 My name is John Benson. You may also know me as Jurist, and today we're going to be talking about electronic discovery. We're going to be talking about what exactly it is because it's kind of a concept that is difficult to grasp because the very nature of it being a new topic doesn't make a whole hell of a lot of sense to many people. We're going to talk about why there are so many unknowns out there about this topic in general and we're going to talk about why there are so many unknowns in technology law and why those unknowns, a lot of those same things that Scott was talking about before me, are going to remain foggy and in this kind of gray area for quite some time. We're going to go through why electronic discovery and going through litigation in this modern age is costing companies millions and millions of dollars and we're going to talk about how to mitigate some of those costs and keep those to a minimum if possible. And finally, I'm going to talk about why, I believe at least, this may represent one of the greatest security vulnerabilities on kind of a macro level in existence today for companies and something that all individuals who have personal data somewhere really ought to be concerned about. I've been giving variations on this talk since last October when it was very rough at Pumpcon and I always got a lot of questions afterwards which involved kind of the context. Where does this fit into the legal process? When I submitted to Black Hat and Defcon, I said, boy, it would be great if you guys could give me just a little bit more time so I can talk about that. Well, I was thinking originally maybe 75 minutes. Well, it turns out that they gave me a couple hours. Luckily, we still have plenty of material to cover and I think that you guys are going to learn a lot today. By the time we're done, I'm hoping that you know a lot more about the American judicial system and how it works and allow you guys to analyze situations in a different way than you had before. I hope you get a working knowledge about the litigation process itself and understand how to better interact with your attorneys. And you should have a solid understanding of, of course, the e-discovery process, how it plays out and learn a number of different ways that we can keep the costs and the risks down for corporations as they go through litigation. What we're going to do first, for the first kind of third, I'm going to give you some perspective on the legal process, that stuff that is skipped over a lot through our formal educations and isn't explained very well in the popular media. Next, we're going to go into the e-discovery process itself, see how truly inefficient it is and see where these costs kind of build up. Finally, we're going to turn to some problems, especially security, and some solutions to those problems. But first, of course, I want to tell you guys a little bit about me. I went to the University of Missouri in Columbia and got a finance degree. Yes, go Tigers. I would say something foul about KU, but it would get me into some trouble. Then I went to the University of Missouri in Kansas City and got my law degree, after which I sat for the Missouri Bar Exam a couple of years ago and passed that. And then after I got done with law school, I really wanted to find a job of any kind, really, one where I could use my technology skills and my formal education in law. That led to a period of freelance web design, which is, of course, a nice way of saying, yeah, I'm unemployed, but it's better than saying I'm unemployed. And since you're fresh out of school, you can't actually draw unemployment. So I did that for quite some time, had some real struggles. Communicating to the attorney is the need for people that know something about technology and the law that we'll cover in depth here in a little bit. Then as I ran out of money, I took a job at a very large law firm in Kansas City doing document review, which is, again, a very nice, lawyerly technical word for saying, I read other people's email for a living eight hours a day, 40 hours a week. Now I know we're at a hacker con and we're all sniffing packets and things like this. Let me tell you for a fact, reading other people's email all the time is possibly the most boring thing you will ever do. I can't recommend it to anyone. Find something else to do. So after that, I eventually did find a job at a very large Midwest law firm. And I currently work as an electronic discovery consultant. And what I do is I work directly with companies and their IT departments and map out all of their infrastructure and find out where everything is so that it can eventually be analyzed and produced, things like this. It's a pretty novel position. I'm not aware of too many people out there that are doing things that are similar to myself. And then one more thing that I do want to give a shameless plug to. Recently in Kansas City, we found out what's called the Cowtown Computer Congress. That's going to be Kansas City's hacker space. Yes. And it's going to be a little bit different. We're actually going to reach out to all the other technology communities and all the other user groups and have them become affiliates as well so that we can kind of repair that terrible reputation that the Midwest has as being backwards when it comes to technology. If you guys are interested in some more information, I've got plenty of flyers and find me afterwards. So now that you know that I have a job and I'm an attorney, I think we can all guess what's going to come next. That's right. It's the disclaimer. Nothing I'm about to say is the opinion of my employer or any other organization that I am affiliated with. Nothing I am about to give you is legal advice. And while I am an attorney, I am not your attorney. And I also want to clarify that I am not the attorney of anybody in conjunction with DEF CON or anybody speaking here. So if you have any questions involving any issues that have been coming up in recent days and hours, you'll probably want to pose those to some other people afterwards. You stated a holiday in Express. No, I stated this place, which, you know, I don't know what that says about me. And of course, because I am an attorney, probably nothing I'm about to say should be trusted or relied upon in any way whatsoever. Now, I'm also going to share with you some rather humorous anecdotes and also rather sad anecdotes about some of my fellow members of the bar nationwide. And I want to let you know that some of these names, in fact, have been altered to protect the innocent and the misguided. So with that, it's time to get on with the big show. I do have a lot to cover, which is why I seem to be talking at a mile and a half a minute. I took two and a half hours over at Black Hat for this and I don't want to cheat you guys out of any of that information whatsoever. Let's talk first about the American legal system. I'm going to go out on a limb here and say that my civics education was very typical to most of the people in this room. My civics teacher in high school was also the high school basketball coach. And in the afternoons, after teaching us how to function as members of our democratic society for the rest of our lives, he also taught recreational fitness. So you can imagine that some of these classes are rather low on substance and I could go on and on about civics education in America, but that's a rant for a different time. So what I'm going to do is I'm going to try and let you guys know how the court is structured and why we have so many of these unknowns in the law right now. In the United States, we have what is commonly referred to as a common law legal system. This is contrasted with the civil law system of continental Europe. Common law systems exist in the United States, Great Britain, the Republic of Ireland, and some other former British colonies. The roots of this system date back ages and ages. I've read some accounts that trace it back to the days of William the Conqueror and even some roots of the system back in the book of Genesis. Now, a very, very simplified description of how the common law system works is just that when we're confronted with a new set of facts, the way we analyze the situation and determine how the courts will probably act and when the court looks at things and decides how they will act, they look at previous cases and apply the analysis that was done previously to the current set of facts. So there's a lot of analogizing going on. It's very fascinating. There are lots of different lines of case law. If you ever read one of the Supreme Court cases, obviously they discuss all of the cases that came before it. Some of the most fascinating cases out there that will give you an idea of these analogies that lead to this include, well, Roe v. Wade and Lawrence v. Texas, which outlawed the sodomy ban in Texas a few years ago and actually used Roe v. Wade as a significant basis for that. Of course, there is the most recent case involving Second Amendment rights in a federal context from Washington, D.C. That is quite an opinion. In fact, I have yet to find the time to actually sit there and read the 150 page plus opinion of Scalia. But it is, from what I have read, it is an excellent opinion, which weaves together a lot of previous decisions. So I know you guys can, I can kind of think what you guys are saying. We hear a lot about judicial activism these days and this idea that judges are legislating from the bench and they're out of control and that voters need some way that they can hold judges accountable to whatever the current kind of social and political climate is in existence. Well, that is actually somewhat of a misnomer. There's a principle called stare decisis. That's a little bit of Latin. I'm not going to do too much more. Essentially what stare decisis is, it means that once a court has made a decision on a particular issue, future courts may be bound to follow that decision. So whenever you hear things like, oh, well, if the Supreme Court makeup changes, they're going to overturn Roe versus Wade. That's not going to happen. That would kind of overhaul the way that the judicial system works. Really one of the only times we've seen such a sweeping overturning of previous cases was in Browden versus Board of Education, which desegrated all the schools back in the 1960s. Now what the courts can do is chip away at the standards so they can make the exception and allowances for certain behavior and certain actions to be narrower and narrower and narrower. But they will probably not come out with a flat out we are going to overturn this case. So that's kind of simple. Let's dig down into some more specifics and show you why this will show you why things can get kind of murky. Obviously any decision by the U.S. Supreme Court will be binding on all of the other federal courts below it. Pretty simple right there. That's why they call them supreme. Now where it can get kind of murky is whenever you have a decision at the Circuit Court of Appeals, because the United States is divided up into a number of federal circuits. And when a federal circuit makes a decision, their decision will be binding on the district courts below it, meaning all of the district courts in that region. But it will not be binding on district courts in another region. So to boil it down, you can have slightly a different interpretation