Doug Austin is the vice president of products and services for CloudNine. Doug has over 30 years of experience...
Sharon D. Nelson is president of the digital forensics, information technology, and cybersecurity firm Sensei Enterprises. In addition to...
John W. Simek is vice president of the digital forensics, information technology and cybersecurity firm Sensei Enterprises. He is...
The processes of eDiscovery and its regulation are constantly changing. The challenges that come with this continuous evolution require lawyers to be educated on best practices. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Doug Austin about the most prominent trends in eDiscovery. They talk about the new developments in data privacy laws from 2018 and discuss the most significant criminal and civil eDiscovery cases.
Doug Austin is the vice president of products and services for CloudNine.
Special thanks to our sponsor, PInow.
eDiscovery Major Developments in 2018 and a Look Ahead
Intro: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and which really happening in the trenches, not theory but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 99th Edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, cyber-security, and information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice-president of Sensei Enterprises. Today on Digital Detectives our topic is eDiscovery Major Developments in 2018 and a Look Ahead.
Sharon D. Nelson: Before, we get started I would like to thank our sponsor. We would like to thank PINOW.COM. If you need a private investigator you can trust visit pinow.com to learn more.
John W. Simek: Our guest today is Doug Austin. Doug is a Vice-president of Product and Services for CloudNine. He has over 30 years of experience providing legal technology consulting, technical project management and software development services to numerous commercial and government clients.
Doug is also the editor of the CloudNine’s sponsored eDiscovery Daily Blog which is a trusted resource of e-discovery news and analysis and has received a JD Supra Readers’ Choice Award as Top eDiscovery Author for 2017 and 2018.
We’re glad to have you with us again, Doug.
Doug Austin: Well! Thanks John and Sharon for having me. Wow! 99 Podcasts that’s a lot. I have got to hand it to you guys. I’m a big fan of your podcast theories and I’m a big fan of Sharon’s Ride the Lightning blog as well.
Sharon D. Nelson: Well, thank you very much and as you know we’re fans in return, but for those who don’t know please tell us a little about your e-discovery daily blog which is such a great source of information about both developments and e-discovery and in particular cases, I love how you cover all the cases that are significant and so tell us about the blog and its mission.
Doug Austin: Well! Thanks Sharon. Our blog is called eDiscovery Daily which I would like to say it’s ugly enough, it’s a daily blog about eDiscovery. It’s an educational blog and it’s being around nearly eight-and-half years now. It covers eDiscovery trends, best practices, and as you mentioned case law.
In fact, actually late last year we just covered our 500 cases all time so we are excited about that. We have got over 2000 lifetime posts that are still up on the site and the blog really is become a daily read for a lot of legal professionals. So, we’re very proud of that and I’m proud to be the editor and primary author for the blog.
John W. Simek: Well! Dougie you cover a lot trends on your blog, but going back to last year, the 2018, were there any notable trends that you want to tell our listeners about that stood out.
Doug Austin: Well John there were definitely a handful that I would call notable. One certainly is the transfer e-discovery to collection from other devices such as mobile devices, and even Internet of Things or IoT devices, that’s certainly become more prominent. You are seeing a lot more cases with IoT implications on the criminal side.
And you are definitely seeing mobile devices prevalent for just about any case these days civil or criminal. That’s certainly one notable trend that I have been seeing, but I guess if you were going to say that 2018 was a year of anything, I would have to say, it would be the year of data privacy.
For example last year we saw the General Data Protection Regulation or GDPR going into effect in Europe in May. Now, I think most people now know about GDPR though I am not sure that a lot of people have yet taken action to comply with GDPR despite the fact that the potential fines for failing to comply to huge, up to 4% of annual revenue or 20 million Euro whichever is greater.
And just because it’s a European regulation it doesn’t mean it doesn’t affect a lot of company here in the States. Even, if you are like a local whisky producer in Kentucky and you send 10 bottles to a client in France you are subject to the rules of GDPR. It’s estimated to effect far more than half of the US companies.
Now, we haven’t seen a significant GDPR fine yet, but with all the high profile data breezes that are in the news these days, I got to feel like it’s only a matter of time before we do.
Here in the States we also saw Privacy Law that was an enacted with the California Consumer Privacy Act of 2018, it was passed in June and is said to go into effect January of next year and like GDPR this law gives Californians much the same rights with their personal data, the Europeans give with GDPR. And once again if you do business with California consumers you’d be subject to this law, even if you are not located in California.
