US eDiscovery v UK eDisclosure

1,273 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,273
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Quentin Archer
    Quentin specialises in matters involving computers, communications and other aspects of high technology. He regularly advises on the resolution of technical disputes, the preparation and negotiation of outsourcing and other IT agreements, and on regulatory issues such as data protection. Quentin is the co-chair of the Sedona Working Group on International Data Privacy issues.
    Jim Shook
    Jim is a recognized authority on legal discovery and compliance issues related to electronic information. In his role as the Director of EMC’s eDiscovery and Compliance Legal Team, Jim regularly counsels EMC’s customers in helping them to solve challenges with eDiscovery, compliance, and privacy. He is a long-time, active member of The Sedona Conference.
    David Morris
  • Information is at the heart of your business and fundamentally there’s a lot of it. There is forecast to be 1.8 zetabytes of information by 2011, so there is lot of information out there.
    Most of that information is not sitting inside of databases. In fact, 95 percent of information is unstructured. That’s emails, files, videos – any type of content that is out in your environment today.
    What you will find is that most of it in your organization is unmanaged. We estimate that 85 percent of all information that sits out in an organization today is unmanaged and that means there is no formal retention policy, no formal data protection policy in place for managing that information.
    In fact, even though individuals create a great amount of information today, organizations are accountable for also about 85 percent of the information overall in the industry today. So there’s a lot of information out there. It’s not very well managed, and it’s becoming more and more regulated.
    And information across the organization and the penalties for not properly managing the organization are getting more and more severe. If you do the math, by 2011 there is 1.2 zetabytes of information out there and that information is in organizations and needs to be looked at, to be managed, and it’s not being done today. And that’s really the challenge and the opportunity that we see in this marketplace today.
    Uncontrollable growth of information:
    SharePoint: 2 billion seats, growing at 25%, will surpass $5 billion by 2012
    More than half of organizations are running SharePoint
    Email is growing at 20% *
    Risks and costs of litigation:
    40% of largest companies spend over $5 million annually on litigation **
    Hyundai was fined $8M for willfully failing to comply with discovery requests ***
    80% of electronic discovery includes email****
  • Growing need for eDiscovery amongst corporations
    Once a Litigation event occurs the Corporation must by law respond. There is no OPT out.
    89% of companies face litigation (Fulbright & Jaworski 6th annual litigation study)
    Chances are high that they have some internal investigation or audit now
    It costs $18M to handle eDiscovery for 1 TB of information if you are not prepared (Gartner)
    The costs of complete outsourcing could be as high as 10x the cost of internal handling of eDiscovery
    Risks and costs of litigation:
    40% of the largest companies spend over $5 million annually on litigation (Fulbright and Jaworski)
    Willful destruction of evidence lead to sanctions – E.g. $29 million in damages (Zubulake vs. UBS Warburg)
    Average annual cost of litigation preparedness and response is $34M for large corporations
    Federal Rules of Civil Procedure (FRCP) – speed is of the essence for eDiscovery
    (Summaries from slide 4)
    There are compelling statistics about eDiscovery.
    89% of companies face litigation … and nearly all companies have some kind of internal investigation or audit at any given point in time.
    With average costs of incidents being $1.5M it’s important to have cost containment strategies and repeatability.
    Further, the costs of outsourcing, not to mention the resulting lack of control, are reasons to strongly consider deploying in-house eDiscovery technology.
    10x came from the Kazeon site with side by side differences for in-house vs. a 3rd party
  • Today we’ll discuss a content intelligence challenge that faces numerous businesses like yours—unmanaged file growth. Examples of questions to answer are where is it located, how much do you have, and when can you delete it.
    We will then examine EMC's offering to address this business challenge, EMC SourceOne File Intelligence.
    We will then follow up with some representative use cases and conclude with a summary.
