Information Governance: Turning Insight into Action

Author: Lucas Edward Walton

1 Information Governance: Turning Insight into Action
September 16, 2015

2 Holistic Security Intelligence – Steps to Limiting Business Risk
Daniel Goldman, Legal Counsel, Mayo Clinic
Robert Cattanach, Partner, Dorsey & Whitney LLP

3 Speakers
Robert Cattanach - Partner & Chair of Data Privacy Practice at Dorsey & Former DOJ
Bob is an experienced trial lawyer who has represented numerous clients in breach responses, development of privacy policies and procedures, and provided counsel to corporate Boards of Directors, and Audit Committees on matters of cybersecurity, privacy and internal governance. Bob’s long history of interaction with key government agencies began in Washington D.C. after he graduated from Annapolis. He was the Special Counsel to the Secretary of the Navy, The Honorable Graham Claytor and then moved on to the Department of Justice. There he was assigned to national security cases, with clients such as the CIA, FBI, Departments of State, Defense and Energy. Bob’s longstanding relationship with those agencies enables him to engage with key players on major cyber issues, and be the “go-to” attorney for all matters cyber. He is also a commentator and contributor to coverage of cybersecurity issues, ranging from the New York Times and USA Today to numerous television media and the Sedona Conference Working Group 11 on cyber matters. (http://www.dorsey.com/eu-steps-to-prepare-for-a-data-breach/)
Daniel Goldman, Legal Counsel at Mayo Clinic
Dan has been in house counsel at Mayo Clinic since 2001 and advises in a number of areas, including privacy, data security, strategic and international transactions, telemedicine, trademark and social media. His handle is Danielg280.

4 “[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” -Robert S. Mueller, Director, FBI

5 Study: Cost of Data Breach
62 companies participated
$6.5M is the average total cost of data breach
11% increase in total cost of data breach
$217 is the average cost per lost or stolen record
8% increase in cost per lost or stolen record
Ponemon Institute© Research Report “Cost of Data Breach Study: U.S.” 2015

6 FTC v. Wyndham Court affirmed FTC’s authority under Section 5 of FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. Court also affirmed district court’s finding that Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. A judicial stamp of approval to the FTC’s ongoing enforcement of commercial data security practices

7 Remijas v. Neiman Marcus Group, LLC*
Unanimous ruling from 7th Circuit Court of Appeals reinstated a lawsuit against Neiman Marcus over a data breach in which hackers stole credit card information from as many as 350,000 customers.
Lowers the bar for consumers who want to sue over such breaches.
Previously, many companies were able to avoid these types of lawsuits by invoking Clapper v. Amnesty International, 133 S. Ct (2013) which required a showing of a risk of “imminent” and “concrete” injury in order to have standing to bring suit.
SCt upcoming decision in Spokeo case may provide greater clarity on the type and amount of injury necessary for standing
*2015 U.S. App. LEXIS 12487, *18 (7th Cir. 2015)

8 Privacy Policies and Practices
Delaware Online Privacy and Protection Act (effective 1/1/16)
Delaware Dept of Justice Consumer Protection Unit has enforcement authority and may investigate and prosecute violations of the act [Del. Code tit. 6, §1203C.]
Revisit company privacy policies and practices in light of the Act and similar laws, including the California Online Privacy Protection Act and Privacy Rights for California Minors, Mass data protection laws and applicable federal privacy laws (HIPAA, FERPA, GLBA)

9 Data Breaches - Cause
Increasing globalization of business
Proliferation of “Big Data” projects
Increasing use of cloud services and third parties to host and manage data
Unmanaged data sources and volumes
Increasing sophistication of private and governmental hacking
Varied laws protecting privacy within the US and internationally

10 Data Breach – Proactive Steps
Know Your Data and Where it Resides
Know (and manage) Your Systems
Know (and manage) Your Vendors
Have an Incident Response Plan
Practice the Plan
Train Your Employees
Re-train Your Employees
Evaluate Your Cyber Insurance

11 Data Breach – Incident Response
What data was accessed?
What are the jurisdictions potentially affected?
What are the notification requirements for each of those jurisdictions?
State
Federal (proposed)
Exceptions
What (and when) are you going to tell your customers/the media?
Will you offer compensation or credit monitoring with your notice?

