Data privacy has been front page news in the wake of massive data breaches and a growing number of organizations are looking to their legal counsel to help them understand the intricacies and legal issues associated with data privacy – and effectively minimize risks. Join host Charles Volkert, executive director of Robert Half Legal, and leading experts, Frank Serge and Sunny Sanghani, as they discuss what law firms and legal departments are doing to minimize risk as it relates to social media, cloud computing and data privacy.
Robert Half Legal Report: eDiscovery Management, Part 2: Minimizing Social Media, Cloud Computing and Data Privacy Risks – 6/23/2015
Advertiser: Welcome to the Robert Half Legal Report, where we discuss current issues impacting the legal profession relating to hiring, staff management, and more. With leading experts in the field, Robert Half Legal provides lawyers, paralegals and support staff, to law firms and corporate legal departments on a project in full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.
Charles Volkert: Hello everyone and welcome. I’m Charles Volkert, executive director of Robert Half Legal, and the host of our program. In our last episode, we had a great discussion on what counsel can do for their legal teams for success when managing a request for ediscovery. Today in part 2 of our discussion, we’ll address what law firms and legal departments are doing to minimize risk as it relates to social media, cloud computing, and data privacy. Returning to our program are Frank Serge and Sunny Sanghani. Frank Serge is vice president for Robert Half Legal’s consulting solution and ediscovery Practice, where he provides consultation and support to law firms and corporate legal departments to create operational efficiencies, mitigate risks, reduce costs, and design customized ediscovery solutions. He serves as a business partner to multiple Fortune 1000 companies and AmLaw firms throughout Chicago, North America, as well as internationally. Sunny Sanghani is an associate director for Robert Half Legal’s consulting solutions in ediscovery practices. He provides investigative support and managed solutions to clients in the areas of documentation gathering and review, evidence and electronic discovery management. Welcome back to the show, Frank and Sunny.
Frank Serge: Thank you, Chad.
Sunny Sanghani: Thanks for having us back, Chad.
Charles Volkert: Data privacy has been front page news in the wake up massive data breaches during the past several months. And a growing number of organizations are looking to their legal counsel to help them understand the intrinsics and risks associated with data privacy and effectively minimize risks. Frank, what are your thoughts on just the overall focus in and around this area?
Frank Serge: Due to the explosion in data through traditional and new forms of media combined with the ever-evolving regulatory landscape, privacy and data protection are fast-growing areas in the legal profession. The estimated annual cost to the global economy from cybercrime now exceeds $400 billion. According to a report from the Center for Strategic and International Studies in Mcafee. Also, cyber security should be a top priority for law firms of all sizes, especially in light of recent high profile breaches. Law firms in particular are prime targets for criminals. Also, the American Bar Association House of Delegates also is encouraging both private and public sector organizations to deploy robust cyber security programs. And in a recent conference that I attended, many, many internal counsel have this as a number one priority on their list to tackle in 2015.
Charles Volkert: Very interesting insights, Frank. So with that in mind, Sunny, what do law firms and their corporate clients need to be aware of as it relates to cyber security?
Sunny Sanghani: Firms need to be making sure that they’re hiring the right professionals with the IT risks piece in mind. Cyber security is on the rise and these attacks are becoming increasingly more sophisticated and destructive. The firm’s confidential data and reputation is on stake here, and IT and legal need to work together to ensure that their network defenses are keeping up to pace with these mountain threats. For example, personally identifiable information may be sitting on a machine or server outside of the security parameters that IT has set. And this could be done just to facilitate a business reason for recording purposes. The tools that enable legal professionals to work more effectively, such as Cloud computing mobile devices, are also making law firms more vulnerable to data breaches. While law firms are updating these outdated systems to be more efficient, they’re also strategically hiring data privacy officers and other specialists with strong backgrounds in document retention, security and records management to safeguard the confidential information. By employing specialized professionals and experts, you can have a layered approach in protecting both your paper and digital information, including putting in management controls, restricted access and security software. Alongside regular audits to ensure proper security procedures are being followed.
