Lighthouse Blog

Collectively, we have sent an average of 306.4 billion emails each day in 2020. Add to that 23 billion text messages and other messaging apps, and you get roughly 41 million messages sent every minute[1]. Not surprisingly, there have been at least one or two articles written about expanding data volumes and the corresponding impact on discovery. I’ve also seen the occasional post discussing how the methods by which we communicate are changing and how “apps that weren’t built with discovery in mind” are now complicating our daily lives. I figured there is room for at least one more big data post. Here I’ll outline some of the specific challenges we’ll continue to face in our “new normal,” all while teasing what I’m sure will be a much more interesting post that gets into the solutions that will address these challenges.Without further delay, here are six challenges we face when working with large data sets and some insights into how we can address these through data re-use, AI, and big data analytics:Sensitive PII / SHI - The combination of expanding data volumes, data sources, and increasing regulation covering the transmission and production of sensitive personally identifiable information (PII) and sensitive health information (SHI) presents several unique challenges. Organizations must be able to quickly respond to Data Subject Access Requests (DSARs), which require that they be able to efficiently locate and identify data sources that contain this information. When responding to regulatory activity or producing in the course of litigation, the redaction of this content is often required. For example, DOJ second requests require the redaction of non-responsive sensitive PII and/or SHI prior to production. For years, we have relied on solutions based on Regular Expressions (RegEx) to identify this content. While useful, these solutions provide somewhat limited accuracy. With improvements in AI and big data analytics come new approaches to identifying sensitive content, both at the source and further downstream during the discovery process. These improvements will establish a foundation for increased accuracy, as well as the potential for proactively identifying sensitive information as opposed to looking for it reactively.Proprietary Information - As our society becomes more technologically enabled, we’re experiencing a proliferation of solutions that impact every part of our life. It seems everything nowadays is collecting data in some fashion with the promise of improving some quality of life aspect. This, combined with the expanding ways in which we communicate means that proprietary information, like source code, may be transmitted in a multitude of ways. Further, proprietary formulas, client contacts, customer lists, and other categories of trade secrets must be closely safeguarded. Just as we have to be vigilant in protecting sensitive personal and health information from inadvertent discloser, organizations need to protect their proprietary information as well. Some of the same techniques we’re going to see leveraged to combat the inadvertent disclosure of sensitive personal and health information can be leveraged to identify source code within document populations and ensure that it is handled and secured appropriately.Privilege - Every discovery effort is first aimed at identifying information relevant to the matter at hand, and second to ensure that no privileged information is inadvertently produced. That is… not new information. As we’ve seen the rise in predictive analytics, and, for those that have adopted it, a substantial rise in efficiency and positive impact on discovery costs, the identification of privileged content has remained largely an effort centered on search terms and manual review. This has started to change in recent years as solutions become available that promise a similar output to TAR-based responsiveness workflows. The challenge with privilege is that the identification process relies more heavily on “who” is communicating than “what” is being communicated. The primary TAR solutions on the market are text-based classification engines that focus on the substantive portion of conversations (i.e. the “what” portion of the above statement). Improvments in big data analytics mean we can evaluate document properties beyond text to ensure the “who” component is weighted appropriately in the predictive engine. This, combined with the potential for data re-use supported through big data solutions, promises to substantially increase our ability to accurately identify privileged, and not privileged, content.Responsiveness - Predictive coding and continuous active learning are going to be major innovations in the electronic discovery industry…would have been a catchy lead-in five years ago. They’re here, they have been here, and adoption continues to increase, yet it’s still not at the point where it should be, in my opinion. TAR-based solutions are amazing for their capacity to streamline review and to materially impact the manual effort required to parse data sets. Traditionally, however, existing solutions leverage a single algorithm that evaluates only the text of documents. Additionally, for the most part, we re-create the wheel on every matter. We create a new classifier, review documents, train the algorithm, rinse, and repeat. Inherent in this process is the requirement that we evaluate a broad data set - so even items that have a slim to no chance of being relevant are included as part of the process. But there’s more we can be doing on that front. Increases in AI and big data capabilities mean that we have access to more tools than we did five years ago. These solutions are foundational for enabling a world in which we continue to leverage learning from previous matters on each new future matter. Because we now have the ability