EU GDPR eDiscovery — Top Ten Tips for Litigators

by Robert Brownstone and Tyler Newby 
(with thanks to Shannon Turner and Sandra Pomeroy)

NOT LEGAL ADVICE.  This non-exhaustive Letterman-style list is to help you spot the GDPR’s potential impacts on data collection and production in litigation involving EU persons

Continue Reading EU GDPR eDiscovery — Top Ten Tips for Litigators

 Heartbleed — The “Data Map” Lesson — Intro

The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot.   To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the “To Learn More” section at the end of this post.    Note, though, that one key lesson is much more of a common-sense, communication and organizational one.  Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “ data map” of the who/what/when/why/where of its electronically stored information (ESI).


  Where’s Your Organization’s Data?

In the 1960’s, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?”   In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI).  No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations.   So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.

A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists.   There should be a row for each key repository, e.g., each:

  • Database
  • Website
  • Cloud environment

And the columns (some of which would entail YES/NO) could include:

  • System Name
  • Content Type
  • In-House or Cloud
  • Owner Name (point of contact)
  • Owner Contact Info.
  • Encrypted at Rest
  • Encrypted in Transit
  • Retention/Deletion Rule(s)
  • Back-up Schedules
  • DR/BC Status (Disaster-Recovery/Business-Continuity)

For Cloud-stored data, additional columns could be:

  • Segregation from Others’ Data
  • Notice-of-Breach Duty Shifted

Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data.  Several categories of information thus warrant special in-the-trenches attention once their locations have been idenitfied:

  • Personally identiable information (PII)
  • Protected health information (PHI)
  • Payment card industry information (PCI)

Now, it’s time to begin charting . . . and to start mapping . . .


  

To Learn More

 

Some resources as to ESI data-mapping:

—  Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)

—  Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me 🙂 ]

—  Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)

                                        And even more as to “Heartbleed”:

—  Codenomicon, The Heartbleed Bug (last visited 5/6/14)

—  Qualys, SSL Server Test (last visited 5/6/14)

—  Valsorda, Heartbleed test (last visited 5/6/14)

—  Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)

—  Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)

—  Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)

—  Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)

—  Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)

—  Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)

—  Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)

—  Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)

—  Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)

—  Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?  Sidney Morning Herald (4/11/14)

This 214-page document, “Handbook on European data protection law,” looks incredibly comprehensive.  It ends with 13 pages of citations to European case law on various issues.

The resource was “jointly prepared by the European Union Agency for Fundamental Rights and the Council of Europe together with the Registry of the European Court of Human Rights.”

Note also that, since 2012, the Euriopean Union has been working on major proposed amendments to the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995″.   A revised EU Directive was “adopted” in January 2012, and ostensibly implementation in 2015 is still the goal.  See this home page for the EU Directive amendments.

For some pertinent developments last fall, including backlash from Edward Snowden’s NSA revelations,  see:

To learn about the inherent conflicts between: on the one hand, U.S. discovery rules/scope; and, ont the other hand, data-privacy laws promulgated by the EU Parliament as well as by various individual countries in the EU (e.g., France, Germany, Italy and the UK . . .  check out these resources:

And also these excellent compilations: