re not talking about the 1999 movie starring Robert DeNiro and Billy Crystal, but rather analytics mechanisms that many organizations are using today to streamline discovery. As these mechanisms become more sophisticated, it pays to keep abreast of the ways in which they can impact a review, including how data can be organized, visualized, identified and reduced.

For example, conceptual clustering can identify groups of topics that might be clearly responsive or non-responsive. Communication visualization maps can identify communication patterns of key parties within a data collection. And, of course, predictive coding can train a supervised machine learning algorithm to identify potentially responsive and non-responsive documents based on classifications of other documents.

But there are other use cases for eDiscovery analytics that many organizations aren’t taking advantage of, and they make eDiscovery workflows even more efficient and more cost effective. To improve the efficiency of eDiscovery workflows, organizations can now implement technology with the following analytics features.

Email Threading and Near Duplicate Identification

You may have heard the famous phrase “Insanity is doing the same thing over and over again expecting a different result.” But, in document review, insanity is simply doing the same thing over and over again. De-duplication using hash values identifies documents that are exact duplicates in content and format, but there is considerable additional content within document collections that is also duplicated within documents that aren’t exact matches. Email conversation threads contain considerable duplicative information, but conversations between multiple people can branch off, so you can’t just assume that the last message for the thread contains the entire thread discussion.

Documents converted to PDF may be identical in content but not format, so they have different hash values and are not “de-duped.” ESI collections often include multiple drafts of documents that have both duplicative and unique content. To avoid over-capture of duplicates and gain visibility into email branches, organizations can now employ advanced analytics that can help in the following ways:

- Utilize advanced algorithms to identify email thread relationships and individual emails in a thread with unique content
- Group similar documents with flexible near-duplicate identification to easily review and compare to determine whether the differences are significant
- Identify exact content duplicates with only formatting differences that hash de-duplication would not catch.

Name Normalization and Entity Analysis

What’s in a name? Potentially, a whole lot of options! If the sixth US president were alive today and sending emails, here are some ways that you might see him represented within the collection:

- John Adams
- Johnny Adams
- John Q. Adams
- Q. Adams
- Quincy Adams
- Adams, John
- Adams, John Q.
- Adams, J.Q.
- Adams, J. Quincy
- jadams@xyzcorp.com
- /O=XYZCORP/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=jadams
- Adams@gmail.com
- And potentially more…

That’s a lot of variation – just for one person! Case teams often waste significant time and energy sorting through the numerous variations of names and email addresses for individuals in a matter. Advanced analytics solutions can use automated name normalization algorithms to link different name variations and email addresses to a single individual, format those names uniformly and aggregate the normalized participants that appear across an entire email thread group. The result? Refined results that streamline processes such as privilege logging without the intensive manual cleanup typically associated with the process.

Metadata Analytics

AI-driven analytics applied to the metadata can streamline eDiscovery by:

a) identifying mass email communications so that reviewers can focus on more likely responsive emails;
b) filtering email signature images and other extraneous embedded objects; and
c) remediating data populations with missing or incomplete metadata by auto-detecting and populating email metadata fields on inbound productions.

Privilege Analytics

Automated categorization and classification powered by advanced analytics can also be applied to privilege review to weed out non-responsive and non-privileged material early and rapidly identify, elevate and prioritize potentially privileged information. Customizable rules to exclude disclaimers and boilerplate language can also improve the accuracy of that identification process by eliminating many false positives.

As most privilege determinations involve considerations of nuance and context, human judgments are a necessary part of the process. Pre-built and customized linguistic models, name normalization and email thread identification can extend those automated privilege determinations more quickly through the collection, with automated identification of legal concepts, privilege actors and law firms and a reusable asset with consistent propagation of privilege designations across matters.

And clean name normalization outputs, along with automated and customizable privilege reasons assigned to each document, expedite privilege log creation, significantly decreasing the manual cleanup often associated with this time-consuming task.