to evaluate a document comprehensively, we can predict with high accuracy populations that should be subject to TAR-based workflows and those that should simply be sampled and set aside.Key Docs - Variations of the following phrase have been uttered time and again by numerous people (most often those paying discovery bills or allocating resources to the cause), “I’m going to spend a huge amount of time and money to parse through millions of documents to find the 10-20 that I need to make my case.” They’re not wrong. The challenge here is that what is deemed “key” or “hot” in one matter for an organization may not be similar to that which falls into the same category on another. Current TAR-based solutions that focus exclusively on text lay the foundation for honing in on key documents across engagements involving similar subject matter. Big data solutions, on the other hand, offer the capacity to learn over time and to develop classifiers, based on more than just text, that can be repurposed at the organizational and, potentially, industry level.Risk - Whether related to sensitive, proprietary, or privileged information, every discovery effort utilizes risk-mitigation strategies in some capacity. This, quite obviously, extends to source data with increasing emphasis on comprehensive records management, data loss prevention, and threat management strategies. Improvements in our ability to accurately identify and classify these categories during discovery can have a positive impact on left-side EDRM functional areas as well. Organizations are not only challenged with identifying this content through the course of discovery, but also in understanding where it resides at the source and ensuring that they have appropriate mechanisms to identify, collect and secure it. Advances in AI and big data analytics will enable more comprehensive discovery programs that leverage the identification of these data types downstream to improve upstream processes.As I alluded to above, these big data challenges can be addressed with the use of AI, analytics, data reuse, and more. Now that I have summarized some of the challenges many of you are already tasked with dealing with on a day-to-day basis, you can learn more about actual solutions to these challenges. Check out my colleague’s write up on how AI and analytics can help you gain a holistic view of your data.To discuss this topic more or to ask questions, feel free to reach out to me at NSchreiner@lighthouseglobal.com.[1] Metrics courtesy of Statistachat-and-collaboration-data; ai-and-analyticsprivilege, analytics, ai-big-data, data-re-use, phi, pii, blog, chat-and-collaboration-data, ai-and-analyticsprivilege; analytics; ai-big-data; data-re-use; phi; pii; blognick schreiner

Long gone are days when the majority of discovery records were kept in paper format. Documents, invoices, and other related evidence needed to be scanned and printed in the tens (if not hundreds) of thousands. Today, a huge number of discovery efforts (internal or external) revolve around digital content. Ergo, this article will highlight the collection of digital evidence and how to best prepare your case when it comes to preservation and collections as well as processing and filtering.But, before we get into that, one of the core factors to keep in mind here is time, which will always be there irrespective of what we have at hand. It is especially complicated if multiple parties are involved, such as vendors, multiple data locations, outside counsels, reviewers, and more. For the purposes of this blog, I have divided everything into the following actionable groups - preservation and collection as well as processing and filtering.Preservation and CollectionIn an investigation or litigation there could be a number of custodians involved, for example, people who have or had access to data. Whenever there are more than a handful of custodians the location may vary. It is imperative to consider where and what methods to use for data collection. Sometimes an in-person collection is more feasible than a remote collection. Other times, a remote collection is the preferred method for all those concerned. A concise questionnaire along with answers too frequently asked questions is the best approach to educate the custodian. Any consultative service provider must ensure samples are readily available to distribute that will facilitate the collection efforts.Irrespective of how large the collection is, or how many custodians there are, it is best to have a designated coordinator. This will make the communication throughout the project manageable. They can arrange the local technicians for remote collections and ship and track the equipment.The exponential growth in technology presents new challenges in terms of where the data can reside. An average person, in today’s world, can have a plethora of potential devices. Desktops and laptops are not the only media where data can be stored. Mobile devices like phones and tablets, accessories such as smartwatches, the IoT (everything connected to the internet), cars, doorbells, locks, lights…you name it. Each item presents a new challenge and must be considered when scoping the project.User-generated data is routinely stored and shared on the Cloud using a variety of platforms. From something as ancient as email servers to “new” rudimentary storage locations, such as OneDrive, Google Drive, Dropbox, and Box.com. Others include collaborative applications, such as SharePoint, Confluence, and the like.Corporate environments also heavily rely on some sort of common exchange medium like Slack, Microsoft Teams, and email servers. These applications also present their own set of challenges. We have to consider, not just what and how to collect, but equally important is how to present the data collected from these new venues.The amount of data