When it comes to securing clients’ and businesses’ most sensitive data, more and more attention is being paid to eDiscovery. After all, the discovery process gathers a treasure trove of valuable information, from IP to trade secrets, while the complex process of document review and exchange can be fraught with security risks.
Few people are as familiar with this as Paul Meyer, associate general counsel and lead eDiscovery counsel at Willis Towers Watson. For years, Meyer has been providing legal guidance and leadership in corporate information governance efforts, from the early days of paper records management to the migration into information governance of electronic data sources.
Logikcull recently sat down with Meyer to discuss the convergence of cybersecurity and eDiscovery concerns, why “everything is information governance,” and the implications of international data privacy regulations in the eDiscovery context.
(In addition to sharing his thoughts with the Logikcull Blog, Meyer will be speaking at an upcoming Logikcull Corporate eDiscovery and Cybersecurity User Group on May 18th, in Washington, D.C.)
The growing attention paid to cybersecurity and eDiscovery, Meyer notes, has several drivers. One of the strongest, from Willis Towers Watson’s perspective as a service provider to many other companies, is client concern. More and more companies are asking about data security infrastructure when producing data in response to litigation, subpoenas, or law enforcement demands, he says.
From a legal perspective, bar associations are increasingly appreciating the importance of protecting client data, Meyer says. “The new model ABA rules recognize that lawyers that aren’t taking care of their data,” he explains, “could be violating a number of their professional obligations, such as their duty to keep data confidential, by not only not having good cybersecurity but not understanding how they do work could create risks for themselves or their clients as well.”
Courts, too, have come around. Courts are “much more receptive to hearing lawyers involved in issues discussing data, to raise security and confidentiality issues than they, frankly, have been at any time in the past,” Meyer says.
The growing focus on data security, both in an eDiscovery context and generally, shouldn’t be overwhelming, however. “It’s more manageable now than it used to be,” Meyer explains. “The corporate world has invested a lot in understanding how to deal with corporate security. There are some good technologies there, a lot more best practices, tried and true practices.”
There are also more options, for organizations of all sizes. “A small company or a small law firm that couldn’t afford top-end cybersecurity several years ago has some specialized cloud services that can provide some pretty advanced cybersecurity protections that really weren’t available more than two or three years ago,” Meyer explains. “I think the market is really maturing.”
Cybersecurity, data privacy concerns, and eDiscovery are increasingly converging, such that a siloed approach is no longer appropriate. “A lot of the terms we used to use, like eDiscovery, records management -- they’re really not separate things anymore,” Meyer explains. “Everything is really one thing, and it’s information governance.”
“If you have an integrated approach to information governance, you have to roll in your cybersecurity, your data privacy plan, how you’re managing different classes of data, how you’re going to manage things if you have to collect it, put it on legal hold, or process it.”
Keeping those processes separate and compartmentalized, Meyer says, is perilous, as what works for one approach may not for another. The more law firms and companies have integrated these processes, “the more you’re going to be prepared to deal with the early part of the 21st century.”
A strong information governance approach also means making sure your data remains safe when it’s outside of your hands, as when providing information to outside counsel or opposing parties. “In managing our own counsel relationships,” Meyer says, “we have outside counsel protocols that reserve a lot of the data issues to us, so that we’re managing and controlling how data is moving around in the eDiscovery context.”
“In terms of dealing with opposing counsel and subpoenas, we now have a standard objection that we always issue that we won’t provide any documents until the party receiving them can provide a data security policy that satisfies us that their practices are sufficient. Otherwise, we’re going to talk about how to find a way to meet that in a way that meets our needs. We offer our pre-approved panel of vendors or service providers who can manage that.”
These demands “don’t get as many objections as you’d think,” Meyer explains. “I think lawyers really get it; they like the fact that we offer an alternative.”
When it comes to information protection, Meyer isn’t just talking about electronic data either. “We don’t send anything by FedEx anymore,” he explains. “Paper is as secure as electronic data, which means if we’re producing a box of documents it’s going to be by white-glove courier.”
Looking to the future, Meyer sees the European Union’s coming General Data Protection Regulation as a looming challenge for many organizations. “It’s sort of a Y2k that nobody is focusing on, but unlike Y2k, it’s not going to be a ghost. It’s going to be a real issue.”
The GDPR is set to go into effect in May 2018, with penalties for noncompliance that Meyer describes as “breathtaking.”
“The penalties can be 20 million euros or 4 percent of global gross revenues, whichever is higher, so that’s a pretty strong incentive to get it right.”
The GDPR needs to be considered in eDiscovery contexts as well, Meyer explains. In the past 12 years, Meyer has seen a “material presence of international data” in eDiscovery matters, in “somewhere between 8-12 percent of the cases we’re dealing with.”
“Even if you have U.S. eDiscovery requests, you’re going to have some international content and you’re going to have to understand what the GDPR requirements are,” he warns, “so that you have a strategy that’s going to comply with those rules.”
While leaders like Microsoft and Google are ahead of the pack when it comes to GDPR preparation, “the bulk of U.S. corporations are still trying to get their head around it and come up with strategies,” Meyer explains. For those “running a little late,” he says, “it’s time to bring in some specialized legal and process advice on what the requirements are going to be, how they’re going to impact your business, and what kind of a working strategy you can have in place in basically a year or less.”
Meyer will be discussing eDiscovery, cybersecurity, and the challenges facing businesses and attorneys at Logikcull’s Corporate eDiscovery and Cybersecurity User Group, May 18th in Washington, D.C.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org.