  • US eDiscovery v UK eDisclosure

    1. 1. 1© Copyright 2010 EMC Corporation. All rights reserved. Be st Practice We binar eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws e Disco ve ry series sponsored by EMC SourceOne eDiscovery - Kazeon
    2. 2. 2© Copyright 2010 EMC Corporation. All rights reserved. eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws Panelists Quentin Archer – Partner at Hogan Lovells, London and Co-Chair of Sedona Conference Working Group 6. James D. Shook – Director, EMC eDiscovery and Compliance Legal Group; member Sedona Conference WG1 and WG6. J. David Morris - webinar moderator
    3. 3. 3© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
    4. 4. 4© Copyright 2010 EMC Corporation. All rights reserved. Information Today – The Big Picture 1.8ZbLots of It Mostly Unstructured 95% Mostly Unmanaged 85% Becoming More Regulated ▲ Created by Organizations 85% Information
    5. 5. 5© Copyright 2010 EMC Corporation. All rights reserved. Average US eDiscovery Costs 10x increased costs to outsource $1.5M average cost per incident $34M average annual legal costs 89% of companies face litigation $18M+ cost to review 1 TB of info
    6. 6. 6© Copyright 2010 EMC Corporation. All rights reserved. 67% of eDiscovery Cases Awarded Sanctions in 1H2010 (31 Cases Requested Sanctions; 21 Cases Awarded Sanctions) Source: DIGITAL DISCOVERY & E-EVIDENCE REPORT ISSN 1941-3882
    7. 7. 7© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
    8. 8. 8© Copyright 2010 EMC Corporation. All rights reserved. World Litigation Overview US Common law Broad, expansive discovery “E-discovery” Generally bear fees & costs UK Common law Reasonable discovery “E-disclosure” Loser pays CN Common Law Broad, includes e-data Civil Code Limited disclosure
    9. 9. 9© Copyright 2010 EMC Corporation. All rights reserved. Worlds Apart? US UK/CN EU Privacy Very little in the workplace Strong protection for employees Very strong Data Ownership Employer-focused Employee-focused Employee-focused eDiscovery Broad, expensive UK: Growing but < US Typically very limited
    10. 10. 10© Copyright 2010 EMC Corporation. All rights reserved. Privacy Concerns Source: Fulbright and Jaworski, 7th Annual Litigation Trends Survey Report
    11. 11. 11© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
    12. 12. 12© Copyright 2010 EMC Corporation. All rights reserved. UK Data Protection Act 1998 • Implements EU Data Protection Directive 1995 • Regulates the activities of "data controllers", who control the purposes for which data is processed • "Processing" covers just about any activity relating to data • "Personal data" is data relating to an identifiable living individual • Data in manual unstructured filing systems is not included eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    13. 13. 13© Copyright 2010 EMC Corporation. All rights reserved. The Data Protection Principles • Personal data must be processed in accordance with eight data protection principles • Breach of the principles can lead to enforcement action by the Information Commissioner, or a private action for damages • Deliberate or reckless breaches can result in penalties of up to £500,000 • Breaches in the financial services field can also attract the attention (and fines) of the Financial Services Authority eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    14. 14. 14© Copyright 2010 EMC Corporation. All rights reserved. Principles 1 to 4 • Personal data must be processed fairly and lawfully • Personal data must be obtained for specified purposes and not processed in a manner incompatible with those purposes • Personal data must be adequate, relevant and not excessive • Personal data shall be accurate and (where necessary) kept up to date eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    15. 15. 15© Copyright 2010 EMC Corporation. All rights reserved. Principles 5 to 8 • Personal data must not be kept longer than necessary • Personal data must be processed in accordance with the rights of data subjects • Appropriate technical and organisational measures must be taken against unauthorised processing, and against loss or destruction • Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to personal data eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    16. 16. 16© Copyright 2010 EMC Corporation. All rights reserved. Controllers and processors • An entity which processes personal data on behalf of a data controller is a "data processor" • There must always be a written contract between the data controller and the data processor • Contracts must require the processor to act only on the instructions of the controller, and to comply with the security conditions in the seventh principle • The security conditions require: • The implementation of appropriate technical and organisational measures to protect against unauthorised or unlawful processing, taking into account the harm that might result • Taking steps to ensure reliability of employees eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    17. 17. 17© Copyright 2010 EMC Corporation. All rights reserved. Exporting personal data • No transfer of personal data outside the EEA unless the destination territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data • “Transfer” and “adequate level of protection” are important concepts • Several cases where the general rule does not apply eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    18. 