Risk Aversion in eDiscovery: No Longer Cost Containment’s Red-Headed Stepchild
When it comes to eDiscovery, the conversation today still revolves heavily, if not wholly, around containing costs and gaining predictability into what many perceive to be a painstakingly arduous and overly burdensome process. As the sheer volume of electronically stored information (ESI) continues to rise by the second with an estimated growth rate of 40% annually, maintaining that pace for the next decade or more, (see ECC’s: The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things), it should come as no surprise that the costs associated with searching, sorting, culling, reviewing, and producing this information are on the rise as well. Technologists, software manufacturers, service providers and a whole host of others have taken aim at this Big Data “problem,” focusing their efforts on offering defensible, technology-enabled approaches for corporations and their outside counsel to effectively and efficiently pour through this data in order to affirmatively defend their cases based on legal merit and not sheer cost. But with all of this talk and focus on cost alone, a major concern that is inherent to the discovery process seems to take a back seat: risk.
In their “2014 Data Breach Investigations Report,” Verizon coined 2013 as the year of the “retailer data breach” and calculated that there were 1,367 confirmed data breaches that year alone. This trend of very large, very high-profile organizations experiencing incredibly public and extremely detrimental breaches of their IT infrastructure, where client information was leaked to or accessed by nefarious parties continues to make headlines on a daily basis. The impacts that these breaches can have from a legal and discovery perspective to the organizations that have fallen victim to them can be monumental in terms of cost, and in some instances, can force organizations out of business altogether. To put some dollars around this, the Ponemon Institute released its annual Cost of Data Breach Study in May of this year which indicated an average total data breach cost increase of more than 11% in 2014, equating to an estimated $217 per record impacted by the breach. Many of the most public breaches are dealing with document counts in the hundreds of thousands to millions.
Data breaches represent an outlier, albeit a more common outlier than ever before when it comes to corporate risk considerations which can substantially impact related legal expenditures. But there are lessons to be learned as more attention turns to the pitfalls that can occur if and when risk is not properly averted in a proactive fashion. When it comes to discovery, however, risk remains an afterthought.
The discovery process can be wrought with redundancies and plagued with an extensive amount of risk. For example, a typical workflow looks something like this:
- Data is collected, either by IT or a forensic expert or both and handed over to outside counsel
- Outside counsel makes a copy of that data and then typically partners with an eDiscovery provider of their choosing to have that data processed and placed into a platform for review
- Upon receiving the data from outside counsel, the eDiscovery provider makes a copy of that data onto their systems and ingests it into eDiscovery processing software
- Some initial culling techniques (de-duplication, de-NISTing, date filtering, etc.) may be applied, and then a new copy of the resultant data set is made and imported into a review platform
- Once some coding has occurred a copy of the data with those coding decisions is created and imported back into the processing software to create images for production.
- And so it goes…back and forth, back and forth, copy after copy after copy of data being created and moved between systems
Typically, between 8 and 12 separate copies of data are created for any given matter by the eDiscovery provider as they continue to move information between their various platforms. Now, the corporate client’s ESI resides with their outside counsel, and multiple copies of that information are being housed by the eDiscovery provider. Any of this data is susceptible to the security infrastructure, protocols and procedures of these organizations, of which the corporation may have had no insight into vetting and/or auditing for themselves. Now, multiply this entire process and this entire risk profile by the number of matters per year a corporation deals with and you will uncover a staggering statistic associated with exactly how much of that corporation’s data is strewn amongst several outside counsel and potentially even more eDiscovery providers – all of whom have many, many copies of this ESI on hand.
“Well, my law firm and their eDiscovery provider are as secure as they come so this won’t affect me, right?” Wrong. According to Bloomberg Business’ article, Most Big Firms Have had some Hacking: Business of Law, “at least 80 percent of the biggest 100 law firms have had some sort of breach.” The article makes mention that law firms are particularly “attractive targets” because of all of the information they obtain from their clients related to deal negotiations with adversaries.
On the eDiscovery provider front, similar concerns persist as many “mom and pop” shops do not have the means to invest in highly secure infrastructures and/or set up their servers in some of the world’s most impenetrable data centers. What’s even more frightening is the fact that eDiscovery providers have actually held corporate information “hostage” before, as was the case when GlaxoSmithKline filed a complaint in New York state court in 2013 alleging that their vendor was “holding hostage over 20 terabytes of GSK’s most sensitive and confidential data, and threatened to withhold or destroy the data” unless they received more than $80,000 from GSK (Hand Over the Cash or the Hard Drive Gets It!).
Aside from rigorous security audits of both outside counsel and eDiscovery provider’s IT infrastructure and security protocols, what can be done to mitigate some of the risk that is inherent to this discovery process? Inventus heard this same question posed by our clients over the years and decided to transform the process altogether in order to mitigate, if not outright negate, as much of the risk associated with discovery as possible by creating Direct Link. Simplistically speaking, Inventus recognized the importance associated with keeping client data in one finite location on its systems (inside of our LAW servers) and developed middleware and used links to ensure that the other platforms we use (namely Relativity) could quickly and automatically access that information without ever moving nor making copies of that information. As such, client information is ingested and remains in that finite location, just one time, for the duration of our engagement on a case or with a client.
Direct Link is truly foundational technology that not only ensures that this risk-plagued discovery process is substantially mitigated, but also ensures processes can remain automated and efficient. It was largely because of this proprietary technology development that Inventus has become so heavily relied upon as the preferred discovery management provider in some of the world’s most highly public and sensitive data breach related matters. During the security auditing process, those organizations who were considering partnering with Inventus amidst what was an incredibly tenuous time for their company found comfort in the fact that their corporate information would not be redundantly copied over and over again, and it was this proprietary piece (in addition to our state of the art data security protocols, procedures, certifications and compliance standards) that ultimately swayed their decision in Inventus’ favor.
Cost is certainly a major concern when it comes to eDiscovery but let’s not forget the importance that risk mitigation plays as well.