So most businesses are probably subject to at least one of these data privacy laws and according to Verizon’s annual data breach report from last year over two thirds of breached take months to discover. So there are probably already a number of companies that have GDPR and eventually California evaluations that probably don’t even know it yet.
As far as the year of data privacy goes we have also seen several cases that relate to privacy concerns in a battle between privacy and relevancy seems to be coming up more common, I am sure we will get to talk about at least a couple of those.
Sharon D. Nelson: Well I noted this morning Doug that the French Data Protection watchdog has fined Google $57 million under GDPR so that’s amazing.
Doug Austin: That’s breaking news and I haven’t seen that yet so, that’s — I am not surprised that the due was coming so I’d be very interested to read about that.
Sharon D. Nelson: Yeah we knew it was coming.
John W. Simek: I think also that to support your trends Doug we can confirm that we hardly ever see a computer in our forensics lab anymore, it’s all mobile device so you have right on track with that comment too.
Sharon D. Nelson: Absolutely.
Doug Austin: Yeah we have see a lot of them as well.
Sharon D. Nelson: So if you had to pick the most important eDiscovery case of 2018 which one would you pick and why?
Doug Austin: Well so I am going to hedge here a little bit because I would probably say there is a most important case each for civil and criminal litigation. In criminal litigation I would have to say it’s obviously Carpenter v. US. For those who don’t know this case involved a man and Timothy Carpenter who was arrested and convicted partially on the basis of cell-site location information that was obtained without a warrant. He was arrested for I believe robberies that were committed.
Carpenter appealed and the appeal went all the way to the US Supreme Court which rode on a very narrow 5-4 split. Chief Justice Roberts wrote the majority opinion which ruled that the government must obtain a warrant in order to access cell phone records and that the Fourth Amendment was designed to protect his personal rights.
Certainly I have think it’s obvious that this base of this case will have tremendous impact on how law enforcement conducts investigations that involve cellphone information which has become one of the most important sources of evidence in criminal cases for sure. So that’s to be another reason why 2018 was the year of data privacy.
On the civil side I would probably have to say it was Waymo v. Uber. This case was interesting. I know. Remember that one. That was fun.
John W. Simek: Yeah, it was.
Doug Austin: Yes and obviously one of the cool fun things about it was it involved claim to stolen technology related to drive Uber’s car so that’s obviously interesting right there, but what was interesting from a eDiscovery standpoint was that it involved Uber’s use of ephemeral messaging apps for communications. Uber used the app Wickr, which automatically deletes messages within a few minutes up to a day or two.
Waymo claimed that Uber was using Wickr to hide the ball with regards to discovery by using an app that didn’t retain the communications. However it eventually came to light that Waymo was also using their own ephemeral messaging app and some of their own communications, so Judge also didn’t ultimately significantly penalize Uber for their use of Wickr.
To me this case I think illustrates just how prevalent massaging apps have become in the workplace. If you remember Yogi Berra, Yogi was once asked by a reporter what he thought about a particular New York restaurant and he said nobody goes there anymore it’s too crowded.
So that’s Yogi for you, but let’s face it when you want to get a hold of colleague in a hurry many people don’t send an email anymore because we all get so many emails so they tend to get lost in the shuffle so when it comes to email and urgent communications nobody goes there anymore it’s too crowded. Now if you want to get a hold of someone and hurry it is so via text massage or some other massaging app.
And millennia these days seems to be much more comfortable talking with their phones than with their voices so massages I would say are replacing phone calls in a lot of cases.
So as you can imagine that obviously has discovery ramifications as nearly every case these days, involves evidence from text or other massaging apps which means that we just have to be more proactive in making sure they preserve, collect, process, review, and produce from these sources as well.
John W. Simek: Well I love the Yogi Berra thing Doug. I hadn’t heard that one before.
Sharon D. Nelson: No that was new to me too, I love that.
Doug Austin: It hadn’t been thrown out there.
John W. Simek: Yogi is always good for something. You talked about the most important eDiscovery case what about the case that attracted them the most attention and why would you say that?