18. 18© Copyright 2010 EMC Corporation. All rights reserved. What is a transfer? • No transfer merely by placing material on the Web (Lindqvist case, November 2003) • But placing material on an intranet, where the intention is to make it available to people in different countries, may be subject to different criteria • Mere transit (e.g. routing emails through a third country) unlikely to amount to a "transfer" eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    19. 19. 19© Copyright 2010 EMC Corporation. All rights reserved. Who determines adequacy? • Exporting data controller must assess adequacy • If there is a Community finding of adequacy, the controller can rely on that • In the case of a controller-processor transfer, the Commissioner may presume adequacy: • Data controller remains liable • Must be a written contract in place • Must be no particular risks in destination country eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    20. 20. 20© Copyright 2010 EMC Corporation. All rights reserved. EU findings of adequacy for non-EEA countries • Andorra • Argentina • Canada (but only to activities covered by the Personal Information Protection and Electronic Documents Act) • Faeroe Islands • Guernsey • Isle of Man • Israel • Jersey • Switzerland • USA (Safe Harbor and passenger data only) eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    21. 21. 21© Copyright 2010 EMC Corporation. All rights reserved. Where export is possible, even if no adequate protection • If the data subject has given consent • If the transfer is necessary for the performance of a contract with the data subject • If the transfer is necessary for the purposes of: • Legal proceedings • Obtaining legal advice • Establishing, exercising or defending legal rights • Use of model contract clauses • Binding corporate rules eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    22. 22. 22© Copyright 2010 EMC Corporation. All rights reserved. Differences within the EU • Concept of personal data is narrower in the UK than in the rest of the EU (Durant case) which has caused difficulties • Many EU regulators exercise greater supervision, including a requirement to approve contracts for the export of personal data • Fines can be larger than the UK eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    23. 23. 23© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
    24. 24. 24© Copyright 2010 EMC Corporation. All rights reserved. Between A Rock and A Hard Place • Claim for unpaid invoices – AccessData sued ALSTE, a German company • ALSTE objected to discovery requests – Claimed violation of GDPA and German Constitution • Court disagreed, ordered production "[i]t is well settled that such [blocking] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute." See Societe Nationale Industrielle Aerospatiale, 482 U.S. 522, 544 (1987). AccessData Corp. v. ALSTE Technologies GmbH, 2010 WL 318477 (D. Utah Jan. 21, 2010)
    25. 25. 25© Copyright 2010 EMC Corporation. All rights reserved. Some Practical Issues Inter-country data transfers - Backup strategies - Email Archiving / Management - HR Systems - The Cloud US Litigation eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    26. 26. 26© Copyright 2010 EMC Corporation. All rights reserved. The Data Explosion Different Worlds The UK DPA Meeting Cross-Border Challenges The Sedona Conference eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws 
    27. 27. 27© Copyright 2010 EMC Corporation. All rights reserved. The Sedona Conference • A non-profit educational and research institute dedicated to the advanced study of law and policy • Promotes dialogue (rather than debate) as the best means of promoting developments in the law in a reasoned and just fashion • Concentrates on antitrust law, intellectual property and complex litigation • Seven Working Groups focussing on different aspects of the law eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    28. 28. 28© Copyright 2010 EMC Corporation. All rights reserved. Sedona Conference WG6 • Mission of Sedona Working Group 6 is to address issues that arise in the context of e-information management and e- disclosure for organizations subject to litigation and regulatory oversight in multiple jurisdictions with potentially conflicting internal laws. • Framework for Analysis of Cross-Border Conflicts was released in 2008 and cited shortly thereafter by the European Commission's Article 29 Working Party • Continuing dialogue with EU Commission, Article 29 Working Party, regulators and US judiciary on proper approach to resolving conflicts between disclosure and data protection laws eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws
    29. 29. 29© Copyright 2010 EMC Corporation. All rights reserved. Question and Answers Quentin Archer - quentin.archer@hoganlovells.com James D. Shook, Esq. – jim.shook@emc.com J. David Morris – david.morris@emc.com Hogan Lovells - www.hoganlovells.com Discover More! www.kazeon.com/discover www.kazeon.com/blog - case coverage and eDiscovery topics eDiscovery& eDisclosure: US & UK e Disco ve ry and Privacy Laws

    ×