12 Incident Response - First 24 hours Checklist
Record the date and time when the breach was discovered
Alert and activate everyone on the response team so you can execute plan
Secure premises to preserve evidence
Stop additional data loss
Document everything
Interview those involved

13 Incident Response - First 24 hours Checklist
Review protocols regarding disseminating information about the breach
Assess priorities and risks based on what you know
Bring in your investigations team
Notify law enforcement, if needed, after consulting with legal counsel
Notify your insurance carrier
Develop media response plan

14 Data Breach - Practice
Mock breach
Table top exercise
Who to include
Benefits

15 Know Your Data - Information Governance
Without knowledge of an organization’s critical assets, too many resources are spent on protecting everything.
While there are many ways to gain access to an organization’s environment, whether through third-party vendors with too much access or social engineering of the front line, the goal is to build up defenses around those critical assets.
Defensible Deletion = less data that can be accessed by cyber criminals, careless employees or IT malfunction.

16 Healthcare Data Breach
HIPAA Omnibus Rule
Breach redefined to include more incidents – Harm Standard Eliminated
Stiffer penalties
Vendors and subcontractors directly liable
Notification clarified
Comprehensive Risk Assessment

17 Healthcare Data Breach
HIPAA Omnibus Rule (cont.)
Unauthorized use, access or disclosure is a breach unless covered entity can show risk of “compromise” is low:
What was the nature and extent of the PHI involved
Who was the unauthorized person who used the PHI?
Was the PHI actually acquired or viewed by an unauthorized person?
To what extent has the risk to the PHI been mitigated?

18 Vendor Management – Know Your Vendors
Review and approval of vendors who host sensitive company data (customer SSN, Credit Card info)?
At a minimum, identify and inventory vendors with access to sensitive data with whom the company works
IT Vendors
Professional service providers
Onsite independent contractors and temps

19 Vendor Management – Know Your Vendors
Assess vendor security measures before retention
Screening of staff, including on-boarding/off-boarding
Location and retention of data
Will it be stored outside the US?
Encryption of data in transit and at rest
Intrusion testing
Security certifications

20 Vendor Management – Know Your Vendors
Site visits
Contractual requirements and protections
Legally binding security obligations
Right to audit
The big “I”: Indemnification
Ownership of data (including de-identified data)

21 Evaluate Your Cyber Insurance
Zurich American Insurance Co. v. Sony Corp. of America, et. al. (N.Y. Sup. Ct. Feb. 21, 2014)
Incorporate cyber risks into existing risk management and governance processes
What insurance do you have?
What insurance do you need?
What are the exclusions?

22 Future Legislation? Information Sharing Legislation (passage uncertain) Voluntary Liability and Anti-Trust protection for those who participate Validate authority to share information Federal government can share cyber intrusion information with companies

23 Q&A

24 FCPA – Proactive Monitoring for Compliance & Risk Management
Beth Forsythe, Dorsey & Whitney LLP
Jason Flemmons, Senior Managing Director, FTI Consulting
Jim Barratt, Managing Director, FTI Consulting

25 Speakers
Jim Barratt - Managing Director, FTI Consulting
In the area of anti-bribery and corruption, Jim has a breadth of experience including developing a corporate compliance function while serving as the interim Chief Compliance Officer of Control Components Inc., a $600 million global manufacturing company, facing a DOJ FCPA investigation. Jim has also advised companies and their counsel on profit disgorgement analyses and approaches in conjunction with government settlements related to FCPA violations. Jim has led numerous forensic accounting investigations involving complex accounting issues and financial fraud. He has assisted counsel in communicating the findings of those investigations to audit committees, SEC staff and committees of U.S. Congress. Notably, he led a team of forensic accountants in a nine-month investigation of accounting and reporting issues at Freddie Mac. Jim coordinated and supervised multi-year, large-scale forensic accounting analyses and assisted internal and external counsel in the development of litigation claims on behalf of the Lehman Brothers Holdings Inc. bankruptcy estate.