of federal law in California as you do in Missouri. Now are these interpretations going to be drastically different? Probably not. If they are drastically different then there's a good chance that that issue will be brought up through the courts all the way to the Supreme Court and kind of unify the interpretation of the law. Now the other thing that we need to talk about is the difference between trial court and appellate court. Trial courts do one thing. They determine facts. They establish what happened in any given case and situation. When you appeal, you appeal the interpretation of the law that was done at trial by the trial judge. When you get to the appellate level, all they are looking at are the laws and the decisions that were made by that judge. So it's easy to think that if you lose a case, you're going to appeal and they're going to rehear all these facts in front of judges instead of juries. That's not what happens. Once we get to the appellate court level we're only dealing with interpretation of the laws. So what we need when we have murky or unclear laws such as the ones involving private investigators right now and what is the meaning of this term, what is the meaning of that term or when you're dealing with statutes that are extremely broad, so broad that you can drive a truck through like the Computer Fraud and Abuse Act, which defines computers so broadly it's almost laughable in some situations, is you not only need to get through the trial court level, but you also need to get to the appellate court level. And if we're really going to need to solidify some of these laws, you need to go beyond the first appellate level and possibly get all the way to the Supreme Court. So getting through all those courts takes a couple of things, three different things really. First we need a case and a set of facts that is very good. A very borderline case that has a chance of winning up on appeal. Those can tend to be kind of rare. If it's an open and shut case then you're probably, unless you have a judge that makes a very, very poor decision, then it's probably not going to get to the appellate level at all. You're also going to need time and you're going to need money and lots and lots of money. Because if you want to get, and if everybody in this room wants us to get to the point where we have well settled, well decided interpretations of our laws, we need very, very good and probably very expensive attorneys to get to that level and to get to win. So that means if you guys are doing some research and you guys have a situation where you're going to be encountering some of these rather large and obtuse laws, before you go doing anything that may be a little bit questionable, think about the amount of time and the amount of money it's going to take to be able to fight that all the way through. And of course if we are dealing with the Computer Fraud and Abuse Act for instance, you may also need to be sacrificing your freedom to move about the country and spend a little time as a guest of the federal government. You really need to think about if that is something that you are willing to do before you go releasing something to the wild, which may be potentially dangerous, in such a way that you're antagonizing prosecutors, vendors, things like this. Now don't get me wrong here. I'm not saying we all need to close up shop and stop all of our work. I'm just saying everybody needs to be prepared and they need to be smart about what they do. And as we go through all of this and I talk about the e-discovery rules and what they mean, you need to think about this in the context of 18 USC 1030, which is the Computer Fraud and Abuse Act, because the Computer Fraud and Abuse Act provides for two separate things, which will bring us into the two different types of courts. You have civil cases and you have criminal cases. A criminal case decides guilt, whether you're going to go to jail or not. A civil case will decide whether you end up having to pay all of your assets over to somebody because of something that you did or in some instances like negligence, something that you did not do. The Computer Fraud and Abuse Act provides both. You can go to federal prison and you can be sued by an individual that has been injured by your actions in violation of that. So whenever you encounter a situation where let's say you're served with a lawsuit that brings up something like 18 USC 1030, the Computer Fraud and Abuse Act, while you have not been indicted just yet, that complaint is probably a very nice roadmap for a federal prosecutor to take it, make a few quick alterations, hand it to a judge, say, I would like an arrest warrant and I would like a search warrant and we're off to the races and now you're involved in both. So think about all of these situations and all of these costs that I'm about to talk about in the context of you being sued in federal court under the Computer Fraud and Abuse Act. The reason I have O.J. Simpson on here, of course, is he's an excellent example of someone that has seen both sides of criminal and civil law. He was acquitted of the criminal charge of first degree murder, but he was found liable for wrongful death in the civil courts. All right, so with that, let's turn to how the litigation process actually works. The first thing that's going to happen is you're going to have a filing of what's called a complaint, where a plaintiff will outline all of the allegations against the defendant, what they did, how they were injured, things along these lines. Then, of course, the defendant will file an answer to those and either admit or deny or something kind of in the middle to each and every allegation as they go through. Now we're off to the races, so to speak. There's also going to be a lot of stuff which is called motion practice. You can file motions to get a case transferred. You can file a motion to get it dismissed for any number of different reasons. You can say that it wasn't in the correct court. You can get a different judge. This is the stuff that really kind of drags out big litigation. Years and years because of all this motion practice that goes on, it's the bread and butter of big time corporate litigation. It's not very exciting stuff for anybody other than boring attorneys like myself. After all, while all this inside baseball kind lawyering goes on, we've entered the discovery process. The discovery process goes almost throughout the entire litigation from beginning to end at presentation. Once we get through trial, there will be eventually a final judgment. Only a final judgment from a court can be appealed. If somebody settles out a case, that case is over. There can really be no appeal because you admit it's nothing and you paid some money off. So what exactly is discovery? Well, to simplify it, it's looking for that needle in a haystack. It's an investigation conducted by both parties of the other side to find out information about the case. Stuff will eventually be used at trial or depositions or things like this. There are a number of different discovery methods which are employed. There is a document production, which is where electronic discovery fits in. There are interrogatories, which are written questions, which are answered under oath by the parties. There are depositions. Deposition is essentially like it's like being a witness at court except you're not in court. There's a court reporter there, you're under oath. It's not a terribly pleasant experience for people. And then there's also something called a request for admissions where one side will ask the other to admit whether certain facts are true or not. Now, discovery will take up the lion's share of time during civil litigation, as I said, because once before a person can be deposed, we're going to want to see all of their documents that they had control over so we can understand what they were doing, what kind of information that they knew. A lot of times we'll also find ways to catch the person in a lie during the deposition. So the funny thing here, and this is where we get into the rule amendments to the Rules of Civil Procedure, which were passed in 2006, is as soon as litigation starts, the attorneys and the parties are required to get together and talk about all of the different issues involving electronic discovery, involving that document production and transfer of documents of all the data potentially for a given case. This can be lots and lots and lots of data. We've got lots and lots of issues to figure out. You've got to figure out where all the stuff is. You've got to figure out timelines for production. The first conference, which is called a 26F conference, has to happen within 99 days of the start of litigation. Now, that may seem like a lot of time in technological terms, but in terms of a lawsuit, especially a very large federal lawsuit, that is an instant. There's a lot of information to get through, and because of that, a lot of problems can happen along the way. Where is electronic discovery on that list? It's such a big topic, but it's really just kind of a subset of this document production kind of thing. The concepts of electronic discovery and finding relevant or responsive evidence, redacting things, looking for privilege, looking for work product that we're going to retain, has been around for as long as discovery has been used in litigation. So why are we just now hearing about this? Companies have been using computers since the 70s, in some form or another, and even before that. So why is this just now becoming an issue? Well, first of all, you have the amendments to the federal rules that now require the attorneys to pay attention, but those just came around in 2006. That's pretty recently in legal terms. To put it bluntly, the rest of the world left the legal profession in its dust years ago, and the lawyers didn't seem to notice. It's just now that attorneys are realizing that there are these things on people's desks at companies, and they're called computers, and there's stuff inside those computers that is interesting. So we're just now turning to the point where we're really digging down and finding lots and lots of information in there. A large portion of them, well, I won't say a large portion, a certain portion of them, still doesn't understand that companies use computers in all of their business. I heard from one attorney at a cocktail party once that he told me, well, my practice doesn't involve electronics at all. No computers are used whatsoever in this business. And I said, well, that's interesting. What kind of business are you in? He told me, and I said, well, does your clients communicate with you over email? Well, yeah. Do they calculate costs and calculations and run numbers and things? Well, yeah. I said, well, do they use a slide rule? Well, no. Do they use something like Microsoft Excel? Well, yeah, I suppose. I said, well, that's computer-based. Yeah, but we can still do everything still paper-based. We can just print everything off. Okay? It's really scary. You really can't imagine a lot of the stuff that I hear from attorneys. You know, it's pretty awkward for me, too. I mean, I'm not kidding anybody around here. I'm pretty young, right? And you have attorneys that are out there who have been practicing for decades. And because of their fundamental misunderstanding of why the world has changed