Charles Volkert: That’s great information, Sunny, and maybe let me ask a followup question. Where should the defense against cybercrime start?
Sunny Sanghani: Defense against cyber crime should start at the top. The law firm’s management including senior partners and administrators need to work closely with their IT counterparts and manage the organization’s cyber security efforts on an ongoing basis. They need to allocate sufficient resources to ensure effective protection against those risks. A single data breach can be very costly, and while there’s no way to prevent 100% of attacks, you want to make sure you have something in place so you can respond in lightning speed.
Charles Volkert: Excellent direction you provided there, Sunny, for our audience. Frank, anything to add on this piece of the discussion?
Frank Serge: Yeah, only that every time I sit down with associate general counsel or general counsel, this is one of the key points of their discussion with me. How can they better be prepared for an incident, and then if one does occur, how can they respond.
Charles Volkert: So that’s a good segway, Frank, into talking about how ediscovery is being affected by social media and Cloud computing. What trends are you seeing and how are these trends impacting companies as they view ediscovery and cybersecurity?
Frank Serge: Cloud services and social networking are influencing how ediscovery’s managed. But consider the rapidly expanding usage of Cloud services and social network sites. Gartner predicts that the global Cloud-based security services will be a $3.1 billion service in 2015. Companies recognize that it’s not sufficient to just passively delegate management of ESI in the event that they’re hit with an ediscovery request. What that stems from, an internal investigation or civil or criminal litigation. Many are becoming increasingly aware of the need to take additional action to manage the ediscovery issues, their obligations, risks and liabilities resulting from data stored in the Cloud and their employees and clients, online conduct on social media sites. This is particularly true as data is increasingly being transferred across borders, thus implicating various types of data privacy obligations.
Charles Volkert: Very interesting, Frank. So Sunny, what are the potential issues that come with Cloud computing?
Sunny Sanghani: So some firms and companies don’t even realize that turning to Cloud solutions for data storage can complicate potential requests for ESI. The fact is that the information in the Cloud is constantly changing. Metadata can be lost or altered during information transfers or retrievals, making it difficult to accurately preserve and produce. A good example is how data gets replicated between, say your cell phone and your laptop, leaving a trail of messages not only on your phone but on your hard drive. And that has become actually a big eye opener for law firms as we’ve been helping due collection preservation activities for them. Data stored in the Cloud also raises the issue of ownership. While many companies may own their data, it doesn’t necessarily control how the external Cloud systems operate. And many users and Cloud providers have not considered a plan to meet ediscovery requirements relating to that data. While the legal standard or duty is fairly broad, and practice is much less clear and requires significant effort to craft and memorialize obligations and responsibilities. These circumstances certainly don’t mean that organizations should dismiss outright any consideration for utilizing Cloud services, though. It does mean that they should enter contracts and service agreements with Cloud providers, proactively addressing issues around preserving, segregating where possible, and collecting electronic data. Increasingly, legal professionals and in-house legal teams are working closely with their IT parties and third party vendors to avoid glitches when software is upgraded or replaced. If legal organizations employ Cloud services, it’s critical that they thoroughly understand not only where they own Cloud information and where their clients are, but also the capabilities of their service providers of the data needs to be accessed.
Charles Volkert: Thanks, Sunny. Based on your feedback and Frank’s, there is a lot to be worried about, a lot to be thinking about in and around this area, so all great information. Let’s take a quick break.
Advertiser: To find, hire, and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that could adapt to changing workload levels, realize significant cost savings, and improve the overall management of Human Resources. We offer a wide range of resources to assist hiring managers at job candidates; including our annual salary guide, industry leading workplace research, and valuable interactive tools. For more information, call us at (800) 870-8367, or visit RobertHalfLegal.com
Charles Volkert: Welcome back. I’m Chad Volkert and with us today are Sunny Sanghani and Frank Serge from Robert Half Legal’s Consulting Solutions and Ediscovery Practice. Frank, let’s start with you and let’s talk about social media. What I would consider closely related and arguably a subset of Cloud computing. Frank, do you want to set the stage for us in this area?