26 Speakers
Jason Flemmons - Senior Managing Director, FTI
Jason is the former Deputy Chief Accountant of the SEC’s Division of Enforcement, where he supervised and performed numerous financial and accounting fraud investigations. During his 12 years of service at the SEC, Jason advised on a wide range of technical accounting, auditing and disclosure issues. He also performed and managed cash-tracing investigations resulting from violations of the FCPA, asset misappropriations, Ponzi schemes and concealment of illicit gains. He co-chaired the Division of Enforcement's Cross Border Working Group, which oversaw and coordinated numerous investigations involving issuers and auditors located in foreign jurisdictions.
Beth Forsythe – Associate Investigations & FCPA practice, Dorsey
In her white collar and corporate investigations practice, Beth conducts effective internal investigations and represents those under investigation by federal or state authorities for securities fraud, health care fraud, mortgage fraud, public corruption, and Foreign Corrupt Practices Act ("FCPA") violations. Beth also routinely provides anti-corruption/FCPA due diligence and compliance advisory services, including program development, board presentations, and employee training. Beth is a Magna Cum Laude graduate of St. Thomas School of Law where she was the Editor in Chief of the Law Journal and clerked for the Honorable Diana E. Murphy, U.S. Court of Appeals for the Eighth Circuit.

27 Types of Monitoring
Reactive (post-event)
Transaction Testing
Third Party Audits
Proactive (pre-event)
Use of Third Party Agents
Gifts and Entertainment
New Employee Hiring
Employee training

28 FCPA Risk Areas to be Monitored Proactively
Use of Third Party Agents
Most FCPA violations involve the use of Third Party Agents
Know your Vendors/Suppliers
Perform Due Diligence on Third Party Agents prior to engagement
Due Diligence efforts that utilize consistent approach and centralized repository
Establishing and reviewing vendor master file
Some accounting systems can be designed to prevent payment without proper due diligence and approvals
Collaboration with Compliance, Legal and the Business Units for review and approval
Company Third Party Agent Customer

29 FCPA Risk Areas to be Monitored Proactively
Gifts and Entertainment
Another common area for FCPA violations is gifts and entertainment of government officials
Establishing policies and procedures and guidance
Prior approval of gift giving
Maintaining a standard form and gift register
Requirement of prior supervisor and/or compliance approval of certain levels of meal and entertainment

30 FCPA Risk Areas to be Monitored Proactively
New Employee Hiring
Recent issues of hiring family members of government officials as interns (BNY Mellon)
Proactive background check and required disclosure of any relationships with customers/government officials
Independent background check on potential relationships
Adequate coordination between HR and the Business Unit

31 Challenges to Effective Proactive Monitoring
Non-centralized and outdated vendor master files and databases
Lack of coordination and approval process for hiring third parties
Different accounting systems and incompatible data sets
Insufficient training of gatekeepers and approvers
Conflicting global and local policies and practices
Limited Compliance resources
Unclear responsibilities of Business Units, Compliance and Legal

32 Keys to Effective Proactive Monitoring
Utilize existing systems and modify if needed to achieve goals
Integrate data directly from data sources to enhance review and approval
Work to standardize forms and processes across geographic locations
Develop a central repository for third party information
Close collaboration between Compliance, Legal, HR and Business units
Sufficient employee training on processes and approvals
Continually review, modify and improve monitoring steps as needed

33 Q&A

34 LUNCH 12 – 1pm

35 Complexities and Considerations around Emerging Technologies
Valerie Lloyd – Xcel Energy, eDiscovery Program Manager
Derek Noer – Best Buy, Sr. eDiscovery Manager
Robert Stangler - Ameriprise Financial, Sr. Manager, eDiscovery & eCommunications Risk Management