and the amount of data that's out there and the amount of hidden data that's out there, they're somewhat being left behind. There was a speaker at the RSA conference, who's another attorney. I haven't seen the talk yet. But the gist of it is that the legal profession is almost reaching a crisis because attorneys are not really competent to represent their clients because they don't understand where their data is, what's being done with it. Okay? Those are strong words. I even stood in front of a continuing education class a few months ago, and I flat out told a roomful of attorneys, which was pretty interesting to try and do, that over the next 15 years a lot of them will be professionally irrelevant unless they adjust to this new environment. I got a lot of funny looks until I explained to them that the people coming out of law school over the next 5, 10 years and onto infinity, at least with their skills and technology, are going to be, they're going to resemble me a whole lot more than they're going to resemble that old guard of attorneys, right? And I think that kind of made some things click in their minds that things are changing. Another one I was, there was a law firm that I used to work at, and I got a phone call from one of the partners, and he had a question about Excel, because he had to send over this document to opposing counsel, and they wanted it in electronic format, and of course he'd heard some things here and there about manipulation of data in spreadsheets, imagine that. And he asked me how in the world you could do this, and I was, you know, I'm trying to explain, you know, some pretty high-level stuff, and then I realized he didn't understand that you needed to click in the formula bar to see where some of those calculations were made. That's very, very shocking, and people tend to wonder why lawyers drink so much. So why, how has this really come to pass? You know, the world changes and the legal profession has no idea. Well, one immediate response is that, you know, the people that are in charge of the law are really completely out of touch, that they're just old, okay? Well, I'm sure that there's lots of people in this room that would dispute that age has anything to do with technology, but when I was giving these CLE talks this spring, I had a couple of guys come up to me afterwards and say that I was by gum dead on, that the legal profession really needed to change, and then they started talking to me about all these super cool things that they'd been doing to automate their legal practice, and they were able to work out of their home and fire all their support staff. You know, one guy was saying that he was writing all kinds of scripts and things to automate everything, and this guy was, you know, he was an attorney and easily in his 1970s, extremely cool. So it's not necessarily age, but I think it does, you know, age does have somewhat of a factor. The Supreme Court, before Judge Roberts and Judge Alito joined the Supreme Court, the average age was 77 years old, okay? That's not exactly a spry bunch there. I think another factor that has led to attorneys being somewhat out of touch with this stuff is the fact that their jobs over the past couple decades were that they didn't need to interact with computers every day and all the time. Why? Because our time is extremely expensive. So whenever we can, we delegate some task to somebody else. So if it makes more sense for the attorney to dictate something and have his secretary type it up, then it's certainly a lot better for all of the clients out there because you're not paying $360 an hour to have an attorney sit there and hunt and peck on a typewriter, right? So they haven't really had to work with them. They pretty much think that everything is, that technology is the purview of the administrative staff. Some of you guys about the problems I had when I was getting a job and at one point I had sent my resume into a firm in Kansas City that does a lot of federal criminal defense, including things involving criminal fraud and abuse act from time to time. I thought this was a great opportunity, you know? This would be a great way to use both sides of my skills to do criminal law which I find to be very exciting and if you ever have to do legal research do criminal law because it's very amusing as you read some of these cases. But I got denied, of course, and I called up the partner that sent me the nile letter and I said, I really like some feedback because this job search just isn't going very well for me right now. Is there something that I can change about my resume that will make it pop a little bit more? And she said, well, you know, a lot of that stuff you did in law school, trial advocacy, that was pretty good. You're pretty involved in the community but you've got this whole section at the bottom on technology and you probably ought to take that off because one of the reasons that we didn't decide to have you in for an interview is we just don't really need another secretary right now. So, yeah, I was pretty speechless when I heard that. I didn't really know what to say so I just kind of hung up the phone and maybe someday they'll figure it out. Unfortunately, for many members of the bar nationwide, the legal profession is changing in such a way that's exposing them to personal liability in a lot of instances where attorneys and clients haven't been adequately producing documents to the other side. The courts are beyond just sanctioning only the companies involved and the clients that are involved but also the attorneys themselves and these aren't small sanctions either. In fact, earlier this year, within the last 12 months, we had attorneys in California in Qualcomm versus Broadcom patent litigation that were actually sent up to the California bar for ethics violations for some of the shenanigans that they were pulling during the exchange of documents and essentially playing dumb. I mean, it was either they knew what they were doing and they were playing dumb, which is also very bad, or they were so out of touch that at least somebody believed that the bar needed to take a look at whether or not they should be practicing anymore. Now, they weren't disbarred or anything like that and I think there are some decisions still pending about what's going to happen to those attorneys. That's a very interesting case about that. This low level of understanding about technology leaves attorneys to be vulnerable to a number of different things. One of the things I like to say about electronic discovery is it's driven by two things, buzzwords and urban legend. What happens is the attorneys go to CLEs, continuing legal education classes, and they hear some stuff. They hear some vendor pitches for scalable enterprise level solutions that are going to fix all their problems and they grasp on to these terms. So whenever they get into situations where they're having to deal with technology, they throw out all these different buzzwords, but they're missing a lot of the core issues. So what are some of these buzzwords? What are some of the things that you can expect to hear when you talk to corporate attorneys? I think the earlier you hear these things in the conversation and the more you hear about them being the core of the conversation, the more you can understand their real knowledge about the situation. The first one is a big one, metadata. The origin of this urban legend comes from a story about an attorney that was writing up a brief for the courts and he was not very fond of the judge that he had. So when he was drafting this, he used some very pejorative terms for the judge, probably something rather profane as well. So of course, as he's going through and editing it, he eventually goes back and he changes all the references to the judge to something more proper. He goes ahead and he submits it to opposing counsel and submits it to the judge, and then the judge opens it up and flips that switch in Microsoft Word to reveal all of the changes. Then the judge sees all of these terms about him and things like this and is certainly not too happy with the attorney. This makes sense for a couple of reasons. First of all, if this was federal court, everything's done in PDF. Second of all, the idea of a judge being savvy enough to figure out how to do that is a good deal of a stretch. And when I bring up judges too, especially for this crowd, and go off on a slight little tangent here, when you're dealing with judges, their level of understanding about technology is probably a good deal lower than attorneys across the board. So judges may be more likely to be persuaded by certain terms that are used in complaints and filings with the court, like the word hacker. So it makes it a very precarious situation for people doing security research that they can be subjected to a decision that happens because of that knee-jerk reaction because of that word. So other than metadata, let's keep going with metadata. Let's see what attorneys are writing about metadata. This is a screenshot from a weblog written by an attorney. And of course, this gentleman spells it also cleverly, B-L-A-W-G. And I don't know if you guys in the back can read this. The headline is metadata in photos. There's a lot of hidden information in digital photos. And essentially he goes on and on to talk about his groundbreaking discovery that there's information about pictures that's being generated by his digital camera. Now, he's obviously kind of new to this, considering I use Aperture on my computer and there's actually a tab that deals with metadata. There's this fear about metadata. How many people in this room have to use one of these plugins for Microsoft Office that will scrub all metadata before it goes out the door to somebody else? You know, it's buggy as can be, makes words slow down even more. And it's a real hassle. The reason you're seeing that is because of the attorneys and you're seeing this fear of metadata everywhere. And you can see it here. Another headline from the next article from this gentleman by the way that I think is rather revealing is he's writing about the service Jot. And he says that it's a great way to send email by dictating it. So what are some other terms that we can listen for? Well, there's backup tapes. The focus on backup tapes comes from the Morgan Stanley case of a few years ago. And essentially what happened here, and this is an actual case, not necessarily an urban legend, essentially what happened was a high level individual within Morgan Stanley was brought in for a deposition. And he was asked about the production of documents that they had made and whether or not it was complete or not. And he said unequivocally, absolutely, we've given you everything that we possibly have. Sorry about that other data, we just don't have it. Well, and he gets home and I picture in my mind that he gets home in his big easy chair and he's having a cocktail and he scratches his head and thinks, wow, that was kind of a bold claim. Maybe I ought to go down to the office in the morning and poke around. What was the first thing he found in the very first place that he looked to see if there might be other data sitting around? Boxes and boxes of backup tapes laying around. In fact, they found, I believe, a warehouse of backup tapes laying somewhere with so much information that was not produced to the other