Personal Identifiable Information (PII) Detection

Finally, with all of the data privacy requirements associated with recent regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), identifying and protecting PII has become a requirement within every phase of the eDiscovery lifecycle. Using analytics and pattern matching through regular expressions (RegEx) to identify common format numbers such as passport IDs, social security numbers, driver’s license numbers and credit card numbers, as well as identifying common form types that often contain PII (such as loan applications or IRS forms), will help flag those documents so that they can be adequately protected throughout the process.

Newer, more advanced AI-driven analytics solutions go a step further by utilizing highly precise classifiers to model the way in which different forms of supported personal data appear in data populations. These automated solutions provide rapid identification of likely and potential PII, resulting in rapid insights and immediate access to the most relevant documents first.

Conclusion

You may be using analytics to streamline parts of your eDiscovery process, but there are always new use cases being identified to leverage analytics to make your eDiscovery workflows more efficient. Even Analyze This had a sequel!

For more information on ways H5 Matter Analytics® can assist your organization in creating efficiencies and expediting eDiscovery workflows, click here.

Author: Lighthouse
eDiscovery and Review
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Cloud Environment

In part one of this series, we described the state of the EU-US Privacy Shield and the mechanisms global companies have relied upon to transfer data from their multiple locations. In short, a recent decision – Schrems II – invalidated the Privacy Shield and shook the foundation of Standard Contractual Clauses (SCCs). Companies are now left asking the question of how to respond.

In this post, we will share our view on how to navigate forward. If your organization is not already highly reliant on cloud software, we recommend weighing the benefits and risks of making that move. As you assess your options, keep in mind that this move may come at a higher cost because of the need to do periodic risk assessments during this uncertain time. For those already in the Cloud, the motto here is “do everything that you reasonably can.” The position no company wants to find itself in is one of stasis. It is difficult to see such a position being looked upon favourably should regulators start to investigate how companies are responding to Schrems II and the consequences that go along with it.

The touchstone is the EDPB guidance and its six-stage approach to assessing data transfers, which we recommend companies undertake:

1. Identify your data transfers: It is an obvious first step, although in practice this could prove challenging. You’ll need to know all the scenarios where your data is moved to a non-European Economic Area (EEA) country (at the time of writing this article, the UK, although out of Europe, is still under the European umbrella until at least the 30th of June).
2. Identify the data transfer mechanisms: You need to decide the grounds upon which the transfer is taking place, such as on the basis of an adequacy decision (this does not apply to the US), SCCs, or a specific derogation (such as consent).
3. Assess the law in the third country: You need to assess “if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” There is more guidance from the EDPB as to how the evaluation should be carried out (i.e., an independent oversight mechanism should exist). How effective or practical it is to suggest that each company perform its own thorough legal assessment of the entire range of relevant legislation in any importing country is open to debate and might perhaps be considered further as these recommendations are refined.
4. Adopt supplementary measures if necessary to level up protection of data transfers: The EDPB has published a non-exhaustive list of such measures, which essentially fall into one of three categories - technical (i.e., encryption), contractual (i.e., transparency), and organisational (i.e., involvement of a Data Protection Officer on all transfers). We’ll have a look at these measures in more detail below in relation to Microsoft 365.
5. Adopt necessary procedural steps: If you have made changes to deliver the required level of protection, these need to be embedded into your operation (i.e., by means of policy).
6. Re-evaluate at appropriate intervals: This is not a job that can be completed and then left. It needs continual monitoring. There is no specific guideline as to what an appropriate interval is, but quarterly is probably a reasonable approach.

Essentially this boils down to carrying out a risk assessment and taking steps to mitigate the risks that are uncovered. If your cloud strategy includes Microsoft 365, the next part of this blog series is a must-read. We will share what Microsoft has done in response to Schrems II as well as some specific configuration options that will influence steps 4 and 5, listed above. Bear in mind that these recommendations could change and you should watch the space.

To continue the discussion or to ask questions, please feel free to reach out to us at info@lighthouseglobal.com.