36 Speakers Robert Stangler – Sr. Manager, eDiscovery & eCommunications Risk Management, Ameriprise Financial Robert has over 8 years of eDiscovery and 10+ years of IT experience. At Ameriprise, he is focused on developing and enhancing eDiscovery processes and procedures, while at the same time managing the tactical initiatives regarding discovery and information requests.  His background and specialties include improving the defensibility of the discovery process, testifying as a 30(b)(6) witness and reducing eDiscovery spend through process improvement and strategic planning. Robert is a certified eDiscovery specialist and a graduate of St. Mary’s University of Minnesota. Derek Noer – Sr. eDiscovery Manager, Best Buy Derek is a certified eDiscovery specialist with experience in various information technology, leadership and management roles. At Best Buy, he is responsible for continuous process improvement and cost management through efficient and effective use of technology and service solutions. His experience includes supporting counsel in eDiscovery needs for all types of litigation as well as coordinating with major eDiscovery software and service solution providers/vendors in the evaluation, procurement/auction and deployment of products and services. Derek is a graduate of Thomas M. Cooley Law School and Drake University.

37 Speakers
Valerie Lloyd – Manager of eDiscovery Program, Xcel Energy
At Xcel Energy, Valerie’s role is that of developing, implementing and managing an e-discovery program. This includes training and supporting litigation paralegals on the use of various e-discovery tools from collections to review, selecting and managing the implementation of software, designing in-house processes/best practices and outside counsel requirements, managing vendor relations and budgets, and serving as an in-house resource re: 26(f) conferences and reviews. She is an active member of Women in eDiscovery and EDRM. Prior to joining Xcel Energy, Valerie practiced law in Burbank, CA where her practice focused on litigating matters involving real property and small businesses. She received her Juris Doctor from Glendale University College of Law, MBA from Pepperdine University and a B.S. in Medical Microbiology from California State University – Long Beach. She holds CEDS (Certified eDiscovery Specialist) certification and is admitted to the bar in California.

38 Agenda
Introduction
Cloud Technologies – Internal and External
Social Media
BYOD
Q&A

39 Cloud Technologies
Considerations of Cloud Technologies
Data Security
Access Controls
Authentication
Data Integrity
Security of Vendor
Privacy
PII
PCI
HIPAA
Ability to retrieve data for Discovery Requests
Agreement specifics
Timing
Shared/Multi-Tenant Cloud vs Private Cloud
Onshore/Offshore
What happens when the FBI raids a Data Center?

40 Cloud Technologies
Complexities of Cloud Technologies
Collections
Who does the collections?
Timeliness
Retention Management
What does the contract say?
Internal tools provided “out of the box”
Are they robust enough?

41 Social Media
Who has a Social Media Policy? When was it last updated?
Considerations of Social Media
Do you have guidelines for employees?
Do you monitor? How much is enough?
Social Media to research potential jurors
Complexities of Social Media
Regulations by Industry
Appropriate Monitoring for Business and Regulatory needs
Negative clean up
Keyword monitoring in a complex environment
Authentication
Do I have the right John Doe?

42 Bring Your Own Device
Who has a BYOD Policy?
Who has the Legal Hold, Collections and Disposition procedures documented for BYOD?
Considerations of BYOD
Remote wipe capabilities
Personal data affected
Containerization
Preservation
Outlook Web Access and home computers
Tablets, iPads, etc.
Departing employees
Complexities of BYOD
Collections
Virtual Desktop Environment
Privacy expectations of users
Commingled personal data vs company data

43 Q&A

44 Information Governance & Litigation: What Matters Most?
Sarah Stroebel, Sr. Vice President & Associate General Counsel, U.S. Bank
Skip Durocher, Partner, Dorsey & Whitney LLP

45 Speakers Sarah Stroebel – Sr. Vice President & Associate General Counsel, US Bank Sarah Stroebel serves as Associate General Counsel with the litigation group at U.S. Bank National Association, where she has worked for the past seven years.  In that role, Sarah manages significant exposure defensive litigation, including class action litigation and all of the Bank’s patent litigation, throughout the country for various business lines within the Bank.  In addition to managing litigation, Sarah manages a team of attorneys and paralegals who provide pre-litigation, litigation, and legal process services to all areas of the Bank.  Sarah also manages the Bank’s eDiscovery and Legal Records Hold team.