Doug Austin: Well! I would say for obvious reason, I would still have to say that was Carpenter v. US as well and of course you can imagine once the Carpenter ruling came down, a lot of people who had been convicted based on cell-site location information that was obtained without a warrant they have gone, and they filed appeals to get the convictions thrown out.
However one of the things we’re finding is that at least in some instances those appeals have been denied because the courts found that the government accessed that information in good faith reliance on the federal statute and civil court precedent that applied at the time. We have actually covered two of those cases on our blog.
So I would Carpenter certainly attracted the most attention and certainly had the most impact, but it really looks like Carpenter’s effect will probably more on cases going forward not so much on previous convictions.
Sharon D. Nelson: Well every year we usually get one really juicy, sexy sanctions case that everybody is talking about. Did we have any in 2018 Doug?
Doug Austin: We certainly didn’t have the any I would call great, but we certainly had a couple of fun ones, so I’ll give you a couple of those.
Sharon D. Nelson: Okay!
John W. Simek: As you were getting sanctioned, right?
Doug Austin: Yeah! That’s right, yeah! Thankfully no involvement by us. One fun one was Nunes v. Rushton where the defendant infringed the plaintiff’s copyright and her novel by copying protected elements of her book. She also created a number of sock puppet accounts on Google and Yahoo! to post positive reviews of her book and negative reviews of the plaintiff’s book. Honestly, I did not even know if that, take social media accounts were known as sock puppet accounts until I read this case, so I learned something.
After the plaintiff discovered the defendant’s identity, the defendant deleted most of her sock puppet accounts, but not before using them to criticize efforts to investigate her infringing novel.
Ultimately after the case was filed when the plaintiff made a discovery request for those accounts, the defendant deleted one of her remaining Google sock puppet accounts which led to an adverse inference sanction regarding the bad faith deletion of that account? So that was kind of an interesting fun case that I guess talks a little bit about what people do through and try pump themselves up in social media.
Sharon D. Nelson: True! And the price they pay.
Doug Austin: And a price they pay for not doing it legitimately. So, another case we covered this year was Lee v. Trees where the plaintiff whose name was Sarah Lee, I kid you not, she sued her former employer for wrongful termination. The defendant requested that she provide her supporting materials in electronic form, in the native format, but she only produced print copies and she only produced one of her four or five cell phones. Now I do not know who needs four-five cell phones, but I guess, it just goes to show that nobody doesn’t like Sara Lee.
Sharon D. Nelson: Oh! Oh! Bad, bad.
Doug Austin: Every time I talk about that case, I cannot resist that pun.
John W. Simek: All our listeners, they are going to be googling why it so funny?
Doug Austin: Yeah! Any way forensic examination of the one phone that was produced, found at least 44 text messages actually resided in the phone’s unsent folder and more interspersed with fragments of actual text conversations.
So, obviously that’s what happened when it was printed and why the native data can belie what’s produced in print. As a result the judge in that case granted the defendant’s motion for terminating sanctions and dismissed the plaintiff’s claims of prejudice. So, that was a fun learning experienced too.
John W. Simek: Before we moved to our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on Legal Talk Network. Today our topic is eDiscovery Major Developments in 2018 and a Look Ahead. Our guest today is Doug Austin. Doug is the Vice-president of products and services for CloudNine and as you now know we are huge fans of his blog.
So Doug how about technology assisted review? Any interesting developments in TAR in 2018?
Doug Austin: Well! Sharon, there have been so many cases approving the use of TAR that at this point we are really not seeing any disputes anymore and whether TAR’s approved for use in litigation. Instead what we are really seeing are cases that involve the execution of TAR, how well or poorly it was done or may be should be done.
So, in 2018 you could say it was the best of TAR, it was the worst of TAR or at least not a very good TAR result. Certainly the best of TAR was the detailed search and validation protocol that was crafted by special master also noted TAR expert Maura Grossman and the Broiler Chicken Antitrust Litigation and that was that protocol set expectations with regard to how search methods could be conducted or should be conducted whether they were keyword search or TAR/CAL (Continuous Active Learning).
The protocol also addressed the document review validation protocol that involved specification for QC sampling which was excellent. So that’s a guide and protocol that really anybody could reference in their own TAR case. So, I think that was a real good example of the best of TAR. The not so good TAR case was another NDL involving class action against the airlines which was the Domestic Airline Travel Antitrust Litigation.