collected for any litigation can be overwhelming. It is imperative to have a scope defined based on the need. Be warned, there are some caveats to setting limitations beforehand, and it will vary based on what the filters are. The most common and widely acceptable limitation is a date range. In most situations, a period is known and it helps to set these parameters ahead of time. In doing so, only the obvious date metadata will be used to filter the contents. For example, in the case of emails, you are limited to either the sent or received date. The attachment's metadata will be ignored completely. Each cloud storage presents its own challenges when it comes to dates.Data can be pre-filtered with keywords that are relevant to the matter at hand. It can greatly reduce the amount of data collected. However, it is solely dependent on indexing capabilities of the host, which could be non-existent. The graphical contents and other non-indexable items could be excluded unintentionally, even if they are relevant.The least favored type of filter among the digital-forensics community is a targeted collection, where the user is allowed to guide where data is stored and only those targeted locations are preserved. This may not be cost effective, however, it can restrict the amount of data being collected. This scope should always be expected to be challenged by other parties and may require a redo.Processing and FilteringOnce the data collected goes through the processing engine the contents get fully exposed. This allows the most thorough, consistent, and repetitive filtering of data. In this stage, filtering relies on the application vetted by the vendor and accompanied by a process that is tested, proven, and updated (when needed).The most common filtering in eDiscovery matters is de-NIST-ing, which excludes the known “system” files from the population. Alternatively, an inclusion filter can be applied, which only pushes forward contents that typically a user would have created, such as office documents, emails, graphic files, etc. In most cases, both de-NIST-ing and inclusion filters are applied.Once the data is sent through the meat grinder (the core processing engine) further culling can be done. At this stage, the content is fully indexed and extensive searches and filters will help limit the data population even further to a more manageable quantity. The processing engine will mark potentially corrupt items, which are likely irrelevant. It will also identify and remove any duplicate items from all collected media from the entire matter data population. Experts can then apply relevant keyword searches on the final product and select the population that will be reviewed and potentially produced.I hope this article has shed some light on how to best prepare your case when it comes to preservation and collections as well as processing and filtering. To discuss this topic further, please feel free to reach out to me at MMir@lighthouseglobal.com.digital-forensics; information-governance; chat-and-collaboration-datacollections, ediscovery-process, preservation-and-collection, processing, blog, digital-forensics, information-governance, chat-and-collaboration-data,collections; ediscovery-process; preservation-and-collection; processing; blogmahmood mir

However you view a DSAR, for any entity who receives one, they are time consuming to complete and disproportionately expensive to fulfill. Combined with the increasing manner in which they are being weaponized, companies are often missing opportunities to mitigate the negative effects of DSARs by not migrating data to the Cloud.Existing cloud solutions, such as M365 and Google Workplace (formerly known as G-Suite) allow administrators to,for example, set data retention policies, ensuring that data cannot routinely be deleted before a certain date, or that a decision is made as to when data should be deleted. Equally, legal hold functionality can ensure that data cannot be deleted at all. It is not uncommon for companies to discover that when they migrate to the Cloud all data is by default set to be on permanent legal hold. Whilst this may be required for some market sectors, it is worth re-assessing any existing legal hold policy regularly to prevent data volumes from ballooning out of control.Such functionality is invaluable in retaining data, but can have adverse effects in responding to DSARs, as it allows legacy or stale data to be included in any search of documents and inevitably inflates costs. Using built-in eDiscovery tools to search and filter data in place in combination with a data retention policy managed by multiple stakeholders (such as Legal, HR, IT, and Compliance) can mitigate the volumes of potentially responsive data, having a significant impact on downstream costs of fulfilling a DSAR.Typically, many key internal stakeholders are frequently unaware of the functionality available to their organization. This can help to mitigate costs, such as Advanced eDiscovery (AED) in Microsoft 365, or Google Vault in Google Workspace. Using AED, a user can quickly identify relevant data sources, from mailboxes, OneDrive, Teams, Skype, and other online data sources, apply filters such as date range and keywords, and establish the potential number of documents for review within in minutes. Compare this to those who have on-premise solutions, where they are wholly dependent on an internal IT resource, or even the individual data custodians, to identify all of the data sources, confirm with HR / Legal that they should be collected, and then either apply search criteria or export the data in its entirety to an external provider to be processed. This process can take days, if not weeks, when the clock is ticking to provide a response in 30 days. By leveraging cloud technology, it is possible to identify data sources and search in place