46 Speakers
Skip Durocher – Partner, Dorsey & Whitney, LLP
Partner in the Litigation Department since 1995, Co-Chair of the firm's E-Discovery Practice Group and Co-Chair of the Indian Law Practice Group, Skip has handled a wide variety of litigated matters, including commercial contracts, minority shareholder disputes, consumer credit, insurance coverage, business torts, federal Indian law, and other civil actions.

47 What is Information Governance?
The Compliance, Governance, and Oversight Council (“CGOC”): “the discipline of managing information according to its legal obligations and its business value, which enables defensible disposal of data and lowers the cost of legal compliance.”
The Sedona Conference: “an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”
Involves Legal, Records, IT, Compliance, Security, HR, and the business

48 The Intersection
InfoGov InfoSec eDiscovery
Identifying
Data, Records Data Owners and Custodians Data Case-specific Custodians
Securing
Minimizing Storage Requirements by Identifying What's Important and Disposing All Else
Maximizing Protection by Identifying and Storing Appropriately
Collecting and Preserving What's In Scope and Storing Securely and Immutably
Managing
Defining rules for all data including records, managing to those rules
Defining rules for classifying data, managing to classification
Adhering to eDiscovery rules within associated jurisdictions

49 Why Does Information Governance Matter?
Legal Considerations
Litigation Expenses & Data Storage Costs
Risk Management & Regulatory Compliance

50 Legal Considerations
No general law governing document retention
Statutory and regulatory requirements in certain industries
Common law duty arises with respect to litigation.

51 Legal Considerations: Evaluation of Retention Policies to Determine Sanctions
Am. Fast Freight, Inc. v. Nat'l Consol. & Distrib., Inc., 2007 WL (W.D. Wash. Nov. 7, 2007)
Production of policies regarding data retention and destruction
Research Foundation of SUNY v. Nektar Therapeutics, No , 2013 WL (N.D.N.Y. May 15, 2013)
Sanctions denied - plaintiffs had:
Comprehensive document preservation policy
Issued oral and written hold notices
Preserved back-up tapes
Confirmed custodians had not deleted documents
Lewy v. Remington Arms Co., 836 F. 2d 1104 (8th Cir. 1988)
Three-part test to determine reasonableness of company retention policy:
Whether retention period is reasonable, given the record
Whether other lawsuits have been filed against the company involving similar complaints
Whether the policy was adopted in bad faith

52 Legal Considerations: Responsible Data Retention
Phillip M. Adams & Assoc. v. Dell, Inc., 2009 WL (D. Utah March 30, 2009)
Decentralized records management system does not meet good faith requirements of FRCP 37(e)
“While a party may design its information management practices to suit its business purposes, one of those business purposes must be accountability to third parties.”
“[a]n organization should have reasonable policies and procedures for managing its information and records. The absence of a coherent document retention policy is a pertinent factor to consider when evaluating sanctions.”
Court found that the lack of a retention policy and irresponsible data retention practices were responsible for significant lack of data

53 Legal Considerations: Not Knowing Where Your Data Is
On-going antitrust litigation involving Delta Airlines
Financial sanctions: nearly $5 million for failure to produce documents on previously undiscovered backup tapes
Aero Products Int’l, Inc. v. Intex Recreation Corp., WL (N.D. Ill. Feb. 11, 2005)
Adverse inference instruction: failure to suspend normal 30-day deletion practice once litigation hold issued

54 Legal Considerations: Former Employee Data
AMC Tech (AMC Tech., LLC v. Cisco Sys., Inc., No. 11-cv PSG, 2013 WL (N.D. Cal. July 15, 2013))
Destruction of former employee’s electronic information as the result of the company’s routine practices
Court concluded no inappropriate actions by Defendant.
Charvat et. al. v. Valente et. al., (N.D. Ill July 1, 2015)
Deletion of electronic files belonging to two departed employees, done in compliance with established business procedure of deleting files 30 days post-termination, and at a time when litigation was not anticipated.

