Navigating Big Data's Perfect Storm: Controlling Costs and Cyber Risks Through Defensible Data Disposition Programs

Texas Lawyer's In-House Counsel Summit, December 3, 2015


DANIEL S. MEYERS, ESQ.
PRESIDENT, INFORMATION GOVERNANCE

• Bracewell & Giuliani LLP – 10 Years
  – Partner: Commercial Litigation – 4 Years
  – Co-Founder/Chair: E-Discovery & Information Governance

• Certifications
  – CIPP/US Information Privacy Professional
  – ACEDS E-Discovery Specialist

ANDREW NEAL
DIRECTOR, FORENSIC TECHNOLOGY & CONSULTING

• 30 years’ experience in technology, forensics and investigations.
• Licensed investigator and security consultant.
• Forensics teacher at major universities and for police agencies across the country.
• Expert witness on digital forensics and investigations.
• Developed first commercial digital forensics and information security laboratory in the southwestern United States.
• CISM, CRISC, CIFI, DABFE, ACE, AME.

COMPANIES GENERATE DATA AT STAGGERING RATES

Global email traffic creates 183 billion new messages every day.

ExxonMobil’s employees create 5.2 million new messages every day.

Corporate data growth is expanding at an approximate rate of 30% every year.

By 2020: 26 billion devices will be connected to the internet (that’s more than three devices for every person on the planet).


THREE CORPORATE “PAIN POINTS” IN THE BIG DATA ERA

1. Runaway Litigation Costs Resulting from the Demands of eDiscovery.

2. Proliferation of Sanctions Motions for Perceived eDiscovery Shortcomings.

3. Explosion of Costs and Risks of Storing Massive Troves of Data.


FIRST PAIN POINT: THE EXPLOSION OF eDISCOVERY COSTS

• In an average litigation or investigation, the eDiscovery costs alone constitute 60-70% of the client’s total legal spend.

• “Of the 1,000 largest matters in Relativity, the median size in 2013 was 3.3 million records per case, in 2014 it was 5.1 million.”   

• Even pre-litigation costs are prohibitive: companies spend millions of dollars preserving information for threatened lawsuits that may never even materialize.

Sources: Memorandum of Advisory Committee on Federal Rules of Civil Procedure (June 14, 2014); http://www.legaltechnews.com/id=1202734804528/Inside-the-Gartner-Magic-Quadrant-and-The-Currents-of-Change#ixzz3j5Zafn3n

THE EXPLODING COSTS ARE BIG BURDEN, SMALL BENEFIT


EXAMPLE: BAYER CORPORATION

“To review Bayer’s experience under the current rules, we examined a group of related class actions that recently concluded with a summary judgment decision in favor of Bayer following full fact and expert discovery. To comply with our preservation obligations in these matters, we preserved an estimated 17,388 GB of information over a period of four years. In response to plaintiffs’ discovery requests, we produced 31.1 GB of that information (comprising 1.3 million pages). In other words, the ratio of information preserved to information produced in the litigation was 559:1.” (emphasis added).

Source: Bayer Corporation, Public Comments on Proposed Amendments to the Federal Rules of Civil Procedure, available at http://www.lfcj.com/uploads/3/8/0/5/38050985/frcp_bayer._kaspar_stoffelmayr_10.25.13.pdf.

EXAMPLE: MICROSOFT

2013 Averages Per Litigation

Volume preserved: 59,285,000 pages

Volume processed: 10,544,000 pages

Volume reviewed: 350,000 pages

Volume produced: 87,500 pages

Volume admitted as evidence: 88 pages

RATIO OF PRESERVED : PRODUCED – 677 : 1

RATIO OF PRESERVED : ADMITTED – 673,693 : 1

Source: Microsoft Corporation, Public Comments on Proposed Amendments to the Federal Rules of Civil Procedure.

SECOND PAIN POINT: THE PROLIFERATION OF SANCTIONS MOTIONS

“Sanctions” are punitive measures that a judge will impose on a party when it fails to adequately preserve and produce documents.

Judge Shira Scheindlin (S.D.N.Y) warned that eDiscovery sanctions need limits, “lest litigation become a ‘gotcha’ game rather than a full and fair opportunity to air the merits of a dispute.”

Source: Pension Committee, 685 F. Supp. 2d 456 (S.D.N.Y. 2010).

PROLIFERATION OF SANCTIONS MOTIONS

Sources: Sanctions for e-Discovery Violations: By the Numbers, Duke L.J. (2010); Electronic Discovery Year-End Update (2012), Gibson Dunn

PROLIFERATION OF SANCTIONS MOTIONS

The Tide of Sanctions Continues to Rise

In 2014, companies reported a 42% rise in cases in which they affirmatively had to defend their preservation practices.

Yet 55% of in-house lawyers report a lack of confidence that their legal hold process would withstand legal scrutiny:

Sources: Legal Hold Pro, Legal Hold & Data Preservation Benchmark Survey 2014; Thomson Reuters, Consistency is the Key to Defensible Legal Hold Process (2015)

PROLIFERATION OF SANCTIONS MOTIONS

Examples of Monetary Sanctions:

• U.S. v. Philip Morris (D.C. 2004) – Philip Morris was sanctioned $2,750,000 for failing to preserve emails.

• In re Pradaxa Products Liability Litigation (S.D.Ill. Dec. 2013) – Defendants (pharmaceutical companies) were sanctioned $931,500 for failing to preserve text messages.

PROLIFERATION OF SANCTIONS MOTIONS

• Adverse Inferences:
  – “In practice, an adverse inference instruction often ends litigation - it is too difficult a hurdle for the spoliator to overcome. The in terrorem effect of an adverse inference is obvious. When a jury is instructed that it may infer that the party who destroyed potentially relevant evidence did so out of a realization that the evidence was unfavorable, the party suffering this instruction will be hard-pressed to prevail on the merits.” Zubulake, 220 F.R.D. at 219-220

• Case-terminating sanctions:
  – Gillett v. Michigan Farm Bureau (Michigan Court of Appeals, 2009). Plaintiff’s lawsuit was dismissed in its entirety for failing to preserve electronic files from a laptop computer.

THIRD PAIN POINT: COSTS AND RISKS OF BIG DATA STORAGE

Storage Costs

• 37% of U.S. companies store between 500,000 and 1 million GBs of data; another 19% store between 1 million and 499 million GBs.

• The average yearly cost to store 1 million GBs is $3.12 million.

• Yet 70% of stored data has no business or legal value.

• The problem is only getting worse: corporate data growth is expanding at an approximate rate of 30% every year.

Sources: Making Big Data Possible: Evaluating New Ways of Storing Data on a Massive Scale (April 2014), available at http://storiant.com/resources/Storiant-CIO-Survey-Report.pdf; Drew Robb, Big Data Means Big Storage Costs, Research Now (Aug. 25, 2014), available at http://www.researchnow.com/en-US/PressAndEvents/InTheNews/2014/august/big-data-means-big-storage-costs.aspx; Jake Frazier, Hoarders: The Corporate Edition, Business Computing World http://www.businesscomputingworld.co.uk/hoarders-the-corporate-edition/ (Sept. 25, 2013); Dennis Kiker, Defensible Data Deletion: A Practical Approach to Reducing Cost and Managing Risk Associated with Expanding Enterprise Data, 20 Richmond J. of L. & Tech., 6 at 3 (2014); EDRM, Disposing of Digital Debris (2014).

COSTS AND RISKS OF BIG DATA STORAGE

Cybersecurity Threats

• 42.8 million attacks globally in 2014, or 117,339 attacks per day (a 48% increase from 2013).

• The costs of attacks are substantial; in 2014, each successful breach cost the target company $2.7 million - $5.85 million (more than a 34% increase over the average costs in 2013).

• While the indirect costs of attacks are more difficult to quantify, the resulting business disruptions and reputational damage are severe.

Sources: PwC, The Global State of Information Security 2015 (Sept. 30, 2014), available at http://www.pwc.com/gsiss2015 at 7; Mayer Brown, Perspectives on Cybersecurity and its Legal Implications (2015)

DEFENSIBLE DATA DISPOSITION SERVICES

• What is it?
  – What data does the client have?
  – Where is the data stored?
  – When is the data obsolete?
  – Can the data be disposed of?
  – How should the data be disposed of?

• What are the Benefits?
  – Save money!
    • Litigation costs
    • Storage and migration costs
  – Reduce risk!
    • Sanctions exposure
    • Cybersecurity/privacy risks

THE ANATOMY OF A DEFENSIBLE DATA DISPOSITION PROGRAM

Three-Step Process

1. Data Map / Categories / Lifecycle

2. Assess Legal and Operational Retention Needs

3. Design and Implement the Program: Purge Redundant/Unnecessary Data. Train Future Behavior. Apply Policy & Controls.

STEP ONE: MAP DATA

“DATA MAPPING” SOURCES AND LOCATIONS OF CORPORATE DATA

• Interview IT and representatives of business divisions
  – Utilize software solutions to automate the “interviews” remotely.

• Review current bills/vendors for storage clues.

• Use existing process maps and departmental descriptions.

• Scan (or “crawl”) data repositories for metadata.

• Identify redundant data through unique hash values.

CATEGORIZE & CLASSIFY

• Broad categories of data type can make discussion easier
  – Financial transaction, HR, Marketing, Operational Summary

• Classify as to Sensitivity
  – PII/PIH, Competitive, Privileged, IP/Plans, Public

• Use as few categories/classes as is functional.

• The goal is to set and apply policy and controls clearly!

IDENTIFY DATA LIFECYCLE

Lifecycle stages: Create/Accept, Classify, Use, Store, Destroy

• For each Class
• For each Category
• Each transition is time definite
• Litigation hold = exception

STEP TWO: ASSESS LEGAL AND OPERATIONAL RETENTION NEEDS

• Apply regulatory footprint to the data map
• Update retention schedule
• Overlay operational retention needs
  - Survey a cross-section of personnel to identify business needs.
  - Validate the interviews by cross-referencing the results with data access logs.

STEP THREE: DESIGN & IMPLEMENT THE DISPOSITION PROGRAM

• Purge redundant data and legacy data that is not needed for operational or legal reasons.

• The method of disposal must reflect the confidentiality level of the documents being disposed.

• Train and educate personnel on the new corporate policies.
  • Retention schedules v. litigation hold obligations.
  • The importance of disposing of digital debris.

Show Your Work!

What Makes Deletion Defensible?

It is…
• Driven by class/category based policy.
• Audited and measured.
• Logged and tracked.
• Uses technically sound measures.
• Leaves no data behind.
• Can be stopped if needed.
• Document every step!
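An added example (not from the presentation) of several properties from the "What Makes Deletion Defensible?" list, together with the hash-based redundancy check from the data-mapping slide: decisions driven by category/class policy, litigation hold as the exception, and a logged decision for every record. The retention periods, the custodian-based hold matching, the record fields and the sample records are all assumptions constructed for illustration.

```python
import hashlib, json
from datetime import date, timedelta
# Constructed schedule (assumption): (category, sensitivity class) -> retention days.
RETENTION_DAYS = {("HR", "PII"): 7 * 365, ("Marketing", "Public"): 2 * 365}

def decide(rec, held_custodians, today):
    """Return (action, reason) for one data-map record."""
    days = RETENTION_DAYS.get((rec["category"], rec["sensitivity"]))
    if days is None:
        return "retain", "unclassified: no policy applies"
    if rec["custodian"] in held_custodians:  # litigation hold = exception
        return "retain", "litigation hold on " + rec["custodian"]
    expires = rec["created"] + timedelta(days=days)
    if today < expires:
        return "retain", "retention runs until " + expires.isoformat()
    return "dispose", "retention ended " + expires.isoformat()

def redundant_copies(records):
    """Group paths by content hash; a group larger than one is redundant data."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["sha256"], []).append(rec["path"])
    return {h: p for h, p in groups.items() if len(p) > 1}

def run(records, held_custodians, today):
    """Decide every record; return a hash-chained log of the decisions."""
    log, prev = [], "0" * 64
    for rec in records:
        action, reason = decide(rec, held_custodians, today)
        entry = {"date": today.isoformat(), "path": rec["path"],
                 "content_sha256": rec["sha256"], "action": action,
                 "reason": reason, "prev": prev}
        prev = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["entry_sha256"] = prev
        log.append(entry)
    return log

def _rec(path, category, sensitivity, custodian, created, content):
    return {"path": path, "category": category, "sensitivity": sensitivity,
            "custodian": custodian, "created": created,
            "sha256": hashlib.sha256(content).hexdigest()}
# Constructed sample records (not from the presentation).
SAMPLE = [
    _rec("/hr/review.doc", "HR", "PII", "alice", date(2006, 1, 10), b"review"),
    _rec("/hr/review_copy.doc", "HR", "PII", "bob", date(2006, 1, 10), b"review"),
    _rec("/mkt/flyer.pdf", "Marketing", "Public", "carol", date(2015, 6, 1), b"flyer"),
    _rec("/tmp/export.csv", "Operational Summary", "Competitive", "dan", date(2010, 1, 1), b"x"),
]
LOG = run(SAMPLE, {"bob"}, date(2015, 12, 3))
```

Because each log entry embeds the hash of the previous one, a removed or edited entry breaks the chain when the log is re-verified.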

Return on Investment

[Figure: labels shown are Fines; Distracts IT from Primary Focus; E-Discovery Costs; Reputational Harm; Breach; Adverse Inference Penalties; Data Storage Costs; Data Handling Efficiency; Operational Insight; Risk Management]

Questions?

Daniel S. Meyers, Esq.
President, Information Governance
TransPerfect Legal Solutions

212.867.6600, ext. [email protected]

Andrew Neal
Director, Forensic Technology and Consulting
TransPerfect Legal Solutions

[email protected]