side which had highly relevant information that the court imposed sanctions against Morgan Stanley. And the sanctions in this case were the most severe of all the sanctions in here. And these are the kind of sanctions that you should all be concerned about whenever you're thinking about potentially being sued in federal court for anything involving digital evidence. It's called an adverse inference. And what that means is if we can't find the evidence and the evidence isn't going to make it into court, that lack of evidence can be used to infer guilt. Essentially, no evidence is proof of wrongdoing, right? That's an automatic loser, people. If you get the adverse inference instruction, you're done. That should be a serious concern to everybody that thinks, well, as soon as the feds show up, I'll just start destroying my hard drives. I've got enough thermite in my house to melt everything down to the ground, right? That's a bad idea. Not only have you now burned down your house, you've also burned up all your assets because you'll be paying off this lawsuit and this judgment against you forever, right? So be concerned about those kinds of sanctions. So this backup tape story and the jury verdict in that Morgan Stanley case, which was actually overturned, was actually in excess of a billion dollars. So it's serious money that we're talking about here in some of these big cases. Usually what happens now is there's a conversation between law, the legal department, and IT. Lawyer calls up to the IT department. This is IT. What can I do for you? Have you tried turning it off and turning it back on again? We've got to find the backup tapes. What? We've got to find the backup tapes. All of them. We have to preserve the data right now. Well, we have a number of backup tapes. Which ones are you looking for? Every single one of them. I understand that you have this recycling program where you reuse them. You've got to stop that program immediately, save every single one of them. Well, that's kind of expensive. These tapes aren't cheap. It doesn't matter. We've got to save the backup tapes. We've got to preserve all of this data. Well, what about these incremental backup tapes? It's going to be kind of redundant data and it's going to be very costly. The volume of these backup tapes is going to be we're going to fill a warehouse or anything that matters. It doesn't matter. Save them all immediately. How many people in this room have had that conversation or received that kind of phone call? That's a pretty fair share here. That certainly illustrates the level of understanding of backup systems and where data is for people in the legal profession. The next term is a largely vendor-driven term called a data map. You may encounter a point where you hear from inside counsel or outside counsel, we've got to find a data map. Guys in IT, create a data map so we know where everything is. Well, here's the problem. What's a data map look like to you guys? Some guys, if you're a backup administrator, it's the schedule of where the backups are. For somebody that's in networking, it's a network diagram. It can be any number of things. I've heard it described by vendors and all these other people that I've heard described as a table, like an Excel spreadsheet. I've heard it described as a graphical set of data. I don't like using the term data map. I like to use the information architecture map because it's more broad. It implies that there's more information there. We'll talk about all of the things that this can contain here later on. The point here is that if you do receive a call from in-house counsel or outside counsel saying, we need to come up with a data map, you need to ask what in the world that they are looking for so that that way it can be used by somebody down the road. Otherwise, we're going to be going back and forth and doing this over and over again. What about corporate America? If the attorneys are having a problem coping with these changes, how are companies preparing? Well, despite what you may hear from a lot of the very large vendors saying that companies have now adjusted to the rule changes and now they're prepared to... they're certainly prepared to deal with any kind of litigation as it comes in, that is absolutely, absolutely not the case. Companies are not prepared for electronic discovery. What's scary about this is is that there seems to be a day lack of understanding about e-discovery within companies too. Therefore, they'll get a call from vendors who say, we have a scalable enterprise level solution for you that will solve all of your e-discovery problems. You will be able to comply. You will be able to produce all documents without any kind of problem with a flip of a switch. You will be done with your litigation in no time with our tool. And by the way, it costs in excess of $250,000 to implement. It's very scary because it's not that simple. There is no single solution out there. There is no single tool that can be used to map infrastructure. There is no single tool that can be used to capture all data in existence. It's the only way we can do it is through good cooperation between IT and Legal to identify where all this information is, graph very good policies so that we can control where the data goes and then have a good response plan whenever it's time to start litigation. This brings me to another kind of misunderstanding here. e-discovery is talked about within a context of compliance a lot. People associate it a lot with Sarbanes-Oxley. There's some sort of standard that we need to comply with. Well, it differs from Sarbanes-Oxley in a couple of different ways. First, you don't have to do anything to prepare for electronic discovery at this point. Absolutely nothing until you get sued at which point you're going to be subject to all of these rules in the way litigation works. It's not necessarily a compliance issue. The other difference between electronic discovery and Sarbanes-Oxley is there's no knife at the back of management saying, you've got to make these changes. So who can fault managers and businesses who had to spend so much money on Sarbanes-Oxley compliance that now they're hearing that they have to spend all this money and bile of these scalable enterprise-level solutions for the e-discovery stuff when they just dump so much money into Sarbanes-Oxley? I can certainly understand why they say whenever they hear that they don't necessarily have to do something right now, that they say, fine, I'm not. Well, let's now turn to the electronic discovery process itself. How does this play out? How does the litigation process play out in conjunction with it? What you see here on the screen is what's known as the electronic discovery reference model. That graph has a lot of information and can take a while to absorb everything that's there. You can find that at the website, www.edrm.net. At that website, you will also find a moderated wiki that has information on each of these stages in excruciating detail, all come up with by people that are heavily involved in project management, things like this. If you're going to be going through e-discovery, you ought to take a look at this and see what's ahead and see what some of the general thinking is on the best way to go through this. Notice that I avoided my most hated buzzword right now of best practices. That should go the way of the dodo. So, instead of talking my way through that model, I have something that's a little bit more simplified for everybody. These are the different phases of the electronic discovery process. First there is the identification phase where we have to find where all the data is. Second is the preservation stage where we make sure that it all stays around and is safe until we can analyze it and decide whether or not we need to keep it, produce it, delete it, whatever. Then is the collection where all the information is gathered from the client and then sent to a vendor who will process the information into a form that the attorneys can review and eventually produce. Then is the most expensive portion, review, and that is when the attorneys are going to sit there and go through all of these documents and make a number of decisions on whether or not they can or should be produced. Next is the actual production where we ship the things on DVD or hard drive, something like this, over to the other side, and then when the other side receives it, it's going to start all over. They're going to start reviewing it to find the actual stuff that is relevant to the case and try and find that smoking gun email which everybody is trying to find all the time. Then finally is presentation. Presentation occurs at deposition, at trial, things like this. What happens at the very beginning of litigation? When does that identification and preservation stage need to begin? An organization has a duty to preserve information whenever they can reasonably anticipate litigation. Well, there's that lawyerly word that we all love so much, reasonable, right? It's kind of like it depends. It's one of our favorite terms out there. When can you reasonably anticipate litigation? Well, a few things are blatantly obvious. First, you get served with a lawsuit or you file a lawsuit. Those are hard cutoff dates, easy to see. But you can anticipate litigation well before that as well. If you're calling your lawyer saying, we've got a problem, at that moment you can reasonably anticipate litigation. It's time to start preserving your data. If you are getting ready to file a lawsuit against somebody, at that time when you call your attorney you can reasonably anticipate litigation. And even if you're a plaintiff, you are subject to the same obligations under the federal rules. So how does this play out? The duty of the preserve arises and legal calls in all of the key players. The executives, some of the people that know all the information about the issue. They call in the leaders from IT. We figure out where all the data is. We start the preservation process and we start our preparation for the 26F conference. In 99 days, we're moving right along, right? Well, I think it's actually a little bit more like this. In reality, preservation steps aren't taken. In fact, the lawyers that will eventually be handling this case at trial may not even be involved. They don't even know anything is going on because it hasn't gotten to that point just yet. You have a situation where there's no communication between legal and IT. In the old days, you would just send a letter informing people that they had a duty to preserve information to those employees saying, stop shredding things, stop throwing things away. That's the way this still occurs. But what's the problem with that? IT doesn't hear about it. Automatic deletion procedures stay in place. Backup tape recycling of older data that is certainly relevant, which is about ready to be deleted, is destroyed. And nobody has any idea until weeks or months down the road. The scary thing is if you're going to avoid those very frightening sanctions like the adverse inference instruction, it's the very first days of litigation that are the most critical to avoid this. But it's also the time when the identification and preservation phase are the most overlooked by legal teams and by corporations right now. Nobody expects at the beginning of litigation that there are going to