55 Legal Considerations: BYOD is Included
In re: Pradaxa Prods. Liab. Litig., Case No. 2:12-md-02385, WL (S.D.Ill. Dec. 9, 2013)
Sanctions for violation of court’s case management orders
Key issues:
Cooperation & Proportionality
Danger of engaging in proportionality without engaging opposing counsel
Failure to place a timely hold
incremental holds
Scope of what to put on hold
Failure to identify key custodian
Failure to produce ESI for certain custodians
Implications for BYOD
Failure to preserve business-related text messages from cell phones of certain custodians

56 Legal Considerations: Outside Vendors Matter
Sekisui American Corp. v. Hart, 945 F. Supp. 2d 494 (S.D.N.Y. Aug. 15, 2013)
Destruction of ESI triggers presumption of prejudice to other party and is grossly negligent conduct.
No litigation hold for 15 months
No notification to outside IT vendor for 21 months
“To shift the burden to the innocent party to describe or produce what has been lost as a result of the opposing party’s willful or grossly negligent conduct is inappropriate because it incentivizes bad behavior on the part of would-be spoliators”
Sanctions could be warranted upon finding of negligent destruction without finding of bad faith.

57 Legal Considerations: Not Just Documents
Sokn v. Fieldcrest Cmty. Unit School Dist. No. 8, No. 10-cv-1122, WL (C.D. Ill. Jan. 17, 2014)
Destruction of relevant audio recordings of closed-session school board meetings in violation of Illinois Open Meetings Act, school board’s own document retention policies, and Illinois common law
Despite policies, unknown number of recordings destroyed without a vote
Court declined to impose sanctions where bad faith could not be established absent evidence of when the tapes were destroyed.

58 The Federal Rules: New Rule 37(e)
(e) FAILURE TO PROVIDE PRESERVE ELECTRONICALLY STORED INFORMATION
Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good faith operation of an electronic system.
If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:
(1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or
(2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may:
(A) presume that the lost information was unfavorable to the party;
(B) instruct the jury that it may or must presume the information was unfavorable to the party; or
(C) dismiss the action or enter a default judgment.

59 Discovery Expenses
E-discovery costs range anywhere from $5,000 to $30,000 per gigabyte. Minnesota Journal of Law, Science and Technology
“[T]he total costs per gigabyte reviewed were generally around $18,000.” “Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery,” Nicholas M. Pace and Laura Zakaras
Document review is most expensive aspect of e-discovery
Targeted collection and advanced technology tools help reduce e-discovery cost, but over-retention of data also contributes to costs of e-discovery.

60 Storage Costs Data and IT expenses are function of amount of enterprise data, applications, and hardware. Lack of an information management program increases annual storage procurement costs. Consequently, storage management, staff expenses, and server and software costs also increase. Disposing of information without business value allows resources to be re-directed to other initiatives while also creating business efficiencies. While cloud technology continues to drive storage costs down, consideration must be given to costs of e-discovery versus adding more storage and avoiding governance practices.

