A couple of years back, when the GDPR was about to come into force, there was a great deal of talk about Data Subject Access Requests (DSARs). While European residents had long held the right to request their data, the fact that it was now free, and that there were potentially significant penalties for non-compliance, meant that many organizations expected a tsunami of DSARs. There was an increase but perhaps not a tidal wave. Recently there has been speculation (in the wake of the COVID-19 pandemic and the associated job redundancies) that we are likely to see another surge.
It is important to understand that DSARs are about the rights of a data subject. A data controller must not only confirm whether it is processing the data requested and provide a copy, but also document:
The purposes of processing
The categories of personal data concerned
The recipients or categories of recipient to whom the data has been disclosed
The retention period for storing the personal data or, where this is not possible, the criteria for determining how long it will be stored
Notice of the existence of the right to request rectification, erasure, or restriction or to object to such processing and the right to lodge a complaint with the supervisory authority
The existence of automated decision-making (including profiling)
The safeguards provided if the data is transferred to a third country or international organization.
So, you can see that the exercise is as much about data governance and organization as it is about eDiscovery. Many DSARs are from disgruntled consumers, so managing the requests is mainly about good customer relations. Fix a person’s mobile phone, for example, and they may drop the DSAR.
However, there is one scenario where DSARs take on some of the characteristics of eDiscovery. A DSAR can be a quick and inexpensive way to get evidence to support a claim, without having to start on an expensive formal lawsuit (a kind of shortcut to pre-action disclosure). It can also be a negotiating ploy for an executive wanting to negotiate a decent exit package. “I know your data is a mess, and it will cost you £50,000 to respond to this, so I’ll settle for £20,000.” Or it might just be a disgruntled ex-employee who wants to cause annoyance.
An organization needs to respond to a DSAR within 30 days, but typically they don’t send the data to their supporting law firm until day 20—and I’ve heard stories of day 28. Further, the lawyers don’t necessarily know whether the DSAR is a torpedo about to explode into a larger legal action, or a legitimate request that needs to be answered as efficiently and cheaply as possible.
This is the great advantage of Nuix Discover®: It has the flexibility to support a self-service model designed to maximize efficiency and minimize cost while being able to pivot and become a full-function deep investigation and review tool. Panoram’s vision is to combine the two: Get lawyers used to the technology in day-to-day cases so they’re comfortable using the tools for more challenging ones.
THE MANTRA IS SPEED TO REVIEW AND SPEED OF REVIEW
Of course, that starts with fast and comprehensive data processing. Nuix has long been the benchmark here, and the ongoing enhancements in areas such as Microsoft Teams processing will be crucial going forwards.
Then it is all about the parallel early case assessment workflows of discounting redundant information and finding what is important. Nuix Discover’s analytics tools such as Mines and Clusters might allow you to exclude large amounts of non-personal communication from a review. If there is a parallel complaint going on (say into bullying) then communication network analysis will quickly allow you to see if team members are talking to each other about a person, and the concept cloud will allow you to understand what they are saying and whether it includes anything untoward.
As ever, the key route to controlling costs though is in review; accelerators such as quick coding, code as previous, and macros all help speed up review and so reduce cost. Threading, near dupe, and concepts allow you to streamline review workflows so reviewers get batches of similar data types to look at and make faster, more consistent review decisions.
The DSAR rules allow lawyers to exclude some documents from production, most notably for legal professional privilege and for confidentiality. Most complicated is the scenario of mixed data, where there may be a conflict between the need to provide data to a data subject and not to harm a third party’s rights—known as a tie breaker. Here the ability to note why a decision has been made is crucial, and so too is a consistency of approach. Back to the design of the right workflow.
Then there is redaction. The ability to use search term families to find and redact on individual documents is already useful. Regular expression searches make it possible to identify patterns of personal information (such as credit card numbers, national identity numbers, and passports). Once Nuix Discover has highly awaited case-wide redaction and native redaction for Microsoft Excel, it will have a significant advantage (for a while) over other products. Fast redaction is key to DSARs.
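As an added illustration of pattern-based redaction (this is not Nuix code and does not use Nuix Discover's search syntax), the sketch below finds payment card candidates with a regular expression, keeps only those that pass the Luhn checksum to cut false positives, and logs why each redaction was made. The document ID, reason text, and sample text are constructed for the example; the card number is the widely published test value.

```python
import re

# Candidate pattern: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order refs and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cards(doc_id: str, text: str, reason: str = "third-party payment card"):
    """Return (redacted_text, log); each log entry records what was removed and why."""
    log = []

    def _replace(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # pattern matched but checksum failed: leave for a reviewer
        log.append({"doc": doc_id, "span": m.span(),
                    "last4": digits[-4:], "reason": reason})
        return "[REDACTED-CARD]"

    return CARD_CANDIDATE.sub(_replace, text), log


# Constructed sample: one valid test card, one look-alike order reference, one phone number.
SAMPLE = (
    "Refund went to card 4111 1111 1111 1111 on 12 May. "
    "Order ref 1234 5678 9012 3456 is unrelated. "
    "Call me on 020 7946 0000."
)

if __name__ == "__main__":
    redacted, audit = redact_cards("DOC-0001", SAMPLE)
    print(redacted)
    for entry in audit:
        print(entry)
```

The same structure extends to other identifiers that carry a check digit; patterns without one need a reviewer's confirmation rather than automatic redaction.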
Finally, we have reporting. Law firms may be supporting multiple DSARs and need to make sure they are on track to meet the 30-day deadline, but also to measure accuracy and cost. Ideally this will reveal whether certain approaches are more efficient and make sure they are not losing money. A recent survey by Guardum says it costs £4,900 to answer the average DSAR, which does not leave a lot of fat. In Deer v Oxford University, the court ordered further searches causing the university to review 500,000 documents at a cost of £116,000 (for the disclosure of a further 33 documents).
The world does not stand still. You will notice I have consistently talked about data, not documents. Most kinds of data can be personal data (IP addresses, for instance). As we move to 5G and the internet of things, there is likely to be a coming together of the cybersecurity and forensics end of things and traditional legal review. Finding ways to show and illustrate this will be key and it is our hope that by being a Nuix partner we can both be at the forefront of building compelling solutions.
You’ve likely heard the common catchphrase ‘end-to-end’ many times in our little eDiscovery world. It’s a buzzword that has helped to serve many of us in the investigations, eDiscovery, and compliance communities. Even Gartner uses it, stating “By 2023, more than 70% of enterprise IT leaders will upgrade to end-to-end e-discovery software to reduce time and legal spend, up from 10% in 2019.”
In recent years, there has been an undeniable uptick in enterprise customers leveraging a combination of software and eDiscovery consultants helping to build their own end-to-end in-house eDiscovery and information governance program. In helping to architect many of these, it occurred to me that the very phrase itself can be quite misleading.
FROM LEFT TO RIGHT
The left ‘end’ is rather straightforward. The duty to preserve electronically stored information (ESI) gets triggered when litigation is reasonably anticipated. From there, we know the rest—preservation, collection, processing, and review of discoverable ESI ensues. Makes sense.
The right ‘end’ is where it gets a little foggy and some logical questions begin to surface:
Does it truly end with a production / presentation?
If so, is it safe to presume that each end-to-end process is an isolated, matter-by-matter task that has a defined beginning and a defined end?
Wait, are you telling me that we are also going to have to re-collect, re-process, and re-review everything again the next time a new matter pops up, even if the same custodian’s data is required again?
Why not create a principal data inventory of your frequent flier custodians’ ESI?
Why can’t we leverage modernized scalable architecture to be able to search, analyze, and cull even the largest and most voluminous data sets?
If data makes it to review, do you want to be clever with those coding decisions and bolt them back onto your ESI warehouse, ensuring that these costly coding decisions get reused to help guide attorneys for future matters?
If redactions are being made for PII, PHI, trade secrets, etc., would it be helpful to carry those coding decisions and redactions forward for each new matter containing that identical record?
For data that has been processed and is no longer responsive to legal hold, wouldn’t it help to be able to safely and easily release the data from your ESI warehouse and where it lives in the wild?
AN ANSWER TO YOUR QUESTIONS
These questions have led us to create a 360° approach to the litigation lifecycle that saves millions of dollars and thousands of hours of time previously spent in collection, processing, and review. Perhaps even more important, it delivers consistency across future reviews and productions. As the intelligence layer grows over time, your ESI warehouse becomes smarter, more agile, and exponentially more valuable.
Combining enterprise-grade collection, processing, and review technology with knowledgeable experts can help you build a defensible, repeatable, and future-proof eDiscovery and information governance program. In short, putting an end to ‘end-to-end.’
Most people in our industry know Nuix has powerful and scalable tools for solving eDiscovery, investigation, information governance, and other problems. What some may not know is that most of this technology can be run remotely, meaning work can continue and people can stay busy and safe all at the same time. Explore with us some of the scenarios and solutions we have at hand to keep the lights on while we navigate through a global pandemic.
Several remote workforce scenarios exist today using Nuix. Some of these use cases exist because of the COVID-19 pandemic, while others were in place well before. Some of these scenarios and solutions include:
The eDiscovery meat/data grinder. The process must keep moving forward; litigants will demand it.
Forensic investigation. Collect remotely and safely in a repeatable fashion.
Insolvency, bankruptcy, and accounting. Who is owed, by whom? How much is left? What contracts are valid or invalid? How will you sort out the mess? The hospitality and retail industries, along with others, have been hit hard. Fair distribution of assets and wealth is required considering the situation.
Fraud. During recovery, it’s an unfortunate reality that investigations into misappropriation of funds from the federal government will be necessary. The old adage “follow the money” holds true here; there’s a lot of money involved, hence a proportionate amount of fraud.
REAL SITUATIONS IN A CHANGED WORLD
We continue to hear about incredible applications of our software from customers faced with significant challenges.
Getting Ahead Of Insolvency And Bankruptcy
One large global customer had over 12 TB of data already collected and placed into the Nuix Discover® SaaS environment as they started to sort through insolvency materials. These materials will allow the firm to properly assign asset ownership and distribution for companies that have unfortunately had to shut down as a result of COVID-19.
It will take years of discovery work to properly dispose of assets for thousands of companies affected by the pandemic. Using Nuix Discover in the cloud, the firm can start ranking assets and creditors using the software’s analytics capabilities and continuous active learning (CAL).
Field Work Using A Mobile Forensic Lab
It’s not uncommon for a mobile forensic lab to be “wheeled in” to a location to collect data for a forensic investigation. It is possible, however, to use the Nuix Portable Collector to make forensically sound images and have them shipped to a static forensic lab. This is ideal especially for larger data quantities that can’t be reliably collected over the network in a timely manner. Just as clean rooms are often used for forensic investigations, you can adapt similar procedures allowing forensic examiners to ensure their safety while processing and investigation commence via the cloud or the web-based review and analytics interfaces.
Virtual Settlement Conferences
We have a partner that’s processing data centrally and distributing it using Nuix Investigate® to help its clients facilitate virtual legal settlement conferences.
To begin, unstructured data is being downloaded from networked drives at the rate of around 200 GB a day in batches. This data is sometimes custodian-based and sometimes based on matter or data type.
The partner then processes the data with Nuix Workstation and presents it online via a secure login to Nuix Investigate. The end customers—in this case, law firms—can then run various searches; tag, annotate, and redact; and then inform the partner that the data is ready for production. At this point, the partner produces a load file in Nuix Workstation and uploads it to a network drive securely via virtual private network.
Most litigation is settled outside of a courtroom. This fact, and the current environment, lends itself to a virtual remote working process. Many parties are likely to take the attitude of “Let’s just settle quickly rather than take our chances waiting for courts to reopen.”
The recent trend of law firms moving to e-signatures for official documents specifically to meet the needs of this unusual time further pressures the legal services community and legal software companies to ensure a safe and uninterrupted workflow.
Centralization Of Data
Because Nuix tools allow you to work via the web, creating a data lake serving many stakeholders (Legal/Compliance/Risk/Governance/Investigation) makes a ton of sense. Even the inverse sounds better and transparent to users: leave the data where it is, process it where it lives, form a virtual data lake, and manage the data via the web using Nuix Investigate and the functionality to promote data to Nuix Discover to keep the party going.
Running Nuix Workstation In The Cloud? Yes You Can!
A little-known fact: Nuix Workstation and Nuix Investigate both run well in Azure, Google Cloud, or AWS virtual environments. Using the Aspera utility for uploading data quickly to the SaaS environment of your choice, it’s easy to process and enrich data, getting it ready for review and analytics quickly. You can use the same licenses you already have and install the products on cloud-based servers anywhere in the world while pulling licenses for servers in traditionally architected locations behind the firewall or in the cloud for no additional cost.
Nuix Discover SaaS
Nuix Discover SaaS has been available for years, putting linear review, advanced analytics, and so much more at legal teams’ fingertips. With a long, storied tradition of cloud support and continuous performance updates, look no further for your eDiscovery review needs.
The Nuix Investigate user and group permissioning allows for incredibly granular separation of duties. Not only can you set up users within groups to have unique logins and access to only specific cases, you can even set specific permissions to operate within a given case. Restrictions to downloading, redacting, printing, and other operations exist for each user and group.
You can also change or elevate permissions at any time, as well as change or delete logins for temporary users, to further ensure chain of custody. Separation of responsibility is now more important than ever since we can’t easily physically audit data or even the process used to produce it. Being able to demonstrate that a series of people were involved in the virtual chain of custody is increasingly important.
Licensing In The Cloud
Nuix’s Cloud Licensing Server allows high speed expansion to processing capability with no risk and makes burst licensing for when the big jobs land in your lap a reality.
Because Nuix Workstation and Nuix Investigate are now licensed by the Cloud Licensing Server, licenses are distributed via AWS instead of a physical license dongle, removing one more physical obstacle and, incidentally, keeping staff safe. As I mentioned above, if a matter increases in size, we can distribute “burst” licenses for specific timeframes to meet the challenge of unexpected or uncommonly large data sets.
With expectations that litigation will rise steadily in the coming months due to COVID recovery efforts, burst licensing could come in very handy.
Collect From Anywhere
With Nuix Enterprise Collection Center you can push the two flavors of Nuix agents to endpoints easily, drastically expanding your network collection capabilities. You can create collections for forensic as well as eDiscovery use cases and pull the data over the network.
Great news! It’s already sanitized—no hand sanitizer needed! The data (and devices housing it) never need to physically change hands. All this work collecting, processing, and reviewing the data can be “done from home” and work can continue with a highly defensible chain of custody built in.
MORE FLEXIBILITY WITH EVERY RELEASE
We didn’t start down the path toward flexibility through some prescient expectation of a global pandemic. Products like Nuix Discover and Nuix Investigate, along with our cloud licensing and endpoint software, just happen to meet the needs of a distributed workforce.
Let’s face it; modern organizations demand more options and employ more remote workers today than ever in history. I don’t have a statistic for that, but just look around and you can see it for yourself. While this pandemic will pass and many of you will go back to work in an office in the hopefully near future, the need still exists for options in your enterprise software solutions.