be fights down the road about how adequate a production was or how extensive the identification was. But you have to go into any litigation expecting the worst and hoping for the best. Unfortunately, in the legal profession, it's pretty common for us to do lots and lots and lots of lots of work with absolutely no payoff because the case eventually settles. That will also happen in this kind of situation. So what is the right way to do things? Some way to avoid these train wrecks. Well, obviously, you're going to need to put together a plan. And what do we need to do to prepare for this? Well, one thing that is growing in popularity is the concept of a litigation response team or an e-discovery team. Does anybody in here work for a company that has a litigation response team? Just a few, just a few. I'm guessing those probably aren't the same people that got the backup tape call. The litigation response team can be made up of different types of individuals. You're going to want it to be multidisciplinary. You're going to want somebody from legal in-house, maybe somebody from outside council. You're going to want somebody from the IT department, probably not the chief technology officer, the chief information officer, probably somebody that actually knows what's going on and is involved in the day-to-day process. Probably somebody that knows all of the deep dark secrets about the firm and what is going on with all the data, meaning people in this room. What do you need to do at that meeting? What do you need to cover? We need to figure out what kind of lawsuit it is. Who's involved? How many departments are going to be there? How many departments are going to need to have their data preserved? This way you can make an effective response because every situation is going to be different. A response to a litigation for sexual harassment, for example, is going to be completely different than the response that's going to be required for a class action lawsuit involving a company's only product that they sell nationwide, for example. So in every situation, get everybody together on a conference call, say what it is, figure out what the next steps are. I did read an article a few months ago that brought up a heck of an idea. If you don't trust your users, which nobody should, if you don't trust certain users because they may be personally implicated in a lawsuit for something that they did and they have a high reward for destroying data whenever they find out that the men are coming to get all of their stuff, one thing you can do is actually image their hard drive before you send them the litigation hold. This way, if they do start destroying data down the road, you still have that backup copy somewhere. It doesn't need to be forensic, and maybe not necessarily at that point because you're doing it before they knew that they could start deleting data to save themselves. Should you start collecting data immediately whenever a lawsuit starts? Probably not. I'm going to talk a little bit about that here in just a second and tell you why. So now that we know that we have a duty to preserve, we need to figure out where all of our information is, and that means that data mapping process. So let's dig into that. What needs to be done and on what kind of timeframe? You don't have a lot of time to get your attorneys all of this information. So you need to move quickly, and it would help if you had a lot of this stuff available and ready to go. Some of the stuff that I would look for when I go through this process with clients are policies and procedures. I want all of the destruction policies all the handling policies, the procedures that people follow down whenever you're moving around backup tapes, things like this. Really, I want... If you have an entire policy manual just for IT, I want that. That way I can see what's going on, what happened before the litigation started, and then I'm also going to want the policies and procedures that went into place after litigation started. This way I can go to the court and I can say, this is why we complied with our duty to preserve. This is how we did it. You can take your sanctions motion and shove off, right? But also we have to figure out where all the data is to make sure we found all of it. So I like to look for just about everything. I like to say, if you have network diagrams, send them to me. If you have charts with IP addresses and capacities on them, send them to me. Yeah, that's a lot of very sensitive information that you guys probably don't like giving up, but it is something that is going to be very valuable and potentially save your company from sanctions down the road, okay? You need to make sure that that information alone is well secured by whoever you're working with for very obvious reasons. In my case, I'm pretty savvy with all this stuff, so I say, give it all to me in the raw format so you guys can get back to your jobs and let business continue. But you may be encountering somebody that is not so savvy, so work with them to make sure they understand the terminology that you're using and dumb it down to the adequate level for them if you possibly can. I'm going to want to know where people save their data. What are the actual practices? First off, I would actually have to go talk to the individual users or find out from individual departments what their practices were. Thank you. Are we putting everything on a network drive? Are we allowing people to save things on local hard disks? Do we allow people to have thumb drives? Do we have people that are backing all their stuff up using external hard drives sitting on their desk? What are the general practices going on? Here's a frightening one for you. Do employees have remote access so that they can work on work stuff from their home computer, specifically so that they could save documents to their home computer? And here's why. If I'm dealing with a situation where I'm looking for a certain draft of a document and I know that an executive can and did work from home on his own personal machine, I'm probably going to be very interested in his home machine and I can probably convince a court to let me go after it. And that's because, think about it, if you're working on, you know, you're working something up, you're at the office, you're like, well, I'm not done yet, I'll send it home and I'll do a little bit more work on it this evening, then I'll finish it up in the morning before I send it in. You send it to the home computer, you save it on the desktop or the My Documents folder, you work on it, get a little bit of stuff done, you save it back and you're done. Well, the final product is going to be on the work drive. The draft is going to be sitting there on the home machine. I want the home machine. Depending on the situation, I may be wanting to map an individual's data and where they keep stuff to a very granular level. I mean, this is when we start getting into that forensics kind of thing. You know, do you have an iPhone? Do you have a digital picture frame that you could smuggle things out of the office with? But we're not going to need to get down to that level in every single instance, only in certain situations. But the more detail and the more information I can get about my client's stuff, the better it is. So, what's the best thing about this data mapping thing? I mean, we've got a very short amount of time to do it if we're in litigation. Well, the very nice thing is that we don't have to wait for litigation to do this. I mean, guys, we could go home right now and start this process. And you could have a binder full of all the information so that when you do get sued, you can pull it off the shelf, hand it to the attorney, and he can circle and highlight all of the areas that need to have data preserved. We can get done with the preservation stage. We can go on to the negotiation of the discovery protocol and actually to the merits of the case. Shocking in these days that we actually would talk about the merits of the case early on in the lawsuit instead of all of this tail wagging the dog e-discovery nonsense, right? One other thing that I find that is very critical that I almost forgot about is that you need a list of all of the applications that are used by your company and in your company. Why is that? Well, that's because whenever we send this data to a vendor, they can only process certain types of information. One of the answers that I get a lot is, well, we use Microsoft Office and we've got such-and-such and such-and-such. Well, that's all fine if it's on the standard image, but those aren't the documents that are going to be causing me the problems. The documents that cause problems down the road and the problems that cause companies to miss production deadlines are these obscure programs, you know, the chemical engineering programs, AutoCAD, stuff like that. Heck, even personally, you know, random programs that employees may have downloaded to their machines to, you know, make an e-card or something ridiculous like this. We need to know where, you know, what is out there so we can be prepared for it. If I know that we have certain files that aren't going to be able to be processed, I can tell the other side and we can negotiate a situation where we produce it in native form, you know, where we produce it in paper form, something along those lines. So pull everything that you possibly can. The other thing that is extremely useful to take care of this backup tape hell situation is to have a written description of data as it flows through backup tapes. So that way you can go to the attorneys and say, okay, here's why we don't need to save the, why we don't need to retain every nightly incremental backup tape from now until the end of this litigation. Once they see that, they can say, oh, I understand now. In this case, we're going to take this, this, this, and this, and then we can go out about our business. But that's pretty difficult. I mean, you know, backup, it's not that tough of a concept once you've looked at these policies and procedures, but for somebody that doesn't deal with that on a regular basis, it can be kind of confusing. Well, let's move on to the next phase. Now that we've preserved all of our information and we've identified it. Oops, sorry. We're going to collect the information. Now, I'm sure we have a lot of guys still hanging out in here from the forensics talk. There's a certain reaction from a lot of people to say, well, let's go out and we'll forensically capture every single hard drive and every server out there, and then we'll be able to do a complete forensic analysis on everything and find absolutely all of the goods. That is one extreme, and it would be a very costly and time-consuming extreme. And to be honest, one question I guess is, you know, why do the attorneys seem to not care about unallocated space whenever I talk to them in any discovery context? Well, it's because we're going to be dealing with gigs and gigs and gigs of email. You know, with all of that information out there, to be honest, if somebody did delete something, then it's deleted and it's gone. We'll find it probably somewhere else because somebody else didn't delete it, right? So that's one extreme. Now, forensic capture is absolutely necessary in some instances. If you're dealing with an employee that probably deleted data because they