Admit it – it feels strange, in an e-discovery world, to include “tangible things” in a legal hold notice. Litigation has always been document-intensive, and preserving ESI has been the crux of compliant legal hold practice ever since Judge Scheindlin took us to school in Zubulake. But as Starbucks recently learned the hard way, we forget “things” at our peril.

Starbucks not only sells lots of coffee – it provides the ambiance to enjoy it, such as by hanging out on a Starbucks deck in a patio chair, sipping an Americano while perusing the blogosphere. With thousands of such chairs and ensconced customers, something was bound to go awry.

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.

In 2012, the Federal Trade Commission filed suit in federal court against hotelier Wyndham and its various subsidiaries (“Wyndham”), claiming that Wyndham’s allegedly unreasonable data security practices allowed hackers to steal personal information and payment data of Wyndham’s customers. The FTC’s claims were not unusual – by 2012 the FTC had spent a decade pursuing companies for unreasonable data security in administrative actions under Section 5 of the FTC Act, which forbids unfair or deceptive acts or practices in or affecting commerce. In each of these prior enforcement actions the company settled with the FTC, agreeing to comprehensive data security controls, program monitoring, and reporting, usually extending for 20 years.

But Wyndham’s response was highly unusual – it pushed back, and continues to do so, challenging the FTC’s authority to enforce “reasonable” data security under the FTC Act.

In its motion to dismiss, Wyndham argued that the unfairness prong of FTC Act Section 5 does not empower the FTC to regulate cybersecurity, and also that the FTC has not provided constitutionally adequate notice of what cybersecurity practices are required to satisfy a “reasonableness” standard.

The federal district court denied Wyndham’s motion to dismiss, but later allowed an interlocutory appeal on Wyndham’s arguments. The stage is now set for the Third Circuit Court of Appeals, in a case of first impression, to decide whether the FTC has authority under the unfairness prong of FTC Act Section 5 to enforce reasonable data security. Will the Third Circuit resolve this issue, or will it dodge the question?

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.

I write this post on the three-year anniversary (Cheers!) of Judge Andrew Peck’s Da Silva Moore v. Publicis Groupe et al, S.D. New York, 11-1279, 2-24-2012 opinion, widely cited as the first case ruling to endorse the use of predictive coding or “technology-assisted review” (TAR) as a discovery tool.

TAR is the process of training a computer system to make decisions about the responsiveness of a document that would otherwise be reviewed and coded by a manual reviewer. With TAR, human effort is not eliminated, but rather used throughout the review process to train the system on what is responsive and what is not. The documents used to train the system are called the “training set” or “seed set.” Once the system is trained, the computer reviews and codes the documents.

Since Da Silva Moore, the use of TAR in cases has gained some traction with litigants and courts. Commentary on the cost-savings and increased accuracy of TAR versus human review is relatively old news, and it seems well-established in case law that, as a general matter, TAR is an appropriate method for reviewing electronic data. But the defensibility of the particular TAR process used in a specific case is not yet predictable (pun intended). For example:

The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.

After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

Once upon a time—back when paper ruled—junk mail was clearly junk. We easily separated the bills from the ads, and it never crossed our minds to save the ads “just in case.” Fast forward to today’s digital world, and we find that not only are we doubling the volume of data every two years, we are outpacing our storage and, arguably, our ability to manage it. We’re keeping the “ads” and a whole lot more.

The U.S. District Court for the District of Utah recently issued an opinion construing cyber insurance coverage — one of the first cases of its kind. The court determined in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. that there was no cyber insurance coverage under a technology errors and omissions policy, because the allegations against the insured included only claims of intentional misconduct. Similar to traditional forms of liability insurance, the errors and omissions cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.

As data security breaches have become commonplace, many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion about cyber insurance generally, few courts have yet construed cyber insurance policy terms.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010: The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.