Author: Lighthouse
Data Privacy
Microsoft 365
Information Governance
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Background

In 2016, European companies doing business in the US were able to breathe a sigh of relief. The European Commission deemed the Privacy Shield to be an adequate privacy protection. For the next half a decade, this shield, as well as Standard Contractual Clauses (SCCs), created the foundation upon which most global businesses were able to manage the thousands of data transfers that occur in each of their business days.

Everything changed in July 2020 when the Court of Justice of the European Union gave its seismic judgment in a case generally known as Schrems II. As we will see, the decision has a particular impact on any companies relying on, or moving to, a cloud computing strategy. Businesses have been left needing to make a risk decision with seemingly no ideal outcome. Some legal, privacy, and compliance teams may be advocating for staying away from a cloud approach in light of the decision. The business teams, however, are focused on the vast array of benefits that cloud software offers.

So what is the right decision? Where does the law stand and how do you manage your business in this uncertain time? In this four-part blog series, we’ll explain the impact of Schrems II, provide practical tips for companies in the midst of making a cloud decision, give specific advice regarding companies who have, or are implementing, Microsoft’s cloud offering (M365), and offer our view as to the future.

Schrems II and Its Impact

First, let’s look at the Schrems II decision. The background to the case is well worth exploring but for the sake of brevity and providing actionable information we’ll focus on the outcome and the consequences. The key outcomes impact the two primary ways in which most data transfers between Europe and the US take place:

- The EU-US Privacy Shield was invalidated with immediate effect.
- SCCs (the template contracts created by the EU Commission which are the most common way in which data is moved from the EU) were declared valid, but companies using SCCs could no longer just sign up and send. A company relying on SCCs would have to verify on a case-by-case basis that the personal data being transferred was adequately protected. This process is sometimes called a Transfer Impact Assessment, although the court did not coin that phrase. If the protection is inadequate, then additional safeguards could be needed.

The consequences of the decision are still revealing themselves, but as things stand:

- The Privacy Shield (used by more than 5,000 mostly small-to-medium enterprises) has gone with no replacement in sight (although the Biden administration appears to recognise its importance with the rapid appointment of the experienced Christopher Hoff to oversee the process).
- There have been significant developments in relation to SCCs, additional safeguards, and transfer impact assessments:
  - The US published a white paper to help organisations make the case that they should be able to send personal data to the US using approved transfer mechanisms.
  - The European Data Protection Board (EDPB) published guidance on how to supplement transfer tools.
  - The European Commission published draft replacement SCCs.
  - The EDPB and the European Data Protection Supervisor adopted a joint opinion on the draft replacement SCCs requesting several amendments.

There is not a clear timetable as to when the replacement SCCs or EDPB guidance (which has completed a period of public consultation) will be finalised. The sooner the better because there seem to be inconsistencies between them. For example, the Schrems II judgment and draft replacement SCCs permit a risk assessment (i.e., it is possible to conclude that personal data might not be completely protected, but that the risk is so small that the parties can agree to proceed), whereas the EDPB recommendations seem to deal in black and white with no shades between (i.e., there is either adequate protection or there is not). It will be important to monitor which, if any, of these drafts moves and in which direction.

Whether the SCCs are supported with a risk assessment or analysis along the lines of the EDPB recommendations (or perhaps both), going forward using SCCs may be rather cumbersome, particularly in a cloud environment where the location and path of the data is not always crystal clear. Companies are therefore in something of a grey triangle, the sides of which are a judgment of the highest European Court, a draft replacement to the SCCs the Court reviewed in its judgment, and draft guidance about additional safeguards.

In part two of the series, we will offer companies some practical guidance on how to move forward in light of this grey triangle.

To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.
Data Privacy
Microsoft 365
Information Governance
Blog

How Name Normalization Accelerates Privilege Review

A time-saving tool that consolidates different names for the same entity can make all the difference.

