Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for the ‘Data Governance’ Category

The Poisoned Well: Dreaded Pre-Trial “adverse inference” Jury Instruction in Apple v. Samsung

Posted by Johnny Lee on July 26, 2012

U.S. Magistrate Judge Paul S. Grewal granted plaintiff’s motion to issue a critical jury instruction related to the trial between tech giants Apple and Samsung…before the trial is even underway.  This ruling allows the jury to draw whatever inferences it wishes about the “lost evidence,” with Judge Grewal stating that the lost evidence was not only favorable to the plaintiff (Apple) but that the jury “…may choose to find it determinative, somewhat determinative, or not at all determinative in reaching your verdict.”

This ruling puts the defense team (Samsung) even more on the defensive in a suit meant to settle a host of substantial Intellectual Property and device design disputes.  Judge Grewal grounded his jury instruction upon the evidence submitted that the defendant had failed to avoid the auto-deletion of key email evidence.

Judge Grewal summarized the defendant’s lapse as a failure to recognize when its evidence-preservation duties arose (in Judge Grewal’s words, “especially during the critical seven months after a reasonable party in the same circumstances would have reasonably foreseen this suit”).  Simply put, the defendant “fell short of what it needed to do.”

This will be a much-watched case, and having the well “poisoned” so early in the case may have a profound effect upon the outcome.  Undoubtedly, this case will be discussed a great deal in the eDiscovery literature as yet another object lesson on the importance of evidence preservation, including the related corollaries of records retention, data governance, and litigation holds.

Posted in Data Governance, ECM, eDiscovery, Litigation Hold, Records Retention

Must Transactional Attorneys Preserve Evidence?

Posted by Johnny Lee on June 5, 2012

It is almost axiomatic in American jurisprudence that the duty to preserve arises for a party when that party “knows or reasonably should know” that litigation is foreseeable.  That said, a recent matter out of the federal courts in New York has raised a very interesting question about evidence preservation duties, as well as when and how they extend to certain parties — including their counsel.

Corporate and litigation counsel alike recognize their (somewhat nebulous) triggering event as the “reasonable anticipation” of a dispute arising, and they respond by issuing data preservation instructions to custodians to ensure that all potentially relevant information is retained for possible review and use in such a matter.  However, federal magistrate judge Joan Azrack has indicated that counsel for a party that destroys evidence might be sanctioned for failing to preserve — independent of a litigation hold — certain documents (including emails) that relate to “the lawyer’s negotiation and documentation of a loan agreement.”

What’s novel in this matter is not that this duty arises for counsel, but when and why.  The case (FDIC v. Malik) involves a suit brought by the FDIC, in its role as the receiver for a mortgage company, against the mortgage company’s attorneys (et alia) relating to a series of loan transactions.

It is important to note that this case is still in process, so its implications (both for litigation- and for records-management) will be watched closely.  Of particular note here is the implication that document retention regulations (in this case, arising out of the attorney’s professional responsibility rules) can establish evidence-preservation obligations where the affected party is “a member of the general class of persons that the regulatory agency sought to protect in promulgating the rule.”  If we were to extrapolate this to organizations across the legal spectrum, this could represent a precedent of staggering influence to corporate America and the way it manages information.

 

Posted in Data Governance, ECM, eDiscovery, Litigation Hold, Records Retention

Parting is such tweet sorrow…

Posted by Johnny Lee on May 16, 2012

With humble apologies to The Bard for the headline, a recent story picked up by The Wall Street Journal chronicles the dismissal of a Chief Financial Officer for his candid and extemporaneous disclosures via Twitter and Facebook.  This is yet another in a long series of headline-grabbing stories related to the perils of unchecked social media gaffes.

The tweeter in question is Gene Morphis who, until quite recently, was the CFO of Francesca’s Holdings Corp.  Through its subsidiary, Francesca’s operates a chain of retail boutiques offering apparel, jewelry, accessories, and gifts to female customers.  The company was founded in 1999, is headquartered in Houston, and has a $1 billion market capitalization.