in a fraction of the time it takes for on-premise data.Many cloud platforms include functionality, which means that when data is required for a DSAR, it can now be searched, filtered, and, crucially, reviewed in place. If required, redactions can be performed prior to any data being exported externally. Subject to the level of license held, additional functionality, such as advanced indexing or conceptual searching, can also be deployed, allowing for further filtering of data and thus reducing data volumes for review or export.The technology also allows for rapid identification of multiple data types including:Stale dataSensitive data types (financial information/ PII)Customer-specific dataSuspicious / unusual activitiesBy using the inbuilt functionality to minimize the impact of such data types as part of an Information Governance / Records Management program, there can be significant changes and improvements made elsewhere, including data retention policies, data loss prevention, and improved understanding of how data is routinely used and managed in general day-to-day business. This, in turn, has significant time and cost benefits when required to search for data, whether for a DSAR, investigation, or a litigation exercise. Subject to the agreement with the cloud service provider, this may also have benefits in reducing the overall volume and cost of data hosted.With a sufficiently robust internal protocol in place, likely data sources can be identified and mapped. Now, when a DSAR request is received, an established process exists to rapidly search and cull potential cloud-based data sources, including using tools such as Labels or Sensitivity Type to exclude data from the review pool, and efficiently respond to any such request.Migrating to the Cloud may seem daunting, but the benefits are there and can be best maximized when all stakeholders work together, across multiple teams and departments. DSARs do not have to be the burden they are today. Using tools readily available in the Cloud might also significantly reduce the burdens and costs of DSARs.To discuss this topic further, please feel free to reach out to me at MBicknell@lighthouseglobal.com.data-privacy; ediscovery-review; information-governance; microsoft-365cloud, dsars, cloud-services, blog, data-privacy, ediscovery-review, information-governance, microsoft-365cloud; dsars; cloud-services; blogmatt bicknell

self-service, spectra as a topic has grown significantly in the recent past. With data proliferating at astronomical amounts year over year it makes sense that corporations and firms are wanting increasing control over this process and its cost. Utilizing a self-service, spectra eDiscovery tool is helpful if you want control over your queue as well as your hosted footprint. It is beneficial if your team has an interest and the capability of doing your own ECA. Additionally, self-service, spectra options are useful as they provide insight into specific reporting that you may or may not be currently receiving.Initially, the self-service, spectra model was introduced to serve part of the market that didn’t require such robust, traditional full eDiscovery services for every matter. Tech-savvy corporations and firms with smaller matters were delighted to have the option to do the work themselves. Over time there have been multiple instances in which a small matter scales unexpectedly and must be dealt with quickly, in an all hands on deck approach, to meet the necessary deadlines. In these instances, it’s beneficial to have the ability to utilize a full-service team. When these situations arise it’s critical to have clean handoffs and ensure a database will transfer well.Moreover, we have seen major strides in the self-service, spectra space regarding the capabilities of data size thresholds. self-service, spectra options can now handle multiple terabytes, so it’s not just a “small matter” solution anymore. This gives internal teams incredible leverage and accessibility not previously experienced.self-service, spectra considerations and recommendationsIt’s important to understand the instances in which a company should utilize a self-service, spectra model or solution. Thus, I recommend laying out a protocol. Put a process in place ahead of time so that the next small internal investigation that gets too large too quickly has an action plan that gets to the best solution fast. Before doing this, it’s important to understand your team’s capabilities. How many people are on your team? What are their roles? Where are their strengths? What is their collective bandwidth? Are you staffed for 24/7 support or second requests or are you not?Next, it’s time to evaluate what part of the process is most beneficial to outsource. Who do you call for any eDiscovery related need? Do you have a current service provider? If so, are they doing a good job? Are they giving you a one-size-fits-all solution (small or large), or are they meeting you where you are and acting as a true partner? Are they going the extra mile to customize that process for you? It’s important to continually audit service providers.Think back to past examples. How prepared has your team and/or service provider been in various scenarios? For instance, if an investigation is turning into a government investigation, do you want your team pushing the buttons and becoming an expert witness, or do you have a neutral third party to hand that responsibility off to?After the evaluation portion, it’s time to memorialize the process through a playbook, so that everyone has clear guidelines regardless of which litigator or paralegal internally is working on the case. What could sometimes be a complicated situation can be broken down into simple rules. If you have a current protocol or playbook, ensure your team understands it. Outline various circumstances when the team would utilize self service or full service, so everyone is on the same page.For more on this topic, check out the interview on the Law & Candor podcast on scaling your eDiscovery program from self service to full service. ediscovery-reviewcloud, self-service, spectra, cloud-services, blog, ediscovery-review,cloud; self-service, spectra; cloud-services; bloglighthouse

