Solving the PII Problem: Securing Rogue Data in Discovery


In a recent article, my Kroll Ontrack colleagues Jim Loveall and John Pilznienski discussed the challenges of finding and removing personally identifiable information (PII) during discovery. While most organizations recognize the need to protect their data, they do little to protect or segregate their employees’ PII within their own network environments. Coupled with the constant blurring of personal and workplace data and the growing public policy concerns with privacy protection, the safety and security of PII within company firewalls must become a priority for corporations if they wish to avoid inadvertent disclosures or compromise employee PII during the discovery process. These issues and more are discussed in the article published on the Westlaw Journal: Computer & Internet.

How does PII Sneak into Document Collections?

While the collection of PII is often purposeful, such as the collection of data from HR records in employment cases, PII is also often unintentionally included through overly broad collections. Employees may email payroll with their Social Security numbers, use their work email to send a spouse copies of personal tax records, or scan and email health records to submit to an insurance provider. These examples show how easily PII can leak, and why collections need to be combed not only for relevance and privilege, but also for PII and personal health information (PHI).

What are Some Steps to Find and Remove PII During Discovery?

Accounting for PII during discovery can be difficult, both because of the ubiquitous nature of PII and the potpourri of applicable data privacy laws. Astute legal teams will deploy both a tested process and innovative technologies in locating PII. Two stages, preservation and review, are critical in these efforts.

Preservation begins with compliance officers employing clear policies regarding employee use of the organization’s systems and devices, and once litigation ensues, litigation teams should be on the lookout for sources of PII from the beginning. Working with a technical consultant to create a data map is one method to know where the organization’s data is stored. With that understanding, a targeted collection strategy can be implemented to exclude documents from the collection population.

Once reasonable means are employed to collect the data in a targeted manner, the next step is to process the data, remove system files and narrow the potential review population. After the likely relevant population is identified, additional searches for PII and PHI, including the use of automated tools such as technology-assisted review (TAR), can inform the review process and help to ensure the identification and exclusion of personal information from the production set.

The ediscovery process presents a real risk of unintentionally compromising PII and PHI, with personal devices everywhere and data trails being generated in all aspects of our modern life. But if lawyers monitor the shifting state of data privacy regulations and use some best practices, including targeted collection processes and leveraging technologies in the review stage, they can be confident that they have taken reasonable measures to locate and remove PII and PHI during discovery.

Be sure to read the full article, Mission Possible: Securing Rogue Personal Information in Ediscovery, for a more in-depth analysis of the issues surrounding PII and discovery.

November 2015 Ediscovery Case Summaries

Court Instructs “More Thorough Search” in Face of Irretrievable ESI
Neonatal Product Group, Inc. v. Shields, 2015 WL 6158810 (D. Kan. Oct. 20, 2015).

Appellate Court Affirms Order to Produce Records in Native Format
In re State Farm Lloyds, 2015 WL 6751057 (Tex. App. Oct. 28, 2015).

Third Circuit Court of Appeals Affirms Appointment of Special Master for Discovery Matters
Glover v. Wells Fargo Home Mortg., 2015 WL 5947812 (3d Cir. Oct. 14, 2015).

Court Orders Defendant’s Wife to Produce iPhone for Forensic Examination
Brown Jordan Int’l Inc. v. Carmicle, 2015 WL 6142885 (S.D. Fla. Oct. 19, 2015).

Court Denies In Camera Review in Light of “Unsupported Suspicions”
Armouth Int’l, Inc. v. Dollar General Corp., 2015 WL 5719123 (E.D. Tex. Sept. 28, 2015).

Fall Webinar Line-up: Ediscovery, Second Requests and Antitrust Litigation

Kroll Ontrack recently presented a webinar, Ediscovery Considerations in Second Requests and Antitrust Litigation, detailing the common issues and considerations counsel should keep in mind when dealing with ediscovery in M&A matters. To shed light on these issues, our expert panelists included:

  • Sheldon Noel | Kroll Ontrack
  • Charles Moore | White & Case
  • Edward Sharon | Wilmer Hale
  • Adam Strayer | Kroll Ontrack

Second Requests & Antitrust Litigation: 5 Ediscovery Considerations

For merging parties, a Second Request or antitrust litigation requires a different approach to ediscovery. There are 5 unique considerations, which the webinar panelists discussed.

Posture and Timeline – Merging parties have an incentive for being helpful and cooperative towards one another so that agencies can approve the merger as quickly as possible. To that effect, merging parties should consider collecting documents before the Second Request is even issued. Once the Second Request is issued, it is critical to produce as quickly as possible (in either a rolling production or single document dump format) to shift the pressure to the reviewing agency to examine the information submitted.

Cost – Money is a significant factor in Second Requests, and merging parties have every incentive to keep the costs down. To do so, parties must be prepared for every monetary contingency a Second Request can bring, including ways to staff the document review team to control costs and utilizing predictive coding as a method of mitigating costs during review.

Scope – To successfully locate and produce these documents, corporations must negotiate and identify custodians, focusing on the most relevant materials first. Also, as business transactions become more international, the presence of foreign language documents must be considered in the collection and production process of a Second Request. Lastly, be sure to consider the protection of trade secrets and privileged documents as well.

Technology – The successful use of technology, whether it be predictive coding or case mapping tools, offers a level of accuracy and consistency that is higher than the levels offered by manual review. Using technology to identify the most relevant documents can expedite and save costs in the long run, especially in a Second Request or antitrust matter.

Be sure to check out Kroll Ontrack’s Second Request webinar to gain a deeper understanding of ediscovery in Second Requests and antitrust litigation.

Looking for more?

For more information regarding ediscovery, be sure to keep an eye out and register for Kroll Ontrack’s upcoming November webinar, Ediscovery Gotchas: Frequent Headaches that Give You the Most Pain in Ediscovery and Tactics to Combat It.


New Study Finds Ghost Data Haunts Devices


As the leaves change colors, the air becomes crisp and pumpkin-spiced everything fills the shelves, we think of little (and big) kids going door to door for candy, apple picking, and all those Halloween ghost stories. Not the stories that end with “BOO!” But the stories that make your hair stand on end and your skin crawl. One such horror story has been revealed in a recent study conducted by Blancco Technology Group and Kroll Ontrack.

Ghost Data Haunts Second-hand Equipment

In an examination of 122 pieces of second-hand equipment—mobile devices, hard drives and solid state drives purchased online from Amazon, eBay, and—48% of the hard drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos, and videos were retrieved from 35% of the mobile devices. This study highlights the prevalence of ghost data on second-hand devices and technologies.

The study further found that 57% of used mobile devices and 75% of used hard drives had unsuccessful deletion attempts previously made before their sale. In addition, the survey also found that only basic delete functions were performed prior to the resale on 11% of the devices, and that the often-used “quick-formatting” functions are unreliable, having been performed on 61% of the drives with data still present. These ghastly numbers are even more disconcerting when you consider the growing secondhand marketplace for used devices—even more so when you consider the increasing prevalence of BYOD policies.

Residual Data Enough to Identify Original Users

Perhaps most startling, however, was that the residual data left on two of the secondhand mobile devices were significant enough to discern the original users’ identities. Whether it is a person’s emails containing his or her contact information or media files involving a company’s intellectual property, data haunting old devices can have serious consequences.

Together, the findings in this joint study serve as a powerful warning about the importance of using effective data erasure methods and the need to mitigate the security risks that may occur when erasure is done improperly or incompletely. The study has also sparked further conversation over at Legaltech News on the prevention of improperly deleted data. At the very least, it should raise some hairs—or some eyebrows—as to the amount of data haunting our old devices, long after it should have been dead.

Altitude Woes: Avoiding the Dangers of BYOC in Ediscovery

In a recent article, my Kroll Ontrack colleague, Michele Lange, discussed the ominous presence of the Bring Your Own Cloud (BYOC) movement within corporations. As with all new technologies, the BYOC movement has its advantages and disadvantages. On one hand, by allowing employees to use personal cloud storage systems, there is an increase in efficiency, a decrease in the cost of sharing data and greater access to corporate information. However, there are lurking risks associated with such benefits. Last week’s Legaltech News included an article called Avoiding the Dangers of Bring Your Own Cloud in E-Discovery which discussed these issues in detail.

Interconnection of Devices

The greatest strength of cloud storage – the ease of access and efficiency – is also one of its major weaknesses. Cloud services are interconnected, which means that when users upload corporate information onto one device with cloud storage, the cloud server replicates the files and makes them available to other connected devices, creating multiple copies of potentially confidential data or documents across devices which may lack proper security measures. One employee’s decision to use a third-party cloud may seem inconsequential, but when hundreds or thousands of employees begin storing important documents and data on third-party clouds outside the control of corporate security, problems arise.

Dark Data, Dark Clouds

Beyond problems of security, confidentiality, compliance, and possible theft of corporate intellectual property, the use of cloud storage threatens effective ediscovery. In litigation, virtually anything is discoverable if it pertains to the case, including the information stored in personal clouds – sometimes termed “dark data.” Often, no one else at a corporation is aware of the data that resides in an employee’s personal cloud. How then must a corporation be responsible for collecting and producing said data? The efforts associated with thorough searching and production of such data may contribute to increased ediscovery costs and complication.

The future of the BYOC movement seems bleak, but there is a silver lining. If employees, IT departments and legal teams are willing to collaborate and work together to offer cloud storage with the necessary compliance and security protocols, the future use of BYOC may be sunnier than anticipated.

For a more in-depth analysis of the issues of cloud storage, be sure to check out the full article, Avoiding the Dangers of Bring Your Own Cloud in E-Discovery, on Legaltech News today!

October 2015 Ediscovery Case Summaries

Court Finds No Obligation for Plaintiff to Produce ESI in a Preferred Search Engine
United States v. Meredith, 2015 WL 5570033 (W.D. Ky. Sept. 22, 2015).

Failure to Comply with Court Proceedings Results in Default Order
United States v. Alacran Contracting, LLC, 2015 WL 5829710 (N.D. Ill. Oct. 5, 2015).

ESI Production Sufficient; No Further Discovery
Dwoskin v. Bank of Am., N.A., 2015 WL 5836785 (D. Md. Sept. 30, 2015).

Court Denies Spoliation Motion, Stating that Sanctions would not Alter Case Outcome
Deanda v. Hicks, 2015 WL 5730345 (S.D.N.Y. Sept. 30, 2015).

Necessary Document Production Results in Award of Production Costs
Mobile Telecomms. Techs., LLC, v. Samsung Telecomms. Am., LLC, 2015 WL 5719123 (E.D. Tex. Sept. 28, 2015).

Information Governance – It’s a Jungle Out There!


Building information governance (IG) protocols from scratch can feel like getting lost in a jungle. Often it is difficult to know which direction to go to get started on your journey, especially with a thick forest of documents standing in your way. But orienting yourself in the IG jungle is essential to avoid the possibility of leopards attacking you, birds swooping down on you, or those sneaky critters that might come back to bite you. Luckily, we’ve created a handy IG Guide to help you navigate through the underbrush and into the clear!

The guide includes critical information on IG, such as how to amplify the value of enterprise information, manage data and control ediscovery, as well as how to reduce data governance risks and costs. Also included is a look into how a hypothetical company, Healthy Nuts, found their way through the IG jungle. Find out more about their story and information governance here.

#throwbackthursday: Don’t Get Burned by Legal Wildfires

Legal Hold

Happy Autumn! As the leaves start changing color and the infusion of pumpkin-flavored food dominates our culinary palates, let’s take a moment to look back to the days of Spring, with blooming flowers, baby birds, and…wildfires?!

Back in April, Kroll Ontrack launched a red-hot Legal Hold Guide that explored the importance of document preservation in litigation and regulatory matters. With data volumes on the rise, organizations need to have an effective legal hold plan in place to avoid being burned with spoliation sanctions.

Take the time to reminisce, but don’t get too comfortable. Be on the lookout next week for an exciting new Information Governance guide that promises to be wild…

September 2015 Ediscovery Case Summaries

Failure to Engage in Basic Litigation Hold Results in Sanction
HM Electronics, Inc. v. R.F. Technologies, Inc., 2015 WL 4714908 (S.D. Cal. Aug. 7, 2015).

Court Orders New Search Parameters for Document Preservation
New Orleans Reg’l Physician Hosp. Org., Inc. v. United States, 2015 WL 5000512 (Fed. Cl. Aug. 21, 2015).

Proper Litigation Hold Results in Denial of Sanctions
Grove City Veterinary Serv., LLC v. Charter Prac. Int’l, LLC, 2015 WL 4937393 (D. Or. Aug. 18, 2015).

Court says FTC has Power to Regulate Corporate Cybersecurity Policies
Fed. Trade Comm’n v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. N.J. Aug. 24, 2015).

Court Orders Inclusion of Technology Specialist Fees in Award Calculation
Gen. Protecht Grp., Inc. v. Leviton Mfg. Co., 2015 WL 4988635 (D.N.M. Aug. 3, 2015).

A Light in the Dark: Protecting PII in Ediscovery

65% of ediscovery projects contain at least one document with the XXX-XX-XXXX number format. Accidentally disclosing Personally Identifiable Information (PII) could lead to a messy discovery process and costly penalties. Do you know how to best protect PII in ediscovery? Check out this new PII infographic to learn more.

What is PII?

Personally Identifiable Information (PII) is any information about an individual maintained by an organization that can distinguish, trace or link to that individual. This can range from something as benign as a person’s full name to confidential medical, educational, financial and employment information or a social security number.

What’s at Risk in Ediscovery?

While the threat of identity theft looms over individuals who fail to safeguard their personal information, litigation teams are in a unique position. They must be the safeguard that ensures opposing counsel doesn’t accidentally receive confidential medical records, social security numbers or other PII during the discovery process. In a perfect scenario, all PII would be redacted prior to production, but with exponentially increasing volumes of data, PII becomes increasingly at risk of being unintentionally compromised in litigation. If an inadvertent disclosure occurs, a legal team may face sanctions.

Assisted Redaction: A Sophisticated Solution

At a basic level, the manual redaction process completely removes targeted content from an electronic document, making it irretrievable and unavailable for view, print, search or copy.  Building beyond manual redaction, ediscovery platforms can utilize an automated approach to identifying, verifying and applying user-defined redactions to maximize efficiency in a process known as “assisted redaction.” The assisted redaction application, featured in Kroll Ontrack’s Relativity offering, provides users with full control to review, approve or reject each applied redaction across an entire data collection workspace or subset of data. Assisted redaction streamlines the manual redaction process, reducing the risk of inadvertent disclosure while allowing counsel to quickly and correctly apply user-defined redactions throughout the data.
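The identify, verify and approve-or-reject workflow described above, sketched as an added example for the XXX-XX-XXXX format only (this is not Kroll Ontrack's or Relativity's code). It assumes documents are already extracted to plain text; the function names, mask string and sample documents are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate pattern: the XXX-XX-XXXX shape, not embedded in a longer digit run.
SSN_SHAPE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")

@dataclass
class Proposal:
    doc_id: str
    start: int
    end: int
    plausible: bool         # passes the structural checks below
    approved: bool = False  # set by a human reviewer, never by the scanner

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return not (area in ("000", "666") or area >= "900"
                or group == "00" or serial == "0000")

def propose(docs):
    """Identify every XXX-XX-XXXX match and flag whether it is a plausible SSN."""
    return [Proposal(doc_id, m.start(), m.end(), plausible_ssn(*m.groups()))
            for doc_id, text in docs.items()
            for m in SSN_SHAPE.finditer(text)]

def apply_approved(docs, proposals, mask="[REDACTED-SSN]"):
    """Replace approved spans only; go right to left so offsets stay valid."""
    out = dict(docs)
    for p in sorted(proposals, key=lambda p: p.start, reverse=True):
        if p.approved:
            text = out[p.doc_id]
            out[p.doc_id] = text[:p.start] + mask + text[p.end:]
    return out

# Constructed sample collection (not real data).
DOCS = {
    "email-001": "Payroll: my SSN is 512-44-7310, please update my W-4.",
    "email-002": "Part no. 000-12-3456 ships Monday; ref 123-45-67890.",
}

def review_demo():
    proposals = propose(DOCS)
    for p in proposals:  # stand-in for the reviewer's approve/reject decision
        p.approved = p.plausible
    return proposals, apply_approved(DOCS, proposals)

if __name__ == "__main__":
    for doc_id, text in review_demo()[1].items():
        print(doc_id, "->", text)
```

The part number in the second document has the right shape but an area of 000, so it is surfaced for review yet left unredacted, while the longer reference number is never proposed at all.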

A Light in the Dark

The ediscovery process may put PII at risk when not carefully managed, but much of that risk can be alleviated when paired with a strong legal team and savvy technology. Shine some light on PII protection in ediscovery before watching Kroll Ontrack’s new video to learn more about assisted redaction and other new capabilities within Kroll Ontrack’s Relativity offering.