According to The Wall Street Journal, Mr. Morphis “maintained a publicly viewable profile on Facebook, authored a blog called ‘Morph’s View’ and maintained a Twitter account under the handle ‘theoldcfo.’  Online, he discussed everything from Christmas to college basketball, and occasionally company doings.”  It was the last point in this list that brings him to our attention.

The Journal reports that Morphis posted information related to his dealings with Francesca’s board, an investor road show, earnings calls, and other corporate interactions.  Following an internal investigation led by outside counsel, the company has stated that it terminated Morphis “for cause” and that it is “disappointed by this situation but we expect our executives to comply with all company policies.”

While this specific fact pattern is not familiar to this editor, we can perhaps expect similar examples to come.  According to a recent survey from the Society for Human Resource Management, only two in five employers have formal social-media policies.  Perhaps just as telling, of those organizations with formal policies, one in three have taken “disciplinary action” against an employee in the past year.

The take-away?  Social media technologies represent a significant source of both benefit and risk to organizations today.  Examining these benefits and risks is becoming more and more crucial, and placing these benefits and risks within the context of existing compliance frameworks is becoming the only way to proportionally manage the same.

Posted in Data Governance, Investigations, Privacy, Records Retention

ForensicUpdate Editor to present on two CyberSecurity Panels…

Posted by Johnny Lee on May 7, 2012

This year’s AccessData User’s Conference will be held in Las Vegas. This conference brings together world-class instruction from real-world industry practitioners, and it provides a wealth of information related to cybersecurity, forensics, and eDiscovery.

This three-day conference will include luminaries from around the world, leading sessions and delving into the complexities related to acquiring, analyzing, and managing data in fast-paced environments and situations. There is a variety of break-out sessions and hands-on laboratories designed to improve the participants’ skills and to apply what they have learned.

ForensicUpdate editor, Johnny Lee, will participate in two panel discussions: “Data Governance and eDiscovery” and “Data Breaches.”  Click here for more details.

Posted in Computer Forensics, Data Governance, eDiscovery, Information Security, Investigations, Privacy, Records Retention, Social Networking

DLA Piper publishes global handbook on Data Privacy Laws…

Posted by Johnny Lee on April 23, 2012

The safeguarding of personal information by organizations has never been more difficult or more necessary.  This is true not merely because of the relatively unchecked trends of data proliferation and data portability but also because of the increasingly complicated legal and regulatory landscape.

Organizations of all sizes are struggling with this, but multi-national companies have a unique set of challenges in trying to identify — much less reconcile — the myriad of rules, regulations, and laws related to the protection of personal data.  This is what makes DLA Piper’s subject contribution such a welcome addition to the compliance literature.

The DLA Piper Information Law Team have published a handbook with “an overview of the applicable privacy and data protection laws and regulations across 58 different jurisdictions, including a section on enforcement.  Edited by Cameron Craig, Paul McCormack, Jim Halpert, Kate Lucente, and Arthur Cheuk, the DLA Piper 2011/2012 Data Protection Laws of the World Handbook is available here.”

Posted in Data Governance, ECM, Information Security, Privacy, Records Retention

2012 Perspectives from the Chief Audit Executive’s office…

Posted by Johnny Lee on April 2, 2012

Grant Thornton’s latest thought leadership in the audit and compliance arena focuses on the perspective of the chief audit executive (“CAE”).  The survey, entitled “Rising to new challenges: The view from the office of the CAE,” includes input from approximately three hundred CAEs from around the United States.

With “promising economic signs emerging, organizational demands are pulling internal audit in new directions.”  This survey captures how CAEs are striving to balance competing goals and initiatives.

This survey also builds upon Grant Thornton’s prior CAE survey from 2011 and “confirms that internal audit is receptive to assimilating newer and broader responsibilities for evaluating emerging risks, ensuring appropriate corporate governance and incorporating technology into internal audit processes.”  Click here to read the executive summary of this report.