Have you ever had this scenario – multiple team members from different groups come to you frustrated because the working relationship between their groups is “broken?” Legal is saying they aren’t getting what they need, IT says they are providing what’s asked, and finance doesn’t understand why we are paying our outside vendor for something that the internal IT and legal teams are “supposed to do.” You are responsible for process improvement among these groups so the questions and frustration lands on your desk! This is a common issue. So common, in fact, that this was a big part of a recent Legal Operators webinar I attended. The good news is that the solution may be simple.Often times, the issue revolves around language and how different departments are using the words differently. Let’s explore the above scenario a bit further. The legal team member says they asked IT to gather all data from a certain “custodian.” The IT team took that to mean all “user-created data” on the network from one certain employee, so that is what they provided. They didn’t, however, gather the items on the person’s desktop nor did they gather records that the person created in third-party systems such as the HR and sales systems that the company uses. The legal team, therefore, asked the outside vendor to collect the “missing” data and that vendor sent a bill for their services. Finance is now wondering why we are paying for collecting data when we have an IT team that does that. The issue is that different teams have slightly different interpretations of the request. Although this scenario is eDiscovery specific, this can happen in any interaction between departments. As legal operations is often responsible for process improvement as well as the way legal functions with other departments, the professionals in that group find themselves trying to navigate the terminology. To prevent such misunderstandings in the future, you can proactively solve this problem through a dictionary.Creating a dictionary can be really simple. It is something I have seen one person start on their own just by jotting down words they hear from different groups. From there, you can share that document and ask people to add to it. If you already have a dictionary of your company acronyms, you can either add to it or you can create a specific “data dictionary” for the purposes of legal and IT working together. Another option is to create a simple word document for a single use at the outset of a project. Which solution you select will vary based on the need you are trying to solve. Here are some considerations when you are building out your dictionary.What is the goal of the data dictionary? Most commonly I have seen the goal to be to improve the working relationship of specific teams long term. However, you may have a specific project (e.g., creation of a data map or implementation of Microsoft 365) that would benefit from a project-specific dictionary.Where should it live? This will depend on the goal, but make sure you choose a system that is easy to access for everyone and that doesn’t have a high administrative burden. Choosing a system that the teams are using for other purposes in their daily work will increase the chances of people leveraging this dictionary.Who will keep it updated? This is ideally a group effort with one accountable person who will make any final decisions on the definitions and own updating in the future. There will be an initial effort to populate many terms and you may want a committee of 2 or 3 people to edit definitions. After this initial effort, you can allow access to everyone to edit the document or you can have representatives from each team. The former allows the document to be a living, breathing document and encourages updating, however, may require more frequent oversight by the master administrator. The latter allows each group to have its own oversight but increases the burden of updating. Whichever method you choose, the ultimate owner of the dictionary should review it quarterly to ensure it is staying up to date.Who will have access? I recommend broader access over more limited access, especially for the main groups involved. The more people understand each other’s vocabulary, the easier it is for teams to work together. However, you should consider your company’s access policies when making this decision.What should it include? All department-specific business terms. It is often hard to remember what vernacular in your department is specific to your department as you are so steeped in that language. One easy way to identify these terms is to assign a “listener” from another department in each cross-functional meeting you have for a period. For example, for the next 3 weeks, in each meeting that involves another department, ask one person from that other department to write down any words they hear that are not commonly used in their department. This will give you a good starting point for the dictionary.Note that. although I am talking about a cross-functional effort in the above, this dictionary can also be leveraged within a department. I have found it very effective to create a legal ops dictionary that includes terms from all other departments that you pick up in your work with those other departments. This can still help your goal of resolving confusion and will allow you to get to a common understanding quickly as you are then better equipped with the language that will make your ask clear to the other team.legal-operationsediscovery-process, legal-ops, blog, legal-operations,ediscovery-process; legal-ops; bloglighthouse