In that case the plaintiffs filed a motion requesting an extension of 6 months because they said there was an issue with United Airlines core document production. Using TAR United produced more than three-and-half million documents to them. But after sampling the production, the plaintiffs determined that only 600,000 or 17% of the documents are actually responsive.
United actually subsequently agreed with that assessment when they did their own testing. The airlines opposed to plaintiff’s request for an extension though and they tried to claim that the review wouldn’t take that long based on their assessment a review rate of three documents per minute which not surprisingly the plaintiffs called preposterous.
Three documents per minute I have yet to see anybody even approach two documents per minute more like one and change if that so needless to say ultimately the judge granted the plaintiffs’ motion. So, to me this case really illustrates how important the human factor is the TAR process. Your TAR result is only as good as process that goes with it. If that’s bad your TAR result will be bad as well, regardless how good the technology is.
Sharon D. Nelson: That’s a very good way putting it.
John W. Simek: The same kind of analogy is garbage in garbage out, right?
Doug Austin: Exactly, exactly. The technology is the only one component in the solution there.
John W. Simek: If there a mistake, you just make the mistake faster and more often.
Doug Austin: Right, good point.
John W. Simek: Well! Doug what are some of the biggest eDiscovery challenges that you think lawyers are facing today?
Doug Austin: Well, again I certainly already discussed, touched on discovery from various sources like mobile devices and IoT devices and really those increasing sources of discoverable data has made that the discovery process more complex. As you both I’m sure know that Federal Rules of 2015 addressed proportionality and we are really starting to see a lot of cases limit discovery in terms of data volume.
But the sources from which that data may be obtained are multiplying so the proportionality challenge while becoming less deep is now getting wider, so really I would say the challenges for attorneys with regard to that are changing from data volume to more dealing with a variety of data sources and how to address them affectively.
But to me I think the biggest challenge facing lawyers today is pre-litigation. With the data privacy considerations that we have already discussed and you got growing issues like me to and the workplace it’s becoming more important than ever to understand your organization’s data before even it gets to the litigation stage.
Organizations are really going to have to start to become more proactive in looking for issues and addressing them before they develop into litigation. So that means a growing emphasis on compliance and investigations, the ability to look for personally identifiable information or PII, the ability to look for personal health information or PHI and for ability to find out the personal information as well as to find the indications of harassment in the workplace
I’m a big advocate of information governance policies and organization data maps and things like that, but they only tell you which barn your haystack is located in, not necessarily where the needle is within that haystack. So with the growing challenge of big data it’s going to take technology I think to get us to a point where we can be proactive to find the necessary data quickly and address those issues. I guess you could say technology got us into this mess and it’s going to have get us out of this mess.
Sharon D. Nelson: I think you can say that with the reference to a lot of topics.
Doug Austin: That’s true.
Sharon D. Nelson: You have identified Doug a lot of challenges. How do you think lawyers are progressing in terms of getting the education to address those challenges?
Doug Austin: Well we are seeing some positive in them in requiring the lawyers to understand the technology. I think we are up to like 34 states now. It has some sort of technology competence rule or guidance 34-35 I believe last count. I think Louisiana was requiring it was the most recent one I have seen and we are up to at least two states now the North Carolina that actually require portion of their CLE requirement to be technology based CLE. I think there was a third one that was working on it last year but I have not seen if that become official yet.
So we are seeing some progress. Still not a lot of teaching about electronic discovery in those law schools from what I hear unfortunately and we still have long way to go not to mention it’s a losing target I mean as all the technology continues to change in advance that continues to change in advance where we just have to know and we still feel lawyers making the most fundamental errors like the man with forward action plug that you just covered on your blog Sharon.
So it’s really to me imperative these days to at least have the rudimentary understanding of the technology and partner with someone who has an advanced understanding of technology if they are going to be able to provide confident representation for their clients. The cost is just to great for doing that as I think we have seen in a number of cases recently.
John W. Simek: Doug you alluded to IoT devices earlier in criminal litigation, how are these millions and billions of IoT devices impacted discovery in those cases?
Doug Austin: Well, we certainly as I have already mentioned you are seeing those devices becoming more common in criminal litigation cases. I will give you A handful of examples. A lot of people may have heard about the murdered case in New Hampshire where a judge recently requested that Amazon handover audio recordings from an Echo device that was present in the house where two women were found dead.
