I write this post on the three-year anniversary (Cheers!) of Judge Andrew Peck’s Da Silva Moore v. Publicis Groupe et al, S.D. New York, 11-1279, 2-24-2012 opinion, widely cited as the first case ruling to endorse the use of predictive coding or “technology-assisted review” (TAR) as a discovery tool.

TAR is the process of training a computer system to make decisions about the responsiveness of a document that would otherwise be reviewed and coded by a manual reviewer. With TAR, human effort is not eliminated, but rather used throughout the review process to train the system on what is responsive and what is not. The documents used to train the system are called the “training set” or “seed set.”   Once the system is trained, the computer reviews and codes the documents.

Since Da Silva Moore, the use of TAR in cases has gained some traction with litigants and courts. Commentary on the cost-savings and increased accuracy of TAR versus human review is relatively old news, and it seems well-established in case law that, as a general matter, TAR is an appropriate method for reviewing electronic data. But the defensibility of the particular TAR process used in a specific case is not yet predictable (pun intended). For example:

The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.

After years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.

Once upon a time—back when paper ruled—junk mail was clearly junk.  We easily separated the bills from the ads, and it never crossed our minds to save the ads “just in case.”  Fast forward to today’s digital world, and we find that not only are we doubling the volume of data every two years, we are outpacing our storage and, arguably, our ability to manage it. We’re keeping the “ads” and a whole lot more.

The U.S. District Court for the District of Utah recently issued an opinion construing cyber insurance coverage — one of the first cases of its kind. The court determined in Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc. that there was no cyber insurance coverage under a technology errors and omissions policy, because the allegations against the insured included only claims of intentional misconduct. Similar to traditional forms of liability insurance, the errors and omissions cyber insurance only covered mistaken, negligent, or otherwise unintentional conduct.

As data security breaches have become commonplace, many insurers have responded by limiting or excluding coverage for data-related events and claims under traditional policies, and have instead offered separate cyber insurance policies. While there has been much discussion about cyber insurance generally, few courts have yet construed cyber insurance policy terms.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010:  The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.

With North Korea’s hacking of Sony, the FBI recently stated more than 90% of companies are vulnerable to the same attack. Recent hackings have resulted in bad publicity, confidential information leaks, damage to clients, and heavy monetary damage. It’s important to prepare before an attack to minimize the risk of both being a victim and the

Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on quality, rather than quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternate payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value based payments, ACOs are will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?

Employers commonly use video surveillance for safety, security, loss prevention, and employee productivity monitoring. But employers’ legitimate business interests in protecting assets and safeguarding the workplace must be carefully balanced with employees’ reasonable expectations of privacy. As the definition of workplace privacy continues to develop, employers must be conscious of the evolving legal risks of workplace monitoring.