had stolen trade secrets, if you're dealing with a sexual harassment situation or employment discrimination, something along those lines, every situation is different. You need to talk to the lawyers and figure out whether it's going to be relevant and whether you're actually going to find information there. On the other extreme is the situation where we just tell all of the employees to find all of the stuff on their computers relating to product X, throw them in a folder, burn into a DVD, and send it to a law firm. I don't like that for a number of reasons that are very obvious. A, we never trust any of the employees. B, it's taking decisions about relevance and responsiveness to lawsuits out of the hands of attorneys and putting them into parties who may be interested in not producing documents fully. And because of some of this obsession with metadata for good or ill, you're going to have employees altering system level metadata, especially in the early stages of litigation when there is no discovery protocol. You don't know what the other side is going to say must be preserved and you don't know what the court will say must be preserved. You don't want to risk altering some of that stuff. The happy medium here is to actually hire a third party, a discovery vendor or a forensics vendor to come in and just collect all of the active files. That's a situation that I like a lot. Now, it's good to have people that are very adequately trained and able to be qualified in court as forensics people to conduct that collection. On another point, if your attorney starts saying we'll send somebody from our IT department to come out and collect this stuff, be concerned about that because what can happen is if that IT person who works for the law firm messes up in some way, that's going to create an immediate conflict of interest and then you just lost your law firm. You've got to go find another one. So, a third party is a great way to go. Going pretty well on time, actually. Next, we're going to talk about the processing phase. This is where things start to get expensive and really expensive. Once we've got all of the data collected, it's going to need to be converted into something that can be produced. This is where we start getting into the antiquated world of law firms again. One of the very common forms of production is to convert everything into TIF format. They'll extract all of the metadata. They'll extract all of the OCR text and they'll produce TIF images. I think that's because back in the day when they started scanning documents and manually coding them into databases, TIF was a very commonly used image form. I'm an advocate of PDF personally, but a lot of tools out there are compatible with PDF and some attorneys have some concerns about PDF and redaction, hello GE. But this process is very problematic because it thinks of everything in terms of 8.5x11 pages We all know that digital information is outside that framework of thinking. We're dealing with databases. We're dealing with spreadsheets that have incredibly high volume. They just don't fit on an 8.5x11 TIF image. This is why it's important to know what kind of data is out there so that the attorneys can negotiate a protocol that makes sense. What will result otherwise is a situation where attorneys are reviewing spreadsheets one printed page at a time just on the computer screen. I'll talk about how incredibly ridiculous that can get later on. Another example, you know, AutoCAD drawings. AutoCAD drawings shouldn't really be reduced to an 8.5x11 page on the screen. The resolution may be poor. So it's very difficult to get through this process. Now here's the staggering part. For everybody that has very broad policies out there for your employees to save email, for instance. How much does it cost to run data through these processing systems? As a rule of thumb, which can be very widely, plan on about $1,000 per gigabytes to process that information. That can add up very quickly once you decide that you're going to have, I don't know, 10 or 12 individuals have all of their data collected, including their, you know, 4 or 5 gig PST full of all emails sitting in their inbox that have never been sorted or filed anywhere. Well, that's a new interruption. Yeah. I don't have my radio. Alright. We'll just kind of continue, I suppose. Some people are leaving. Goons. The hotel here was having people setting these off at the hotel. Well, it's like storage, like if you keep your stuff in Salesforce or your email engineer. We'll talk about that later. Oh yeah, absolutely. Security Goons, what are we doing? Excellent. Thank you. Right, right. Alright then. We will continue with the alarm. This is awesome. Oh, the Goons said that if the alarm was real, then the alarm would also be providing a very nice voice saying something to the effect of GTFO. Oh God. Who feels safe? Yeah. I swear, first I speak at the same time as Dan Kamiski this week, and now this. Awesome. Alright, so let's assume for a moment that we've processed all of this information, and it's eventually in a form that all of the attorneys can go through and start reviewing. How efficient is this process? How big is the size of the case? We're going to have, you know, hundreds and hundreds and hundreds of gigs of stuff and thousands and millions of pages of information that's going to need to be reviewed. Now we're not going to go through and actually read every single piece of your email that you've ever since received or thrown away. We're going to do that in a selective manner using that high-tech search function of keyword searching and date restrictions. That's created out by the attorneys as part of the discovery protocol. Now, this is not terribly accurate, which is actually why we still have attorneys sitting there and putting eyes on documents. You're going to get a lot of false positives. It's also going to miss a lot of documents. But it will cull things down. But remember, in a lot of instances you have attorneys sitting there reading one page at a time on a person's machine, potentially. And hourly rates aren't exactly what you'd call low at this point for attorneys. We got to eat, too. Even though this is handled a lot of the times by contract attorneys as vendors like to call them, they act like they're these small little furry minions that scurry around in basements somewhere. But the rates for them are not low either. I remember what I got and it certainly wasn't insignificant when I was doing that job. This is a large source of income for law firms. The billable hours coming in for large document reviews can be very high. Especially later on when you can put some mid-level associates making a few hundred dollars an hour and they're reading other people's email. It just takes a lot of time. How much time and why? Here's the process of the review that I experienced at one point in my life. The data was sent to the vendor. Then it came back from the vendor after it was called for all the keywords. The individual reviewers reviewed it for responsiveness. Meaning, does it have something to do with this lawsuit? If yes, then the answer is yes and we move on to the next page. After it's reviewed for responsiveness, it's going to be reviewed for privilege and work product. Essentially, whether or not this is a communication between the attorney and the client so that it can be retained and should be retained. In conjunction with a determination of whether or not it's privileged, there's an entry into what's called a privilege log which is where an attorney says this is why we're doing this. This is why we can retain this information. Lots and lots of time there. Now, in order to speed up this review for responsiveness, one of the common practices is to also do a keyword search for names of attorneys and names of law firms as the data is processed. Well, you can imagine how many law firms and how many attorneys deal with a large company at any given time, especially over a period of years. And this is done through keyword searching. Now, consider the situation where in-house counsel somebody that communicates with all kinds of employees has a name like Johnson. So that means that every time that employee Johnson writes an email or authors a document, it's going to come up as potentially privileged. And that privilege determination is going to be made by a higher level attorney and therefore by somebody that has paid more money per hour. Right? So we're getting pretty high already. You've got problem files. Like I said, a lot of those file types that you can't process. You've got to figure out later on what in the world this is, can I open it, if I can open it? And then what are we going to do to get it converted into 8 1⁄2 by 11 TIF images? That's a great time. I did that for a few months. So then comes the real fun part, which is redaction of information. A lot of the times, companies will negotiate with opposing counsel, especially if you're dealing with trade secrets or patent litigation, that we're not going to show you all the information about our other products. These are trade secrets we're going to retain, and then we agree upon that. Well, currently the technology that is generally in use doesn't allow for automatic redaction of information. Currently, that needs to be done by those contract attorneys, or paralegals in some instances, sitting there and drawing boxes on the screen and blacking this information out. Now that seems not like it's that big of a deal right now, but consider what we're dealing with. You have all of these spreadsheets that are spanning different pages, you know? So many columns and so many rows that it's all over the place. So what happens is you get this spreadsheet and it's a financial document of some kind that lists all the products the company makes and sales for that. Well, I've got to redact lines 10, 12, 14, and 25. So I write that down on a piece of paper. I black that out with my box. I find the next page over. I count on the screen down and do this. It is incredibly labor-intensive, it is incredibly time-consuming, and it will drive a person nearly insane. In fact, I remember when I was working doing some of this work, I found a buddy's house and he had the new Command & Conquer game on his computer and I hadn't played that in years. So I sit there and, you know, I start moving my guys around and I realized, oh my god, I'm drawing boxes on the screen. I can't handle this. And I had to walk away. I used to be completely addicted to that thing when I was in college, and I seriously cannot play real-time strategy games anymore because of redacting documents. So after we get the redactions completed, we have to send all these documents back to the vendor because we're going to re-OCR them so that we don't produce all of the underlying data that we just redacted. Then an overlay is applied a lot of times to protect employee information so that it's kind of like the middle ground between redaction and clear text. And then eventually, you're going to be making the production. So now you can understand why the review process costs so incredibly much as companies go through it. Right? So how much this information would you expect is actually used in depositions or trial? Very, very, very little. So think about this process. We've spent all of this time identifying all of our information. We've retained backup