We just covered a case pretty recently on the blog, it involved the murder of a woman in San Jose where her Fitbit recorded a rapid rise in her heart before dropped out to nothing which gave the police a clear timeframe of her death. The timeframe happen to coincide from her stepfather that was captured on surveillance cameras many of which these days are all also IoT devices and he was arrested.
There was another Fitbit case actually that was covered on 48 Hours last year where victim’s boyfriend was cleared because his Fitbit showed he was sleeping when she was killed. There is also other cases I have heard of you have these car infotainment systems where they track so much GPS indications which stores have been open and closed.
I heard about a case where apparently one person with in the area of the home invasion and they claimed he was there alone but when they looked at the data from his car infotainment system they saw all the doors have been opened and closed except for the driver side door an hour or so before and then right there by the home invasion scene.
So it’s just amazing the type of data that’s available these days to provide evidence in these cases. So we are seeing their use more in criminal cases. We are not really seeing so much of their use in civil cases yet, but I expect that will probably eventually change.
The problem and the challenges that almost none of these devices make it easy to get the data out so that’s really going to only add to the discovery challenges that we’re spaced today.
Sharon D. Nelson: Well, those stories, any of the IoT stories are just so popular on the lecture circuit. I save every last one of them in a folder, just because people love to hear what their devices can tell about them and the actual application of IoT because most of us never thought when we started hooking all of these things up to the internet we never thought of the extent of the privacy implications or how much these things are going to testify potentially for or against us.
John W. Simek: Yeah one of these days we going to have to sit down over a beer with Doug and tell all about IoT family law cases.
Doug Austin: Oh yeah I would love that, that would be a lot fun.
Sharon D. Nelson: That would require a pitcher.
Doug Austin: Even better.
Sharon D. Nelson: Even better. So Doug let us go from talking about all of these cases now to looking in 2019, so what you see in your Crystal Ball for that year and beyond?
Doug Austin: So I have already talked about the challenges of cyber security, data privacy and #Me Too. So if I were really going to pick an emerging trend that I think is going for to be far reaching I really expect that the focus for litigation technology is really going to push further and further left on the EDR model towards the information governance stage.
I think there is a lot organizations that really don’t have a lot of litigation that requires any sophisticated technological solutions to manage. But pretty much every organization has data privacy and they have workplace behavior considerations to worry about.
So to me I think the market for technologies that help address the growing compliance and investigation challenges that organizations face today, I feel like that market is actually going to eventually dwarf the market for the discovery technology that we see today.
I just think that the need is going to be universal. It’s going to be significant and organizations are really going to be compelled with all the drivers that are forcing them to really figure out a way to use the technology to get a better understanding of their organizations’ data. So, to me, if there is a new frontier in this space, I would say that’s got be here.
Sharon D. Nelson: Well that’s a pretty good prediction and on that note I will stop and thank you for being our guest again today. It was a pleasure to have you back. We do really, really, really enjoy your blog. It’s one of the few that I actually look at every single day. And I know since I do it, I want to you to rate a commendable blog post and get it right or try to so it’s just been such a pleasure to have you Doug, please come back and be with us again.
Doug Austin: My pleasure Sharon and John. I would say likewise with your blog and I will wait with bated breath to find out who your hundredth podcast guest will be I am looking forward to that.
Sharon D. Nelson: Okay! We don’t yet either.
Doug Austin: Okay! Very good.
Sharon D. Nelson: But would like to know.
John W. Simek: Well that does it for this edition of Digital Detectives and remember you can subscribe to all of the editions of this podcast at leagaltalknetwork.com or an Apple podcast. And if you enjoyed our podcast please rate us on Apple podcast.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and cyber security services at senseient.com. We will see you next on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.
Gail Gottehrer explores the scope of the Internet of Things and gives an understanding of the privacy, security, and legal issues associated with IoT...
Sharon Nelson and John Simek help give guidance for lawyers with cybersecurity paralysis, and have a discussion on how to improve security based on...
Darius Davenport discusses how he helps his clients deal with cybersecurity concerns and privacy matters.
Joe Meadows has a discussion with John Simek and Sharon Nelson about internet defamation.
Brett Burney talks about what lawyers need to know about digital forensics on mobile devices.
Sherri Davidoff talks about her career as a penetration tester and what she has developed with the companies in the area of cybersecurity.