Posted in Announcement, Data Governance, Fraud, Privacy

Forensic Update editor presenting at 7th Annual Fraud Summit…

Posted by Johnny Lee on March 20, 2012

The seventh-annual “Fraud Summit” will be held later this month at the University of Texas at Dallas.  This summit is a collaboration among the Dallas Chapter of the Institute of Internal Auditors, the North Texas Chapter of ISACA, and the Dallas Chapter of the Association for Certified Fraud Examiners.

This two-day conference will include “numerous sessions with dynamic presenters on current fraud topics,” including a variety of break-out sessions designed to improve the participants’ fraud-detecting skills and to apply what they have learned.  Several sessions will focus upon “advanced fraud techniques and case studies for those looking for more than just the basics.”

ForensicUpdate editor, Johnny Lee, will present on the topic of “Data Governance and eDiscovery.”  Click here for more details.

Posted in Announcement, Computer Forensics, Data Governance, eDiscovery, Fraud, Investigations

Our Porous Periphery…news from the data leakage front

Posted by Johnny Lee on March 5, 2012

A recent study from Harris Interactive indicates that, despite what appear to be known risks, organizations continue to permit high-risk data practices.  The study, commissioned by Imation, surveyed several hundred IT decision-makers throughout the United States and Canada.

According to the study, 91% of organizations allow removable storage devices (e.g., USB drives, external hard drives, smart phones, etc.) on their networks.  Additionally, 81% of organizations report having some policy that mandates the encryption of organizational data when employees are using removable storage devices — though over 65% of organizations report having little or no enforcement of these best practices.  Put differently, despite the well documented risks of highly portable and unencrypted data leaving the building, only 25% of U.S. organizations enforce encryption on removable media.

As if these statistics weren’t staggering in their own right, 20% of businesses report having no defined action plan to address the specter of data breach.  Worse, these same 20% state that they do not intend to draft such an action plan in the foreseeable future.

For years, the higher risk of data compromise from internal players has been axiomatic.[1]  While these risks do not always arise from sinister acts, there are virtually no distinctions (either within the press or with regulators and potential plaintiffs) between data breaches that occur for profit versus through negligence.  Like me, the study’s sponsors are surprised by the somewhat cavalier attitude of organizations that are not locking down data as well as perhaps they ought.

[1] Q.v., Study from Ponemon Institute & Checkpoint Software (February 2011), entitled “Understanding Security Complexity in 21st Century IT Environments,” which indicates that 75% of organizations report data losses from malicious or negligent insiders.

Posted in Data Governance, ECM, eDiscovery, Information Security, Privacy, Records Retention

Data Classification — Proactive Gambit against Reactive Inertia

Posted by Johnny Lee on February 28, 2012

Countless times during my career, I’ve been asked why data classification makes financial sense for an organization.  This particular conversation typically arises in the context of a rebuttal to an unpopular project that has been proposed (i.e., one that doesn’t affect the bottom line — at least in a material and self-evident way).

Data classification can mean many things, of course, but from a data security perspective it typically involves the assignment of a sensitivity rating (or level) to various data used by an organization.  The purpose of this assignment is, above all, to avoid “boiling the ocean,” as we consultants like to say.

Whether an organization is responding to a specific regulatory mandate, an active litigation, or merely taking a proactive stance toward its information management lifecycle, properly classifying the data is the first step.  Such classifications (e.g., top secret, secret, confidential, restricted, and unclassified) allow organizations to identify what data an organization is handling on a regular basis, how well it is securing such data, and whether significant risks are being mitigated that relate to same.

While computer applications and appliances exist to help with data classification, ultimately this is a subjective exercise.  Properly done, it includes all strata of the business, incorporates a risk-based approach, and contemplates business, technical, and other points of view.  Only by identifying which data are important to the business can an organization hope to quantify how expensive and inefficient its one-size-fits-all data management strategy truly is.