tapes for eons and we have a warehouse full of them and really nothing to do with them now that we've got them. And they may not have even been restored in the first place. We've paid all of our attorneys all of this time to go through these documents and if it goes to trial, maybe you'll have five bankers' boxes full of highly relevant documents that are identified. Out of all the information that we started with in your corporation. Or even more frustrating is a settlement occurs and then we've just spent all this money really on not a whole lot other than eventually paying off the lawsuit and kind of losing, if you will. So the problems and the risks are starting to mount here. So for the next 30 minutes we will be talking about some of these. One of the major problems is poor communication between... Nope. Here we go. First, we're dealing with idiot users. Users have problems using computers. They... The computer more uses them and they put things in lots and lots of different places and they can't find stuff once they put them somewhere. And data gets spread all over the place. Keep in mind I did read other people's email for a long time so I know how users treat their data. You've got people who have presentations that give them multiple times. And every time that they give these presentations they change the title slide and then save another copy on their drive of that presentation. That means that it's now different. It's now not de-duplicated and that entire presentation gets to be reviewed over and over and over again. Right? Here's another one. Email attachments. You have some people that think it's a great idea to take giant spreadsheet files and email them to lots and lots of people inside the company instead of putting them in a central location for everybody to look at at the same time. As much as we would love to be able to run the MD5 hashes across lots and lots of custodians and really narrow this down so that we're only reviewing one copy of every single spreadsheet that doesn't exist. So every single time that that spreadsheet went out to somebody else that means that spreadsheet that I just spent an entire day and a half redacting. Depending on luck of the draw I may get to spend a day and a half redacting it next week. Over and over and over. Right? This is why single instance email and centralized storage is a dream. This will help things a good deal if you can teach people to send links to files on internal servers. We have the technology. This is something that email administrators, everybody in this room probably has been looking for and wanting for quite some time. For once a lawyer helping you get what you want. Get excited here people. What else? I have so many stupid user stories. It's kind of ridiculous. Communication between legal and IT. We talked about that bizarre conversation where all backup tapes have to be retained forever. You have broken communication channels. Attorneys tend to latch on to people in IT that they get along with. So you may have somebody that has a buddy down at the help desk. Maybe that buddy at the help desk is now the guy that gets the litigation hold and is now in charge of preserving all the information for everybody. That's not a good thing. There's that potential huge gap between the beginning of litigation and that IT gets notice of it. This could go on for weeks and weeks and weeks until finally an attorney becomes involved that recognizes the need to start preserving information and says so did you contact IT and send them the litigation hold? You can give responses everywhere from well why in the hell would I do that? They're not document custodians to stun silence and realization that we've probably messed up in a big way which then leads to the backup tape question. What we can do is start forming litigation response teams. Not to tread down that dreaded CISSP type thinking and business continuity kind of deal but a litigation response plan should be incorporated into IT policy and procedure just like any other disaster response plan is. We need to know where everything is and where to go and we need to talk to the lawyers more. We're from completely different worlds. We speak completely different languages but it is absolutely critical that these two communities get together in order to prevent companies from losing lots and lots of money in lawsuits. In fact, I've heard stories about people in information technology who knew about duties to preserve and things like this and as a result of that, whenever they heard litigation started, they started taking steps to preserve independently of what the attorneys took them. Those people probably single handedly saved their company from millions and millions of dollars in sanctions. When you know something is happening at your business where they're going to be sued, pick up the phone and call the lawyer and say, hey, I haven't heard from you. I know this is going on or I've heard rumors of this. What do we need to be doing? Take a real proactive approach to it. Here comes the big one. Security. Where is let's talk about we're going to start with the vendors I believe. When we send all of this information out to be processed, we want to send it out to somebody that's going to take very good care of it. I'm in the enviable position of being somewhat technical, so therefore when discovery vendors call my law firm a lot of the times they're directed to me. Obviously we all have our biases in the things that we find important and of course one of the things I find important is security. What is the most commonly, what is the most common answer that I get when I ask a vendor about security? We use the same type of security that banks use. 128-bit SSL encryption. I say okay. That's interesting. These guys here's the real scary part, right, because inherently if a vendor is hosting other companies data they're not going to just have the data of one company. They're going to have data from multiple companies. So if you are an attacker out there looking to get some information on a certain company, why go after the company itself that has teams of security professionals that come to things like Black Hat and Def Con when I could potentially go to a vendor that has no idea what in the world they're doing? Not only am I going to get the information from company X I'm going to get the information from companies Y and Z for free. Where are all these, where is all the data going? It's not just one vendor. It's going to be going to your vendor. It's going to be going to your law firm. Then it's going to be produced to their law firm and that's going to be produced to their vendor for searching and things like this. That's an incredible amount of locations for very sensitive data and of course as we move down the chain there, this is all even more sensitive data and more important data that could do some potential damage in the hands of somebody else. What about law firm security specifically? The law firm I work at obviously takes security very seriously. We've got a whole team dedicated to it but that's probably not very typical considering where attorneys are at in technology adoption. It's very difficult for somebody to go to the managing partner and say, okay, so we need to spend a whole bunch on security so that we can be safe from these hacker people. Well, was that going to make me work better or faster? No. How much is this going to cost? I think so. I'm sure that happens a lot of places that are high and have a large size, medium large size and have large IT staffs but what about the people at the further down the chain? The plaintiff's firms. I used to work at a small plaintiff's firm. It was one man's shop. We did some personal injury stuff and we did some federal criminal defense. The first day that I was there, one of the secretaries was instructed to show me how to use the computer and we sit down and she's showing me some things and she's showing me where all the client files are and I mean all the client files all in one folder on this guy's computer and I'm like, okay and as she's showing it to me it blue screens and she reaches down immediately and just shuts the power off. Reboots it and what is the screen that I see come up? Windows Millennium Edition. Gonna give away my age here I suppose. That was in 2005 that they were running Windows Millennium Edition. I said, so tell me does that happen a lot? Fully knowing the answer of course. Oh yeah, that usually happens two or three times a day. Okay. Is this backed up anywhere? No, this is the computer. Everything is here. I think by the end of that summer we actually spent more money on IT infrastructure than I made that summer. But in small place outfits, the guys that are going to be suing the companies and the ones that are going to be getting all that highly relevant information they're gonna have things like open wireless and file sharing Windows file sharing between computers on their open wireless. These guys are going to be highly vulnerable to all kinds of very basic attacks, potentially. There is none known at this point. I pity the poor bugger that becomes the model for that. The question was what is the standard for a person being held liable for legal malpractice because of poor information security practices? Nobody knows. All this stuff is so new that we just haven't reached that point yet. I mean, I don't know of a story of a law firm having a major data breach at this point. So, you know, it's okay. As far as they know. Now actually, I take that back. I did talk to somebody at one of the conferences that I was at this year that said that they had knowledge of a private investigator that would sit outside the office of opposing counsel and actually sniff packets all day long. That was a story here say, of course, but that's scary. Very scary. And what kind of information are we talking about here? It's easy to forget when we talk about gigs and gigs and just data in general. What's there? Well, what do employees have on their machines at work? Well, they still have personal email, between their spouses. They've got instant messaging logs, probably personal conversations, as well as business ones. You have fights with spouses playing out over email. You have all of the HR files. And that's your HR files as well as mine and all of the employees. A lot of people will keep personal financial data on their work machines and their work devices for some reason. There's also an instance where Quicken can be installed on a palm pilot at some point, believe it or not. I don't know who came up with that bright idea that I'm going to keep my credit card numbers in my unencrypted palm pilot, but I have seen that kind of thing. And of course, pornography. Employees still look at pornography on their work computers as one of the people that had to deal with all the problem files in 8.5x11 images. I was given the task of going through all the media files. So that was why I actually got an office so that I didn't have to share the porn with everybody else in the office. But we also have all of that information that's important to companies. All of their trade secrets. All of their financial data. All of their financial projections for future quarters. All of their customer data. That means information about all of you. That means social security numbers. That means names and addresses. That means