Frank Serge: Sure. So use of social networks by law firms and their clients to attract customers and recruit talent has mushroomed in recent years. Specifically, if we look at Facebook, it has over 1.4 billion users. LinkedIn has just over 500 million users. Google, Instagram and Skype have right around 300 million and Twitter is just under 300 million. It’s important to note that as more of these companies and law firms leverage the power of social media to closely engage with customers, it opens itself to a public who can make comments that live onsite. In addition, individuals can create blogs and other sites that discuss a company without the company’s knowledge or control at all.
Charles Volkert: Sunny, anything additional that you would add to Frank’s great points in this area?
Sunny Sanghani: Yeah, taking it from the spin of trying to collect material from here, there’s always an issue relating to timing and permissions. What is publicly available and what is privately available. How to obtain a post or message that’s been shared with friends are only visible to the individual. Information might be locked on and often it’s very difficult to obtain and to substantiate. The discovery of social media information falls under the same rules of other forms of ediscovery. As discussed earlier, there’s an increasing likelihood that a firm’s employees are using social media sites at work for both business and personal reasons and unintentionally creating discoverable electronic information. This can become particularly troublesome for firm finds, it needs to access an employee’s social media account and then learns that the employee has deactivated the account. Even if the data can be retrieved from the social media vendor, the organization can possibly face a sanction due to its failure to preserve the data. Efforts to request or compel a production of electronic information from social media vendors have been extremely challenging, and some attorneys are either unaware of their obligations under the rules and related case law, or are slipping up when it comes to the preservation of information posted to these sites. For example, one lawyer agreed to a 5 year suspension of his license after advising his client to clean up his Facebook photos. It has become increasingly clear that if parties do not preserve social media information, they risk court sanctions.
Charles Volkert: And Frank, can you share a little bit about the case law in this area?
Frank Serge: Sure, as I was researching as I was going to be a part of another panel about a year ago, I looked into this pretty thoroughly and one of the things that I learned is that you can’t just necessarily go on a fishing expedition with regards to people’s social media accounts. You need to be very specific as to what is discoverable as far as being very, very direct in what you’re asking for. And also that courts seem to be appointing intermediaries to ensure that personal information won’t be turned over. So essentially, people are looking at the document to ensure that they may be relevant to a particular request from another side before turning over the entirety of a person’s social media account.
Charles Volkert: Well that’s great information from both you and Sunny. Before we wrap up, I’d like to ask each of you to share a few closing thoughts, and maybe we’ll start with you, Sunny.
Sunny Sanghani: I think probably a focus on what corporations and legal teams who are managing ediscovery successfully are doing, and that’s establishing preventive controls and acceptable use policies to reduce the exposure, but also allow employees to do their jobs.
Charles Volkert: Thanks, Sunny. Frank?
Frank Serge: Yeah, corporations are becoming more savvy in their outside span as well as with the protection of their sensitive data. With such a focus on data security and privacy, that is strictly endowed to their vendors and the outside counsel that they’ve worked with for many, many years. But in order to keep working with those corporations, both the vendors and the outside counsel are being subjected to the same data security standards as their corporate client utilizes internally.
Charles Volkert: Very interesting. Well, unfortunately that’s all the time that we have today, but I’d like to thank Frank Serge and Sunny Sanghani for joining us. Before we close, can you both provide your contact information in case our audience would like to follow up with you directly and maybe Frank, I’ll throw it over to you first.
Frank Serge: Sure, thank you Chad. I can be contacted at [email protected]
Charles Volkert: A
Sunny Sanghani: Thanks, Chad. [email protected]
Charles Volkert: And our listeners can reach me at [email protected]. You can also visit RobertHalfLegal.com to learn more about our ediscovery and consulting solutions, and also to subscribe to our legal blog for weekly updates on ediscovery, the legal job market, and other important industry developments. Thanks for listening today, and join us next time on the Robert Half Legal Report.
Advertiser: The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Thanks for listening to this podcast. Robert Half Legal connects the most highly skilled candidates with the best positions in the legal profession. join us again for the latest information in the latest edition of the Robert Half Legal Report, here on the Legal Talk Network.
[End of Transcript]