The best Predictive Coding and Technology-Assisted-Review (T-A-R) Library on the web is at:
Of course, if you can implement a more high tech eSignatures regime, do so.
For examples of available platforms, see the “Vendors” links in my eSignatures Bibliography.
In any event, here is a lower tech method . . .
In this colorful 6-minute Records Retention video, I provide an overview of how a well-organized Electronic Information Management (“EIM”) environment can help a company of any shape or size:
- improve efficiency;
- save money on storage;
- reduce risk; and
- prepare for litigation and eDiscovery.
Fenwick & West’s EIM Practice Group, which I lead, is now in its second decade. In at least 50 matters, my EIM teammates and I have provided practical and economical hybrid legal / IT / information-security advice.
Heartbleed — The “Data Map” Lesson — Intro
The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot. To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the “To Learn More” section at the end of this post. Note, though, that one key lesson is much more of a common-sense, communication and organizational one. Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “data map” of the who/what/when/why/where of its electronically stored information (ESI).
In the 1960’s, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?” In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI). No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations. So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.
A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists. There should be a row for each key repository, e.g., each:
- Cloud environment
And the columns (some of which would entail YES/NO) could include:
- System Name
- Content Type
- In-House or Cloud
- Owner Name (point of contact)
- Owner Contact Info.
- Encrypted at Rest
- Encrypted in Transit
- Retention/Deletion Rule(s)
- Back-up Schedules
- DR/BC Status (Disaster-Recovery/Business-Continuity)
For Cloud-stored data, additional columns could be:
- Segregation from Others’ Data
- Notice-of-Breach Duty Shifted
Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data. Several categories of information thus warrant special in-the-trenches attention once their locations have been identified:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Payment card industry information (PCI)
Now, it’s time to begin charting . . . and to start mapping . . .
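A minimal audit of such a spreadsheet, as an added example that is not from the original post. It assumes the data map is exported to CSV with the column names listed above and that the Content Type cell holds semicolon-separated tags such as PII;PHI; both conventions, and all sample rows, are constructed for illustration.

```python
import csv
import io

# Column names follow the spreadsheet layout suggested in the post.
CORE = ["System Name", "Content Type", "In-House or Cloud", "Owner Name",
        "Owner Contact Info.", "Encrypted at Rest", "Encrypted in Transit",
        "Retention/Deletion Rule(s)", "Back-up Schedules", "DR/BC Status"]
CLOUD_ONLY = ["Segregation from Others' Data", "Notice-of-Breach Duty Shifted"]
YES_NO = ["Encrypted at Rest", "Encrypted in Transit"] + CLOUD_ONLY
SENSITIVE = {"PII", "PHI", "PCI"}  # categories the post singles out

# Constructed sample data map (not real systems or owners).
SAMPLE_MAP = """\
System Name,Content Type,In-House or Cloud,Owner Name,Owner Contact Info.,Encrypted at Rest,Encrypted in Transit,Retention/Deletion Rule(s),Back-up Schedules,DR/BC Status,Segregation from Others' Data,Notice-of-Breach Duty Shifted
HR database,PII;PHI,In-House,A. Owner,hr-owner@example.com,NO,YES,7 years,Nightly,Tested 2014,,
File share,Contracts,In-House,B. Owner,fs-owner@example.com,NO,NO,3 years,Weekly,Untested,,
Cloud CRM,PII,Cloud,,,YES,YES,Per contract,Vendor-managed,Vendor-managed,,unknown
Payment gateway,PCI,Cloud,C. Owner,pay-owner@example.com,YES,YES,18 months,Daily,Tested 2014,YES,NO
"""


def audit_data_map(csv_text):
    """Return sorted (system, finding) pairs for gaps in a data-map CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing_cols = [c for c in CORE + CLOUD_ONLY if c not in header]
    if missing_cols:
        raise ValueError("data map lacks columns: " + ", ".join(missing_cols))

    findings = []
    for line_no, row in enumerate(reader, start=2):
        # Short rows yield None values; overlong rows add a None key.
        cell = {k: (v or "").strip() for k, v in row.items() if k is not None}
        name = cell["System Name"] or "<row %d>" % line_no
        is_cloud = cell["In-House or Cloud"].lower() == "cloud"

        # Every core column must be filled in; cloud rows need the extras too.
        for col in CORE + (CLOUD_ONLY if is_cloud else []):
            if not cell[col]:
                findings.append((name, "blank: " + col))

        # A YES/NO column holding anything else is an unanswered question.
        for col in YES_NO:
            if cell[col] and cell[col].upper() not in ("YES", "NO"):
                findings.append((name, "not YES/NO: " + col))

        # PII/PHI/PCI repositories get the strictest check: both encryption
        # columns must be an explicit YES.
        tags = {t.strip().upper() for t in cell["Content Type"].split(";")}
        held = sorted(tags & SENSITIVE)
        if held:
            for col in ("Encrypted at Rest", "Encrypted in Transit"):
                if cell[col].upper() != "YES":
                    findings.append(
                        (name, "%s held but %s is not YES" % ("/".join(held), col)))
    return sorted(findings)


if __name__ == "__main__":
    for system, finding in audit_data_map(SAMPLE_MAP):
        print("%-16s %s" % (system, finding))
```

Rerunning a check like this whenever the map changes keeps the "up-to-date" part of the advice honest: a repository with no named owner or an unanswered encryption column shows up as a finding rather than as a silent blank cell.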
To Learn More
Some resources as to ESI data-mapping:
— Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)
— Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me 🙂 ]
— Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)
And even more as to “Heartbleed”:
— Codenomicon, The Heartbleed Bug (last visited 5/6/14)
— Qualys, SSL Server Test (last visited 5/6/14)
— Valsorda, Heartbleed test (last visited 5/6/14)
— Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)
— Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)
— Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)
— Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)
— Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)
— Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)
— Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)
— Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)
— Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)
— Timson, Who is Robin Seggelmann and did his Heartbleed break the internet? Sydney Morning Herald (4/11/14)
This 214-page document, “Handbook on European data protection law,” looks incredibly comprehensive. It ends with 13 pages of citations to European case law on various issues.
The resource was “jointly prepared by the European Union Agency for Fundamental Rights and the Council of Europe together with the Registry of the European Court of Human Rights.”
Note also that, since 2012, the European Union has been working on major proposed amendments to the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995”. A revised EU Directive was “adopted” in January 2012, and ostensibly implementation in 2015 is still the goal. See this home page for the EU Directive amendments.
For some pertinent developments last fall, including backlash from Edward Snowden’s NSA revelations, see:
EU Parliament Q&A, European Parliament/News (“E P/N”) (10/22/13)
Civil Liberties MEPs pave the way for stronger data protection in the EU, E P/N (10/21/13)
MEPs tighten up draft data privacy rules after Snowden revelations, Guardian (10/22/13)
To learn about the inherent conflicts between: on the one hand, U.S. discovery rules/scope; and, on the other hand, data-privacy laws promulgated by the EU Parliament as well as by various individual countries in the EU (e.g., France, Germany, Italy and the UK) . . . check out these resources:
- “Cross-Border/International” slide deck (5/18/12)
- Blackstone eDiscovery video of “eDiscovery 3.0” panel discussion (10/24/12)
And also these excellent compilations:
When we all return to work from Thanksgivukkah weekend, Federal Rule of Civil Procedure (FRCP) 45, governing non-party subpoenas, will have changed, effective December 1, 2013. To review the new content, follow one or both of these links:
- Redline version of amendments to Rule 45 (new material underlined; deleted material lined out)
- Clean version of new Rule 45 (eff. 12/1/13) (submitted by the U.S. Sup. Ct. to Congress 4/16/13)
A set of accompanying changes will also have been made to FRCP 37(b)(1), as reflected at these other links:
- Redline version of amendment to Rule 37(b)(1)-(2) (new material underlined)
- Clean version of new Rule 37(b)(1) (eff. 12/1/13) (and the new heading for Rule 37(b)(2))
- Rest of Rule 37 (that remains unchanged; still reflecting old subsection (b)(1) as of 11/27/13)
And, the all important Advisory Committee Notes can be accessed here:
- Rule 45 Advisory Committee Note (8 pages of thorough discussion)
- Rule 37 (b)(1) Advisory Committee Note (1 very short paragraph)
Overview of Several of the Key Changes
1. Issuance from Court Handling Underlying Case
- Now a subpoena not only can but “must be issued from the court where the action is pending.” (emphasis added)
- No longer must it issue from a court located in the geographical area for compliance.
2. Nationwide-Service and Compliance-Location Clarification
- Now “[a] subpoena may be served at any place within the United States,” even though the compliance location must be tethered to the recipient’s place of residence, work or business.
- No longer does one ever need to refer to state law — as to, e.g., compliance location.
3. Forum for Subpoena-Related Motions/Disputes — a Change but With Some Flexibility
- Now, subpoena-related disputes will typically be resolved in the district court in the compliance location; however, there is a possibility of transfer of a pertinent motion to the issuing court.
- FRCP 45(d)(3) [formerly (c)(3)]
- FRCP 45(f) [NEW subsection]
- Advisory Committee Note to 45(f)
- “In some circumstances . . . transfer may be warranted in order to avoid disrupting the issuing court’s management of the underlying litigation, as when that court has already ruled on issues presented by the motion or the same issues are likely to arise in discovery in many districts[; t]ransfer is appropriate only if such interests outweigh the interests of the nonparty served with the subpoena in obtaining local resolution of the motion.”
- No longer does one have to bring such a motion before the issuing court; however, “the court where compliance is required . . . may transfer a motion . . . if the person subject to the subpoena consents or if the court finds exceptional circumstances.”
As to a range of eDiscovery issues related to non-party subpoenas, see:
— eDiscovery: Subpoenas and Non-Party Production Issues (lengthy slide deck from a webinar I did for Lorman Education Services 5/20/13)
As to the brand new FRCP changes (including ones not touched on in this post), see these excellent resources:
— Changes to [FRCP] 45 . . . Promise To Simplify Federal Subpoena Practice, by Christopher Tompkins & Ethan E. Kent, Jenner & Block (11/14/13)
— Rule 45 Third‐Party Subpoenas and Upcoming Amendments, by Jonathan E. Goldberg of SNR Denton and Darren A. Craig of Frost Brown Todd, Strafford Publications (7/11/13)
— Report of the Civil Rules Advisory Committee (6/6/11)
Despite many well-publicized gaffes in legal, political and business arenas, many folks do not properly electronically redact sensitive information before letting a document loose into the wild. Supposedly blacked-out or whited-out text can remain in a document. A mere overlay can be readily removed, uncovering the text one intended to hide. And secret content can still be text-searchable and thus also copy-able/paste-able.
This overview is meant to help you become — in the terminology of the old children’s show Romper Room — a “do-bee” and not a “don’t-bee”. If your interest gets piqued in redaction or in related “metadata” issues in our era of National Security Administration (NSA)/PRISM and Petraeus/Broadwell, sign up for an upcoming Lorman webinar (October 24, 2013) by the “Guru of Metadata” (yours truly). That presentation — chock full of live streaming demos — will be my 41st external metadata presentation over the past seven years.
The portion(s) of a document’s contents containing highly confidential and/or sensitive information of any sort is not meant to be exposed. Such concerns can arise in the political and diplomatic spheres. They can also be present in the corporate world where no loyal executive or staff member wants to disclose his or her company’s proprietary secrets.
In a lawsuit, depending on the context, there can be one to many substantive and/or procedural legal rules that forbid disclosure (yes; this is a “law” sentence; so I felt compelled to sprinkle in an “and/or”). Examples of categories that can be subject to a protective order include:
- an individual’s personally identifiable information, e.g., details of a financial, health, medical or insurance nature;
- a child’s or victim’s identity;
- trade secret information that could lose its value or protected nature if not properly handled;
- attorney work-product; and
- information covered by various privileges, such as:
  - the one often invoked in the Nixonian and Clintonian eras — “executive privilege.”
Since its enactment on December 1, 2007, Federal Rule of Civil Procedure 5.2 has, with certain enumerated exceptions, required the redaction of any “filing that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number.”
In the lawsuit context, on many an occasion a litigant’s counsel’s mishandled electronic redaction has exposed information on an adversary, co-defendant or other type of party. Examples include: the Federal Trade Commission that exposed information on Whole Foods; a federal court that exposed some of Facebook’s confidential numbers; the federal prosecutors in the BALCO/Bonds case; ATT’s counsel’s exposure of the NSA’s “secret room” information in a brief filed in a telecom case that ultimately included the NSA as a defendant; Plaintiffs’ counsel in an employment case against GE; and Zynga’s counsel in a lawsuit with Electronic Arts (EA). After a redaction snafu, it can be difficult to settle a case or have a cohesive relationship with the other side — or regain credibility with a judge.
Outside of the lawsuit realm, perhaps the most famous redaction gaffe of all occurred in December 2009, when the Transportation Security Administration (TSA) apparently used outdated software tools that did nothing to actually keep from exposure various Department of Homeland Security (DHS) parameters as to airport security screenings.
Panning out to the other threat of non-scrubbed metadata (such as improperly handled Tracked Changes), many powerful entities and individuals have been laid low. Among others, the metadata cobra has struck the UN Secretary General, the British Prime Minister’s Office (in the “Downing Street Memo”), the Republican Social Security Administration, the Democratic National Committee, the California Attorney General’s Office, the Motion Picture Association of America (MPAA) and SCO Group.
If you are as [sadistic] [curious] [educational] as I, then you will find links to all these tales in this Metadata slide deck (5/2/13) by me and well known eDiscovery attorney and blogger Perry Segal. Drum roll, please . . . .
In eDiscovery, make sure: you or your trusted tech person knows how to use the appropriate software and that, before you send data to the other side, some Quality Control (QC) has occurred, including as to the stipulated specs as to format(s) of exchange. As to day-to-day ad hoc redactions, consider these guidelines:
- Microsoft Word’s borders/shading
- Microsoft Word’s highlighter
- Adobe Acrobat’s Rectangle tool
- Adobe Acrobat’s Text Box tool
* [UNLESS YOU’RE GOING TO GO “LOW-TECH” BY PRINTING TO PAPER, SCANNING AND OCR’ING]:
As noted throughout this post, you can: sign up for the upcoming Lorman webinar (10/24/13) — full of live streaming demos and my 41st external Metadata presentation; and check out this Metadata slide deck (5/2/13). That deck also links to a Metadata Bibliography. Let’s “bee” careful out there . . . .
PS (3/3/14) — Check out this great how-to-redact click-capture-video
See this June 2012 Tutorial I found the other day.
Although this tutorial is geared toward Adobe Acrobat Professional X, it also reflects how to redact in Acrobat Pro XI.
Just a quick note to remind (?or first-mind?) everyone that this site’s Resources page is an ever-expanding universe.
Some highlights of recent additions and changes include:
- New/replacement Litigation-Holds slide deck — from a webinar I did for National Constitution Conferences (NCC) on 9/12/13
- Brand new eSignatures Bibliography posted on 9/11/13
- New/replacement Records-Retention slide deck from a webinar I did for NCC on 9/10/13
- Revised/updated Predictive Coding & T-A-R slide deck — as revised 5/11/13
Keep visiting ITLawToday’s Resources page and the rest of this site to stay up to date on the intersection of law and IT.
Over the past dozen years, having done almost 400 presentations (almost 500 including eDiscovery law school class sessions) within my firm and out in the world, I have learned a number of tricks of the trade.
Though generally I function paperlessly, a reality is that many an attendee still likes a hardcopy slides handout on which he/she can take notes. I do generate same and have them printed in color, double-sided.
More importantly, from a technical perspective, I’ve never been happy with Microsoft PowerPoint’s default Handout Creation modes, at least up through the 2007 version.
Even assuming one doesn’t put too much text on each slide, neither out-of-the-box approach is very satisfying. Either there are 3 slides to a page so the attendees can barely see the minuscule text. Or there are 2 slides to a page but no note lines.
So, many moons ago, my former assistant (she’s still a tech-savvy secretary here at Fenwick & West) Berta Lopez helped me come up with a better way. The end result, as coined by me, is . . . drum roll please . . . . “Display-One-Readable-Slide-And-Lines” (“DORSAL”) handout version.
Maybe Microsoft or a handshake-software programmer can come up with an automated approach to generate my favored version. Until that day, here’s a “how-to” if you or your assistant would like to give it a try:
- Open the .ppt version and from the Office button, choose “Create Handouts in Microsoft Office Word”:
- Then, in the ensuing window, choose “Blank lines below slides”:
- Click on OK or press the Enter key.
- Once it all goes into Word, save the file
- Then, for each slide/image, right click, then choose Format Object:
- Click on the Size tab
- In the Height field input 4.8 over the default height
- [You can copy the 4.8 for pasting into this field for each of the other slides/objects.]
- Then click on OK or press the Enter key.
- Repeat for each slide.
- Once you get through all the slides/images, save the file
- Then convert it to Acrobat (File . . . Print . . . . AdobePDF)
- In the .pdf version in Adobe Acrobat, click on the Pages tab (on the left).
- Via Ctrl+Click, select all the pages that have only blank lines (every other page).
- Right click on one of them and choose Delete Pages.
- Click OK as to each of the next two prompts.
- Save the file, which should now only have slides (one per page).
- Remove the Metadata.
- Save the file again.
Your attendees will thank you. . . .
The Just-Signed New Jersey Law
On Thursday August 29, New Jersey Governor Chris Christie signed revised legislation, namely A.B. 2878, which, among other restrictions, forbids employers to ask applicants or employees for their social-media or other online logins/passwords. A few months back, on May 6, Gov. Christie had conditionally vetoed a prior iteration of the bill, asking that it not rein in employers so much.
For example, the Governor sought — and ultimately obtained by an August 19 unanimous vote — amendments that would allow employers to conduct various types of investigations and not prohibit “an employer interviewing a candidate for a marketing job . . . from asking about the candidate’s use of social networking so as to gauge the candidate’s technological skills and media savvy.”
Similar Laws in Force in a Dozen Other States
New Jersey joins the following 12 other states that have enacted similar bans since May 2, 2012:
— Already in force:
Michigan; New Mexico; Utah; Vermont; and Washington
— Taking effect soon:
Controversy re: These Login/Password Bans
The wave of state legislation in this context is a privacy victory for employees, job seekers and/or students. But, from the management perspective, many have criticized the stricter of these laws as addressing a discrete (non-)issue with a blunt instrument approach. See, e.g., Molly DiBianca, Michigan Enacts Social-Media Privacy Law, Delaware Employment Law Blog (Dec. 30, 2012).
Others have noted that a greater priority should be a modernization of the federal Electronic Communications Privacy Act (“ECPA”). Behnam Dayanim, Employee Privacy Forces Legislation, Recorder (Aug. 8, 2012) (“these ‘bullet bills’ … represent a missed opportunity both to update the SCA to reflect today’s technology and to re-engage . . . over the broader policy questions.”) (LEXIS ID and password needed).
Indeed, the federal Stored Communications Act (SCA) — Title II of the ECPA — is sorely in need of an update, as its outdated provisions do not come close to addressing modern technology and 21st century methods of electronic communications. The SCA was passed in 1986 to try to address that new-fangled technology known as voicemail.
The only amendment to the SCA since its 1986 inception was via the USA PATRIOT Act, hastily passed just weeks after 9-11 to make it easier for prosecutors to obtain from Internet Service Providers the missives of potential terrorists. The SCA’s sister provision, the Wiretap Act — now Title I of the Electronic Communications Privacy Act (ECPA) — has barely been changed since way back in 1968, when wiretapping on phone calls was the primary concern.
Note, though, that the SCA has been interpreted many times by various federal courts to criminalize and provide civil damages for anyone who illicitly obtains an individual’s login credentials and then accesses a password-protected online environment. See Robert D. Brownstone, eWorkplace II White Paper (Apr. 3, 2012), at 19-20 (.pdf pp. 24-25).
But see also this brand new piece, Philip L. Gordon, New Jersey Court’s Decision Provides Roadmap For Access To Employees’ Restricted Social Media Content, Workplace Privacy Counsel (Aug. 27, 2013), which addresses a recent decision in a case whose prior opinion was discussed in Venkat Balasubramani, Accessing an Employee’s Facebook Posts by “Shoulder Surfing” a Coworker’s Page States Privacy Claim — Ehling v. Monmouth Ocean Hosp., Eric Goldman Blog (June 4, 2012).
As to a reboot of the ECPA for the 21st century, of course none of us — including our state legislators — can force Congress’ hand.
Congress Asleep at the Switch with SNOPA (why didn’t they call it “SNOOPA”?)
Two Dozen More State Bills Pending
Open Issue = “Shoulder-Surfing”
Banning forced disclosure of logins/passwords has been the thrust of the pertinent statutes so far. Thus, some of the enacted and pending bills have been silent as to the related practice of “shoulder-surfing” — namely, having an interviewee log into, e.g., her/his Facebook while the interviewer stands or sits behind the prospect so as to see all the private content to which the applicant is instructed to surf.
At first blush, conceptually shoulder-surfing seems quite similar to login/password access. But maybe there are differences, such as that the element of surprise might not allow an applicant the chance to “clean up” his or her social-media posts and friends/followers lists. And maybe, some ban exceptions should exist in certain public sector situations.
Apparently, cities and counties like to be able to try to sniff out whether prospective cops have relatives or friends who are gang members. On the other hand, government action intruding into individual privacy is a constitutional law concern for public agency employers.
As to the various sides and aspects of the shoulder-surfing issue, see generally: Bob Sullivan, Govt. Agencies, colleges demand applicants’ Facebook passwords, NBC News (Mar. 6, 2012). And the above-linked Gordon/Hwang piece sheds some light on which of the first 12 password bans ostensibly did and did not address in-person shoulder-surfing — and on some do’s and don’ts (mostly don’ts).