Recently, I had the pleasure of appearing as a guest on Season 5, Episode 1 of the Law & Candor podcast, hosted by Lighthouse’s Rob Hellewell and Bill Mariano. The three of us discussed cloud migrations and how that process can provide a real opportunity for an organization to transform its approach to information governance. Below is a summary of our conversation, including best practices for organizations that are ready to take on this digital and cultural cloud transformation process.Because it is difficult to wrap your head around the idea of a cloud transformation, it can be helpful to visualize the individual processes involved on a much smaller scale. Imagine you are simply preparing to upgrade to a new computer. Over the years, you have developed bad habits around how you store data on your old computer, in part because the tools on that computer have become outdated. Now that you’re upgrading, you have the opportunity to evaluate your old stored data to identify what is worth moving to your new computer. You also have the opportunity to re-evaluate your data storage practice as a whole and come up with a more efficient plan that utilizes the advanced tools on your new computer. Similarly, the cloud migration process is the best opportunity an organization has to reassess what data should be migrated, how employees interact with that data, and how that data flows through the organization before building a brand new paradigm in the Cloud.You can think of this new paradigm as the organization’s information architecture. Just like a physical architecture where the architect designs a physical space for things, an organization’s information architecture is the infrastructure wherein the organization’s data will reside. To create this architecture effectively, you first must analyze how data flows throughout the company. To visualize this process, imagine the flow of information as a content pipeline: you’ve got a pile of papers and files on your desk that you want to assess, retain what is useful to you, and then pass on to the next person down the pipe. First, you would identify the files you no longer need and discard those. Next, you would identify what files you need for your work and put those aside for yourself. Then you would pass the remaining pile down to the next person in the pipeline, who has a different role in the organization (say, accountant). The accountant will pull out the files that are relevant to their accounting work, and pass the files down to the next person (say, a lawyer). The lawyer performs the same exercise for files that are relevant to their legal role, and so on until all the files have a “home.”In this way, information architecture is about clearly defining roles (accounting role, legal role, etc.) and how those roles interact with data, so that there is a place in the pipeline for the data they utilize. This allows information to flow down the pipeline and end up where it belongs. Note how different this system is from the old information governance model, where organizations would try to classify information by what it was in order to determine where it should be stored. In this new paradigm, we try to classify information by how it is used – because the same piece of content can be used in multiple ways (a vendor contract, for example, can be useful to both legal and accountant roles). The trick to structuring this new architecture is to place data where it is the most useful. Going hand-in-hand with the creation of a new information architecture, cloud migrations can (and should) also be an opportunity for a business culture transformation. Employees may have to re-wire themselves to work within this new digital environment and change the way they interact with data. This cultural transformation can be kicked off by gathering all the key players together and having a conversation about how each currently interacts with data. I often recommend conducting a multi-day workshop where every stakeholder shares what data they use, how they use it, and how they store it. For example, an accountant may explain that when he works on a vendor contract, he pulls the financial information from it and saves it under a different title in a specific location. A lawyer then may explain that when she works on the same vendor contract, she reviews and edits the contract language, and saves it under a different title to a different location. This collaborative conversation is necessary because, without it, no one in the organization would be able to see the full picture of how information moves through the organization. But equally important, what emerges from this kind of workshop is the seeds of culture transformation: a greater awareness from every individual about the role they play in the overall flow of information throughout the company and the importance of their role in the information governance of the organization. Best Practices for Organizations: Involve someone from every relevant role in the organization in the transformation process (i.e. everyone who interacts with data). If you involve frontline workers, the entire organization can embrace the idea that the cloud migration process will be a complete business culture transformation.Once all key players are involved, begin the conversation about how each role interacts with data. This step is key not only for the business cultural transformation, but also for the organization to understand the importance of doing the architecture work.These best practices can help organizations leverage their cloud migration process to achieve an efficient and effective information governance program. To discuss this topic further, please feel free to reach out to me at JHolliday@lighthouseglobal.com. information-governancemicrosoft-365, legal-operationscloud; information-governance; cloud-migration; bloglighthouse

