Emerging Technology and the Law Blog
Does GDPR Apply in the US? Yes. GDPR (European Union General Data Protection Regulation) is a comprehensive new law protecting the data privacy of EU citizens. GDPR takes effect on May 25, 2018. It consists of 99 articles and will have a sweeping impact on U.S. enterprises. It requires that all personal data be handled according to the GDPR Data Protection Principles. These include the famous “right to be forgotten,” as well as transparency, data portability, breach notification, information security, etc. If you have a public-facing website that collects user data and operates in EU countries, it is not too late to get advice. Watch this space as we roll out solutions for enterprises that are not ready.
The GDPR protects “personal data” of EU citizens. So, if you are only doing business outside the European Union then you don’t have to consider it at all, right? Think again. What about any business with a website?
In December 2015, the electronic discovery provisions of the Federal Rules of Civil Procedure (FRCP) were amended to substantially expand the Safe Harbor against sanctions for destruction of electronic data. In my November 2015 white paper, C-Level Guide to Covering Your Information Governance Assets, I predicted that the amended rules signaled a pivot away from one of the main sources of eDiscovery uncertainty – the inconsistent imposition of severe sanctions for the loss of electronically stored information (ESI) relevant to dispute resolution. The prediction holds. The prior Safe Harbor under the 2006 FRCP provided modest protections against sanctions where ESI …
While many of the high-level principles of Information Governance (IG) and the technologies supporting their implementation are almost universally applicable, each industry sector presents different challenges – a one-size solution does not fit all. For example, unregulated privately held technology start-ups that are experiencing rapid growth may not have any retention / destruction policies in place; they will expand their IT storage until they crash into a big event, such as litigation, an IPO, or a merger. At that point they might require a top-to-bottom reconstruction – akin to an emergency room visit after a car crash. Other organizations …
A document retention policy is in reality a document destruction policy. Therefore, a key reason for an organization to adopt a document retention policy is to establish a program for the deletion/destruction of information that is not required for business, regulatory and other needs. This reality is made necessary by the fact that digital information is growing at an unprecedented rate and that much of it is contained in “unstructured” storage such as email, SharePoint and shared network drives. Data hoarding not only increases direct information technology costs but it presents other substantial risks and costs to an organization ranging …
Every gambler knows
That the secret to survivin’
Is knowin’ what to throw away
And knowin’ what to keep
‘Cause every hand’s a winner
And every hand’s a loser
And the best that you can hope for is to die
In your sleep
The Gambler lyrics © Sony/ATV Music Publishing LLC

Some of the more frequent questions asked of eDiscovery attorneys when teaming with IT professionals on archiving and other retention policy projects relate to the timing, scope and especially the release of legal holds. Misconceptions about “Legal Hold” abound, many of them (unfortunately) coming from litigation attorneys stuck in …
In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance. It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious. Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection. But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems have become ever more fraught with risk. Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel. While Coca-Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …
Gartner defines Information Governance as an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to reach its goals. One of the core requirements of a legally defensible Information Governance program is a reasonable and consistently applied records & information management (RIM) system. Accountability and defensibility hinge on the ability of an organization to govern its information in all formats and on all media, and to ensure or prove that it is compliant with all legal requirements. Building an information governance framework is by necessity a cross-disciplinary effort. In a world where virtually all information is created in digital form, IT departments are commonly given the lead. However, even the most advanced and elegant technical solutions must be guided by at least two other disciplines: legal, and records management. Especially in the wake of hacking scandals like Sony Pictures, the importance of Information Governance is increasingly recognized as a board level and C-Level concern. Information is an asset and a source of risk; it must be treated with great care. …
C-Level Guide to Covering Your Information Assets

The management and protection of information assets increasingly represent both the greatest potential value and the greatest risk to the enterprise. Big Data and analytics are now being leveraged by companies well beyond Amazon, Facebook, Uber and Google. Beginning with the Enron scandal and the advent of penalties (civil and criminal) for the improper destruction of electronically stored information (ESI), the existential risk from the disclosure of corporate mistakes or malfeasance through investigation, litigation discovery, or hacking has increased on pace with the explosion of digital data. The reputational damage to Target, Sony, …
Among the many types of challenges presented by the adoption of cloud computing are those involving computer forensics. Computer forensics can be thought of as the set of tools and techniques that make eDiscovery possible and reliable. It is defined in Wikipedia as, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.” The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) defines cloud computing forensic science more specifically as, the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, …