if you take pharmaceuticals or people know that you're taking certain drugs, that's probably in there. This is scary stuff. Engineering drawings for facilities, for example. There is just a treasure trove of information which is now being taken from your company and put in multiple locations all over the place which you guys don't really control. It's pretty much the whole enchilada. It's everything that everybody is looking for. Everything that every malicious attacker is looking for. Identity, theft, corporate espionage. Everything. Maybe being sent out to vendors and things like this. So let's talk about the vendors. What is so hot right now nationwide with businesses? What are they looking to implement? They're looking to implement web-based applications because that's the wave of the future because web browsers were intended to be operating systems. Right? I don't think we need to go into security of web applications too much here because I think we're all pretty aware of how insecure they can be. A lot of these web applications, and stuff out to other smaller shops for document review and things like this. What you have then is one version being sent out to multiple smaller shops and multiple other IT departments that then have to implement all the patches and maintain these systems. Maybe not necessarily at the same pace that these need to be patched. A lot of vendor, this is a huge industry, as you can tell from the process of going through this process. Everybody in their brother-in-law is getting into this business, including people that traditionally only made copies for attorneys. It's like, well, you know, Discovery is now electronic. Well, I'll get into this business. I'll buy this product over here, install it, and I'll host data, and now I'm an e-discovery vendor and expert. Probably not necessarily an expert in security. Like I said, I talk to a number of vendors, and I get the 128-bit SSL encryption answer a lot. Well, let's go beyond that. Talking to one vendor, and I have pictures for vendors, I have one vendor and I we're talking to him and getting that pitch. It's an evergreen solution, which is terribly exciting, and I ask whether or not they had had, because they obviously host their own data in addition to reselling this product, I ask whether or not they have regular penetration tests done on their systems, or if they had known of any recent breaches as a result of weaknesses in their web-based application. He said, well, yeah, we've heard of that a few times in the past. Really from who? Oh, our clients that had hired their own pen testers and analyzed all the systems and found this vulnerability, and I said, really? So then as a result of that, do you guys contract for that regularly and could you provide me with reports before we start using your product if we do? Well, no. And I said, so what you're telling me is I'm going to contract with you to host my data and I need to hire my own penetration tester to test your system for you. Yeah, that's pretty much it. I hung up the phone on that one. Another one. Talking to the vendor, same kind of conversation I asked about the penetration testing. And he said, his response to penetration test was, you mean you want us to pay somebody to come in and break into our system and maybe make it stop working for a while? Yeah. Why in the world would we want to pay somebody to hack our system? That's some scary stuff right there. So here's another good one. Talking to a vendor and he's sitting in my office, real nice guy, and we start talking about shipment of data back and forth. And I said, you know, whenever clients send you the data, do you guys use one form of encryption over another? How do you secure that data in transit? Well, you know, believe it or not, in all these years that I've been doing this, nobody's really asked whether or not they should use encryption whenever they send data. I said, soap stuff just kind of sits in the mailroom? Yeah, you know, that's a hell of an idea. I'll bet a guy could make a little bit of money if they started trying to secure some of this stuff. So, you know, there's the mailroom hack there available. Now, here's another fantastic one. This one happened one day at a place that I used to work. And it was after DEF CON. So I was wearing this, you know, the red shirts that GMARK had done, the Hacksord shirts that are very obvious and out there, you know, look at me, I'm a crazy lead hacker guy. And it was Jean's Day, so I wore this shirt in and the vendor happened to be in town to deal with some separate issues. And I go and I'm talking to these guys wearing the shirt and I say, you know, asking them all kind of information. Of course, they're just giving up the goods to me. Yeah, I'm an employee and everything like that, but why would you tell an employee of another firm all about the systems that they're using that they don't really need to know? And I said, we were having problems getting certain files to refresh after images had been updated. And of course, I jumped on some documentation for Apache, so I mean, that was what they were using, and I figured you could make some adjustments to make the time to live lower for any certain file type. And I suggested this to them. I said, you think this would solve the problem if we just adjusted, you know, X file type to zero? And the guy said Apache, and this is a developer, by the way, Apache, what's that? I said, well, it's kind of a popular program. What are you guys running IIS? I don't have any documentation on that, but I'm sure I could look it up. No, no, actually, we roll our own web server. And once again, you kind of like the secretary comment, I'm speechless. In fact, I went back to my desk and spent the next half hour Googling why in the hell you would roll your own web server and put it out there for production stuff with all of this information on it. Um, very, very frightening. So, um, whoop, cruise through these real quick. Um, a few final thoughts before we wrap up. Um, electronic discovery and technology law in general is and will remain unsettled for quite some time because of the way our system works. And it's easy to say, well, that system's antiquated. We need to move on. We need to find some way that we can change the laws faster. Well, we don't necessarily need to do that. The world has changed before and the common law system has handled this in the past. Yeah, these are novel situations, but over time they will work themselves out. But we all need to realize that we are operating in somewhat of a gray area right now. So unless you have the time and the disregard for your personal freedom when you're thinking about doing something that is a legal gray area and you think that it might get yourself in trouble, think long and hard about whether you're willing to put up your assets and your freedom in order to achieve something. Um, and, you know, but, you know, if you're willing to do that and you're more than willing to become that example and that famous case that money, hey, go right ahead. But think long and think hard about that. Electronic discovery is putting corporate and personal information at risk. Everybody's personal information. And if these, if the information is not treated properly it could potentially lead to some very, very major data breaches in the very near future. Companies need to start doing a better job of vetting the places where this data is being sent. Honestly, that means talking to your law firm about what kind of securities they have in place there. Um, find out what vendors that this law firm has been using. Find out all of those, all of that information that you possibly can in order to protect your data. Now as far as sending things to opposing counsel that's kind of another issue because you don't have nearly the relationship with that. But you want to try and minimize the risk as much as possible. Some good news though. Technology will over time level the playing field between litigants. What do I mean by that? You know, there's always the story of the old days where you had small individuals suing the big large corporation and the monstrous law firm that has so many resources that they can produce truckloads of documents. And then, you know, deadline comes for small five-person law firm to receive the documents from the huge corporation and to semis roll up with boxes and boxes of documents and they just kind of dump them on the steps. Nobody has the resources to be able to go through all that and eventually the plaintiff who may be, uh, who may have to settle because they just don't have the resources. The good news is technology is changing. There are a lot of developments out there. There's a lot of advanced technologies involving searching. I'm sure a lot of you guys know about it um, potentially because you're involved in the federal government potentially because you're in private industry but a lot of those technologies are filtering into the legal system right now to be used. It's gonna take a while before they're in full adoption because the courts need to accept them as being accurate. The lawyers need to start getting comfortable with their accuracy. There is a study ongoing that compares the accuracy of a human-based review to a purely computer-based review. Um, those results should be out within the next 6, 8, 12 months and those are gonna be very interesting and hopefully it can start leveling this playing field. One problem, though, is that some of these advanced technologies are massively expensive. Massively expensive. So expensive that only the largest law firms and therefore the ones that are representing the big companies out there, only they can afford right now. I don't want to be like a certain blogger that just declared that he wanted a $100 laptop and asked the commenters on his blog to chip in but if the open-source world could come up with something to deliver to all the law firms out there that would be free for them to use, for them to be able to deal with some of these problems, the impact on our system of justice would be enormous. Not only would we be giving some advantage back to small plaintiffs but at the same time as the big corporations who have to face lawsuit after lawsuit after lawsuit that are extremely frivolous because believe me there are lots of those out there with some of these advanced technologies they can cull through all the data they can find exactly why this case should be dismissed and crush these frivolous lawsuits with absolutely no problem. Clearly I'm still young and idealistic. What can I say? Justice is certainly going to be best served by lots of cooperation between the legal and technology communities. That means getting out there and interacting with the lawyers. Do what you can. Work with local bar associations to build technology education programs for all these people. It's really exciting because so many of the changes that made the business world and the world so much better as far as improvements in communications because of technology those things I hope will soon be coming to the legal profession and really improve that and get back to the core goals of our justice system. I really appreciate you guys coming out today. I'll be in the Q&A room. I think we're just about out of time so we'll do everything in the Q&A room later on if you have questions. Thank you very much again.