It was a tumultuous summer in the world of data privacy, so I wanted to keep legal and compliance teams updated on changes that may affect your business in the coming months. Below is a recap of important data privacy changes across multiple jurisdictions, as well as where to go to dive into these updates a little deeper. Keep in mind that some of these changes may mean heightened responsibilities for companies related to breach requirements and/or data subject rights.U.S. On September 17th, four U.S. Republican senators introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” (SAFE DATA). The Act is intended to provide Americans “with more choice and control over their data and direct businesses to be more transparent and accountable for their data practices.” The Act contains data privacy elements that are reminiscent of the GDPR and California Consumer Privacy Act (CCPA) of 2018, including requiring tech companies to provide users with notice of privacy policies, giving consumers the ability to opt in and out of the collection of personal information, and requiring businesses to allow consumers the ability to access, correct, or delete their personal data. See the press release issued by the U.S. Senate Committee on Commerce, Science and Transportation here: https://www.commerce.senate.gov/2020/9/wicker-thune-fischer-blackburn-introduce-consumer-data-privacy-legislationCalifornia’s Proposition 24 (the “California Privacy Rights Act of 2020”) will be on the state ballot this November. In some ways, the Act expands upon the CCPA by creating a California Privacy Protection Agency and tripling fines for collecting and selling children’s private information. Proponents say it will enhance data privacy rights for California citizens and give them more control over their own data. Opponents are concerned that it will result in a “pay for privacy” scheme, where large corporations can downgrade services unless consumers pay a fee to protect their own personal data. See: https://www.sos.ca.gov/elections/ballot-measures/qualified-ballot-measures for access to the proposed Act.In mid-August, the Virginia Legislative Commission initiated study commissions to begin evaluating elements of the proposed Virginia Privacy Act, which would impose similar data privacy responsibilities on companies operating within Virginia as the GDPR does for those in Europe and the CCPA does for those in California. To access the proposed Act, see: https://lis.virginia.gov/cgi-bin/legp604.exe?201+sum+HB473.EuropeOn September 8, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-US Privacy Shield does not provide an adequate level of protection for data transfers from Switzerland to the US. The statement came via a position paper issued after the Commissioner’s annual assessment of the Swiss-US Privacy shield regime, and was based on the Court of Justice of the European Union (CJEU) invalidation of the EU-US Privacy Shield. You can find more about the FDPIC position paper here: https://www.edoeb.admin.ch/edoeb/de/home/kurzmeldungen/nsb_mm.msg-id-80318.htmlSimilarly, Ireland’s data protection commissioner issued a preliminary order to Facebook to stop sending data transfers from EU users to the U.S., based on the CJEU’s language in the Schrems II decision which invalidated the EU-US Privacy Shield. In response, Facebook has threatened to halt Facebook and Instagram services in the EU. Check out the Wall Street Journal’s reporting on the preliminary order issued by the Ireland Data Protection Commission here: https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980. For Facebook’s response filing in Ireland, see: https://www.dropbox.com/s/yngcdv99irbm5sr/Facebook%20DPC%20filing%20Sept%202020-rotated.pdf?dl=0Relatedly, in wake of the Schrems II judgment, the European Data Protection Board has also created a task force to look into 101 complaints filed with several data controllers in EEA member states related to Google/Facebook transfers of personal data into the United States. See the EDPB’s statement here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_enBrazilIn September, the new Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) became retroactively effective after the end of a 15-business-day period imposed by the Brazilian Constitution. This was a surprising turn of events after the Brazilian Senate rejected a temporary provisional measure on August 26th that would have delayed the effective date to the summer of 2021. Companies should be aware that the law is similar to the GDPR in that it is extra territorial and bestows enhanced privacy rights to individuals (including right to access and right to know). Be aware too, although administrative enforcement will not begin until August of 2021, Brazilian citizens now have a private right of action against organizations that violate data subjects’ privacy rights under the new law. For more information, check out the LGPD site (that can be translated via Google Chrome) with helpful guides and tips, as well as links to the original law: https://www.lgpdbrasil.com.br/. The National Law Review also has a good overview of the sequence of events that led up to this change here: https://www.natlawreview.com/article/brazil-s-data-protection-law-will-be-effective-after-all-enforcement-provisions.EgyptIn June, Egypt passed the Egyptian Data Protection Law (DPL), which is the first law of its kind in that country and aims to protect the personal data of Egyptian citizens and EU citizens in Egypt. The law prohibits businesses from collecting, processing, or disclosing personal information without permission from the data subject. It also prohibits the transfer of personal data to a foreign country without a license from Egypt. See the International Association of Privacy Professional’s reporting on the law here: https://iapp.org/news/a/egypt-passes-first-data-protection-law/To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com.data-privacyccpa, gdpr, data-privacy, blog, data-privacy,ccpa; gdpr; data-privacy; blogsarah moran

