Data Privacy

Stay up to date with the latest changes in privacy regulations and explore our insights for managing complex data privacy requirements and compliance with GDPR, CCPA/CPRA, DSARs, HIPAA, PIA, and more.

September 22, 2023
Case Study

Lighthouse Transforms Complex Enterprise Data Protection with Microsoft Purview

Lighthouse’s team of subject-matter experts applied its dedication to exemplary customer experience and its strategy of marrying compliance, security, IT, and legal needs to help a global chemistry solutions and specialty materials producer meet the ever-evolving security and compliance demands of international manufacturing and regulation, deploying Microsoft Purview across workstreams while preparing for future needs and reducing costs.

Global Leader in Chemistry Solutions Transforms Enterprise Data Protection with Microsoft Purview

An international producer of commercial chemicals and specialty materials upholds a commitment to people safety and well-being as one of its core tenets. As cyber risks increased along with data volumes, the organization extended that commitment to the security of data accessed, produced, and stored within its enterprise. The company has now implemented a comprehensive data protection program using the entire Microsoft 365 Information Protection suite. After careful design, the team is piloting the solution before a global rollout.

A Commitment to Physical and Digital Safety

As one of the world’s largest acetyl products manufacturers and a top-tier producer of high-performance engineered polymers, the company supplies chemicals across major industries for a variety of industrial and consumer applications. Over 10,000 employees in offices, technical centers, and 50+ manufacturing facilities work to realize a vision of improving the world and everyday life through people, chemistry, and innovation—with products that impact the lives of millions. For the organization, an operational approach rooted in well-being has always meant physically safe working environments for employees and safe solutions for their customers and communities.

However, in the digital age, the company has expanded its notion of safety to include data protection for employees, customers, shareholders, and the communities in which it operates. The company’s Chief Information Security Officer (CISO) notes that committing to data protection means a “higher level of assurance—making sure that our security controls keep pace with the threats that surround us every day and seek to exploit vulnerabilities in companies like us every day. You can’t stand still. You always have to evolve—you always have to get better, otherwise you’re devolving, and you’re getting worse, and becoming more vulnerable.”

Advancing Data Protection with a Trusted Partner

A few years ago, when the company decided to move to the cloud, it chose Microsoft 365 E5 and Microsoft Azure, building on its longstanding use of Microsoft technologies. Prior efforts to overhaul its data protection program had been unsatisfactory. With access to new Microsoft Purview capabilities, however, the Information Security team saw an opportunity to try again. They hoped to use the full breadth of the Microsoft 365 Information Protection suite, including Information Protection classification and labeling, Data Loss Prevention (DLP), and Insider Risk Management. Microsoft tapped Lighthouse Global, a Security Solutions partner holding the Advanced Specialization designation in Information Protection and Governance, to lead the engagement because of its ability to understand complex compliance needs across IT, security, and legal departments. Together, they hoped to develop a solution that realized the investment the company had made in Microsoft 365 and supported its corporate commitment to safety for both employees and customers.

“If you were to interview a bunch of companies, those who have actual, very successful DLP and data labeling programs typically have a hodgepodge of solutions that get melded together,” reflected the CISO, “and that’s where Lighthouse was successful…we’ve been able to leverage the investment…and get it to work, [and not] have to go spend more money to hodgepodge together a solution.”

Developing a Comprehensive, Scalable Solution

The Lighthouse team started by holding a series of working sessions to align on the company’s vision and requirements and to design the implementation approach. Using Microsoft Compliance Check, Lighthouse scanned the company’s environment to understand current activity and sensitivity intelligence. The team also reviewed existing policies and approaches for handling sensitive data and preventing data loss, to identify gaps and areas of opportunity. From there, the combined teams designed and configured a holistic data protection solution leveraging multiple Microsoft Purview products, including Data Loss Prevention, Information Protection, and Insider Risk Management.

Starting with data classification, the team defined the sensitive information types that needed to be identified. From there, they developed a set of sensitivity labels corresponding to the data protection policy. This set of classification techniques and labels was developed in the course of both the Data Loss Prevention and Insider Risk Management implementations, ensuring a comprehensive data life cycle protection program from content identification through insider threat analysis. Finally, the Lighthouse team supported the integration of the Microsoft products with the company’s third-party HR software to feed HR data into the Data Theft by Departing Employee policy, enabling a truly end-to-end solution.

Fulfilling a Mission of Security

The company’s dedication to safety, security, and well-being across applications and contexts drove the project’s success. “Because we see security as part of our commitment to people and innovation, we take a uniquely holistic approach and have strong support all the way up to our board of directors,” says the company’s CISO. The CISO also credits Lighthouse’s unwavering commitment to partnership. “They helped us not only implement the technology and guide us through some of the critical points to consider as we implemented the technology, but also the process and decision points with data—which ultimately, in the end, actually worked,” they conclude.

Now, with the design and implementation of the Microsoft Purview-based data protection program behind them, the organization’s information security team is focused on operationalizing the program through a series of pilots scheduled over the next year. Their ultimate goal is total, global implementation of the solution—and total, global protection for all employee and customer data.
October 1, 2022
Case Study

Gap Analysis Solution for IT and Legal Teams Transitioning to M365

Lighthouse saves insurance giant millions of dollars during major technology upgrade.

Key Actions

Microsoft referred the Company to Lighthouse to resolve concerns from the Company’s IT and legal departments that were stifling its automation and transition to Microsoft 365 (M365). Lighthouse held educational workshops on eDiscovery tools within M365 and devised a comprehensive compliance plan.

Key Results

Unblocked the M365 transition effort and strengthened the partnership between legal and IT. Compliance concerns were answered within M365, saving the Company millions of dollars that would otherwise have gone to retaining or updating legacy data management systems.

What They Needed

Legal Concerns Churn 11th Hour Nightmare for IT Department

In 2017, a nationwide insurance giant began a transition from an on-premises Microsoft solution to cloud-based M365, motivated by expected cost, performance, and security improvements. Years later, and well past the intended launch date, the Company’s legal team suddenly halted the transition entirely over concerns about M365’s eDiscovery capabilities, specifically how M365 would handle the identification, preservation, and collection of email, instant messages, and files. The legal department insisted the Company retain its custom-built archival solution until all compliance concerns were allayed.

These demands put the IT department in an extremely tough spot after it had already invested several years in the transition to M365. If forced to extend its aging on-premises solution, the team would face substantial costs. To help unstick the implementation project, Microsoft suggested the Company engage Lighthouse. Lighthouse immediately understood the legal team’s concerns and acted swiftly to honor the Company’s insistence on proceeding with the M365 transition with great caution, while remaining mindful that the Company receives hundreds of new legal matters every month.

The sensitive nature of data in this industry and the complex regulatory environment made the potential risk from mismanagement very high. The process was intricate and required high-level integration to mitigate significant risks specific to individual privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).

Hands-on Experience and High-touch Service Bridge the Gaps

Lighthouse fielded a team of experts with direct experience in the same or similar roles as the various client stakeholders, ranging from IT to records management, corporate legal, and public affairs. This hand-selected team led a three-part process with their counterparts from the Company:

1. Providing education on the eDiscovery aspects of M365
2. Analyzing current workflows and performance, and articulating the desired future state
3. Devising a high-level design document for how relevant parties could conduct eDiscovery tasks in compliance with the requirements while using M365

The first two steps helped restore unity among stakeholders, while the design document addressed the legal team’s concerns, including specified settings for a range of M365 applications and components such as Exchange Online, SharePoint Online, OneDrive for Business, and Teams. The design document made room for process automation and/or custom workflows, as well as for third-party system integration (compliance archive, legal hold, matter management, etc.). The initial project’s success led to a continuing relationship between the Company and Lighthouse, and over time Lighthouse has become a critical element in the Company’s ongoing M365 implementation and adoption journey, helping it chart a path forward.
June 1, 2023
Case Study

Engineering a Customized M365 eDiscovery Premium Add-on

Lighthouse bridges internal gaps during a technology overhaul and solves longstanding compliance issues for a German multinational healthcare manufacturer.

Key Actions

Lighthouse engaged company stakeholders in operational planning and received funding from Microsoft to devise and integrate a premium Microsoft 365 (M365) add-on to the existing Purview Premium eDiscovery, which resolved an outstanding compliance need.

Key Results

The proof-of-concept achieved a zero-trust security model integrated with third-party software, and satisfied critical needs that had been blocking the Company, bringing IT and legal departments together after years of dysfunction.

What They Needed

Automating a transition to M365 commonly yields a clash between IT, legal, and compliance stakeholders if the decision to convert was spearheaded by IT without consulting legal and compliance teams. Typically, during planning or implementation of an M365 conversion, legal teams ask IT how the new platform will support compliant and defensible processes, and if IT doesn’t have the answers, the project stalls. This was the situation facing a multinational manufacturing Company that engaged Lighthouse for help in the spring of 2020. At that time, the Company was several years into its M365 transition, and the legal team’s requirements for adoption of native M365 compliance tools barred a complete transition. Pressure to adopt the tools escalated because M365 workloads for content creation, collaboration, and communication had already been rolled out, creating an increasingly large and complex volume of data carrying significant risk.

Lighthouse Responds to Need and Launches New Technology

In partnership with Microsoft Consulting Services, Lighthouse organized a companywide M365 “reset,” hosting a three-day workshop to revamp the transition process and generate an official statement of work. The strategic goal was to align stakeholders from the litigation, technical infrastructure, cybersecurity, and forensics teams that had previously failed to do so. The workshop covered critical topics chosen to encourage constructive discussion between stakeholders and to strengthen departmental trust. The outcome of these discussions eventually enabled the Company to move forward with critical compliance updates, including the collection and parsing of Microsoft Teams data and the management of myriad files and email attachments.

Lighthouse took stock of the current state, tested potential solutions, and arrived at a proof-of-concept for an eDiscovery Automation Solution (EAS) that augmented existing M365 capabilities to meet the legal team’s security requirements and remediate performance gaps. Microsoft recognized the potential value of the EAS for the wider market, ultimately leading to Microsoft funding the proof-of-concept.

Inside the eDiscovery Automation Solution (EAS)

Technology

- Azure-native web application designed to orchestrate the eDiscovery operations of an M365 subscriber through Purview Premium eDiscovery automation
- Makes full use of the Microsoft Graph API “/Compliance/eDiscovery/” functions and other Microsoft APIs
- Confined to the Azure AD trust boundary, targeting the M365 tenant hosted within it, so that identity and entitlement are governed end to end through Azure and M365 security features

Benefits

- Achieved a zero-trust security model
- Enabled high-velocity, high-volume eDiscovery tasks without outside technology, through automation and orchestration of the eDiscovery Premium capabilities native to M365
- Mobilized integration with third-party software included in the Company’s eDiscovery workflows
- Amplified workload visibility by automatically surfacing relevant mailboxes, OneDrives, and other M365 group-based resources that depend on the selected custodians’ access
April 12, 2023

The Challenge with Big Data

March 29, 2023

Prioritizing Information Governance and Risk Strategy for a Dynamic Economic Climate

Lica Patterson, Senior Director of Global Advisory Services at Lighthouse, discusses how assessing short- and long-term risk can inform a more strategic information governance program.

As we continue to grapple with a strange and unpredictable economic environment, establishing your legal and information governance priorities can be daunting. While directing investment and energy into the most urgent matters is a reflex during a down economy, neglecting longer-term data issues and risk can be detrimental. How do you balance these interests with already strapped resources? Lica Patterson, Senior Director of Global Advisory Services at Lighthouse, joins the podcast to discuss how assessing short- and long-term risk can inform a more strategic information governance program. She also shares how the right technology and teams contribute to accomplishing goals and evolving your program.

This episode's sighting of radical brilliance: 3 trends will shape the future of work, according to Microsoft’s CEO, World Economic Forum, February 10, 2023.

If you enjoyed the show, learn more about our speakers and subscribe, rate us wherever you get your podcasts, and join in the conversation on LinkedIn and Twitter.
March 31, 2022

Spring Cleaning for Legal Teams: The Cloud and Defensible Deletion of Data

Law & Candor welcomes Erika Namnath of Lighthouse to discuss new challenges with data retention and deletion in the Cloud, developing a defensible disposal program, and getting stakeholder buy-in.

To kick off the show, Bill Mariano and Rob Hellewell discuss another Sighting of Radical Brilliance: How scientists are using AI to identify new drug combinations for children with incurable brain cancer. Next, they interview Erika Namnath from Lighthouse about how to develop a sound and efficient defensible deletion program and the benefits of getting buy-in for it throughout an organization. Some of the key questions they discuss include:

- Defensible disposal of data continues to be a key challenge for eDiscovery and information governance programs. Why has this issue persisted and how has it evolved?
- Historically, because of the risk of deleting important information or not being able to defend deletion, teams have defaulted to saving as much as possible. Why is this approach becoming increasingly impossible and even posing a greater risk?
- How should leaders approach developing a data retention and disposal program or updating their existing one?
- When developing these retention policies and updates, we often hear challenges with legacy data and legal holds. How can teams wrap their heads around existing data while also considering what they’re retaining today?
- It seems a significant challenge for these programs is gaining stakeholder buy-in and assigning ownership for retention and deletion. What can leaders do to tackle this?

Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us wherever you get your podcasts, and join in the conversation on Twitter.

Related Links

- Blog post: Cloud Adaptation: How Legal Teams Can Implement Better Information Governance Structures for Evolving Software
- Blog post: Making the Case for Information Governance and Why You Should Address It Now
- Podcast: Achieving Information Governance through a Transformative Cloud Migration
- Article: Scientists use AI to identify new drug combination for children with incurable brain cancer

About Law & Candor

Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for eDiscovery, compliance, and information governance. To learn more about the show and our speakers, visit the podcast homepage.
December 15, 2022

Data Governance for the BYOD Age

Our hosts chat with Lighthouse's John Bair about implementing proactive data management programs and emerging challenges with remote working, including mobile devices and collaboration data.

Law & Candor returns for Season 10 with co-hosts Bill Mariano and Rob Hellewell. They kick off the episode with a discussion of a Harvard Business Review article about the ways AI can make strategy more human. Next, they are joined by John Bair, Senior Consultant in Digital Forensics at Lighthouse, to discuss bring your own device (BYOD) policies, implementing proactive data management programs, and emerging data challenges with remote working. Some questions they tackle include:

- From a data governance and management perspective, what are the greatest challenges that have emerged from working from home and BYOD policies?
- Many organizations may have governance programs in place but still struggle with new data sources or devices. What can make some programs inadequate to face these changes?
- For those needing to refresh their governance approach, or build something new, what advice do you have for creating a more proactive program to get ahead of these data challenges?
- How should legal teams work with IT to ensure these types of programs are a success? How should we think about their roles?
- As mobile devices and virtual work continue to advance, how can teams ensure their data governance programs keep pace?

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, listen and rate the show wherever you get your podcasts, and join in the conversation on Twitter.
March 25, 2022

Mapping Updates to Data Privacy Regulations Worldwide

Our hosts chat with Lighthouse's Sarah Moran about updates to privacy regulations in the U.S., Europe, and China, how they're impacting businesses, and what's next on the horizon.

Bill Mariano and Rob Hellewell kick off this episode with another segment of Sightings of Radical Brilliance, where they discuss major privacy changes by Google and Apple in their mobile software. Next, our hosts chat with Sarah Moran, eDiscovery Evangelist and Proposal Content Strategist at Lighthouse, about updates to privacy regulations in the U.S., Europe, and China. They also dive into the following key questions:

- How is the enforcement of GDPR impacting businesses?
- How has the UK’s departure from the EU impacted privacy compliance?
- With so many states pursuing their own privacy regulations, do we anticipate any movement on a federal level?
- Beyond the U.S. and Europe, what does the privacy landscape look like internationally?

Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us wherever you get your podcasts, and join in the conversation on Twitter.

Related Links

- Blog post: 2021 Data Privacy Overview: New Regulations and Guidance
- Blog post: Navigating the Intersections of Data, Artificial Intelligence, and Privacy
- Blog post: The Impact of Schrems II & Key Considerations for Companies Using M365: The Cloud Environment
- Article: Google Plans Privacy Changes, but Promises to Not Be Disruptive
December 15, 2022

Anonymization and AI: Critical Technologies for Moving eDiscovery Data Across Borders

Our hosts are joined by Lighthouse's Damian Murphy for a lively chat about what AI solutions can be deployed to optimize eDiscovery workflows and maximize data insights while adhering to privacy laws.

In this episode's Sighting of Radical Brilliance, our hosts discuss strategies for putting your data to work outlined in a recent Harvard Business Review article. To elucidate the complexities of moving data across borders, Lighthouse's Damian Murphy, Executive Director of Advisory Services in EMEA, joins the podcast. With Paige and Bill, Damian explains recent updates to data transfer policies and what AI solutions can be deployed to optimize eDiscovery workflows and maximize data insights while adhering to privacy laws. Some key questions they answer include:

- With fines continuing to be issued for GDPR violations and organizations grappling with how to transfer data across regions, data privacy is still not a resolved issue. What are some recent policy changes our audience should be aware of? How have these created challenges for the ways that data is managed and how organizations can ultimately utilize it?
- Many of our listeners are likely aware of how anonymization and pseudonymization are being utilized, but can you remind us how they work?
- Is there a typical approach for a client faced with the need to supply data held within the EU in order to comply with an eDiscovery order in the US?
- If the past is any indication, we should expect privacy policies to continue to change and impact data governance. How are anonymization and pseudonymization, and other approaches, helping prepare for what’s on the horizon?

If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us wherever you get your podcasts, and join in the conversation on Twitter.
November 16, 2021

Getting Personal—Wearable Devices, Data, and Compliance

Thora Johnson of Orrick joins Bill and Rob to discuss the new data landscape with wearable devices and health apps, and how it has impacted data compliance, cybersecurity, and privacy concerns.

In the final episode of the season, co-hosts Bill Mariano and Rob Hellewell review a New Yorker piece by Kyle Chayka about the beauty and uncanniness of AI-created images delivered by the Twitter handle @images_ai. The co-hosts then bring on Thora Johnson of Orrick for a riveting discussion about the rise in wearable devices and the personal data they’re collecting. They discuss the fascinating innovation in health-related technology and apps and the significant data compliance, privacy, and cybersecurity issues that accompany it. Some key questions from their conversation include:

- Beyond the more well-known wearable devices and health-related apps, what others are out there and what types of data are they collecting?
- The proliferation of data these devices and apps are generating has created a unique set of intersecting compliance, security, and privacy challenges—what are some of the most critical to understand?
- How can teams mitigate the risk of a cyber breach? And in the event it does happen, what are best practices in terms of responding to a breach?
- What should attorneys and legal teams know about the FTC’s recent announcement that it plans to “vigorously” enforce its 2009 Health Breach Notification Rule?
- What regulatory issues related to apps collecting genetic information should people be aware of?

The season ends with key takeaways from the guest speaker section. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage, rate us on Apple and Stitcher, and join in the conversation on Twitter.
December 3, 2020

Reducing Cybersecurity Burdens with a Customized Data Breach Workflow

Bill Mariano and Rob Hellewell kick off episode 3 with another segment of Sightings of Radical Brilliance, where they discuss the EU striking down the Privacy Shield and what that means for the legal realm. Next, Bill and Rob chat with Jeremiah Weasenforth of Orrick about a recent customized data breach workflow that Jeremiah and his team implemented to significantly reduce the burdens of a data breach. In this interview, Jeremiah answers the following questions:

- What are the burdens of a major data breach?
- What impacts do DSARs and the CCPA have on these breaches?
- How do you get started with a customized workflow?
- What technology should one use?
- How do you implement the workflow internally?
- What key tips are there for those experiencing cybersecurity burdens today?

The show concludes with key takeaways from the guest speaker segment. Subscribe to Law & Candor here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.
December 3, 2020

Cross-Border Data Transfers and the EU-US Data Privacy Tug of War

In the second episode of season six, co-hosts Bill Mariano and Rob Hellewell kick off the show with Sightings of Radical Brilliance. In this episode, they review a recent trends analysis article written by Lighthouse’s very own John Shaw for The Lawyer that dives into new sources of evidentiary data in employment disputes.

Next, they bring on Melina Efstathiou of Eversheds Sutherland, who answers questions around cross-border data transfers and the EU-US data privacy challenges outlined below:

- What does the surprise decision to invalidate the EU-US Privacy Shield mean for ediscovery?
- How does this impact other data transfer mechanisms?
- What are some of the implications that Brexit could have?
- Are there any key tips for preparing for the future of cross-border ediscovery?

Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, subscribe here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.

Related Links

- Blog Post: Worldwide Data Privacy Update
- Blog Post: Three Steps to Tackling Data Privacy Compliance Post GDPR
- Blog Post: The U.S. Privacy Shield Is No Longer Valid – What Does that Mean for Companies that Transfer Data from the EU into the US?
September 22, 2020

Effective Strategies for Managing DSARs

Since the introduction of the GDPR, organizations with a European presence have seen a rise in the number of Data Subject Access Requests (DSARs).

In the fourth episode of season five, co-hosts Bill Mariano and Rob Hellewell discuss how Relativity is using its technology to help medical researchers comb through COVID-19 journal articles to help battle the virus. Bill and Rob then introduce their guest speaker, Nicki Woodfall of Travers Smith, who uncovers effective strategies for managing DSARs. Nicki answers the following questions in this episode: Why has there been a recent uptick in DSARs over the past few years? What are the top challenges when it comes to managing DSARs? What are key ways to overcome these common challenges? Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, subscribe here, rate us on Apple and Stitcher, join in the conversation on Twitter, and discover more about our speakers and the show here.

Related Links
Blog Post: How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery
Case Study: Penningtons Manches Cooper Takes Control of their eDiscovery Process with Lighthouse Spectra

About Law & Candor
Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here.
June 23, 2020

Managing Cybersecurity in eDiscovery

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss how password dumping can improve your security and what that means for the future of security. In this episode, Bill and Rob are joined by Dave Kuhl of Lighthouse. The three uncover the complexities around managing cybersecurity as well as practical tips for overcoming challenges via the following questions: What are the recent complexities around managing cybersecurity? What are today’s biggest threats? What are some key lessons learned around these challenges? How do you combat cybersecurity challenges? How do you get ahead of these issues before they hit? In conclusion, our co-hosts end the episode with key takeaways. To join the conversation, connect with us on Twitter and discover more about our speakers and the show here.

Related Links
Blog Post: Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production
Blog Post: Top Three Tips for Structuring an Effective eDiscovery Security Evaluation
Podcast Episode: Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production
Webinar Recording: The Risks of Cybersecurity in eDiscovery – Is Your Data Safe?
March 24, 2020

How Microsoft 365 and GDPR Are Driving a Proactive Approach to eDiscovery Across the Globe

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss changes the legal system may face thanks to innovation brought about by AI, big data, and online courts. In this episode, Bill and Rob are joined by Mike Brown of Lighthouse. The three uncover how Microsoft 365 (M365) and GDPR are driving change for a more proactive approach to ediscovery across the globe and answer the following questions: How have GDPR and M365 changed company attitudes from a reactive to a more proactive approach to ediscovery? How does Brexit impact this? How does a company actually become GDPR compliant? How do companies prepare? How do DSARs come into play? How does M365 help solve for these concerns? In conclusion, our co-hosts end the episode with key takeaways. To join the conversation, connect with us on Twitter and discover more about our speakers and the show here.

Related Links
Blog Post: Why Moving to the Cloud is a Legal Conversation
March 24, 2020

Data Privacy in a Post-GDPR World: Facing Regulators and Ensuring Compliance Through Rock-Solid Information Governance Practices

In the second episode of season three, co-hosts Bill Mariano and Rob Hellewell kick off the show with Sightings of Radical Brilliance. In this episode, they discuss how technology competence has become a priority for today’s lawyers, which has become a recent hot topic within the space as more states make technical competence for lawyers mandatory. They then introduce the next guest speaker segment from the live recording of Law & Candor during Legaltech, which features Kelly Clay from GSK. They explore how GDPR has impacted the ediscovery world, both globally and in the US, since its enactment and focus on ways to mitigate risk by uncovering answers to the following questions: What key challenges have GDPR and the rise of recent privacy laws created globally and in the US? How can information governance and compliance practices mitigate data privacy and security risks? What are best practices or key recommendations for listeners? Our co-hosts wrap up the episode with a few key takeaways. Join in the conversation on Twitter and discover more about our speakers and the show here.
December 4, 2019

Would a No-Deal Brexit Change How We Handle Cross-Border Collections in Europe?

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss personalized and predictive medicine and how Apple Watches have been saving lives. In addition, they dive into what these trends mean for the legal field. In this episode, Bill and Rob are joined by Josh Yildirim, Executive Director of Service Delivery of Europe at Lighthouse. The three of them jump into the current status of Brexit and what the future of cross-border data collections could look like. Below are the questions they address: Where are we currently with Brexit, and is a no-deal likely? How could this potentially impact data privacy? How could this impact cross-border collections? What are some practical tips when it comes to potential challenges? What are companies going to need to do to prepare? In conclusion, our co-hosts end the episode with key takeaways. To join the conversation, connect with us on Twitter and discover more about our speakers and the show here.
December 4, 2019

Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production

In the fourth episode of season two, co-hosts Bill Mariano and Rob Hellewell begin with Sightings of Radical Brilliance and the recent trend of folks moving away from email and towards text and chat tools. They dive into the diverse challenges and risks associated with this shift. Next, Bill and Rob introduce their guest speaker, David Kessler, Head of Data and Information Risk, United States, at Norton Rose Fulbright US LLP, to discuss cybersecurity challenges across the various stages of the EDRM. In this episode they ask David the following key questions: What does a high-level overview of data security look like today? Who does this affect? Where are vulnerabilities within the EDRM? What are some key solutions for overcoming top challenges? In the end, our co-hosts wrap up with a few key takeaways. Follow us on Twitter and discover more about our speakers and the show here.
September 26, 2023

Navigating Cross-Border eDiscovery Issues in the Wake of a U.S. Adequacy Determination

At Lighthouse our teams have the benefit of working across numerous clients, cases, and jurisdictions. As a result, we are building deep institutional knowledge across many aspects of eDiscovery that may be more difficult for individuals or teams to amass organically. To benefit our clients, we regularly share these insights in an ongoing series of best practices articles. This article provides updated guidance on cross-border eDiscovery in the wake of a recent adequacy determination by the European Commission for EU-US data transfers.

Best Practices to Support Cross-Border Data Transfers in eDiscovery

In any matter that potentially involves the processing and transfer of personal data across country borders, case teams should consider the following factors before deciding on a strategy:

The underlying company’s own policy governing the processing of personal data (including transfer mechanisms, such as consent and/or binding corporate rules)
The specific countries at issue (some countries have additional requirements for data residency, heightened consent requirements, etc.)
The nature of the data (including special categories of protected data, i.e., high-risk data), as well as the importance of the custodian and the uniqueness/criticality of the data
The options and feasibility of obtaining custodian consent for the transfer of their data (e.g., time to obtain consent, employment status of the custodian, the impact of obtaining consent on an investigation)

When evaluating options for where the data should be processed, case teams should also consider:

The country where most custodians are located (i.e., where the largest volume of data will be located)
Data center options (if no data center, consider other cloud-based or remote kit options and the impact on downstream search/review)
The pros and cons of processing data in a single data repository
Minimization at the point of collection as opposed to once data is processed into a review tool

Note that most clients follow a “hub-centric” approach and process data in accordance with specific regions, e.g., data stored in the US is processed in the US; data stored in Europe is processed in a European data center; data stored in APAC is processed either in APAC, depending on the country-specific laws, or in Europe, and so forth.

Whenever non-U.S. data is present in a matter, case teams should consider the following best practices for cross-border data transfers:

Establish lawful grounds for processing personal data (e.g., custodian consent, adequacy decision, or a legal exception defined by applicable data privacy regulations, such as the GDPR’s legitimate business interest exception). Note that many case teams choose not to rely solely on custodial consent for larger matters, unless the data originates from a highly restrictive jurisdiction (e.g., Switzerland, France, Germany, Luxembourg, etc.) or the matter involves specially protected data.
Ensure there are adequate safeguards in place to support exceptions, such as the legitimate business interest exception. At a minimum, this includes efforts to “minimize” what is being processed (i.e., collecting only data that is necessary for the activity at hand). Case teams can minimize the volume of data being processed by using keywords or other filters to reduce what is collected, culling data at the processing stage, conducting a search for certain categories of personal data, redacting personal data, and permitting a custodian to review data prior to transfer.

Case teams should also follow specific best practices when encountering any of the below scenarios during eDiscovery:

Matters involving U.S. litigations and eDiscovery: Consider adding supplemental data privacy safeguards, including putting a protective order in place that specifically addresses the handling of personal data subject to applicable law (e.g., GDPR and other applicable country-specific regulations). This includes provisions to designate certain data as subject to the protective order and specific provisions that require the deletion of data (and confirmation of deletion) once the litigation concludes.
Matters involving cross-border transfers from other (non-U.S.) countries: Ensure an appropriate cross-border transfer mechanism is in place for all data transfers. Common examples of appropriate cross-border transfer mechanisms include model contract clauses, intra-company agreements, and adequacy decisions rendered by the European Commission (including the adequacy decision for the new EU-U.S. Data Privacy Framework).
Matters involving data originating in China (PRC): Take into consideration all data security implications and PRC laws before transferring any data out of the country (including the requirement to conduct a state-secrets review in-country before any data can be transferred outside the country).
Matters involving data originating in countries with heightened privacy restrictions and/or sector-specific requirements (i.e., bank secrecy): Consider processing (and potentially reviewing) data in-country.
Document the protocol adhered to for each matter.

Conclusion

While transferring personal data across borders may feel like an increasingly complicated task for legal and eDiscovery teams, it is also a task that will be increasingly necessary as corporate data volumes grow and spread. The good news is that case teams do not have to navigate those complexities alone. An experienced eDiscovery partner with a global footprint and information governance/legal experts on staff can work closely with both outside and in-house counsel to develop a solution for cross-border data transfers that meets the legal requirements and needs of each matter.

Jamie Brown
July 10, 2023

To Reduce Risk and Increase Efficiency in Investigations and Litigation, Data is Key

Handling large volumes of data during an investigation or litigation can be anxiety-inducing for legal teams. Corporate datasets can become a minefield of sensitive, privileged, and proprietary information that legal teams must identify as quickly as possible in order to mitigate risk. Ironically, corporate data also provides a key to speeding up and improving this process. By reusing metadata and work product from past matters in combination with advanced analytics, organizations can significantly reduce risk and increase efficiency during the review process.

In a recent episode of Law & Candor, I discussed the complex nature of corporate data and ways in which the work done on past matters—coupled with analytics and advanced review tools—can be reused and leveraged to reduce risk and increase efficiency for current and future matters. Here are my key takeaways from the conversation.

From burden to asset: leveraging data and analytics to gain the advantage

The evolution of analytical tools and technologies continues to change the data landscape for litigation and investigations. In complex matters especially—think multi-district litigation, second requests, large multi-year projects with multiple review streams—the technology and analytics that can now be applied to find responsive data not only help streamline the review process but can extend corporate knowledge beyond a single matter for a larger purpose. Companies can now use their data to their advantage, transforming it from a liability into an asset. Prior to standardization around threading and TAR and CAL workflows, repository models were the norm. Re-use of issue coding was the best way to gain efficiency, but each matter still began with a clean slate. Now, with more sophisticated analytics, it’s not just coding and work product that can be re-used. The full analysis that went into making coding decisions can be applied to other matters so that the knowledge gained from a review and from the data itself is not lost as new matters come along. This results in greater overall efficiencies—not to mention major cost savings—over time.

Enhanced tools and analytics reduce the risk of PII, privilege, and other sensitive data exposure

With today’s data volumes, the more traditional methods used in review, such as search terms and regular expressions (regex), can often result in high data recall with low precision. That is, such a wide net is cast that a lot of data is captured that isn’t terribly significant, and data that does matter can be missed. Analytical modeling can help avoid that pitfall by leveraging prior work product and coding to reduce the size of the data population from the outset, sometimes by as much as 90%, and to help find information that more traditional tools often miss. This is especially impactful when it comes to PII, PHI, and privileged or other sensitive data that may be in the population, because the risk of exposure is significantly reduced as accuracy increases.

Upfront costs may seem like a barrier, but downstream cost savings in review make up for it

When technology and data analytics are used to reduce data volume from the beginning, efficiencies are gained throughout the entire review process; there are exponential gains moving forward in terms of both speed and cost. Unfortunately, the upfront costs may seem steep to the uninitiated, which is likely the barrier to wider adoption of many advanced technologies. The initial outlay before a project even begins can be perceived as a challenge for eDiscovery cost centers. Also, it can be very difficult for any company to keep up with the rapid evolution of both the complex data landscape and the analytics tools available to address it—the options can seem overwhelming. Finding the right technology partner with both expertise and experience in the appropriate analytics tools and workflows is crucial for making the transition to a more effective approach. A good partner should be able to understand the needs of your company and provide the necessary statistics to support and justify a change. A proof-of-concept exercise is a way to provide compelling evidence that any up-front expenditure will more than justify a revised workflow that will exponentially reduce the costs of linear document review.

How to get started

Seeing is believing, as they say, and the best way to demonstrate that something works is to see it in action. A proof-of-concept exercise with a real use case—run side-by-side with the existing process—is an effective way to highlight the efficiencies gained by applying the appropriate analytics tools in the right places. A good consulting partner, especially one familiar with the company’s data landscape, should be able to design such a test to show that the downstream cost savings will justify the up-front spend, not just for a single matter, but for other matters as well.

Cross-matter analysis and analytics: the new frontier

TAR and CAL workflows, which are finally finding wider use, should be the first line of exploration for companies not yet well-versed in how these workflows can optimize efficiency. But that is just the beginning. Advanced analytics tools add an additional level of robustness that can put those workflows into overdrive. Cross-matter analysis and analytics, for example, can address important questions: How can companies use the knowledge and work product gleaned from prior matters and apply them to current and future matters? How can such knowledge be pooled and leveraged, in conjunction with AI or other machine learning tools, to create models that will be applicable to future efforts? Marrying the old-school data repository concept with new analytics tools is opening a new world of possibilities that we’re just beginning to explore. It’s a new frontier, and the most intrepid explorers will be the ones that reap the greatest benefits. For more information on data reuse and other review strategies, check out our review solutions.

Cassie Blum
July 23, 2019

Why Moving to the Cloud is a Legal Conversation

There is a common theme buzzing around the legal tech and eDiscovery industry – the Cloud and how in-house lawyers should be aware of the implications of their companies moving to the Cloud. Due to its regular appearance, there is an increasing focus within organisations on the legal implications of moving to the Cloud, rather than on IT and operational considerations.

Setting the Stage

The Cloud is familiar to most people thanks to the way we store photos and save emails. However, the impact of the Cloud in such a short space of time, even for personal users, is remarkable. Google now gives away cloud storage space worth around $15,000 per person at 1995 prices to its users (of which there are approximately 1 billion). In other words, what would have cost a combined $15 trillion just 24 years ago is now being offered for free (Goldin and Kutarna. Age of Discovery. 1990. Print.).

The common response to the question of moving a company's data to the Cloud typically centres on perceived issues of both cost and security. Both of these topics are fundamental but are limited in scope when considering the wide-ranging potential of enterprise cloud technology from the perspective of data governance, compliance, and eDiscovery.

Reducing or eliminating IT spend on building and maintaining infrastructure is a driving force for companies to move to the Cloud. Another is the need to provide employees with the tools they need to not only continue their everyday tasks but also to adapt and innovate. Microsoft recently quoted that, “97% of Fortune 500 and 95% of Fortune 1000 companies have Office 365 to benefit from streamlined infrastructure, data management, and collaborative technology opportunities.” They have discovered that cloud-based productivity has moved far beyond just standard applications like Word or Excel. Networked applications fuel employee innovation. According to a study by Vanson Bourne, “companies leveraging cloud services increased their time to market by 20.7%. At the same time, IT spending decreased by 15.1%, and, as for employees, productivity jumped 18.8%.”

When compared to cost savings and data security, data governance, compliance, and eDiscovery often get less consideration. This is because a transition to the cloud is a core business decision, taken on at an enterprise-wide level to streamline the company and provide business-critical tools to employees. The legal capabilities of the technology may seem peripheral to the IT teams focusing on transitioning from on-premise infrastructure to cloud-based data centres. However, when you consider the variety of ways in which data is generated and the volume of this data, legal needs to lead the way in managing risk and adding value to how collaboration is managed across the company.

Driving Home the Point

Ironically, cloud-based technologies like Office 365 make it even easier to generate ever-larger amounts of data. It is, therefore, no surprise that the same technology can (and should) be used to govern this data. Legal needs to consider how to take ownership of the company's data for risk management purposes if nothing else.

An example of this is persistent chat using Skype, Teams, Yammer, etc. Legal, rather than IT, needs to drive the key questions. Is this functionality available to everyone? How long is chat data stored? Does the company utilise more than one chat solution, and do they interact with each other? Is the data discoverable if necessary, and can it be searched? Can a legal hold be placed on this content? When data is deleted, does that fit with the overall data retention policy, and is that consistent across multiple locations?

Data retention and its associated policies and logistics, just one aspect of data governance, can be overwhelming. Every organisation has many applications that employees use. A switch to a cloud-based environment doesn’t just mean the data is stored somewhere else. It means that tools are probably available for employees to work more intelligently and collaboratively. This is a positive thing for both efficiency and most likely profitability. It is also positive in terms of data governance and compliance. Policies such as data retention and categorisation can be refreshed so that they are not written and ignored. They can be hardwired into the very applications that generate the bulk of a company's data, from email and business documents to persistent chat applications, financial data, and internal social media.

Cloud-based technology such as Office 365 can be utilised to manage contentious matters more effectively and proportionally (crucial for Subject Access Requests), without the need for large-scale intervention from third parties who deploy forensic data collection experts to ship large volumes of data elsewhere for eDiscovery purposes.

Furthermore, failure to provide modern workplace technology often means that a shadow IT environment develops within a company, a phenomenon that makes governance and compliance even more difficult than it already is. Employees will use whatever technology they can to make their job easier, regardless of policy. Again, legal, not IT, can lead the way in aligning policies with the use of modern workplace tools.

Fortunately, security concerns have done little to hold back the tide of progress to cloud-based infrastructure. Microsoft may be the company that faces the most attempted external hacks, but it also has a budget of over $1 billion annually to ensure the data it holds is secure. Other cloud-based providers also understand the value of managing their clients’ data and have similarly impressive methods and large budgets to protect it. Microsoft's share price demonstrates what shareholders think of its focus on the cloud over the last five years. Windows is not discussed as widely these days compared to Office 365.

Looking Forward

IT and security may be the departments responsible for a transition to the Cloud, but legal and compliance are the departments that should take ownership of the generation and governance of the data. This should not be seen as a burden, but a welcome change in how to align a modern workplace with a comprehensive framework to manage the risks inherent in big data.

If you would like to discuss this topic further, please feel free to reach out to me at

Michael Brown
March 26, 2021

Legal Tech Innovation: Learning to Thrive in an Evolving Legal Landscape

The March sessions of Legalweek took place recently, and as with the February sessions, the virtual event struck a chord that reverberated deep from within the heart of a (hopefully) receding pandemic. However, the discussions this time around focused much less on the logistics of working in a virtual environment and much more on getting back to the business of law. One theme, in particular, stood out from those discussions – the idea that legal professionals will need to have a grasp on the technology that is driving our new world forward, post-pandemic.

In other words, the days when attorneys somewhat-braggingly painted a picture of themselves as Luddites holed up in cobwebbed libraries are quickly coming to an end. We live in an increasingly digital world – one where our professional communications are taking place almost exclusively on digital platforms. That means each of us (and our organizations and law firms) is generating more data than we know what to do with. That trend will only grow in the future, and attorneys that are unwilling to accept that fact may find themselves entombed within those dusty libraries.

Fortunately, despite our reputation as being slow to adapt, legal professionals are actually an innovative, flexible bunch. Whether a matter requires us to develop expertise in a specific area of the medical field, learn more about a niche topic in the construction industry, or delve into some esoteric insurance provision – we dive in and become lay experts so that we can effectively advocate for our clients and companies. Thus, there is no doubt that we can and will evolve in a post-pandemic world. However, if anyone out there is still on the fence, below are four key reasons why attorneys will need to become tech savvy, or at least knowledgeable enough to understand when to call in technical expertise.

1. Technological Competence Is Imposed by Ethics and Evidence Rules

First and foremost, attorneys have an ethical duty (under ABA Model Rule 1.1) to “keep abreast of changes in the law and its practice, including the benefits and risk associated with relevant technology.” Thirty-seven states have adopted this language within their own attorney ethics rules. Thus, just as we have a duty to continue our legal education each year to stay abreast of changes in law, we also have an ethical duty to continue to educate ourselves on the technology that is relevant to our practice.

We also have a duty to preserve and produce relevant electronically stored information (ESI) (under both the Federal Rules of Civil Procedure (FRCP) and the ABA model ethics rules)[1] during civil litigation. To do so, attorneys must understand (or work with someone who understands) where their client’s or company’s relevant ESI evidence is, how to preserve it, how to collect it, and how to produce it. This means preserving and producing not only the documents themselves but also the metadata (i.e., the information about the data itself, including when it was generated and edited, who created it, etc.). This overall process grows more complicated with each passing year, as companies migrate to the unlimited storage opportunities of the Cloud and employees increasingly communicate through cloud-based collaboration platforms. Working within the Cloud has a myriad of benefits, but it can make it more difficult for attorneys to understand where their client’s or company’s relevant information might be stored, as well as harder to ensure metadata is preserved correctly.

Together, these rules and obligations mean that whether we are practicing law within a firm or as in-house counsel at an organization, we have a duty to understand the basics of the technology our clients are using to communicate so that, at the very least, we will know when to call in technical experts to meet the ethical and legal obligations we owe to those we counsel.

2. Data Protection and Data Privacy Are Becoming Increasingly Important

The data privacy landscape is becoming a tapestry of conflicting laws and regulations that companies are currently navigating as best they can. Within the United States alone, a multitude of state and local laws regulating personal data came into effect or were introduced in 2020. For companies that have a global footprint, the worldwide data protection landscape is even more complicated – from the invalidation of the EU-US Privacy Shield to new laws and modifications of data protection laws across the Americas and Asia Pacific countries. It will not be long before most companies, no matter their location, will need to ensure that they are abiding within the constructs of multiple jurisdictional data privacy laws.

This means that attorneys who represent those companies will need to understand not only where personal data is located within the company, but also how the company is processing that data, how (and if) that data is being transmitted across borders, when (and if) it needs to be deleted, the process for effectively deleting it, etc. To do so, attorneys must also have at least some understanding of the technology platforms their companies and clients are using, as well as how data is stored and transferred within those platforms, to ensure they are not inadvertently running afoul of data privacy laws.

As far as data protection, attorneys need to understand how to proactively protect and safeguard their clients’ data. There have been multiple high-profile data breaches in the last few months, and law firms and companies that routinely house personal data are often the target of those breaches. Protecting client data requires attorneys to have a semblance of understanding of where client data is and how to protect it properly, including knowing when and how to hire experts who can best offer the right level of protection.

3. Internal Compliance Is Becoming More Technologically Complicated

There has been a lot of interest recently in using artificial intelligence (AI) and analytics technology to monitor internal compliance within companies. This is in part due to the massive amount of data that compliance teams now need to comb through to detect inappropriate or illegal employee conduct. From monitoring departing employees to ensure they aren’t walking out the door with valuable trade secret information, to monitoring digital interactions to ensure a safe work environment for all employees – companies are looking to leverage advances in technology to more quickly and accurately spot irregularities and anomalies within company data that may indicate employee malfeasance. Not only will this type of monitoring require an understanding of analytics and AI technology, but it will also require grasping the intricacies of the company’s data infrastructure. Compliance and legal teams will need to understand the technology platforms in place within their organization, where employees are creating data within those platforms, as well as how employees interact with each other within them.

4.
The Ability to Explain Technology Makes Us Better AdvocatesFinally, it is important to note that the ability to understand and explain the technology we are using makes us better and more effective advocates. For example, within the eDiscovery space, it can be incredibly important for our clients’ budgets and case outcomes to attain court acceptance of AI and machine-learning technology that can drastically limit the volume of data requiring expensive and tedious human review. To do so, attorneys often must first be able to get buy-in from their own clients, who may not be well versed in eDiscovery technology. Once clients are on-board, attorneys must then educate courts and opposing counsel about the technology in order to gain approval and acceptance.In other words, to prove that the methods we want to use (whether those methods relate to document preservation and collection, data protection, compliance workflows, or eDiscovery reviews) are defensible and repeatable, attorneys must be able to explain the technology behind those methods. And as in all areas of law, the most successful attorneys are ones who can take a very complicated, technical subject and break it down in a way that clients, opposing counsel, judges, and juries can understand (or alternatively are knowledgeable enough about the technology to know when it is necessary to bring experts in to help make their case).Best Practices for Staying Abreast of TechnologyReach out to technology providers to ask for training and tips when needed. When evaluating providers, look for those that offer ongoing training and support.For attorneys working as in-house counsel, work to build healthy partnerships with compliance, IT, and data privacy teams. Being able to ask questions and learn from each other will help head off technology issues for your company.For attorneys working within law firms, work to understand your clients’ data infrastructure or layout. 
This may mean talking to their IT, legal, and compliance teams so that you can ensure you are up to date on changes and processes that affect your ability to advocate effectively for your client.Look for CLEs, trainings, and vendor offerings that are specific to the technology you and your clients use regularly. Remember that cloud-based technology, in particular, changes and updates often. It is important to stay on top of the most recent changes to ensure you can effectively advocate for your clients.Recognize when you need help. Attorneys don’t need to be technological wizards in order to practice law, however, you will need to know when to call in experts…and that will require a baseline understanding of the technology at issue.To discuss this topic more, feel free to connect with me at [1] ABA Model Rule 3.4, FRCP 37(e) and FRCP 26)ai-and-analytics; ediscovery-review; data-privacy; information-governanceanalytics, data-privacy, information-governance, ediscovery-process, blog, law-firm, ai-and-analytics, ediscovery-review, data-privacy, information-governanceanalytics; data-privacy; information-governance; ediscovery-process; blog; law-firmsarah moran
November 5, 2020

Why Moving to the Cloud can Help with DSARs (and Have Some Surprise Benefits)

However you view a DSAR, for any entity that receives one it is time-consuming to complete and disproportionately expensive to fulfill. Combined with the increasing extent to which DSARs are being weaponized, this means companies are often missing opportunities to mitigate their negative effects by not migrating data to the Cloud.

Existing cloud solutions, such as M365 and Google Workspace (formerly known as G Suite), allow administrators to, for example, set data retention policies, ensuring that data cannot routinely be deleted before a certain date, or that a decision is made as to when data should be deleted. Equally, legal hold functionality can ensure that data cannot be deleted at all. It is not uncommon for companies to discover that when they migrate to the Cloud all data is by default set to be on permanent legal hold. Whilst this may be required for some market sectors, it is worth re-assessing any existing legal hold policy regularly to prevent data volumes from ballooning out of control.

Such functionality is invaluable in retaining data, but can have adverse effects when responding to DSARs, as it allows legacy or stale data to be included in any search of documents and inevitably inflates costs. Using built-in eDiscovery tools to search and filter data in place, in combination with a data retention policy managed by multiple stakeholders (such as Legal, HR, IT, and Compliance), can reduce the volumes of potentially responsive data, having a significant impact on the downstream costs of fulfilling a DSAR.

Many key internal stakeholders are frequently unaware of functionality available to their organization that can help to mitigate costs, such as Advanced eDiscovery (AED) in Microsoft 365, or Google Vault in Google Workspace. Using AED, a user can quickly identify relevant data sources, from mailboxes, OneDrive, Teams, Skype, and other online data sources, apply filters such as date range and keywords, and establish the potential number of documents for review within minutes. Compare this to those who have on-premises solutions, where they are wholly dependent on an internal IT resource, or even the individual data custodians, to identify all of the data sources, confirm with HR / Legal that they should be collected, and then either apply search criteria or export the data in its entirety to an external provider to be processed. This process can take days, if not weeks, when the clock is ticking to provide a response in 30 days. By leveraging cloud technology, it is possible to identify data sources and search in place in a fraction of the time it takes for on-premises data.

Many cloud platforms include functionality which means that when data is required for a DSAR, it can now be searched, filtered, and, crucially, reviewed in place. If required, redactions can be performed prior to any data being exported externally. Subject to the level of license held, additional functionality, such as advanced indexing or conceptual searching, can also be deployed, allowing for further filtering of data and thus reducing data volumes for review or export.

The technology also allows for rapid identification of multiple data types including:

- Stale data
- Sensitive data types (financial information / PII)
- Customer-specific data
- Suspicious / unusual activities

By using the inbuilt functionality to minimize the impact of such data types as part of an Information Governance / Records Management program, there can be significant changes and improvements made elsewhere, including data retention policies, data loss prevention, and improved understanding of how data is routinely used and managed in general day-to-day business. This, in turn, has significant time and cost benefits when required to search for data, whether for a DSAR, an investigation, or a litigation exercise. Subject to the agreement with the cloud service provider, this may also have benefits in reducing the overall volume and cost of data hosted.

With a sufficiently robust internal protocol in place, likely data sources can be identified and mapped. Now, when a DSAR request is received, an established process exists to rapidly search and cull potential cloud-based data sources, including using tools such as Labels or Sensitivity Types to exclude data from the review pool, and efficiently respond to any such request.

Migrating to the Cloud may seem daunting, but the benefits are there and can be best maximized when all stakeholders work together, across multiple teams and departments. DSARs do not have to be the burden they are today. Using tools readily available in the Cloud might also significantly reduce the burdens and costs of DSARs.

To discuss this topic further, please feel free to reach out to me at

Matt Bicknell
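As an added illustration for the DSAR post above (not code from the post or from Lighthouse), the following PowerShell uses the Microsoft 365 Security & Compliance cmdlets from the ExchangeOnlineManagement module to do two of the things the post describes: audit retention rules that keep everything indefinitely, and run an in-place compliance search scoped by date range and data-subject keywords to size a DSAR before anything is exported. The policy and search names, the data subject's address, the date range and the seven-year retention period are assumed placeholders.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance/eDiscovery role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# 1. Surface retention rules that keep data forever without ever deleting it: the
#    "everything on permanent legal hold by default" situation the post warns about.
#    These are the rules Legal, HR, IT and Compliance should jointly re-assess.
Get-RetentionComplianceRule |
    Where-Object { "$($_.RetentionDuration)" -eq 'Unlimited' -and
                   $_.RetentionComplianceAction -ne 'Delete' } |
    Select-Object Name, Policy, RetentionDuration, RetentionComplianceAction |
    Format-Table -AutoSize

# 2. A finite, stakeholder-agreed alternative: keep for 7 years (2555 days) from last
#    modification, then delete. Policy/rule names are assumed placeholders.
New-RetentionCompliancePolicy -Name 'Corp-7yr-Retention' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Corp-7yr-KeepThenDelete' -Policy 'Corp-7yr-Retention' `
    -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# 3. In-place DSAR search: restrict by date range and the data subject's identifiers
#    (KQL), then read back the item count and size before any review or export.
$subject = 'jane.doe@example.com'   # assumed data subject / custodian mailbox
$query   = '(date>=2019-01-01 AND date<=2020-09-30) AND ("Jane Doe" OR "jane.doe@example.com")'
New-ComplianceSearch -Name 'DSAR-2020-0042' `
    -ExchangeLocation $subject -SharePointLocation All `
    -ContentMatchQuery $query
Start-ComplianceSearch -Identity 'DSAR-2020-0042'

# Poll until the estimate is ready; stop early if the search fails.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity 'DSAR-2020-0042'
} while ($search.Status -notin @('Completed', 'Failed'))

# The estimate is the number the post talks about: potentially responsive items
# found in minutes, before a single document leaves the tenant.
"{0}: {1} items, {2}" -f $search.Status, $search.Items, $search.Size
```

Run step 1 on its own first; the rules it lists are candidates for discussion, not something to change unilaterally, since some sectors genuinely require indefinite holds.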
October 6, 2020

Worldwide Data Privacy Update

It was a tumultuous summer in the world of data privacy, so I wanted to keep legal and compliance teams updated on changes that may affect your business in the coming months. Below is a recap of important data privacy changes across multiple jurisdictions, as well as where to go to dive into these updates a little deeper. Keep in mind that some of these changes may mean heightened responsibilities for companies related to breach requirements and/or data subject rights.

U.S.

On September 17th, four U.S. Republican senators introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” (SAFE DATA). The Act is intended to provide Americans “with more choice and control over their data and direct businesses to be more transparent and accountable for their data practices.” The Act contains data privacy elements that are reminiscent of the GDPR and the California Consumer Privacy Act (CCPA) of 2018, including requiring tech companies to provide users with notice of privacy policies, giving consumers the ability to opt in and out of the collection of personal information, and requiring businesses to allow consumers the ability to access, correct, or delete their personal data. See the press release issued by the U.S. Senate Committee on Commerce, Science and Transportation here:

California’s Proposition 24 (the “California Privacy Rights Act of 2020”) will be on the state ballot this November. In some ways, the Act expands upon the CCPA by creating a California Privacy Protection Agency and tripling fines for collecting and selling children’s private information. Proponents say it will enhance data privacy rights for California citizens and give them more control over their own data. Opponents are concerned that it will result in a “pay for privacy” scheme, where large corporations can downgrade services unless consumers pay a fee to protect their own personal data. See: for access to the proposed Act.

In mid-August, the Virginia Legislative Commission initiated study commissions to begin evaluating elements of the proposed Virginia Privacy Act, which would impose similar data privacy responsibilities on companies operating within Virginia as the GDPR does for those in Europe and the CCPA does for those in California. To access the proposed Act, see:

On September 8, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-US Privacy Shield does not provide an adequate level of protection for data transfers from Switzerland to the US. The statement came via a position paper issued after the Commissioner’s annual assessment of the Swiss-US Privacy Shield regime, and was based on the Court of Justice of the European Union (CJEU) invalidation of the EU-US Privacy Shield. You can find more about the FDPIC position paper here:

Ireland’s data protection commissioner issued a preliminary order to Facebook to stop sending data transfers from EU users to the U.S., based on the CJEU’s language in the Schrems II decision which invalidated the EU-US Privacy Shield. In response, Facebook has threatened to halt Facebook and Instagram services in the EU. Check out the Wall Street Journal’s reporting on the preliminary order issued by the Ireland Data Protection Commission here: For Facebook’s response filing in Ireland, see:

In the wake of the Schrems II judgment, the European Data Protection Board has also created a task force to look into 101 complaints filed with several data controllers in EEA member states related to Google/Facebook transfers of personal data into the United States. See the EDPB’s statement here:

In September, the new Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) became retroactively effective after the end of a 15-business-day period imposed by the Brazilian Constitution. This was a surprising turn of events after the Brazilian Senate rejected a temporary provisional measure on August 26th that would have delayed the effective date to the summer of 2021. Companies should be aware that the law is similar to the GDPR in that it is extraterritorial and bestows enhanced privacy rights on individuals (including the right to access and the right to know). Be aware too that, although administrative enforcement will not begin until August of 2021, Brazilian citizens now have a private right of action against organizations that violate data subjects’ privacy rights under the new law. For more information, check out the LGPD site (which can be translated via Google Chrome) with helpful guides and tips, as well as links to the original law: The National Law Review also has a good overview of the sequence of events that led up to this change here:

In June, Egypt passed the Egyptian Data Protection Law (DPL), which is the first law of its kind in that country and aims to protect the personal data of Egyptian citizens and EU citizens in Egypt. The law prohibits businesses from collecting, processing, or disclosing personal information without permission from the data subject. It also prohibits the transfer of personal data to a foreign country without a license from Egypt. See the International Association of Privacy Professionals’ reporting on the law here:

To discuss this topic further, please feel free to reach out to me at

Sarah Moran
June 8, 2020

Top Three Tips for Structuring an Effective eDiscovery Security Evaluation

In the modern age of legal technology, cybersecurity and eDiscovery are unquestionably intertwined. As cybersecurity threats escalate and bad actors find success with new methods and sophisticated tools to gain access to the ever-growing volumes and types of confidential electronic data, legal departments and law firms are getting hit daily by cybersecurity incidents and breaches, with many not even knowing when the incidents have occurred. The legal world, and eDiscovery in particular, is an enticing target, as matters typically involve huge volumes of sensitive information, and data often resides across multiple providers who play a part in the collection, processing, hosting, review, and production of data.

From a security perspective, corporations are constantly dealing with the data their employees create, and thus they typically maintain a solid system focused on maintenance, protection, back-ups, and defense of that data. This internal process is implemented using governance, risk, and compliance standards that run pretty well from the inside. But security gaps arise when that data becomes subject to a legal hold for litigation and that once well-protected data gets sent out to law firms and/or outside providers.

So how can organizations feel confident they’re effectively evaluating the cybersecurity stability of their law firms, third parties, cloud providers, etc.? Do your providers have relevant security controls in place to ensure your data resides in a reasonably similar manner as you would store the data yourself? Here are the top three tips for structuring an effective and comprehensive eDiscovery security evaluation and creating a strong relationship with your providers:

Leverage Industry-Standard Certifications

At the security evaluation stage, it’s critical to get to know your providers well and develop trusted relationships. The best way to first evaluate their overall security is to leverage industry-standard certifications. If the provider has access to and holds your data, they should be able to demonstrate that they’re ISO 27001 and SOC 2 certified, as those have become the standard security environment protocol in the eDiscovery industry. Industry-standard questionnaires such as the SIG can also be used to validate a provider’s security structure. If a provider already has a completed and up-to-date SIG, this can be immediately accepted without needing to reinvent the wheel and require another type of basic security assessment. This should serve as your baseline and will aid your risk assessments overall.

It’s also important for organizations to audit, on an annual basis, those fundamental controls your providers have in place, as the industry continues to look deeper into all areas of each certification. The days of checking the standard audits off your list and being considered compliant are quickly becoming a thing of the past. With the increase in breaches, we are also seeing deeper and more thorough inspections beyond your own company and a shift to the provider space. So make sure you’re getting involved and staying involved with your suppliers. They are critical elements of your success and you need to treat them as such.

Devise Security Questions That Go Beyond the Basics

In addition to the standard certifications and questions the SIG and other general security audits give you, it’s also important to go beyond the basics and devise questions for your eDiscovery vendors that will uncover any existing gaps. Outside of questionnaires that simply ask for “yes” or “no” answers, consider doing regular audits with specific and focused questions. For example, ask your providers to discuss what different technologies they’re considering in the next 12 months or what new security certifications they’re planning to pursue. This ensures that you’re acting in a forward-thinking manner and developing better insight into your partners’ future development.

To combat the growing cybersecurity threat, organizations need to remain one step ahead and devise questions to find forward-thinking suppliers rather than ones that just check the boxes. It’s also crucial to apply focused energy to the evolution of the organization and its suppliers. Take the time to have open dialogue and explore different solutions with the goal of preventing threats. In today’s market, most organizations are still operating in a reactive state, meaning solutions are in place to detect malicious behaviors already inside your boundaries. Remember that the clock always wins, and prevention is the preferred way to stay ahead of attacks. Ask your technology providers the tough questions around ransomware and look to see what kinds of SLAs or guarantees they can offer. This is a great place to start to separate products and services by the maturity of their offering.

Consider a Managed Services Environment

In the most ideal of situations, a corporation would know in advance their list of trusted providers for investigations and litigation, and they would have a regular flow of communication with those providers that includes updates on standard certifications as well as regular audits including questions that go beyond the basics. Many times, this secure workflow can be best served by establishing a dedicated managed services environment that can support a more seamless and secure flow of data when a matter transitions to eDiscovery. Taking advantage of the dedicated services that come with a managed services environment, the corporation gets a technically skilled and more diverse talent base to draw from – one that becomes an extension of your team and treats the security of your data as if it were their own. Within that environment, law firms and document review lawyers all log into the same database and a partnership develops between all parties, creating a more secure environment. In addition, you’ll see cost savings by not having to invest in your own security infrastructure and separate cybersecurity personnel.

Overall, vendor security is an integral part of an organization’s cybersecurity strategy. It’s imperative for corporations who transfer sensitive data out of their control to third parties to make sure that each and every supplier who handles the data meets all of the organization’s internal security requirements, as well as established regulatory requirements. This can be achieved by choosing providers who maintain industry-standard security certifications, performing regular audits outside of standard security questionnaires, and, at the most secure level, by creating a managed services environment with your suppliers.

Lighthouse
April 20, 2020

Three Steps to Tackling Data Privacy Compliance Post GDPR

Recently we took Lighthouse’s legal technology podcast series Law and Candor on the road and broadcast a special live edition to our audience straight from Legaltech. One episode focused on the issue that’s at the forefront of the eDiscovery and information governance world: data privacy compliance in the post-GDPR world. Our distinguished Law and Candor hosts spoke with special guest Kelly Clay, global eDiscovery counsel and head of information governance at GlaxoSmithKline (GSK), about the key challenges or “opportunities” that GDPR, CCPA, and other burgeoning laws around data privacy have presented, and how the associated risks have permanently shifted the legal landscape.

With the two-year anniversary of GDPR’s first day of implementation right around the corner, it’s a perfect time to reflect on where we are now. Organizations around the world have become more comfortable with the idea that data governance, privacy, and security are more than just new challenges they are being forced to solve. Businesses are beginning to see the new opportunities that come from data privacy regulations as they realize the benefits that come from cross-functional stakeholders working together across all of their internal support functions.

So what are organizations doing to get a handle on the information governance side of the house and ensure compliance in this post-GDPR era? Here are three steps to take on the road to continual compliance:

Understand where your data resides. It might seem obvious, but the number one place to start (and some would argue the most important) is taking a detailed look at your data and understanding all of the different types your organization generates, and the various locations where it all resides. Many who have already embarked on this journey have found silos during the process and encountered complications in understanding the full extent of their data and where it is. Now’s the time to use the information you gather to create a detailed and comprehensive data map that can be easily and automatically updated as new locations and new data are constantly created.

Focus on the general principles. It’s easy to get overwhelmed in the data mapping process, especially if you’re a large organization whose employees utilize many different communication methods and IT has traditionally employed disparate storage methods for that never-ending mountain of data. Once your data map is in place, take a step back and realize you can’t tackle every potential compliance issue at the same time. Instead, continue to focus on the overall general principles like understanding where the data is flowing from and where it’s going, whether it’s email, chats, or data in the Cloud.

Change the narrative. Historically, Legal and IT have operated separately and handled data based on the nature of their specific job functions. For example, Legal views data and information through the lens of risk management, while IT has a different approach in how it views managing and archiving data within an enterprise. With GDPR, CCPA, and likely many more privacy regulations to come, organizations need to handle data differently and understand that everyone is accountable and must work cross-functionally. Key players from the technology group to the procurement team to the business strategy group must change their mindset and be mindful of how they deal with data while keeping legal risk at the forefront.

Ultimately, the post-GDPR era is here to stay and organizations should treat these dramatic changes in how we view and handle data as an opportunity, not a challenge. Getting a handle on how to create an effective compliance program is a team effort that requires everyone to get on the same page, and it’s particularly important to involve your key stakeholders early on in the process.

More on this topic can be found in this article, How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery.

Lighthouse
March 18, 2021

The Impact of Schrems II & Key Considerations for Companies Using M365: The Background

In 2016, European companies doing business in the US were able to breathe a sigh of relief. The European Commission deemed the Privacy Shield to be an adequate privacy protection. For the next half a decade, this shield, as well as Standard Contractual Clauses (SCCs), created the foundation upon which most global businesses were able to manage the thousands of data transfers that occur in each of their business days.Everything changed in July 2020 when the Court of Justice of the European Union gave its seismic judgment in a case generally known as Schrems II. As we will see, the decision has a particular impact on any companies relying on, or moving to, a cloud computing strategy. Businesses have been left needing to make a risk decision with seemingly no ideal outcome. Some legal, privacy, and compliance teams may be advocating for staying away from a cloud approach in light of the decision. The business teams, however, are focused on the vast array of benefits that cloud software offers.So what is the right decision? Where does the law stand and how do you manage your business in this uncertain time? In this four-part blog series, we’ll explain the impact of Schrems II, provide practical tips for companies in the midst of making a cloud decision, give specific advice regarding companies who have, or are implementing, Microsoft’s cloud offering (M365), and offer our view as to the future.Schrems II and Its ImpactFirst, let;s look at the Schrems II decision. The background to the case is well worth exploring but for the sake of brevity and providing actionable information we’ll focus on the outcome and the consequences. 
The key outcomes impact the two primary ways in which most data transfers between Europe and the US:The EU-US Privacy Shield was invalidated with immediate effect.SCCs (the template contracts created by the EU Commission which are the most common way in which data is moved from the EU) were declared valid, but companies using SCCs could no longer just sign up and send. A company relying on SCCs would have to verify on a case-by-case basis that the personal data being transferred was adequately protected. This process is sometimes called a Transfer Impact Assessment, although the court did not coin that phrase. If the protection is inadequate, then additional safeguards could be needed.The consequences of the decision are still revealing themselves, but as things stand:The Privacy Shield (used by more than 5,000 mostly small-to-medium enterprises) has gone with no replacement in sight (although the Biden administration appears to recognise its importance with the rapid appointment of the experienced Christopher Hoff to oversee the process).There have been significant developments in relation to SCCs, additional safeguards, and transfer impact assessments:The US published a white paper to help organisations make the case that they should be able to send personal data to the US using approved transfer mechanisms.The European Data Protection Board (EDPB) published guidance on how to supplement transfer tools.The European Commission published draft replacement SCCs.The EDPB and the European Data Protection Supervisor adopted a joint opinion on the draft replacement SCCs requesting several amendments.There is not a clear timetable as to when the replacement SCCs or EDPB guidance (which has completed a period of publication consultation) will be finalised. The sooner the better because there seem to be inconsistencies between them. 
For example, the Schrems II judgment and the draft replacement SCCs permit a risk assessment (i.e., it is possible to conclude that personal data might not be completely protected, but that the risk is so small that the parties can agree to proceed), whereas the EDPB recommendations seem to deal in black and white with no shades between (i.e., there is either adequate protection or there is not). It will be important to monitor which, if any, of these drafts moves and in which direction. Whether the SCCs are supported with a risk assessment or with an analysis along the lines of the EDPB recommendations (or perhaps both), going forward the use of SCCs may be rather cumbersome, particularly in a cloud environment where the location and path of the data are not always crystal clear.

Companies are therefore in something of a grey triangle, the sides of which are a judgment of the highest European Court, a draft replacement to the SCCs the Court reviewed in its judgment, and draft guidance about additional safeguards. In part two of the series, we will offer companies some practical guidance on how to move forward in light of this grey triangle.

To discuss this topic further, please feel free to reach out to us.

Lighthouse
August 28, 2020

The U.S. Privacy Shield Is No Longer Valid – What Does that Mean for Companies that Transfer Data from the EU into the US?

It feels fitting that the summer of 2020 would bring us Schrems II. This surprising Court of Justice of the European Union (CJEU) decision wreaked havoc in late July by invalidating the EU-U.S. Privacy Shield and calling into question other mechanisms for transferring the personal data of EU citizens into the United States (and beyond) under the GDPR. Let’s take a deeper dive into that decision and what it means for companies that need to transfer EU citizens’ data into the U.S.

Schrems History

Schrems II is the second decision by the CJEU based on privacy complaints made against Facebook by Austrian privacy activist Max Schrems. Both cases stem from privacy concerns related to the U.S. National Security Agency (NSA)’s ability to access the personal data of EU citizens, famously disclosed by Edward Snowden in 2013.

In the first Schrems decision in 2015, the CJEU invalidated the U.S.-EU Safe Harbor Framework (the predecessor to the EU-U.S. Privacy Shield) as a means to transfer personal data from the EU into the U.S., finding that the protections afforded by the Safe Harbor Framework did not meet the fundamental privacy rights guaranteed to EU citizens within the EU.

In the aftermath of the first Schrems decision, the U.S. Department of Commerce and the EU Commission collaborated to implement the EU-U.S. Privacy Shield as a replacement for the Safe Harbor Framework, again allowing a broader mechanism for transferring personal data into the U.S. than the alternatives (namely, “standard contractual clauses” (SCCs) and “binding corporate rules” (BCRs) – more on those below). Since its implementation in 2016, over 5,000 organizations have met the requirements administered by the International Trade Administration to join the Privacy Shield.
Meeting those requirements can mean a large investment for organizations in overhauling their data privacy practices.

That brings us to Schrems II, wherein Schrems brought a second complaint against Facebook, this time challenging the validity of SCCs as a mechanism to transfer personal data into the U.S. In Schrems II, he argued that the same privacy concerns related to the NSA’s ability to access EU citizens’ personal data under the Safe Harbor Framework also applied to personal data transferred via an SCC. It should be noted here that around the same time, European privacy advocates also filed a challenge to the new EU-U.S. Privacy Shield with the European Court.

Schrems II CJEU Decision

In the Schrems II ruling in July, the CJEU ultimately decided to address both the EU-U.S. Privacy Shield and SCC issues.

The Court upheld the validity of SCCs as a means to transfer personal data from the EU into the U.S. However, rather than granting carte blanche approval, the Court laid out obligations for both parties to an SCC and for data protection supervisory authorities within the EU. Those obligations include:

- Entities that are transferring personal data of EU citizens into the U.S. must verify “on a case by case basis” that the protections afforded by the SCC can be met and that there is an “adequate level of protection” in the U.S. for the personal data of EU citizens.
- Entities that are receiving personal data of EU citizens in the U.S. have an obligation to notify the data exporter if they are unable to comply with the SCC for any reason.
- Data protection supervisory authorities within the EU have a mandatory obligation to evaluate not only the terms of the SCCs themselves, but also whether the data protections afforded by the U.S. legal system can meet those terms.
If the SCC is found to be insufficient, the supervisory authority has an obligation to stop the transfer.

This decision puts SCCs (and thereby BCRs) on shaky ground throughout the entire world, because the threshold set by the Court applies to any third country, not just the U.S. (see Questions 2 and 6 of the FAQ issued by the European Data Protection Board for more information on these points).

However, the real kicker of Schrems II for U.S.-based companies with an international presence is that the CJEU completely invalidated the EU-U.S. Privacy Shield. The Court found that the U.S. does not provide sufficient protection of EU citizens’ personal data because of the access the U.S. government has to EU citizens’ personal data and because EU citizens have no means of redress against U.S. authorities should their privacy rights be violated.

What Does Schrems II Mean for Companies that Need to Transfer Personal Data from the EU into the U.S.?

Companies that were relying on the Privacy Shield to transfer EU data into the U.S. should:

- Work to put individual SCCs or BCRs in place to achieve these transfers. There is no grace period during which a company can keep transferring data using the Privacy Shield mechanism, according to the European Data Protection Board (see Question 3 for more information).
- Continue to comply with all current Privacy Shield obligations. While the CJEU decision invalidates the Privacy Shield, it does not relieve current participant organizations of their obligations.
- Watch for further guidance from both the European Data Protection Board and the U.S. Department of Commerce (DOC). DOC and the European Commissioner for Justice issued a joint press release in early August, stating that they have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that would meet the requirements laid out by the CJEU.

Companies that rely on SCCs or BCRs as a means to transfer personal data should:

- Conduct a risk assessment to determine whether those agreements and the recipient of the data in the U.S. can provide an adequate level of data protection, according to the European Data Protection Board (see Questions 5 and 6 for more information).
- Watch for further guidance from data protection authorities in relevant countries related to SCCs and BCRs in the wake of Schrems II.

The transfer of personal data between countries is vital to the lifeblood of many companies, large and small. While Schrems II has thrown a wrench into the legality of those transfers, all is not lost. Stay tuned for updates from U.S. and EU authorities that may help ease the burden of this unexpected decision by the CJEU.

Resources for More Information

- CJEU Schrems II full decision
- CJEU press release on its Schrems II decision
- U.S. Privacy Shield Program Schrems II FAQs
- European Data Protection Board Schrems II FAQs
- Secretary of Commerce Wilbur Ross statement on the Schrems II ruling and the importance of EU-U.S. data flows
- Joint press statement from the U.S. Secretary of Commerce and the European Commissioner regarding initiated discussions for a new Privacy Shield
- UK Information Commissioner’s Office updated statement on the Schrems II decision

To discuss this topic further, please feel free to reach out to me, or take a look at other Worldwide Data Privacy blog posts.

Sarah Moran
March 26, 2021

The Impact of Schrems II & Key Considerations for Companies Using M365: The Future

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies had been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is currently no clear guidance on what to do.

It is even murkier in a cloud environment, because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft, with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving.

In this final part, we opine on what the future may hold. We can expect that in the first half of this year the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even companies adopting a “wait and see” policy in terms of taking significant steps should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.

It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers.
These changes would strengthen the position of any company doing business between Europe and the US using M365.

We do not have a crystal ball and, like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us.

Lighthouse
March 22, 2021

The Impact of Schrems II & Key Considerations for Companies Using M365: The Cloud Environment

In part one of this series, we described the state of the EU-US Privacy Shield and the mechanisms global companies have relied upon to transfer data between their multiple locations. In short, a recent decision – Schrems II – invalidated the Privacy Shield and shook the foundation of Standard Contractual Clauses (SCCs). Companies are now left asking how to respond.

In this post, we will share our view on how to navigate forward. If your organization is not already highly reliant on cloud software, we recommend weighing the benefits and risks of making that move. As you assess your options, keep in mind that this move may come at a higher cost because of the need to do periodic risk assessments during this uncertain time. For those already in the Cloud, the motto here is “do everything that you reasonably can.” The position no company wants to find itself in is one of stasis. It is difficult to see such a position being looked upon favourably should regulators start to investigate how companies are responding to Schrems II and the consequences that go along with it.

The touchstone is the EDPB guidance and its six-stage approach to assessing data transfers, which we recommend companies undertake:

1. Identify your data transfers: It is an obvious first step, although in practice this could prove challenging. You’ll need to know all the scenarios where your data is moved to a non-European Economic Area (EEA) country (at the time of writing this article, the UK, although out of Europe, is still under the European umbrella until at least the 30th of June).
2. Identify the data transfer mechanisms: You need to decide the grounds upon which the transfer is taking place, such as on the basis of an adequacy decision (this does not apply to the US), SCCs, or a specific derogation (such as consent).
3. Assess the law in the third country: You need to assess “if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” There is more guidance from the EDPB as to how the evaluation should be carried out (e.g., an independent oversight mechanism should exist). How effective or practical it is to suggest that each company has to perform its own thorough legal assessment of the entire range of relevant legislation in any importing country is open to debate, and this might be considered further as these recommendations are refined.
4. Adopt supplementary measures if necessary to level up protection of data transfers: The EDPB has published a non-exhaustive list of such measures, which essentially fall into one of three categories – technical (e.g., encryption), contractual (e.g., transparency), and organisational (e.g., involvement of a Data Protection Officer on all transfers). We’ll have a look at these measures in more detail in the next part of this series, in relation to Microsoft 365.
5. Adopt necessary procedural steps: If you have made changes to deliver the required level of protection, these need to be embedded into your operation (e.g., by means of policy).
6. Re-evaluate at appropriate intervals: This is not a job that can be completed and then left. It needs continual monitoring. There is no specific guideline as to what an appropriate interval is, but quarterly is probably a reasonable approach.

Essentially, this boils down to carrying out a risk assessment and taking steps to mitigate the risks that are uncovered. If your cloud strategy includes Microsoft 365, the next part of this blog series is a must-read. We will share what Microsoft has done in response to Schrems II as well as some specific configuration options that will influence steps 4 and 5 listed above. Bear in mind that these recommendations could change, so you should watch this space.

To continue the discussion or to ask questions, please feel free to reach out to us.

Lighthouse
March 24, 2021

The Impact of Schrems II & Key Considerations for Companies Using M365: Microsoft’s Response

In our four-part blog series on Schrems II and its impacts, we have already described the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer, so instead they need to make calculated risk assessments, weighing business need and convenience against compliance with an unknown and quickly changing legal landscape.

For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.

It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft had issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum in its standard contractual terms.
That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:

- will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; and
- will compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.

Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities of three German states (Baden-Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction, since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.

So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, to carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:

- As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps, which will help.
- The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.
- As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.
- When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe.

More specifically, there are six areas upon which you could focus:

- Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), SharePoint Online, and OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers.
- Choosing whether or not to enable applications: Certain applications, such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application that involves data being stored in the US and decide that it could operate without that application.
- Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool Teams, you can review this write-up.
- Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There are a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.
- Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when remote access by Microsoft engineers is required to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.
- Audit logs: All significant events in M365 are audited, so you should put in place a review of audit logs to support any risk assessments that you complete.

It is more than just good practice to put in place a retention policy within M365; it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR.

Microsoft is following the legal landscape closely, so expect to see quick responses from them as things change. But what kinds of changes should companies expect, and when? Read the final part of this blog series on what the future may hold.

To discuss this topic further, please feel free to reach out to us.

Lighthouse
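The six configuration areas in the post above are things an assessor has to evidence, not just list. As an added example (not code from the original post and not Microsoft’s own tooling), the following PowerShell collects a read-only snapshot of four of them (audit logging, Customer Lockbox, multi-geo mailbox regions, and retention policies) that can be attached to a transfer impact assessment. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read Exchange Online and Security & Compliance configuration; the cmdlet and property names are the module’s as the editor knows them and should be verified against your tenant.

```powershell
# Added example, not from the original post or from Microsoft: a read-only
# posture snapshot for four of the six areas discussed above (audit logs,
# Customer Lockbox, multi-geo data location, retention).
# Assumption: ExchangeOnlineManagement is installed (Install-Module
# ExchangeOnlineManagement) and the account has read access to Exchange
# Online and Security & Compliance PowerShell. Property names are as the
# editor recalls them from Microsoft's documentation; verify in your tenant.

$report = [ordered]@{}

Connect-ExchangeOnline   # interactive sign-in to Exchange Online PowerShell

# 1. Audit logs: the audit log review recommended above is only possible if
#    unified audit log ingestion is switched on for the tenant.
$auditCfg = Get-AdminAuditLogConfig
$report['UnifiedAuditLogIngestionEnabled'] = $auditCfg.UnifiedAuditLogIngestionEnabled

# Pull a seven-day sample of Exchange item events as evidence that the log
# is populated (ResultSize caps the sample; a real review would page through).
$since  = (Get-Date).AddDays(-7)
$sample = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
                                 -RecordType ExchangeItem -ResultSize 100
$report['ExchangeItemEventsSampled7d'] = @($sample).Count

# 2. Customer Lockbox: Microsoft engineer access to customer content goes
#    through an explicit approval step only when this setting is enabled.
$orgCfg = Get-OrganizationConfig
$report['CustomerLockboxEnabled'] = $orgCfg.CustomerLockBoxEnabled

# 3. Multi-geo: count mailboxes per region so the assessment can state how
#    much mail data is at rest in Europe versus elsewhere. MailboxRegion is
#    empty when multi-geo is not in use, so that case is labelled explicitly.
$byRegion = Get-Mailbox -ResultSize Unlimited |
    Group-Object -Property {
        if ($_.MailboxRegion) { $_.MailboxRegion } else { '(default geo, no region set)' }
    }
foreach ($g in $byRegion) { $report["Mailboxes in $($g.Name)"] = $g.Count }

# 4. Retention: the post stresses not keeping personal data longer than
#    necessary; enumerate retention policies from Security & Compliance PowerShell.
Connect-IPPSSession
$policies = Get-RetentionCompliancePolicy
$report['RetentionPoliciesEnabled']  = @($policies | Where-Object { $_.Enabled }).Count
$report['RetentionPoliciesDisabled'] = @($policies | Where-Object { -not $_.Enabled }).Count

# Show the snapshot and keep a dated CSV copy as assessment evidence.
$stamp = Get-Date -Format 'yyyyMMdd'
$snapshot = [pscustomobject]$report
$snapshot | Format-List
$snapshot | Export-Csv -Path ".\m365-transfer-posture-$stamp.csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the script at the interval chosen in step 6 of the EDPB approach and diff the CSVs; a mailbox region count that moves outside Europe or a retention policy that flips to disabled is the kind of change the re-evaluation is meant to catch.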
December 20, 2019

Sitting at the Same Lunch Table: 3 Key Ways to Ensure Legal and IT are in Sync

Legal and IT teams do not necessarily sit at the same lunch table (to use an over-simplified high-school analogy); however, organizations can quickly run into challenges when these teams are not aligned. As corporate data volumes and types continue to grow at record speed, it is critical to maintain a technology infrastructure that is not only secure but also satisfies the legal requirements for managing information. I recently had the privilege of chatting with Craig Shaver, the eDiscovery Program Director at Hilton Worldwide, about the challenges of this electronic data mosaic and innovative strategies to enable collaboration between these groups on the Law and Candor podcast. In this blog, I will review the key challenges we discussed as well as summarize three key solutions to overcoming them, in the hope it will help align your IT and legal teams.

To level set, the two teams have different priorities. Legal is generally focused on ensuring that the company’s data is protected and retention policies are upheld, while IT is looking for new ways to manage the ever-increasing volume of data to drive efficiency while maintaining budgets. So, when IT moves forward with new technology solutions, large data migrations, moves to the Cloud, or even simple contractual agreements and is not in sync with Legal due to other priorities or lack of communication, items may be missed, creating large downstream issues such as potentially responsive documents going uncollected, spoliation charges, or costly and time-consuming rework.

Nobody wants unforeseen charges or to lose time and money, so let’s look at some solutions to overcoming these challenges by ensuring collaboration between these two teams. Begin by:

1. Establishing Legal Processes and Policies – Legal needs to first ensure they have effective legal hold processes in place, clear and consistent policies on data retention, as well as defensible deletion policies. Without these in place there is no formal process.
2. Ensuring Participation on Both Sides – It is important to identify and designate a legal and an IT liaison to sit on various steering committees and be a part of any technology decisions, migration projects, etc. In some larger, global organizations, you may want at least two or three people from each group involved to attend these meetings, as it can be a lot of work and require travel. Legal will understand the impact on the overall eDiscovery process and can review service-level agreements and SOWs as well.
3. Continuing the Ongoing Partnership and Communication – Post project, it is important to continue to meet regularly (weekly or monthly) with key stakeholders to keep communicating about upcoming migrations, technology changes, etc., as well as to build trust and further develop relationships. Legal can help IT enforce their deployment and security policies with other departments within the company, as well as ensure GDPR compliance and other factors are considered when looking at new products.

Enacting these three solutions will help ensure your teams stay in sync. When Legal and IT sit at the same lunch table and stay in communication, organizations are more likely to experience seamless or near-seamless integration of processes, better understand project timelines, reduce friction between very busy teams, maintain a shared understanding of each other’s workloads and processes, and build trust amongst the teams, which helps with future projects and getting folks to support one another.

To discuss this topic more, reach out to me.

Bill Mariano
April 22, 2021

Navigating the Intersections of Data, Artificial Intelligence, and Privacy

While the U.S. is figuring out privacy laws at the state and federal level, artificial and augmented intelligence (AI) is evolving and becoming commonplace for businesses and consumers. These technologies are driving new privacy concerns. Years ago, consumers feared a stolen Social Security number. Now, organizations can uncover political views, purchasing habits, and much more. The repercussions of data are broader and deeper than ever.

Lighthouse (formerly H5) convened a panel of experts to discuss these emerging issues and ways leaders can tackle their most urgent privacy challenges in the webinar, “Everything Personal: AI and Privacy.”

The panel featured Nia M. Jenkins, Senior Associate General Counsel, Data, Technology, Digital Health & Cybersecurity at Optum (UnitedHealth Group); Kimberly Pack, Associate General Counsel, Compliance, at Anheuser-Busch; Jennifer Beckage, Managing Director at Beckage; and Eric Pender, Senior Director at Lighthouse (formerly with H5); and was moderated by Sheila Mackay, Managing Director at Lighthouse (formerly with H5).

While the regulatory and technology landscape continues to change rapidly, the panel highlighted some key takeaways and solutions for protecting and managing sensitive data that leaders should consider:

- Build, nurture, and utilize cross-functional teams to tackle data challenges
- Develop robust and well-defined workflows to work with AI technology
- Understand the type and quality of data your organization collects and stores
- Engage with experts and thought leadership to stay current with evolving technology and regulations
- Collaborate with experts across your organization to learn the needs of different functions and business units and how they can deploy AI
- Enable your company’s innovation and growth by understanding the data, technology, and risks involved with new AI

Develop collaboration, knowledge, and cross-functional teams

While addressing challenges related to data and privacy certainly requires technical and legal expertise, the need for strong teamwork and knowledge sharing should not be overlooked. Nia Jenkins said her organization utilizes cross-functional teams, which can pull together privacy, governance, compliance, security, and other subject matter experts to gain a “line of sight into the data that’s coming in and going out of the organization.”

“We also have an infrastructure where people are able to reach out to us to request access to certain data pools,” Jenkins said. “With that team, we are able to think through, is it appropriate to let that team use the data for their intended purpose or use?”

In addition to collaboration, well-developed workflows are paramount too. Kimberly Pack explained that her company does have a formalized team that comes together on a bi-monthly basis and defined workflows that are improving daily. She emphasized that it all begins with “having clarity about how business gets done.”

Jennifer Beckage highlighted the need for an organization to develop a plan, build a strong team, and understand the type and quality of the data it collects before adopting AI. Businesses have to address data retention, cybersecurity, intellectual property, and many other potential risks before taking full advantage of AI technology.

Engage with internal and external experts to understand changing regulations

Keeping up with a dynamic regulatory landscape requires expanding your information network. Pack was frank that it’s too much for one person to learn by themselves. She relies on following law firms, becoming involved in professional organizations and forums, and connecting with privacy professionals on LinkedIn. As she continually educates herself, she creates training for various teams at her organization, including human resources, procurement, and marketing.

“Really cascade that information,” said Pack. “Really try to tailor the training so that it makes sense for people. Also, try to have tools and infographics, so people can use it, pass it along.
Record all your trainings because everyone’s not going to show up.”

The panel discussed how their companies are using AI and whether there’s any resistance. Pack noted her organization has carefully taken advantage of AI for HR, marketing, enterprise tools, and training. She noted that providing your teams with information and assistance is key to comfort and adoption.

“AI is just a tool, right?” Pack said. “It’s not good, it’s not bad.” The privacy team conducts a privacy impact assessment to understand how the business can use the technology. Then her team places any necessary limitations and builds controls to ensure the team uses the technology ethically. Pack and Jenkins both noted that companies must proactively address potential bias and not allow automated decision-making.

Evaluate the benefits and risks of AI for your organization

The panel agreed organizations should adopt AI to remain competitive and meet consumer expectations. Pack pointed out that the purpose of AI technology is for it to learn. Businesses adopting it now will see the benefits sooner than those that wait.

Eric Pender noted advanced technologies are becoming more common for particular uses: cybersecurity breach response, production of documents (including privilege review and identifying Personally Identifiable Information (PII)), and defensible disposal. Many of these tasks have tight timelines and require efficiency and accuracy, which AI provides.

The risks of AI depend on the nature of the specific technology, according to Beckage. It’s each organization’s responsibility to perform a risk assessment, determine how to use the technology ethically, and perform audits to ensure the technology is working without unintended consequences.

Facilitate innovation and growth

It is also important to remember that in-house and outside counsel don’t have to be “dream killers” when it comes to innovation. Lawyers with a good understanding of their company’s data, technology, and ways to mitigate risk can guide their businesses in taking advantage of AI now and years down the road.

Pack encouraged compliance professionals to enjoy the problem-solving process. “Continue to know your business. Be in front of what their desires are, what their goals are, what their dreams are, so that you can actively support that,” she said.

Pender said companies are shifting from a reactive approach to a proactive one, and advised that “data that’s been defensively disposed of is not a risk to the company.” Though implementing AI technology is complex and challenging, managing sensitive, personal data is achievable, and the potential benefits are enormous.

Jenkins encouraged the “four B’s”: be aware of the data, be collaborative with your subject matter experts, be willing to learn and ask tough questions of your team, and be open to learning more about the product, what’s happening with your business team, and privacy in an ever-changing landscape.

Beckage closed out the webinar by warning organizations not to reinvent the wheel. While it’s risky to copy another organization’s privacy policy word for word, organizations can learn from the people in the privacy space who know what they’re doing.

Lighthouse
June 28, 2021

New Rules, New Tools: AI and Compliance

We live in the era of Big Data. The exponential pace of technological development continues to generate immense amounts of digital information that can be analyzed, sorted, and utilized in previously impossible ways. In this world of artificial intelligence (AI), machine learning, and other advanced technologies, questions of privacy, government regulations, and compliance have taken on a new prominence across industries of all kinds.

With this in mind, H5 recently convened a panel of experts to discuss the latest compliance challenges that organizations are facing today, as well as ways that AI can be used to address those challenges. Some key topics covered in the discussion included:

- Understanding use cases involving technical approaches to data classification.
- Exploring emerging data classification methods and approaches.
- Setting expectations within your organization for the deployment of AI technology.
- Keeping an AI solution compliant.
- Preventing the introduction of bias into your AI models.

The panel included Timia Moore, strategic risk assessment manager for Wells Fargo; Kimberly Pack, associate general counsel of compliance for Anheuser-Busch; Alex Lakatos, partner at Mayer Brown; and Eric Pender, engagement manager at H5. The conversation was moderated by Doug Austin, editor of the eDiscovery Today blog.

Compliance Challenges Organizations Are Facing Today

The rapidly evolving regulatory landscape, vastly increased data volumes and sources, and stringent new privacy laws present unique new challenges to today’s businesses. Whereas in the recent past it may have seemed like regulatory bodies were often in a defensive position, forced to play catch-up as powerful new technologies took the field, these agencies are increasingly using their own tech to go on the offensive.

This is particularly true in the banking industry and broader financial sector. “With the advent of fintech and technology like AI, regulators are moving from this reactive mode into a more proactive mode,” said Timia Moore, strategic risk assessment manager for Wells Fargo. But the trend is not limited to banking and finance. “It’s not industry specific,” she said. “I think regulators are really looking to be more proactive and figure out how to identify and assess issues, because ultimately they’re concerned about the consumer, which all of our companies are and should be as well.”

Indeed, growing demand by consumers for increased privacy and better protection of their personal data is a key driver of new regulations around the world, including the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) and various similar laws in the United States. It’s also one of the biggest compliance challenges facing organizations today, as cyber attacks are now faster, more aggressive, and more sophisticated than ever before.

Other challenges highlighted by the panel included:

- Siloed departments that limit communications and visibility within organizations
- A dearth of subject matter expertise
- The possibility of simultaneous AI requests from multiple regulatory agencies
- A more remote and dispersed workforce due to the pandemic

Use Cases for AI and Compliance

In order to meet these challenges head on, companies are increasingly turning to AI to help them comply with new regulations. Some companies are partnering with technology specialists to meet their AI needs, while others are building their own systems.

Anheuser-Busch is one such company that is using an AI system to meet compliance standards. As Kimberly Pack, associate general counsel of compliance for Anheuser-Busch, described it: “One of the things that we’re super proud of is our proprietary AI data analyst system BrewRight. We use that data for Foreign Corrupt Practices Act compliance. We use it for investigations management. We use it for alcohol beverage law compliance.”

She also pointed out that the BrewRight AI system is useful for discovering internal malfeasance as well. “Just general employee credit card abuse…We can even identify those kinds of things,” Pack said. “We’re actively looking for outlier behavior, strange patterns or new activity. As companies, we have this data, and so the question is how are we using it, and artificial intelligence is a great way for us to start being able to identify and mitigate some risks that we have.”

Artificial intelligence can also play a key role in reducing the burden from alerts related to potential compliance issues or other kinds of wrongdoing. The trick, according to Alex Lakatos, partner at Mayer Brown, is tuning the system to the right level of sensitivity—and then letting it learn from there. “If you set it to be too sensitive, you’re going to be drowned in alerts and you can’t make sense of them,” Lakatos said. “You set it too far in the other direction, you only get the instances of the really, really bad conduct. But AI, because it is a learning tool, can become smarter about which alerts get triggered.”

Lakatos also pointed out that when it comes to the kind of explanations for illegal behaviors that regulators usually want to see, AI is not capable of providing those answers. “AI doesn’t work on a theory,” he said. “AI just works on correlation.” That’s where having some smart people working in tandem with your AI comes in handy. “Regulators get more comfortable with a little bit of theory behind it.”

H5 has identified at least a dozen areas related to compliance where AI can be of assistance, including: key document retention and categorization, personally identifiable information (PII) location and remediation, first-line level reviews of alerts, and policy applicability and risk identification.

Data Classification, Methods, and Approaches

There are various methods and approaches to data classification, including machine learning, linguistic modeling, sentiment analysis, name normalization, and personal data detection. Choosing the right one depends on what companies want their AI to do.

“That’s why it’s really important to have a holistic program management style approach to this,” said Eric Pender, engagement manager at H5. “Because there are so many different ways that you can approach a lot of these problems.”

Supervised machine learning models, for instance, ingest data that’s already been categorized, which makes them great at making predictions and predictive models. Unsupervised machine learning models, on the other hand, which take in unlabeled, uncategorized information, are really good at data pattern and structure recognition.

“Ultimately, I think this comes down to the question of what action you want to take on your data,” Pender said. “And what version of modeling is going to be best suited to getting you there.”

Setting Expectations for AI Deployment

Once you’ve determined the type of data classification that best suits your needs, it’s crucial to set expectations for the AI deployment within your company. This process includes third-party evaluation, procurement, testing, and data processing agreements. Buying an off-the-shelf solution is a possibility, though some organizations—especially large ones—may have the resources to build their own. It’s also possible to create a solution that features elements of both. In either case, obtaining C-suite buy-in is a critical step that should not be overlooked. And to maintain trust, it’s important to properly notify workers throughout the organization and remain transparent throughout the process.

Allowing enough time for proper proof of concept evaluation is also key. When it comes to creating a timeline for deploying AI within an organization, “it’s really important for folks to be patient,” according to Pender. “People who are new to AI sometimes have this perception that they’re going to buy AI and they’re going to plug it in and it just works. But you really have to take time to train the models, especially if you’re talking about structured algorithms and you need to input classified data.”

Education, documentation, and training are also key aspects of setting expectations for AI deployment. Bear in mind, at its heart implementing an AI system is a form of change management.

“Think about your organization and the culture, and how well your employees or impacted team members receive change,” said Timia Moore of Wells Fargo. “Sometimes—if you are developing that change internally, if they’re at the table, if they have a voice, if they feel they’re a meaningful part of it—it’s a lot easier than if you just have some cowboy vendor come in and say, ‘We have the answer to your problems. Here it is, just do what we say.’”

Keeping AI Solutions Compliant and Avoiding Bias

When deploying an AI system, the last area of consideration discussed by the panel was how to keep the AI solution itself compliant and free of bias. Best practices include ongoing monitoring of the system, A/B testing, and mitigating attacks on the AI model.

It’s also important to always keep in mind that AI systems are inherently dependent on their own training data. In other words, these systems are only as good as their inputs, and it’s crucial to make sure biases aren’t baked into the AI from the beginning. And once the system is up and running—and learning—it’s important to check in on it regularly.

“There’s an old computer saying, ‘Garbage in, garbage out,’” said Lakatos. “The thing with AI is people have so much faith in it that it has become more of ‘garbage in, gospel out.’ If the AI says it, it must be true…and that’s something to be cautious of.”

In today’s digital world, AI systems are becoming more and more integral to compliance and a host of other business functions. Educating yourself and making sure your company has a plan for the future are essential steps to take right away.

The entire H5 webcast, “New Rules, New Tools: AI and Compliance,” can be viewed.

Mitch Montoya
March 25, 2020

How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery

Executive Summary

The GDPR and Data Subject Access Requests (DSARs) are a key reason why companies are starting to focus their attention on information governance strategically, as opposed to simply reacting each time they get a request. With GDPR, companies have seen a significant increase in DSARs, and the resulting requirement to look inwardly at their data landscape is timed perfectly with advances in cloud computing.

Inconsistent Need

Over the last 20 years, I have assisted clients in responding to triggering events such as litigation and investigations by helping to identify where their data is and how to retrieve, preserve, and filter it for legal review. Rarely have those same clients been interested in proactively implementing information governance frameworks and policies without a consistent need to do so. A General Counsel once told me they face an investigation about as often as every Olympic cycle, so they don’t prioritise resources to prepare for such an infrequent event.

The GDPR and associated DSAR obligations have provided exactly this motivation. This stick has combined with the carrot of cloud computing to provide the right mix of requirement and capability, not just to make compliance a token project stream within a company, but an enterprise-wide strategic initiative to focus on how data is generated, accessed, managed, and deleted.

Common and Civil Law Environments

Throughout my career, I have worked closely with companies in mainland Europe and the Middle East on cross-border litigation and investigations. In my experience, companies operating in civil law jurisdictions are not as familiar with the eDiscovery process as their common law counterparts unless they have faced regulatory scrutiny (such as companies in the financial services or technology industry). This is because they and their counsel do not face the same discovery obligations and thus have not traditionally focused on gathering evidence to produce to a court or third party. The result is inadequate retention procedures and disconnected strategies regarding data management.

However, one thing all companies have in common is that using technology to make data management more efficient has become essential as data volumes grow. For example, DSAR responses may not be as ‘normal’ in mainland Europe as they are in the US or UK, but they have universally added motivation to those tasked with managing data within the company.

Information Governance Buy-In

Now that awareness has increased of the significant consequences of holding certain data longer than you need, senior leadership is prioritising (even at board level) how to effectively manage data within the company. This comes at a time when most companies have moved or are moving to the Cloud. According to Microsoft, “97% of Fortune 500 and 95% of Fortune 1000 companies have Office 365.” Notably, these companies are not moving to the Cloud for compliance or eDiscovery reasons; they are doing so for overall enterprise reasons including streamlining IT operations by moving off premise, giving employees access to modern workplace tools, and for security purposes. But as a bonus, when it comes to comprehensive cloud platforms such as Office 365, information governance, compliance, and eDiscovery tools are already included.

Cloud Relevance for Legal Teams

Now that companies are shifting their focus to information governance, what can legal teams do to utilise the investment they’ve made in cloud computing? Since business efficiencies are important but not what legal is primarily concerned about, risk management is the key, and to that end, data management is the order of the day. With increased GDPR penalties looming and cloud capabilities at their disposal, lawyers are now turning to the central pillars of information governance – document retention, categorisation, preservation, defensible deletion, identification, collection, and, depending on cloud maturity, data migration.

For example, utilising functionality within Office 365, a company has a fighting chance to develop very effective and granular document retention policies that actually work and are dynamic (rather than a dusty document no one ever refers to). Categorising a document (or having it automatically categorised) when it is created, as well as determining, based on its content, when it will be deleted, is a very powerful capability. Setting email and chat message retention based on a defined policy is a significant achievement that goes a long way to limiting what data is kept and for how long.

Not Just Technology

GDPR and the Cloud have revolutionised information governance and provided the motivation and capability to address new and existing risks and inefficiencies, but for these technology solutions to work in the long term, there needs to be a strong focus on people and processes. Change management has always been the Achilles heel of technology implementation, and it is no different for Office 365 when it comes to effective information governance. First and foremost, who in the company has responsibility for the various processes needs to be determined. For example, who will respond to a DSAR? Who will create the data searches, preserve the data, and retrieve it for review? When it comes to labelling a document, what are the criteria for determining what qualifies as personal data? How does the technology assist in the decision making? How can a remediation exercise tie into an ongoing retention policy?

Overall Compliance

It is very hard for a multinational company to become 100% GDPR compliant. However, the Cloud offers significant capability for a company to take very reasonable and appropriate measures that go a long way. It’s better to be in the middle of the sheep pack than on the outside when the wolf is close, and modern cloud technology allows companies to develop enterprise-wide frameworks to better manage their data. Let the regulators worry about companies with no demonstrable plans, not those who have made comprehensive changes to their data landscape. Even for companies that are not used to the fraught discovery world of US or even UK discovery, information governance has become a key priority due to GDPR and increasingly complex data environments that can now be managed in an effective and coordinated manner.

More on this topic can be found in this article, Three Steps to Tackling Data Privacy Compliance Post GDPR. To discuss this article further, please feel free to reach out to me at

Michael Brown
July 19, 2021

Cybersecurity Defense: Recommendations for Companies Impacted by the Biden Administration Executive Order

As summarized in the first installment of our two-part blog series, President Biden recently issued a sweeping Executive Order aimed at improving the nation’s cybersecurity defense. The Order is a reaction to increased cybersecurity attacks that have severely impacted both the public and private sectors. These recent attacks have evolved to a point where industry solutions have a much more difficult time detecting encryption and file state changes in a reasonable timeframe to prevent an actual compromise. The consequence is that new and evolving ransomware and malware attacks are now getting past even the biggest solution providers and leading scanners in the industry.

Thus, while on its face many of the new requirements within the Order are aimed at federal agencies and government subcontractors, the ultimate goal appears to be to create a more unified national cybersecurity defense across all sectors. In this installment of our blog series, I will outline recommended steps for private sector organizations to prepare for compliance with the Order, as well as general best-practice tips for adopting a more preemptive approach to cybersecurity.

1. Conduct a Third-Party Assessment

First and foremost, organizations must understand their current cybersecurity posture. Given the severity and volume of recent cyberattacks, third-party in-depth or red-team assessments should be done that include not only the organization’s IT assets but also its solution providers, vendors, and suppliers. Red teaming is the process of providing a fact-driven adversary perspective as an input to solving or addressing a problem. In the cybersecurity space, it has become a best practice wherein the cyber resilience of an organization is challenged from an adversary’s or threat actor’s perspective.[1] Red-team testing is very useful for testing organizational policies, procedures, and reactions against defined, intended standards.

A third-party assessment must include a comprehensive remote network scan and a comprehensive internal scan, with internal access provided or gained, with the intent to detect and expose potential vulnerabilities, exploits, and attack vectors for red-team testing. Internal comprehensive discovery includes scanning and running tools with the intent to detect deeper levels of vulnerabilities and areas of compromise. Physical intrusion tests during red-team testing should be conducted on the facility, networks, and systems to test readiness, defined policies, and procedures.

The assessment will evaluate the ability to preserve the confidentiality, integrity, and availability of the information maintained and used by the organization and will test the security controls and procedures used to secure sensitive data.

2. Integrate Solution Providers and IT Service Companies into Plans to Address the Above Executive Order Steps

To accurately assess your organization’s risk, you first have to know who your vendors, partners, and suppliers are with whom you share critical data. Many organizations rely on a complex and interconnected supply chain to provide solutions or share data. As noted above, this is exactly why the Order will eventually broadly impact the private sector. While on its face the Order only seems to impact federal government and subcontractor entities, those entities’ data infrastructures (like most today) are interconnected environments composed of many different organizations with complex layers of outsourcing partners, diverse distribution routes, and various technologies to provide products and services – all of whom will have to live up to the Order’s cybersecurity standards. In short, the federal government is recognizing that its vendors’, partners’, and suppliers’ cybersecurity vulnerabilities are also its own. The sooner all organizations realize this, the better.

According to recent NIST guidance, “Managing cyber supply chain risk requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services.” NIST recommends focusing on foundational practices, enterprise-wide practices, risk management processes, and critical systems. “Cost-effective supply chain risk mitigation requires organizations to identify systems and components that are most vulnerable and will cause the largest organizational impact if compromised.”[2]

In the recent attacks, hackers inserted malicious code into Orion software, and around 18,000 SolarWinds customers, including government and corporate entities, installed the tainted update onto their systems. The compromised update has had a sweeping impact, the scale of which keeps growing as new information emerges. Locking down your networks, systems, and data is just the beginning! Inquiring how your supply chain implements a Zero Trust strategy and secures their environment as well as your shared data is vitally important. A cyber-weak or compromised company can lead to exfiltration of data, which a bad actor can exploit or use to compromise your organization.

3. Develop a Plan to Address the Most Critical Vulnerabilities and Threats Right Away

Third-party assessors should deliver a comprehensive report of their findings that includes descriptions of the vulnerabilities, the risks found in the environment, and recommendations to properly secure the data center assets, which will help companies stay ahead of the Order’s mandates. The reports typically include specific data obtained from the network, any information regarding exploitation of exposures, and the attempts to gain access to sensitive data.

A superior assessment report will contain documented and detailed findings resulting from performing the service and will convey the assessor’s opinion of how best to remedy vulnerabilities. These will be prioritized for immediate action, depending upon the level of risk. Risks are often prioritized as critical, high, medium, and low risk to the environment, and a remediation plan can be developed based upon these prioritizations.

4. Develop a Zero Trust Strategy

As outlined in Section 3 of the Order, a Zero Trust strategy is critical to addressing the above steps, and must include establishing policy, training the organization, and assigning accountability for updating the policy. As defined by the National Security Agency (NSA)’s “Guidance on the Zero Trust Security Model”: “The Zero Trust model eliminates trust in any one element, node, or service by assuming that a breach is inevitable or has already occurred. The data-centric security model constantly limits access while also looking for anomalous or malicious activity.”[3]

Properly implemented Zero Trust is not a set of access controls to be “checked,” but rather an assessment and implementation of security solutions that provide proper network and hardware segmentation as well as platform micro-segmentation and are implemented at all layers of the OSI (Open Systems Interconnection) model. A good position to take is that Zero Trust should be implemented using a design where all of the solutions assume they exist in a hostile environment. The solutions operate as if other layers in a company’s protections have been compromised. This allows isolation of the different layers to improve protection by applying the Zero Trust principles throughout the environment, from perimeters to VPNs, remote access to web servers, and applications.

For a true Zero Trust enabled environment, focus on cybersecurity solution providers that qualify as “Advanced” in the NSA’s Zero Trust Maturity Model, as defined in the NSA’s cybersecurity paper “Embracing a Zero Trust Security Model.”[4] This means that these solution providers will be able to deploy advanced protections and controls with robust analytics and orchestration.

5. Evaluate Solutions that Pre-emptively Protect Through Defense-In-Depth

In order to further modernize your organization’s cybersecurity protection, consider full integration and/or replacement of some existing cybersecurity systems with ones that understand the complete end-to-end threats across the network. How can an organization implement confidentiality and integrity for breach prevention? Leverage automated, preemptive cybersecurity solutions, as they possess the greatest potential for thwarting attacks and rapidly identifying any security breaches to reduce time and cost. Use a Defense-in-Depth blueprint for cybersecurity to establish outer and inner perimeters, enable a Zero Trust environment, establish proper security boundaries, provide confidentiality for proper access into the data center, and support capabilities that prevent data exfiltration inside sensitive networks.

Implement a solution to continuously scan for and detect ransomware, malware, and unauthorized encryption that does NOT rely on API calls, file extensions, or signatures for data integrity. Solutions must have built-in protections leveraging multiple automated defense techniques, deep zero-day intelligence, honeypot sensors, and file-state technologies working together to preemptively protect the environment.

Conclusion

As noted above, Cyemptive recommends the above steps in order to take a preemptive, holistic approach to cybersecurity defense. Cyemptive recommends initiating the above process as soon as possible – not only to comply with potential government mandates brought about by President Biden’s Executive Order, but also to ensure that organizations are better prepared for the increased cybersecurity threat activity we are seeing throughout the private sector.

[1] “Red Teaming for Cybersecurity.” ISACA Journal, October 18, 2018.
[2] “NIST Cybersecurity & Privacy Program: Cyber Supply Chain Risk Management (C-SCRM).” NIST, May 2021.
[3] “NSA Issues Guidance on Zero Trust Security Model.” NSA, February 25, 2021.
[4] “Embracing a Zero Trust Security Model.” NSA Cybersecurity Information, February 2021.

Lighthouse
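Step 5 above calls for detecting unauthorized encryption without relying on file extensions, signatures, or API hooks. The simplest content-only signal for that is the byte distribution of the file itself: a document, spreadsheet, or config file has a skewed distribution (Shannon entropy of roughly 4 to 6 bits per byte), while ciphertext is close to uniform (near 8 bits per byte). The detector below, an added illustration that is not code from the original post, from Cyemptive, or from Lighthouse, records a per-file entropy baseline and then flags known files whose entropy jumps into the ciphertext band, escalating when several files flip in one sweep (the mass-change pattern of ransomware). All file names, contents, and thresholds are constructed or assumed values; the pseudo-random bytes stand in for encrypted output so the example runs offline.

```python
"""Entropy-based detector for unauthorized in-place encryption.

Added illustration, not code from the original post or the vendors it names.
Looks only at the bytes of each file (no extensions, signatures, or API
hooks). All file names, contents, and thresholds below are constructed.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tunables (assumed values; calibrate against your own file population).
HIGH_ENTROPY = 7.5        # bits per byte; encrypted or compressed data sits near 8.0
MIN_ENTROPY_JUMP = 2.0    # rise versus baseline needed before a known file is flagged
MASS_CHANGE_COUNT = 3     # flagged files in one sweep before severity escalates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    baseline_entropy: Optional[float]   # None when the file was never baselined
    current_entropy: float
    reason: str


class EncryptionChangeDetector:
    """Keeps a per-file entropy baseline and reports suspicious shifts."""

    def __init__(self) -> None:
        self.baseline: Dict[str, float] = {}

    def learn(self, snapshot: Dict[str, bytes]) -> None:
        """Record entropy of known-good files (path -> content)."""
        for path, data in snapshot.items():
            self.baseline[path] = shannon_entropy(data)

    def sweep(self, snapshot: Dict[str, bytes]) -> List[Finding]:
        findings: List[Finding] = []
        for path, data in snapshot.items():
            current = shannon_entropy(data)
            base = self.baseline.get(path)
            if base is None:
                # Unknown file: only its own byte distribution can be judged.
                if current >= HIGH_ENTROPY:
                    findings.append(Finding(path, None, current, "new high-entropy file"))
                else:
                    self.baseline[path] = current
            elif current >= HIGH_ENTROPY and current - base >= MIN_ENTROPY_JUMP:
                # A document-like file turned ciphertext-like: the classic sign of
                # in-place encryption. The baseline is left untouched so the
                # original state stays the reference for later sweeps.
                findings.append(Finding(path, base, current, "entropy jump on known file"))
            else:
                # Benign edit, or a file that was already compressed/encrypted when
                # baselined (an archive, for example): update and move on.
                self.baseline[path] = current
        return findings


def severity(findings: List[Finding]) -> str:
    """Many files flipping in one sweep looks like ransomware, not one odd file."""
    if len(findings) >= MASS_CHANGE_COUNT:
        return "critical"
    return "warning" if findings else "none"


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def run_demo() -> Tuple[List[Finding], str]:
    """Baseline a constructed file set, then sweep after three files are 'encrypted'."""
    known_good = {
        "invoice.txt": b"Invoice 1043: 12 pallets acetyl resin, net 30 days.\n" * 40,
        "notes.md": b"# Q3 retention review\n- confirm DSAR workflow owner\n" * 30,
        "quarterly.csv": b"quarter,incidents,volume_gb\nQ3,2,1480\n" * 35,
        "config.ini": b"[scan]\ninterval=60\npaths=/data\n" * 10,
        "backup.zip": _pseudo_ciphertext(seed=7),  # legitimately compressed: high entropy from day one
    }
    detector = EncryptionChangeDetector()
    detector.learn(known_good)

    later = dict(known_good)
    later["invoice.txt"] = _pseudo_ciphertext(seed=1)        # encrypted in place
    later["notes.md"] = _pseudo_ciphertext(seed=2)
    later["quarterly.csv"] = _pseudo_ciphertext(seed=3)
    later["config.ini"] = known_good["config.ini"] + b"verbose=true\n"  # ordinary edit
    later["README"] = b"Recovery contact: security@example.test\n"      # new plain-text file

    findings = detector.sweep(later)
    return findings, severity(findings)


if __name__ == "__main__":
    found, sev = run_demo()
    for f in found:
        print(f"{f.path}: {f.reason} (baseline={f.baseline_entropy}, now={f.current_entropy:.2f})")
    print("severity:", sev)
```

Two design points matter in practice. The already-compressed archive is never flagged even though its entropy is high, because the check on known files is a jump relative to the baseline, not an absolute level; that is what keeps a content-only detector from drowning in alerts on ZIPs, images, and legitimately encrypted stores. And the baseline for a flagged file is deliberately not refreshed, so that a second sweep still compares against the pre-encryption state rather than quietly accepting the ciphertext as the new normal.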
May 18, 2020

Cybersecurity in eDiscovery: Protecting Your Data from Preservation through Production

Now more than ever, data security has become priority number one, especially in the context of litigation and eDiscovery. And as the worlds of eDiscovery, information governance, and cybersecurity continue to rapidly converge, cybersecurity incidents are alarmingly on the rise, showcasing all of the weaknesses in an organization’s information governance system. Addressing cybersecurity continues to be a top challenge in eDiscovery. Many are unsure if their own internal processes are safe, not to mention those of the vendors who manage their outsourced eDiscovery.

So, how can you protect your ESI all the way from preservation and collection to review and production? In a Law and Candor podcast episode, special guest David Kessler, Head of Data and Information Risk at Norton Rose Fulbright US LLP, discussed with our hosts the diverse set of challenges that arise with data security at each stage of the EDRM. Most understand that the right methods start with implementing the fundamentals of cybersecurity, but some have learned the hard way that you can’t fix a house built on a shaky foundation after a cybersecurity disaster strikes. With the protection of client ESI first and foremost top of mind, here are some of the most pressing cybersecurity challenges in eDiscovery as well as actionable solutions.

Cybersecurity Challenges in eDiscovery

The intersection of information governance, eDiscovery, and data security: The nature of data has evolved such that eDiscovery and information governance naturally intersect with data privacy and security. We’ve learned that issues around data access are very similar to eDiscovery issues, and the next challenge is learning how to operate the areas together cohesively. In addition, with the shift to scrutiny on privacy and what can be done with personal data, we now know almost all cases that involve ESI have tremendous privacy concerns.

The important role eDiscovery plays in cybersecurity: Gone are the days when confidential data relevant to litigation was found primarily in email and simply on computers. Now, data is created and stored across a wide variety of mediums and the amount of data continues to grow at an exponential rate. For cyber criminals, this is a gold mine of confidential data to access and steal.

The outstanding security gaps throughout the EDRM: Historically, we’ve been focused on the responding parties’ obligations to securely undertake discovery. The business process of eDiscovery is primarily about collecting, copying, and transferring data outside of an organization, which creates concerns about securing that information at every stage of the process. Both the responding and requesting parties need to find a way to collaboratively and cooperatively work together at the beginning of a case to ensure data is protected through the entire EDRM lifecycle.

The weakest part of the cybersecurity chain is when you hand over sensitive data: How do we help clients make sure their data isn’t accidentally or intentionally taken from them during the eDiscovery process? Everyone from eDiscovery vendors to law firms has an obligation to shore up their security, and organizations have a responsibility to thoroughly vet those partners as they hand over their most sensitive data. In the EDRM, attention has shifted to making sure cybersecurity protections span the entire EDRM, and the last step that hasn’t received much attention is making sure the requesting party is taking the appropriate steps to secure the data once they receive it.

Cybersecurity Solutions in eDiscovery

Shore up cybersecurity contracts and repurpose existing security riders: When an organization engages law firms and eDiscovery vendors to handle discovery, it’s important they work closely with their data security IT team. These teams can help to repurpose some of the standard security riders from other contracts and use them to create new contracts with the appropriate protections in place.

Establish comprehensive protective orders at the beginning of cases: With respect to the requesting party, to whom you will ultimately be producing the data, ensure that early in the case you’ve negotiated a comprehensive protective order that includes reasonable and proportionate requirements for the protection of data. In that protective order (and a step that’s often forgotten), follow up and confirm the data you produced has been deleted after a case is over.

Keep open lines of communication with law firms and eDiscovery vendors: Your discovery partners understand and have a significant stake in their security reputations. They have a strong motivation to work with you to execute risk assessments and other agreements that contain the necessary security provisions to ensure your data is safe at every step of the process. Also, include a breach notification order in case data is accidentally lost or there’s an attack.

Focus on things you can do to strengthen your productions: Think about the most efficient ways to reduce the number of copies involved in productions where appropriate. For example, use redaction as much as possible and consequently produce fewer copies of data. Don’t produce sensitive and irrelevant portions of data – redact them instead.

Ultimately, most people have become acutely aware of the vulnerabilities that exist in data security as it travels through the EDRM, and as law firms and eDiscovery vendors become accustomed to deeper vetting, it’s at the production stage where the biggest security vulnerabilities seem to remain. To get ahead of all aspects of potential cybersecurity failures, the use of well-written protective orders will get you a long way. Requirements in protective orders can ensure all parties take reasonable steps to protect data from third-party hackers and unauthorized access, as well as include protections based on encryption, access controls, passwords,

Lighthouse
January 22, 2021

Cloud Security and Costs: How to Mitigate Risks Within the Cloud

When it comes to storing organizational data in the Cloud, a few phrases come to mind: the train has left the station; the ship has sailed; the horse is out of the barn, etc. No matter how you phrase it, the meaning is the same – the world is moving to the Cloud, with or without you. It is no longer an oncoming revolution. The revolution is here, and your organization needs to prepare for dealing with data in the Cloud, if it hasn’t already. With that in mind, let’s talk cloud logistics – namely, security and cost.

First up to the Plate – Cloud Security

You might have heard the analogy circulating in technology forums recently that storing your data within the Cloud is akin to storing data on someone else’s hard drive. Unfortunately, from a security perspective, that’s not quite an accurate analogy (although life would be much easier if it were true).

Don’t get me wrong - a significant benefit of moving to the Cloud is that it allows an organization to transfer much of the day-to-day security management to a technology company with the resources and expertise to handle that risk. Thus, if you are moving to a private cloud (i.e., renting data center space for your equipment), you can ease security concerns by ensuring that the hosting company maintains widely recognized security attestations/certifications and has a demonstrated commitment to data center security in accordance with strict vendor management risk processes. And of course, there’s always the reassurance when moving to a public cloud (Microsoft’s Azure or Amazon’s AWS) that you’re entrusting your data to companies with seemingly infinite security resources and expertise. That all certainly helps me sleep better at night.

However, working within the Cloud still poses unique internal security challenges that will only amplify any of your existing security weaknesses if you’re not prepared for them. To put it another way: ISO certifications from cloud service providers cannot protect you from yourself.

Risk, governance, and compliance teams will need to identify, plan for, and adapt to internal security challenges. To do so, be sure to have a change management and review approval process in place (ideally before moving to the Cloud, but if not, as soon as possible once you’ve migrated). Also, ensure that your company has someone on hand (either through a vendor or within your IT staff) with the expertise needed to manage your internal cloud security and who can stay abreast of all updates and changes.

Next up – Cost

To plan for a cloud migration, all stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) should have a seat at the table and a plan in place for scaling up in the Cloud. Each team should understand the plan and process, as well as the role their team plays in controlling cost and risk for the company.

Cloud Security and Costs Best Practices

To plan for security risk in the Cloud, companies should ensure that:

- All cloud service providers are fully vetted, security certified, and have the requisite posture in place to fully protect your data.
- Company internal processes are evaluated for security risks and gaps. Have a change management and review approval process in place, and ensure that you have the experts on hand to manage your cloud security practices and stay abreast of all updates and changes.

To plan for costs, companies should ensure that:

- All stakeholders (including Legal Operations, Finance, DevOps, Security, and IT) collaborate and have a plan in place for scaling up within the Cloud when needed.
- Each team understands the plan and process, as well as the role their team plays in controlling cost and risk for the

By Marcelino Hoyla
July 16, 2021

Cybersecurity Defense: Biden Administration Executive Order a Great Start Towards a More Robust National Framework

On May 12, President Biden issued a landmark Executive Order (“the Order”) aimed at improving the country’s cybersecurity threat defense. This Order is an attempt to create a “whole of government” response to increasingly frequent cybersecurity incidents that have wreaked havoc in the United States in recent months, affecting everything from energy supplies to healthcare systems to IT infrastructure. In addition to becoming more frequent, recent cyberattacks have also become increasingly sophisticated – and even somewhat professional. In response to these attacks, the Biden administration seeks to build a national security framework that aligns the Federal government with private sector businesses in order to “modernize our cyber defenses and enhance the nation’s ability to quickly and effectively respond to significant cybersecurity incidents.” Prior to this Order, there was no unified system to report or respond to cybersecurity threats and breach incidents. Instead, there is currently a patchwork of state legislation and separate federal government agency protocols, all with differing reporting, notification, and response requirements.

In the first of this two-part blog series, I will broadly outline the details of this Order and what it will mean for private sector companies in the coming years. In the second installment, Rob Pike (CEO and Founder of Cyemptive Technologies) will provide guidance on how to set up your organization for compliance with the Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach.

What is in President Biden’s Executive Order on Improving the Nation’s Cybersecurity

There are nine main sections to the Order, which are summarized below.

Section 1: Policy

This section outlines the overall goal of the Order – namely that, with this Order, the Federal government is intent on making “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” To do so, the Order states that the government must improve its efforts to “identify, deter, protect against, detect, and respond to” cybersecurity attacks. While this may sound like a purely governmental task, the Order specifically states that this defense will require partnership with the private sector.

Section 2: Removing Barriers to Sharing Threat Information

As noted above, prior to this Order, there was no unified system for sharing information regarding threats and data breaches. In fact, separate agency procurement contract terms may actually prevent private companies from sharing that type of information with federal agencies, including the FBI. This section of the Order responds to those challenges by requiring the government to update federal contract language with IT service providers (including cloud service providers) to require the collection and sharing of threat information with the appropriate government agencies. While the Order currently only speaks to federal subcontractors, it is expected that this information-sharing requirement will have a trickle-down effect across the private sector, with purely private companies falling in line to share threat information once federal subcontractors are required to do so.

Section 3: Modernizing Federal Government Cybersecurity

This section calls for the federal government to adopt security best practices – and is specifically aimed at adopting Zero Trust Architecture and pushing a move to secure cloud services, including “Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).” It requires that each government agency update plans to prioritize the adoption and use of cloud technology and develop a plan to implement Zero Trust Architecture, in part by incorporating the migration steps outlined by the National Institute of Standards and Technology (NIST).

Section 4: Enhancing Software Supply Chain Security

This section deals with increasing the cybersecurity standards of software sold to the government. It specifically calls out the fact that the development of commercial software “often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” It therefore calls for “more rigorous and predictable mechanisms for ensuring that products function securely.” Thus, this section calls for NIST to issue new security guidelines for software used by the government. These new guidelines will include encryption requirements, multi-factor and risk-based authentication requirements, vulnerability detection and disclosure programs, and trust relationship audits, among others.

Section 5: Establishing a Cyber Safety Review Board

This section establishes a federal Cyber Safety Review Board, which will convene following significant cyber incidents, providing recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices. It will be made up of federal officials, as well as representatives from private sector entities.

Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

This section again speaks to the patchwork of differing vulnerability and incident response procedures that currently exists across multiple federal agencies. The goal here is to create a standard set of operational procedures (or a playbook) for cybersecurity vulnerability and incident response activity. The playbook will have to incorporate all appropriate NIST standards, be used by all Federal Civilian Executive Branch (FCEB) Agencies, and spell out all phases of incident response.

Sections 7 and 8: Improving Detection, Investigation, and Remediation of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

These two sections focus on creating a unified approach to the detection, investigation, and remediation of cybersecurity vulnerabilities and incidents. Section 7 focuses on improving detection – mandating that all FCEB agencies deploy an “Endpoint Detection and Response (EDR)” initiative to support proactive detection of cybersecurity incidents, and establishing a procedure for the implementation of threat hunting and detection, as well as inter-agency information sharing around threat detection. Section 8 is focused on improving the government’s investigative and remediation capabilities – namely, by establishing requirements for agencies and their IT service providers to collect, maintain, and share specified information from Federal Information System network logs.

Section 9: National Security Systems

This section requires the Secretary of Defense to adopt National Security System requirements that are at least equivalent to the requirements spelled out by the above sections in the Order.

Who Will This Impact?

As noted above, while the Executive Order is aimed at shoring up the federal government’s cybersecurity detection and response systems, its impacts will be felt throughout much of the private sector. That isn’t a bad thing! A patchwork cybersecurity system is clearly not the best way to respond to the increasingly sophisticated cybersecurity incidents currently threatening both the United States government and the private sector. Responding to these threats requires a robust, unified national cybersecurity system, which in turn requires updated and unified cybersecurity standards across both government agencies and private sector companies. This Executive Order is a great stepping stone towards that goal.

As far as timing for private sector impacts: the first impacts will be felt by software companies and other organizations that directly contract with the federal government, as there are direct requirements and implications for those entities spelled out within the Order. Many of those requirements come into play within 60 days to a year after the date of the Order, so there may be a quick turnaround to comply with any new standards for those organizations. Impacts are then expected to trickle down to other private sector organizations: as government subcontractors update policies and systems to comply with the Order, they will in turn require the companies that they do business with to comply with the new cybersecurity standards. In this way, the Order actually creates an opportunity for the federal government to create a cybersecurity floor with which most companies in the US will eventually have to comply.

Conclusion

Detecting and defending against cybersecurity threats is an increasingly difficult worldwide challenge – a challenge to which, currently, no perfect defense exists. However, with this Order, the United States is taking a step in the right direction by creating a more unified cybersecurity standard and network that will encourage better detection, investigation, and mitigation.

Check out the second installment of this blog series, where Rob Pike, CEO and Founder of Cyemptive Technologies, provides guidance on how to set up your organization for compliance with the Executive Order, as well as general best-practice tips for adopting a preemptive cybersecurity approach. If you would like to discuss this topic further, please reach out to me at

By Erin Rubenstein
February 24, 2020

Beyond HIPAA: Protecting Private Data in Healthcare Fraud Matters

When it comes to data privacy in healthcare fraud investigations and litigation, there is more than HIPAA to consider. Fraud investigations and litigation in the healthcare industry are growing. Whether these matters are handled internally or involve external parties to produce to, increased regulatory scrutiny — coupled with vast amounts of data generated by healthcare organizations — has created a pressing need for such organizations to become more adept at comprehensively inventorying, accessing, and reviewing internal data sources for potential fraud.

A perennially tricky issue, and one that is only getting thornier, concerns how to treat sensitive, private data in a healthcare context. Healthcare organizations need to be mindful not only of carefully managing protected health information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA), but also protected consumer information, which is now subject to regulations such as the California Consumer Privacy Act. Challenges and costs related to being compliant with these regulations are growing and are shaping up to be just as substantial as managing privilege in litigation.

Healthcare data: What privacy rules apply?

To make sure these new compliance requirements do not inadvertently extend timelines or burn through budgets, those managing healthcare fraud matters need to proactively take stock of which regulatory regimes concerning personal data are applicable in their case and which data sets being reviewed in their matter could potentially contain personal data subject to regulation.

Now, there is certainly a gray area in distinguishing between protected health information and protected consumer information in a healthcare context. Technically, information is PHI (and therefore subject to HIPAA) if it is created or received by a healthcare provider or health plan. But in today’s data-driven environment, there are a variety of touchpoints between consumers and healthcare services (e.g., marketing data analytics, customer service records, fitness app logs, fringe benefit tracking) that defy traditional understandings of what exactly differentiates PHI from a broader pool of potentially protected consumer data.

So, whether subject to HIPAA or CCPA or other privacy mandates, healthcare companies nowadays need to be able to track potentially protected information across all of their data sources, including those not traditionally considered sensitive in that they do not contain information such as health histories, lab test results, or medical bill information.

Healthcare fraud: Muddying the data privacy waters

The nature of healthcare fraud further complicates an approach to identifying and appropriately treating sensitive personal data. Matters related to false claims, physician self-referral, Medicaid/Medicare fraud, improper kickbacks, or non-compliant contract and billing practices (to name a few) most often require delving into internal email communications to understand to what extent a fraudulent pattern exists within the organization under investigation, thus enlarging the data pool subject to privacy mandates.

The internal work of sorting out billing and coding issues is a messy affair that involves relaying a variety of details of specific patient treatment across multiple related emails. Methodically tracking how these questions get resolved internally over time is at the heart of good healthcare fraud investigation and litigation practice. And carefully treating the sensitive data involved in these conversations is a responsibility that comes with it. If, for instance, you are relying on techniques to extract personal data that have only been tested on structured electronic medical records, you will be missing data that is potentially protected in relevant email discussions.

Similar to the task of finding potentially privileged information in large document sets, identifying and treating personal data in healthcare fraud requires its own dedicated workflow, leveraging a mix of tools and methods. The key to successful identification and treatment of protected personal data is being deliberate about the process you design and implement, and specific about the tools you are integrating into,

By Lighthouse
February 25, 2021

AI and Analytics: New Ways to Guard Personal Information

Big data can mean big problems in the ediscovery and compliance world – and those problems can be exponentially more complicated when personal data is involved. Sifting through terabytes of data to ensure that all personal information is identified and protected is becoming an increasingly painstaking and costly process for attorneys today.

Fortunately, advances in artificial intelligence (AI) and analytics technology are changing the landscape and enabling more efficient and accurate detection of personal information within data. Recently, I was fortunate enough to gather a panel of experts together to discuss how AI is enabling legal professionals in the ediscovery, information governance, and compliance arenas to identify personally identifiable information (PII) and protected health information (PHI) more quickly within large datasets. Below is a summary of our discussion, along with some helpful tips for leveraging AI to detect personal information.

Current Methods of Personal Data Identification

Similar to the slower adoption of AI and analytics to help with the protection of attorney-client privileged information (compared to the broader adoption of machine learning to identify matter-relevant documents), the legal profession has also been slow to leverage technology to help identify and protect personal data. Thus, the identification of personal data remains a very manual and reactive process, where legal professionals review documents one by one on each new matter or investigation to find personal information that must be protected from disclosure.

This process can be especially burdensome for the pharmaceutical and healthcare industries, as there is often much more personal information within the data generated by those organizations, while the risk of failing to protect that information may be higher due to healthcare-specific patient privacy regulations like HIPAA.

How Advances in AI Technology Can Improve Personal Data Identification

There are a few ways in which AI has advanced over the last few years that make new technology much more effective at identifying personal data:

Analyzing More Than Text: AI technology is now capable of analyzing more than just the simple text of a document. It can now also analyze patterns in metadata and other properties of documents, like participants, participant accounts, and domain names. This results in technology that is much more accurate and efficient at identifying data more likely to contain personal information.

Leveraging Past Work Product: Newer technology can now also pull in and analyze the coding applied on previous reviews without disrupting workflows in the current matter. This can add incredible efficiency, as documents previously flagged or redacted for personal information can be quickly removed from personal information identification workflows, thus reducing the need for human review. The technology can also help further reduce the amount of attorney review needed at the outset of each matter, as it can use many examples of past work product to train the algorithms (rather than training a model from scratch based on review work in the current matter).

Taking Context into Account: Newer technology can now also perform a more complicated analysis of text through algorithms that can better assess the context of a document. For example, advances in Natural Language Processing (NLP) and machine learning can now identify the context in which personal data is often communicated, which helps eliminate previously common false hits like mistakenly flagging phone numbers as social security numbers.

Benefits of Leveraging AI and Analytics when Detecting Sensitive Data

Arguably the biggest benefit of leveraging new AI and analytics technology to detect personal information is cost savings. The manual process of personal information identification is not only slower, but it can also be incredibly expensive. AI can significantly reduce the number of documents legal professionals would need to look through, sometimes by millions of documents. This can translate into millions of dollars in review savings, because this work is often performed by legal professionals who are billed at an hourly rate.

Not only can AI utilization save money on a specific matter, but it can also be used to analyze an entire legal portfolio so that legal professionals have an accurate sense of where (and how much) personal information resides within an organization’s data. This knowledge can be invaluable when crafting burden arguments for upcoming matters, as well as for better understanding the potential costs of new matters (and thus helping attorneys make more strategic case decisions).

Another key benefit of leveraging AI technology is the accuracy with which this technology can now pinpoint personal data. Not only is human review much less efficient, but it can also lead to mistakes and missed information. This increases the risk for healthcare and pharmaceutical organizations especially, which may face severe penalties for inadvertently producing PHI or PII (particularly if that information ends up in the hands of malevolent actors). Conducting quality control (QC) with the assistance of AI can greatly increase the accuracy of human review and ensure that organizations are not inadvertently producing individuals’ personal information.

Best Practices for Utilizing AI and Analytics to Identify Personal Data

Prepare in Advance: AI technology should not be an afterthought. Before you are faced with a massive document production on a tight deadline, make sure you understand how AI and analytics tools work and how they can be leveraged for personal data identification. Have technology providers perform proof of concept (POC) analyses with the tools on your data and demonstrate exactly how the tools work. Performing POCs on your data is critical, as every provider’s technology demos well on generic data sets. Once you have settled on the tools you want to use within your organization, ensure your team is well trained and ready to hit the ground running. This will also help ensure that the technology you choose fits with your internal systems and platforms.

Take a Global Team Approach: Prior to leveraging AI and analytics, spend some time working with the right people to define what PII and PHI you have an obligation to identify, redact, or anonymize. Not all personal information will need to be located or redacted on every matter or in every jurisdiction, but defining that scope early will help you leverage the technology for the best use cases.

Practice Information Governance: Make sure your organization is maintaining proper control of networks, keeping asset lists up to date, and tracking who the business and technical leads are for each type of asset. Also, make sure that document retention policies are enforced and that your organization is maintaining controls around unstructured data. In short, becoming a captain of your content and running a tight ship will make the entire process of identifying personal information much more efficient.

Think Outside the Box: AI and analytics tools are incredibly versatile and can be useful in a myriad of different scenarios that require protecting personal information from disclosure. From data breach remediation to compliance matters, there is no shortage of circumstances that could benefit from the efficiency and accuracy that AI can provide. When analyzing a new AI tool, bring security, IT, and legal groups to the table so they can see the benefits and possibilities for their own teams. Also, investigate your legal spend and have other teams do the same. This will give you a sense of how much money you are currently spending on identifying personal information and which areas can benefit from AI efficiency the most.

If you’re interested in learning more about how to leverage AI and analytics technology within your organization or law firm, please see my previous articles on how to build a business case for AI and win over AI naysayers within your organization.

To discuss this topic more or to learn how we can help you make an apples-to-apples comparison, feel free to reach out to me at

By Lighthouse
January 12, 2022

2021 Data Privacy Overview: New Regulations and Guidance

While everyone hoped that 2021 would be less tumultuous than 2020, it certainly did not turn out that way in the end. The same was true in the world of data privacy – with sweeping new data protection regulations and guidance issued throughout the year that made significant ripples. Below is a summary of some of the most important data privacy changes that will impact companies operating in the United States, Europe, and China in 2022 and beyond.US Regulation ChangesVirginia Consumer Data Protection Act (VCDPA)What it Does: Similar to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (jointly, the first GDPR-like data protection regulations passed within the US), the new Virginia regulation is a comprehensive data protection law that bestows certain rights and protections to Virginia residents regarding the use of their personal data, including:The right to opt out of having their data sold or used for targeted advertising, as well as the right to opt out of having their data used for “profiling” (i.e., using a person’s personal data to evaluate, analyze, or predict aspects of their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).The right to request that companies provide information about the personal data they have collected from them, and have it corrected or deleted.The right to request a free copy of their personal data in a portable, readily usable format.The law also requires companies to gain permission from citizens before collecting certain classes of highly sensitive personal data, including racial or ethnic origin, genetic data, and geolocation. The new law does not provide for a private right of action (i.e., it does not allow individuals to bring lawsuits against companies for data privacy rights violations). Instead, the law will be enforced by the state’s Attorney General.Who it applies to: All Virginia residents have rights under the VCDPA. 
Any company or organization that conducts business in Virginia and meets either of the following two criteria must comply with its requirements:Controls or processes personal data of at least 100,000 consumers; orDerives over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.Note that there are broad exemptions for financial institutions, as well as organizations or businesses that are governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.When it takes effect: Jan. 1, 2023When it was passed: March 2, 2021Other notes: Tech industry trade groups and businesses heavily supported the VCDPA. Colorado Privacy Act (CPA)What it Does: Following in the footsteps of California and Virginia, Colorado was the third state to pass a comprehensive GDPR-like data privacy law. The new law conveys data privacy rights to Colorado residents that are nearly identical to the VCDPA, including:The right to opt out of the use of their personal data for sale or targeted advertising, as well as for the use in profiling decisions that would have legal or significant effects to the consumer (such as the use of personal data that may affect decisions regarding consumer lending, financial, housing, and insurance decisions).The right to request that companies provide information about the personal data they have collected from them, and request that it either be corrected or deleted.The right to obtain their personal data from a company in a free “portable” and readily usable format.Similar to Virginia and California, the law also classifies “sensitive data” as a separate category of personal data that requires additional protection, including: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that 
may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. Note that Colorado’s definition of sensitive data does not include precise geolocation data, whereas Virginia and California’s data protection laws do.Who it applies to: All Colorado residents have rights under the CPA. Any company or organization that conducts business or produces commercial products or services that are intentionally targeted to Colorado residents and meet either of the following two criteria must comply with its requirements: Controls or processes personal data of at least 100,000 consumers in a calendar year; orDerives revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.The law specifically does not apply to state and local governments, state institutions of higher education, personal data governed by certain state and federal laws, and employment records.When it takes effect: July 1, 2023When it was passed: July 7, 2021Other notes: Similar to the VCDPA and to the CCPA, the CPA does not create a private right of action. Enforcement is exclusively with the state’s Attorney General and District Attorneys. Additionally, the act specifically states that a violation of its requirements is a deceptive trade practice for purposes of enforcement. Utah Cybersecurity Affirmative Defense ActWhat it does: Utah’s Cybersecurity Affirmative Defense Act provides new affirmative defenses that businesses in Utah can use to defend themselves against lawsuits arising out of a data security breach. 
The law states that an organization can affirmatively defend itself against a data security breach lawsuit alleging that it failed to implement reasonable information security controls, so long as the organization maintained and complied with a written cybersecurity program that meets certain requirements spelled out within the law.
The new law also allows an organization to defend itself against claims that it failed to appropriately respond to a cybersecurity breach, so long as its cybersecurity program had reasonable protocols in place for responding to breaches.
Additionally, an organization can defend itself against claims that it failed to appropriately notify individuals affected by a data breach if its cybersecurity program had reasonable protocols in place for notifying individuals about breaches and those protocols were followed after the breach.
In this way, the law gives Utah businesses an incentive to implement updated cybersecurity programs that protect Utah residents’ personal data more effectively, by providing defenses to data breach lawsuits if such programs are implemented and followed.
Who it applies to: Any person (which the law defines as an individual and most business organizations) that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements spelled out within the act and is in place at the time of the relevant cybersecurity breach.
When it takes effect: May 5, 2021
When it was passed: March 11, 2021
Other notes: The affirmative defenses are not available where the organization had advance notice of a cybersecurity threat or risk. The law also states that it does not create a private right of action for failing to comply (thus private citizens may not sue organizations that don’t implement cybersecurity programs meeting the requirements spelled out within the law).

California Consumer Privacy Act Amendments
What it does: The amendments update the California Consumer Privacy Act (passed in 2018) with three general changes relating to a consumer’s right to opt out of the sale of their personal information, and one change to authorized agent requests for information related to a consumer’s personal information.
The three changes relating to a consumer’s right to opt out of the sale of their information are the following:
- Any business that sells personal information that it collected offline must now inform consumers, by an offline method, of their right to opt out, including instructions on how to do so.
- The amendments authorize the use of a specific “opt-out” icon that can be used in addition to posting the notice of the right to opt out (but not in lieu of that notice).
- A business’s method for consumers to submit opt-out requests must be easy to execute, require minimal steps, and not be designed in a way that purposefully or substantially subverts or impairs a consumer’s choice to opt out.
The change regarding authorized agent requests made to a business on behalf of a consumer is the following:
When a consumer uses an authorized agent to submit a request for information about the personal data a company has collected from the consumer (or a request to change or delete that personal data), the responding business may now require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request.
The business may also require the consumer to do either of the following:
(1) Verify their own identity directly with the business.
(2) Directly confirm with the business that they provided the authorized agent permission to submit the request.
This is a change from the previous version of the law, which mandated that the consumer provide the authorized agent’s signed permission, in addition to the other two requirements listed above.
Who it applies to: All California residents have rights under the CCPA. Any for-profit business that does business in California and meets any of the following criteria must comply with the CCPA:
- Has gross annual revenue of over $25 million;
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of its annual revenue from selling California residents’ personal information.
When it takes effect: March 15, 2021
When it was passed: March 15, 2021

GDPR Changes

New Standard Contractual Clauses (SCCs) Issued by the European Commission
What it does: The SCCs are a contractual device used to help ensure that personal data transferred outside the EU is kept secure and handled in compliance with GDPR requirements: the entity receiving the data contractually agrees to protect the transferred personal data according to stringent GDPR requirements. After the 2020 invalidation of the EU-US Privacy Shield, SCCs are now one of the only viable GDPR-compliant methods for entities within the US to receive personal data from entities in Europe.
The new SCCs take into account the reasoning behind the invalidation of the EU-US Privacy Shield. Whereas the old SCCs were rigid, the new SCCs provide more flexibility. They are now “modular,” meaning entities can choose from four different models depending on the type of transaction: controller to controller; controller to processor; processor to sub-processor; and processor to controller.
They also expand the rights given to data subjects, including the right to enforce SCC provisions against both the data exporter and the data importer. Additionally, the SCCs mandate that data importers agree to EU jurisdiction (including EU courts as well as compliance with applicable EU data protection laws). There is also a new optional clause (Clause 7) that allows new parties to be added to the SCCs, as well as new Annexes that must be customized for each transaction.
Who it applies to: A data importer located in a country without an EU adequacy decision (like the US) that is not itself subject to the GDPR should use the new SCCs to receive personal data transferred from the EU, unless exceptions apply (e.g., the parties are able to rely on an alternate transfer mechanism). However, Recital 7 of the new SCCs appears to state that when the data importer is itself subject to the GDPR (for example, because the company provides goods or services to individuals living in the EU), the new SCCs cannot be used. This language has left open questions around what transfer mechanism companies should use in that situation (see below for a summary of additional guidance issued by the European Data Protection Board on this issue).
Additionally, due to Brexit, the new SCCs do not apply in the UK. The UK Information Commissioner’s Office (ICO) has launched a public consultation on drafting a new set of SCCs for use within the UK.
When it takes effect: The new SCCs became effective on June 27, 2021. Any new contracts and processing transactions taking place after September 27, 2021 must use the new SCCs.
Any contracts entered into prior to September 27, 2021 must be updated with the new SCCs by December 27, 2022.
When it was issued: June 4, 2021

New Guidance for Cross-Border Data Transfers Issued by the European Data Protection Board ("EDPB")
What it does: The invalidation of the EU-US Privacy Shield in 2020, along with the new SCCs (above), has led to uncertainty around how to comply with the GDPR when transferring data between the EU and countries such as the US that do not have an adequacy decision (i.e., a decision by the European Commission that a country outside the EU offers an adequate level of data protection for EU personal data transferred there). In particular, language within the Recitals of the SCCs states that the new SCCs only apply to data transfers between a data exporter and a data importer that is not itself subject to the GDPR. This language has left open questions around what type of transfer mechanism (if any) is needed for a transfer of data to an importer that is already subject to the GDPR.
New guidance issued by the EDPB provides concrete answers to a few of these questions and resolves some other long-standing murkiness about cross-border transfers (even if it does not resolve all uncertainty).
For example, the guidance now definitively states that a data transfer from an EU-based data exporter to a data importer based outside the EU is, in fact, a transfer within the meaning of Article 44 of the GDPR and therefore requires the importer to enter into SCCs (or possibly adopt Binding Corporate Rules). However, as noted above, if the importer is itself subject to the GDPR, Recital 7 of the new 2021 SCCs states that the new SCCs cannot be used, leaving open the question of what SCCs should be used in that situation.
Note that the minutes of the European Data Protection Board plenary meeting held in September 2021 mention that the EU Commission will issue a new set of SCCs to govern this type of data transfer.
The guidance also settled some long-standing questions around other types of transactions that are not considered transfers of data under Article 44 of the GDPR. For example, the new guidance affirmatively states that “direct collections” of personal data from individuals located within the EU do not constitute a transfer of data (because when the information is collected directly, there is no transfer between controller and processor). It also clarified that “intra-company” data transfers are not considered a transfer of data under Article 44 because a transfer requires two parties. However, note that while these transactions are not considered “transfers” under Article 44, all other applicable GDPR protections still apply and must be followed.
Who it applies to: The guidance will be particularly useful for any non-EU organization that needs to transfer or collect data from within the EU.
When it takes effect: November 19, 2021
When it was issued: November 19, 2021

Other New Regulations

China’s Personal Information Protection Law (PIPL)
What it does: China’s new Personal Information Protection Law is a GDPR-like comprehensive data protection law aimed at protecting the personal information of “natural persons” located within China. It governs how companies collect, process, and transfer the personal data of people within China and, like the GDPR, is extraterritorial in its reach, meaning it applies to companies outside of China that handle the personal data of someone located in China. Also like the GDPR, it allows individuals in China to request access to the personal data a company has collected about them and to ask for it to be corrected or deleted.
And like the GDPR, the regulation carries the risk of large fines for companies that fail to comply with its mandates, including fines of up to five percent of a company’s annual revenue. However, unlike the GDPR, failure to comply also carries the risk of being “blacklisted” by the Chinese government, as well as possible criminal penalties.
Multinational organizations with Chinese employees should also be aware that the law contains specific regulations regarding transferring the personal information of Chinese employees across the country’s borders. This means that companies cannot transfer internal employee information (including typical information routinely handled by a company’s HR department) outside of China’s borders without the consent of the employee and without meeting other specifications spelled out within the law.
Who it applies to: The PIPL protects the personal data of people located in China. It applies to companies operating in China, as well as organizations outside of China that process the personal data of people within China for any of the following reasons:
(1) To provide products or services to people in China;
(2) To analyze or assess the behavior of people in China; or
(3) Any other circumstance that falls under unspecified Chinese laws and regulations.
When it takes effect: November 1, 2021
When it was issued: August 20, 2021

Sarah Moran