61 Risky Business: e-Discovery
Costs of discovery
Not knowing what data you have and how to preserve it
Protection of PII and other confidential information
Inadvertent production of privileged information
Non-compliance
Potential data breaches

62 The Challenges
Big Data Dark Data Globalization Security and Privacy
90% of world-wide data created in past 2 years
Volume and sources (cloud, social media, personal devices) compound problems of managing data, introduce risk, add to e-discovery costs
Big data needed for business analytics initiatives
Dark Data
Data volumes continue to grow
Companies don’t always know where their data is
Globalization
Management of data that may reside in other countries and subject to their laws and regulations
Compliance with various regulatory laws within the US
Security and Privacy
Strong Records & Information Management (RIM) programs target data security and privacy.
BYOD programs blur the line between personal and professional and bring additional challenges to RIM

63 Why Do You Need an IG Policy?
Maintain documents that are necessary for the on-going operation of the business
Preserve and protect critical records, as well as records of historical significance
Establish legal compliance
Protect proprietary and private information
Ensure disposition of records no longer required for business or legal purposes
Decrease costs
Manage risk

64 IG and E-Discovery: What Matters Most?
AN IG POLICY
Tailored to company and industry
Types of records
Control of records
Location of records
Types of litigation and/or regulatory requirements
Provide clear retention guidelines
Disaster recovery
Business continuity
Eligibility for destruction
Allow for consistent enforcement
Regular review and revision
Incorporate use of technology
Training
Perfection is not the standard, nor is it possible

65 Q&A

66 Information Governance: Turning Insight into Action
David Grant, FTI Consulting
Caroline Sweeney, Dorsey & Whitney LLP
David Yerich, United Health Group

67 Making Data More Manageable and Valuable

68 Speakers
David Grant
David Grant is a senior managing director in the FTI Technology practice and is based in New York. Mr. Grant leads FTI Technology’s predictive coding, visual analytics and Discovery Consulting practice. He focuses on planning and managing discovery strategies for and across major litigations involving large data volumes, tight deadlines and international data collection; on the use of machine learning and visual analytics to build case knowledge and reduce discovery costs; and on discovery readiness projects involving proactive planning for ongoing litigation needs.
Caroline Sweeney
Caroline Sweeney manages Dorsey’s e-discovery services, LegalMine. Caroline is a member of Dorsey’s Electronic Discovery Practice Group and the Cybersecurity, Privacy and Social Media Practice Group. She is a member of The Sedona Conference Working Group on Electronic Document Retention and Production and sits on the Information Governance steering committee for the International Legal Technology Association (ILTA). Caroline has extensive experience consulting with attorneys and clients with regard to e-discovery, including identification, preservation, collection, processing, review and production of electronically stored information.
David Yerich
David Yerich is the Director of eDiscovery for UnitedHealth Group, a Fortune 25 company headquartered in Minnesota. David’s responsibilities include designing, updating and implementing the processes, protocols and tools utilized by the Company related to electronic discovery for regulatory and legal matters. Prior to joining UnitedHealth Group, David worked as the Electronic Discovery Consultant at a Minneapolis law firm where he and his teams worked with attorneys, paralegals, litigation support team members and clients on all aspects of eDiscovery, including the identification, preservation and collection of electronically stored information (ESI). David also provided oversight for the document review operations. Before joining the law firm, David worked at a large agri-business for ten years implementing and supporting technology solutions. David’s later projects focused on document and electronic records management, including a roll-out of a worldwide document management tool for their legal department. David is a graduate of the University of Minnesota and Hamline University School of Law and is licensed to practice in the state of Minnesota.

69 Data Growth
Increased data sources and growing data volumes leading to greater costs of review:
Litigation document review
M&A due diligence review
Compliance review
Internal investigations
Microsoft: expenditures for e-discovery vendors and outside counsel in excess of $600 million https://bol.bna.com/as-data-streams-grow-lawyers-look-for-new-ways-to-find-facts/

70 The Explosion of Analytics
Keyword Search; Automated Coding; Concept Clustering; Visual Analytics; Social Network Analysis; DATA DRIVEN DECISION MAKING; Predictive Coding; Threading; Data Mining; Multi Dimensional Content Analysis; Attenuated Search; ??????