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com that features Lighthouse's John Shaw.A highlight of the challenges arising from the increased use of collaboration and messaging tools by employees in remote-work environments.Our “top trends” series was born out of a desire to help in-house lawyers with their horizon scanning and with assessing the potential risks heading their way. Each post focuses on a specific area, providing companies and their lawyers with quick summaries of some of the challenges heading their way.Our latest piece in the series looks at the top 3 trends in-house lawyers should take notice of in the area of employment disputes, and was carefully curated by one of our experts – Lighthouse director of business development John Shaw. The Covid-19 pandemic has affected every sector of law and litigation, and employment law is certainly no exception. From navigating an ever-changing web of COVID-19 compensation regulations, to ensuring workplaces are compliant with shifting government health guidelines – the last six months have been chaotic for most employers. But as we all begin to regain our footing in this “new normal”, there is another COVID-19-related challenge that employers should be wary of: the increased use of collaboration and messaging tools by employees in remote-work environments.This past spring, cloud-based collaboration tools like Slack and Microsoft’s Teams reported record levels of utilisation as companies around the world were forced to jettison physical offices to keep employees safe and comply with government advice. Collaboration tools can be critical assets to keep businesses running in a remote work environment but employers should be aware of the risks and challenges the data generated from these sources can pose from an employment and compliance perspective.Intermingling of personal and work-related data over chatAs most everyone has noticed by now, working remotely during a pandemic can blur the line between “work life” and “home life.” Employees may be replying to work chat messages on their phone while simultaneously supervising their child’s remote classroom, or participating in a video conference while their dog chases the postman in the background. Collaboration and chat messaging tools can blur this line even further. Use of chat messaging tools is at an all-time high as employees who lost the ability to catch up with co-workers at the office coffee station transition these types of casual conversation to work-based messaging tools. These tools also make it easy for employees to casually share non-work related pictures, gifs, and memes with co-workers directly from their mobile phone.The blurring line between home and work, as well as the increased use of work chat messaging can also lead to the adoption of more casual written language among employees. Most chat and collaboration tools have emojis built into their functionality, which only furthers this tendency. Without the benefit of facial expressions and social cues, interpretation of this more casual written communication style can vary greatly depending on age, context, or culture.All of this means that personal, non-work related conversations with a higher potential for misinterpretation or dispute are now being generated over employer-sanctioned tools and possibly retained by the company for years, becoming a part of the company’s digital footprint.Evidence gathering challengesEmployers should expect that much of the data and evidence needed in future employment disputes and investigations may originate from these new types of data sources. Searching for and collecting data from cloud-based collaboration tools can be a more complicated process than traditional searching of an employee’s email or laptop. Moreover, the actual evidence employers will be searching for may look different when coming from these data sources and require additional steps to make it reviewable. Rather than using search terms to examine an employee’s email for evidence of bad intent, employers may now be examining the employee’s emoji use or reactions to chat comments on Teams or Slack.Evidence for wage and hour disputes may also look a bit different in a completely remote environment. When employees report to a physical office, employers can traditionally look to data from building security or log-in/out times from office-based systems to verify the hours an employee worked. In a remote environment, gathering this type of evidence may be a bit more complex and involve collecting audit logs and data from a variety of different platforms and systems, including collaboration and chat tools. A company’s IT team or eDiscovery vendor will need to understand the underlying architecture of these tools and ensure they have the capacity to search, collect, and understand the data generated from them.Employer best practicesEmployers should consider implementing an employee policy around the use of collaboration tools and chat functionality, as well as a comprehensive data retention schedule that accounts for the data generated from these tools. Keep these plans updated and adjust as needed. Ensure IT teams or vendors know where data generated by employees from these new data sources is stored, and that they have the ability to access, search, and collect that data in the event of an employment dispute.chat-and-collaboration-data; microsoft-365microsoft, cloud, emerging-data-sources, blog, chat-and-collaboration-data, microsoft-365microsoft; cloud; emerging-data-sources; blogthe lawyer