One of the many challenges of electronic information and messaging rests in ascertaining the actual identity of the message creator or recipient. Even when only one name is associated with a specific document or communication, the identity journey may have only just begun.

The many forms our monikers take as they weave in and out of the digital realm may hold no import for most exchanges, but they can be critical when it comes to eDiscovery and privilege review, where accurate identification of individuals and/or organizations is key.

It’s difficult enough when common names are shared among many individuals (hello, John Smith?), but the compilation of our own singular name variations and aliases as they live in the realm of digital text and metadata makes life no less complicated. In addition, the electronic format of names and email addresses as they appear in headers or other communications can also make a difference. Attempting to consolidate these variations when undertaking document review is painstaking and error-prone.

Not metadata — people.

Enter “name normalization.” Automated name normalization tools come to the rescue by isolating and consolidating information found in the top-level and sub-level email headers. Automated name normalization is designed to scan, identify, and associate the full set of name variants, aliases, and email addresses for any individual referenced in the data set, making it easier to review documents related to a particular individual during a responsive review.

The mindset shift from email sender and recipient information as simply metadata to profiles of individuals is a subtle but compelling one, encouraging case teams and reviewers to consider people-centric ways to engage with data. This is especially helpful when it comes to identifying what may be—and just as importantly what is not—a potentially privileged communication.

Early normalization of names can optimize the privilege workflow.

When and how name normalization is done can make a big difference, especially when it comes to accelerating privilege review. Name normalization has historically been a process executed at the end of a review for the purpose of populating information into a privilege log or a names key. However, performing this analysis early in the workflow can be hugely beneficial.

Normalizing names at the outset of review or during the pre-review stage as data is being processed enables a team to gain crucial intelligence about their data by identifying exactly who is included in the correspondence and what organizations they may be affiliated with. With a set of easy-to-decipher names to work with instead of a mix of full names, nicknames, initials without context, and other random information that may be even more confusing, reviewers don’t have to rely on guesswork to identify people of interest or those whose legally-affiliated or adversarial status may trigger (or break) a privilege call.

Name normalization tools vary, and so do their benefits.

Not all name normalization tools are created equal, so it is important to understand the features and benefits of the one being used. Ideally, the algorithm in use maximizes the display name and email address associations as well as the quality and legibility of normalized name values, with as little cleanup required as possible. Granular fielded output options, including top-level and sub-header participants, are also helpful, as are simple tools for categorizing normalized name entities based on their function, such as privilege actors (e.g., in-house counsel, outside counsel, legal agent) and privilege-breaking third parties (e.g., opposing counsel, government agencies). The ability to automatically identify and classify organizations as well as people (e.g., government agencies, educational institutions, etc.) is also a timesaver.

Identification of privilege-breaking third parties is important: although some third parties are acting as agents of either the corporation or the law firms in ways that would not break privilege, others likely would. Knowing the difference can allow a team to triage their privilege review by either eliminating documents that include the privilege breakers from the review entirely, significantly reducing the potential privilege pile, or organizing the review with this likelihood in mind, helping to prevent any embarrassing privilege claims that could be rejected by the courts.

Products with such features can provide better privilege identification than is currently the norm, resulting in less volume to manage for privilege log review work later on and curtailing the re-reviews that sometimes occur when new privilege actors or breakers come to light later in the workflow. This information enables a better understanding of any outside firms and attorneys that may not have been included in a list of initial privilege terms and assists in prioritizing the review of documents that include explicit or implied interaction with in-house or outside counsel.

Other privilege review and logging optimizers.

Other analytics features that can accelerate the privilege review process are coming on the scene as AI tools become more accepted for document review. Privilege Analytics from within Lighthouse Matter Analytics can help review teams with this challenging workflow, streamlining and prioritizing second pass review with pre-built classifiers to automate identification of law firms and legal concepts, tag and tier potentially privileged documents, detect privilege waivers, create privilege reasons, and much more.

Interested in how Name Normalization works in Privilege Analytics? Let us show you!
eDiscovery and Review
AI and Analytics