71 High Level Summary by Index / Structured Data (e.g. metadata)
Dates; Hot/Seed Documents; Keywords; Custodians; Concepts; Custodians
Any Field in the Database can Become a Point in the Analysis

72 High level summary by content
Each cluster provides information about the clustered docs (Concepts, Density of Concepts, Most Representative Documents)
layover flight delay airport boarding ticket fantasy draft football quarterback suspension week 1 matchup Mines
High level summaries by content: identifying pieces of data that look like they have a chance of being relevant to the matter, or that are not interesting at all. When dealing with the data at a summary level, you need to choose the data you want to target and move into something that summarizes at a document level so that you can zoom in, and then have those documents organize themselves by what they’re about. Identify very quickly that, say, 600 of 1000 are not interesting, as they are about a nuance of what you wanted, so you can focus on the others, the ones you really want. See that same summary at the document level. What the tool is doing is putting together sets of documents and seeing how those documents are related: topics or concepts. These become the data points that you use to see what is going on in the docs, which ones don’t matter, and to zero in on those that do.
request investigation improper attorney payment reporting

73 ‘Zoom’ to Document Level Summary by Content / Index Data
dot = one document
spine = group of clusters that share a similar concept
clusters = groups of similar documents
cluster concepts: request investigation improper attorney payment reporting

75 Why Analytics? See Federal Rules of Evidence Rule 502: Cost Control
“Depending on the circumstances, a party that uses advanced analytical software applications and linguistic tools in screening for privilege and work product may be found to have taken ‘reasonable steps’ to prevent inadvertent disclosure. The implementation of an efficient system of records management before litigation may also be relevant.”
Cost Control; Risk Reduction

76 Analytic Methods
Rules-Driven: I know what I am looking for and how to search for it.
Facet-Driven: I let the system tell me about my data’s groups and trends.
Propagation-Driven: I start making decisions and the system looks for like items.

77 Analytics: Pre-Litigation
Proactive information governance efforts; BYOD programs; Evaluation and data driven reform of policies; Evaluation of legacy systems; Backup tape policy first - stop holding new tapes beyond 30 days; Remediate old tapes; Remove ROT from live sources; Create new applications with retention as a requirement; Legacy migration opportunities; Use of analytics to manage information in-house; Identification and securing of protected information; Data classification tools; Policy enforcement; Legal Hold program; Business units / custodians; Custodian interview responses

78 Analytics: Early Case Assessment In-house
Preservation; Data sources requiring preservation; Collection; Custodian analysis; Data Analysis; Scope analysis for burden quantification; Investigation; Key document assessment; Compliance audits

79 Analytics: Early Case Assessment at the Law Firm
Data analysis; File types; Custodians; Timelines; Gap analysis; Social network views; Frequent concept analysis; Search term vetting; Search term hit reports; Overlap of search terms; Sample coding with responsive/search term analysis; Case Intelligence – analytics research

80 Analytics: Review & Production
Concept clustering; Prioritized review; Predictive coding; Quality control; Production; Clustering tools to identify overlaps between responsive and privilege content; Clustering tools to identify potential missed redactions

81 Analytics: Predictive Coding - Example Workflow
Provide Seed Set; Train and Refine Predictive Model; Validate Model Performance; Apply Scores and Codes to Population
Diagram labels: Refine, Sampling
Two changes: Add rotating report / (to icon / showing report from Ringtail – to finalizing production defensibility) Cubes QC? (missing docs from a date range? Expected custodians present?)
Finalize Defensibility; Doc Level QC – visual coding verification; High Level QC – assess completeness of production

82 Analytics: Predictive Coding - Example Workflow

83 Analytics: Metrics & Process Improvement
Corporate: Percentage of documents reviewed outside of retention policy guidelines; Number of data sources collected per custodian; Volume percentages amongst collected data sources
Law Firm: Data volumes, types, processing rates, de-duplication rates; Data reduction through other mechanisms; Review rates by type of case; Continuous process improvement to increase cost efficiencies
Vendor: Total cost savings; Systematic culling data volume reduction; Speed of identification of key documents; Reduction in the number of times a document is reviewed for the same or similar purposes; Data re-use and data repository

84 Q&A

85 THANK YOU!