While data classification is most often cast in the light of risk-avoidance, there are significant benefits to classifying data that do, in fact, translate to the bottom line.  Indeed, when an organization invests the time to classify its data, there are frequently entire populations of content that are being secured at great cost — though the actual content of these files merits no such security.  These savings alone can pay for a data classification exercise.

Similarly, when organizations truly identify what data are important to their day-to-day operations, a great focus is brought to bear on how those data are created, managed, copied, distributed, and (ultimately) retired.  This heightened awareness likewise has tremendous benefit for companies — whether in heavily regulated industries or not.

Posted in Data Governance, ECM, Information Security, Records Retention

Federal Circuit’s Model Order adopted to curtail the expense of eDiscovery…Paradigm Shift or Wishful Thinking?

Posted by Johnny Lee on January 30, 2012

In a move designed to stem the escalating costs of electronic discovery, the U.S. Court of Appeals for the Federal Circuit recently adopted a Model Order that sets out requirements designed to limit the scope and impact of eDiscovery in patent cases.  In a September 2011 presentation, Chief Judge Randall Rader of the U.S. Court of Appeals for the Federal Circuit unveiled a Model Order Regarding E-Discovery in Patent Cases (“Model Order”).

Judge Rader stated last September (at the joint conference of the Federal Circuit and Eastern District of Texas) that the Model Order will serve as an aid to district courts to enforce “responsible, targeted use of eDiscovery.”  According to Chief Judge Rader, the Model Order was drafted by a special committee of the Advisory Council for the Federal Circuit and was designed to achieve the efficiencies achieved via Federal Rule of Civil Procedure (“FRCP”) Rule 30 (which limits the number of depositions that may be taken by each party).

The Model Order contains discrete provisions orchestrated to minimize expensive, overbroad, and time-consuming eDiscovery requests by establishing a process by which parties should exchange information, including electronically stored information (“ESI”).  Under the Model Order, parties are required to exchange “core documentation” prior to any request or production of electronic mail.  This core documentation includes documentation related to the underlying patent and its prior art as well as the allegedly infringing product.

One of the most impactful provisions of the Model Order is its distinct — and very detailed — treatment of electronic mail.  The Model Order actually presumes that general production requests shall not include email.  This addresses one of the most significant aspects of discovery in patent litigation, as a good deal of what is typically reviewed in such matters begins (and often ends) with a review of email.

Should this presumption be surmounted in a given matter, the Model Order also seeks to limit the number of custodians from whom email shall be produced.  “Each requesting party shall limit its email production requests to a total of five custodians per producing party for all such requests.”  This too can have a tremendous impact on the scope, expense, and timeliness of document reviews within patent litigation.

These changes alone are substantial, but the Model Order goes on to limit the nature and scope of eDiscovery in several other notable ways:

  • Email production requests should be limited to a total of five search terms, per custodian, per party;
  • Absent a showing of good cause, parties should be exempted from producing metadata;
  • Costs will be shifted for disproportionate production requests (consistent with FRCP Rule 26); and
  • Inadvertent productions are deemed a non-waiver within the pending case or any other state/federal proceeding (consistent with Federal Rule of Evidence 502).

These changes codify a material shift in thinking that speaks directly to the root causes of overblown eDiscovery efforts in patent cases.  Moreover, these changes should begin to bear fruit immediately in the form of reduced “digital haystacks” that parties are required to sift through in search of the proverbial needle(s) they seek.

Indeed, in a recent patent case in the Northern District of California, a U.S. Magistrate Judge granted a defense motion to govern discovery using an order quite similar to the Model Order (q.v., DCG v. Checkpoint Technologies).  Interestingly, in that case, the plaintiff asserted that the Model Order should not be applied, as it was designed to limit discovery abuses by so-called “patent trolls” (as opposed to disputes between actual competitors in the marketplace).  The Magistrate Judge disagreed with this assertion, stating that the Model Order neither deals exclusively with patent trolls nor exempts parties from discovery scope-limitations simply because they are market competitors.

Posted in Computer Forensics, Data Governance, eDiscovery, Litigation Hold, Records Retention

 