Tag Archives: E-discovery

8 Ways to Avoid Being “Extremely Careless” with Data


On July 5th, FBI Director James Comey made a statement that the FBI would not recommend criminal charges against Democratic Party presidential nominee, Hillary Clinton. The announcement was the result of an investigation into the fact that, while serving as secretary of state, Clinton relied exclusively on a personal email account housed by her own personal server rather than using an official, protected state.gov email address. She also communicated from her private email across several electronic devices. Amongst emails about yoga appointments and family outings, Clinton exchanged highly classified information – including Benghazi communications – leading the FBI to question possible breaches of the account from foreign governments and hackers. After months of exhaustive investigation and countless hours of media coverage, the FBI did not uncover sufficient evidence to recommend criminal charges in the case, but concluded that “[Clinton and her staff] were extremely careless in their handling of very sensitive, highly classified information.”

While it’s evident that Clinton probably didn’t think she was being so careless with her data, there are a few simple ways that people in heavily-regulated and litigated industries can avoid being extremely careless. This is especially important when it comes to ediscovery, a time when you’re highly likely to make private information public.

1. The personal & professional are inseparable. Nowadays, people answer work emails on their personal devices and vice versa. They send company files to their home computers so they can work nights and weekends, and send personal documents to print or fax from work. This can be a major headache when it comes to data security, as we saw with the Clinton email scandal. Data that was once relatively secure on company premises leaves the office on portable devices and home networks and is then exposed to the risk of physical and virtual theft. Companies with BYOD or work-from-home policies should establish and enforce strict and specific security guidelines. Employees who work from home or from portable devices should always log out of email accounts and be careful not to join any unknown networks.

2. Keep passwords fresh. Update passwords every 4-6 months. Contrary to popular belief, updating your passwords every 60 or 90 days won’t necessarily result in better security measures, especially when your passwords aren’t strong in the first place. Experts recommend using a password manager like LastPass, Dashlane, or KeePass to generate stronger passwords and keep track of them.

3. Beware of the cloud. Add security layers anywhere sensitive data lives, particularly if it’s shared in the cloud. Putting locks on network file directories is simple enough, but with the massive surge in cloud usage, data leaks become more difficult to control. According to expert Joe Moriarty, businesses can better protect cloud-based data “by adding content controls, protection, tracking and deep analytics to files.” Content controls that a company can easily implement to secure data include watermarking files and videos; limiting employees’ ability to forward or print files; and most importantly, preventing unauthorized viewing, saving, and sharing of data.

4. Continued education by HR. Training your employees on security best practices is crucial to preventing a breach. Consider assigning a compliance officer who can be involved in business decisions. Such a position helps bridge the gap between tech-savvy IT employees and those who may not be able to answer, “How does this affect PCI, PII compliance, or HIPAA?”

5. Remember printers? According to expert Michael Howard, the biggest mistake companies make when it comes to securing sensitive data is not securing their printing fleet. He goes on to say a staggering 90% of enterprise businesses have experienced a breach due to unsecured printing. In order to avoid this risk, Michael recommends installing security software that limits printing and helps protect your company paper trail.

While establishing day-to-day security practices is important, safeguarding data during ediscovery is a whole new ballgame. During ediscovery, data changes hands many times internally and externally. Data is gathered from multiple network drives, sources, and authorities then handed over to another party or two, and some of that data might end up in the public record. Penalties for breaches during ediscovery can include mistrials, fines, sanctions, and even lawsuits, so the stakes are extremely high.

6. Know your data. Every organization needs to be familiar with where its data resides, the laws governing it, and how it may be collected, processed, retained, and transferred before litigation begins. This is especially important when working with cross-border litigation, given the recent changes in EU data protection laws.

7. Limit scope as much as possible. Evaluate the scope of data that is being requested during discovery. For litigation purposes, can the data requested be reasonably limited so that personal data issues can be reduced or eliminated altogether?

8. When in doubt, redact. Redaction is the only foolproof way to protect sensitive data. With the growing amount of ESI and increasing regulations surrounding things like PII, you can’t risk letting sensitive data slip through the cracks during ediscovery and into the hands of opposing counsel. Unfortunately, the viability and cost of manual redaction is quickly approaching an unsustainable level. With the correct redaction software, companies can ensure sensitive data gets redacted automatically, saving time, costs, and reducing the risk of human error during review.

While the data we deal with on a day-to-day basis may not be labeled as “Highly Classified” like Clinton’s, it’s still very important to have the proper procedures in place for handling and protecting it. With ESI volumes growing at an alarming rate, it’s important that we look to technology for help with data security, particularly during ediscovery, so that we aren’t caught being extremely careless.

Why Accidental Disclosure of PII Can Be Disastrous


We focus a lot on finding and redacting PII while data is being prepared for opposing counsel, but what are the consequences of sensitive data being produced and ending up in the wrong hands?

Federal Rule of Civil Procedure 5.2 stipulates four categories of information to be protected: Social Security numbers, names of minors, birth dates, and financial account numbers. Let’s say you work for Corporation A, which is being sued by Corporation B for work performed by a specific team at Corporation A. Each individual on that team at Corporation A becomes a relevant custodian in discovery. In compliance with Rule 5.2, you cull all the HR documents of the team members for PII to redact. What you don’t realize is that one of the team members has saved a tax document on their desktop to fax to their accountant during work hours. That information is stored on your servers, so it becomes part of the case, and you’ve missed it. You send your documents to opposing counsel for review. They won’t spend their time looking for information to redact on your behalf, so the information makes it through discovery and is brought in as a court document. Now it’s a part of the trial record, which is publicly accessible, and that individual’s information has been compromised.
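The automated redaction pass that tip 8 above calls for, and the scenario just described (a stray tax document swept into a collection), as an added example that is not code from the original post or from any redaction product. It applies the partial-redaction forms Rule 5.2(a) actually permits (last four digits of an SSN or account number, year of birth, a minor’s initials); the regular expressions and the sample document are constructed for the demo and are an assumption, not a production-grade PII detector.

```python
import re

# Fed. R. Civ. P. 5.2(a) permits only: last four digits of an SSN or taxpayer ID,
# last four digits of a financial-account number, the year of a birth date, and
# a minor's initials. The patterns below are constructed for this demo (an
# assumption, not a production PII detector) and cover common US formats only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
ACCOUNT_RE = re.compile(r"(?i)\b(acct|account)\s*(?:#|no\.?|number)?\s*:?\s*(\d{8,17})\b")
DOB_RE = re.compile(r"(?i)\b(dob|date of birth|born)\s*:?\s*\d{1,2}/\d{1,2}/(\d{4})\b")

def redact_rule_52(text, minor_names=()):
    """Return (redacted_text, hit_counts) after applying the Rule 5.2(a) forms."""
    hits = {"ssn": 0, "account": 0, "dob": 0, "minor": 0}

    def count(key, fn):
        # Wrap a replacement so every substitution is also tallied for the review log.
        def wrapped(m):
            hits[key] += 1
            return fn(m)
        return wrapped

    text = SSN_RE.sub(count("ssn", lambda m: "XXX-XX-" + m.group(1)), text)
    text = ACCOUNT_RE.sub(count("account", lambda m: f"{m.group(1)} ****{m.group(2)[-4:]}"), text)
    text = DOB_RE.sub(count("dob", lambda m: f"{m.group(1)}: {m.group(2)}"), text)
    for name in minor_names:  # minors' names must come from the custodian list; no regex can spot them
        initials = "".join(part[0] + "." for part in name.split())
        text, n = re.subn(r"\b" + re.escape(name) + r"\b", initials, text)
        hits["minor"] += n
    return text, hits

# Constructed sample: the kind of personal tax document the post describes being
# left on a custodian's desktop and swept into a collection.
SAMPLE_DOC = (
    "Form 1040 draft for J. Doe, SSN 123-45-6789, DOB: 04/12/1981.\n"
    "Refund to Account No. 000123456789 at Example Bank.\n"
    "Dependent: Emily Doe (minor)."
)

def review_sample():
    """Run the sample through redaction; returns (redacted_text, hits)."""
    return redact_rule_52(SAMPLE_DOC, minor_names=("Emily Doe",))

if __name__ == "__main__":
    redacted, hits = review_sample()
    print(redacted)
    print("PII instances redacted:", hits)
```

A non-zero hit count on a document that was supposed to be clean is the signal to stop and re-review before anything is produced to opposing counsel.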

So what happens when there’s a data breach? Well, that depends on which state you’re in, which federal statute the case falls under, and what the existing data breach laws are. For example, in a case regulated by the strict rules of HIPAA and in a state as diligent as Connecticut, where any information that can potentially have an association with a particular individual is considered private, PII leaks during litigation are subject to data breach notification requirements, meaning you must disclose your mistake to anyone affected, explain to them what they can do to protect themselves, and offer a solution to fix the breach. Beyond notification requirements, you can also be subject to monetary penalties, sanctions, and/or disciplinary actions against the litigators. That would mean Corporation A is subject to a wide range of possible repercussions. In one scenario, Corporation A might have to sue the contract review firm they hired to ensure that they go back to re-review their data, securing any compromised sensitive information. Perhaps there are no punitive sanctions on Corporation A in this instance, but you’ve just lost a lot of time and money in re-review.

In another scenario, the case may be ruled a mistrial because of negligence or non-compliance. Again, Corporation A has lost a lot of time and money, but now you’ve also sullied your reputation because of a mistake in basic litigation processes, risking the loss of future clients and future revenue. But let’s also say that over the course of litigation, the employee whose information has been compromised has left Corporation A. When you notify the former employee of the data breach, they sue you for leaking their private information. Now Corporation A has lost a lot of time and money, your case was thrown out as a mistrial, your reputation is damaged, and you’re caught up in yet another lawsuit. There might be penalties to pay out to the client and possible ethics sanctions handed down from the judge with monetary fines attached. Corporation A decides to sue the review firm for their litigation costs. Now two extra lawsuits have come out of what was supposed to be just one. A tangled legal web has been woven because of Corporation A’s lack of precaution at the onset of the lawsuit with Corporation B.

A data breach can have considerable fallout for firms and clients alike, so ensuring that proper measures are taken to secure sensitive data is a crucial first step in the discovery process. There are technologies that can automate and expedite the process of identifying and removing sensitive data to ensure that nothing falls through the cracks. By incorporating the right legal technologies, money is saved rather than wasted, and reputations remain sterling.

For further reading on this topic, check out the following resources: