All posts in Legal Developments

Brexit and data protection

As the world contemplates the ramifications of the EU referendum, we’ve speculated as to how Brexit might change the way our clients handle data transfers in litigation and investigations.

What legislative regime would govern the UK?

The UK currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain has voted to leave the EU it is likely that the Data Protection Act 1998 will remain unchanged at least during the transition period.

For businesses operating solely within the UK, this means business as usual. However, things become complicated when a business needs to transfer data to or from another European country.

The EU is currently in the midst of replacing the General Data Protection Directive with the General Data Protection Regulation (GDPR) and had Britain voted to remain, British businesses would have had to comply with this new, tougher legislation which includes:

  • Increased fines, up to 4% of the annual global turnover
  • A “Privacy by design” provision requiring that data protection is designed into business services. Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement.
  • Explicit consent being obtained for the collection and processing of data.
  • The appointment of an independent Data Protection Officer.
  • A “Right to be forgotten”. A client has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
  • A prohibition on data being transferred outside the EU without approval from the relevant supervisory body.

However, Brexit is not simply a case of “in” or “out” and much of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain becomes part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.  In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate.  However, this would mean that the UK would still be subject to the DPD and from May 2018, the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-UK Privacy Shield?

If the UK does not become part of the EEA, the UK would probably have to negotiate an agreement similar to the EU-US Privacy Shield in order for UK companies to continue to transfer data between the UK and countries in the EU.

In this scenario it is likely the Article 29 Working Party would suggest similar terms to the US:

  • An ombudsman to handle complaints from EU citizens about the UK security services accessing their data.
  • UK Security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
  • An annual review or audit to check the new system is working properly.

The Upshot

Data protection legislation is changing regardless of the outcome of the referendum and British businesses need to be prepared for these changes. Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. However, business does not have to come to standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices and data centres to continue to process and transfer data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

Brexit: Our position

Although the results of the referendum are clear, the full impact of Brexit on data transfers in litigation and investigations is dependent on whether or not Britain becomes part of the European Economic Area (EEA) or the European Free Trade Association.

If the UK becomes part of the EEA and the EU finds the UK’s data protection safeguards to be appropriate this would make transferring data outside of the UK easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the forthcoming General Data Protection Regulation, when transferring data across borders to comply with legal obligations in other countries.  Both legal mechanisms and technology solutions are relied upon in these situations to safeguard the personal data of European citizens.

If Britain does not become part of the EEA, the situation is more complicated and it is likely that an arrangement similar to the EU-US Privacy Shield would need to be agreed.  This will provide a safe passage for the transfer of data between the UK and other countries in Europe

Until the UK finalises its data protection regime and comes to an agreement with the EU companies need to think carefully about the risks of transferring data across European borders.  Business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices to continue processing and transferring data in Europe in a compliant and cost-effective manner.   We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

 

Kroll Ontrack’s Canine Forensics Team: Sniffing out the evidence and cutting costs

Kroll Ontrack is pleased to announce our latest weapon against data theft; our Canine Data Defenders. This new service, believed to be the first of its kind in the UK, will enable clients to reduce initial data forensics costs and speed up computer forensics investigations.

How does it work?

A dog’s sense of smell is unbelievably powerful, between 10,000 and 100,000 times as acute as humans, depending on the breed. A useful way of imagining this is to think of the difference in terms of vision; if a human can see an object one third of a mile away, a dog can see the same object 3,000 miles away. It is because of this ability that the dog’s sense of smell has long been utilised in the medical, military and law enforcement fields to detect cancer cells, explosives and drugs.

What do Kroll Ontrack’s dogs look for?

cf dogThe human endocrine system is extremely complex and to a trained nose, compounds found in sweat can reveal much about the human in question’s behaviour and mental state. Someone using a device for illegal activity, for example, is likely to release a greater amount of stress hormone into their sweat which in turn is transferred onto the device via touch. Kroll Ontrack’s canine team has been trained to pick up on these scents and lead handlers to devices that have been used for nefarious purposes. The process is simple and a team of two dogs can check 100 devices within an hour, which is a marked improvement on a human team handling and scanning each device.

After a successful pilot study, the Canine Data Defenders will be available to clients from 31st June 2016.

Kroll Ontrack Head of Computer Forensics , John Perro, commented “This is not about substituting human knowledge but about saving our clients’ time and money. Our dogs can pinpoint a machine used for suspect activity within seconds, allowing our human team to get straight into a type 2 data analysis.  We can also see applications in internal compliance investigations.  A quick sweep of an office using our dogs will provide compliance officers with a quick and accurate spot check of the company’s activities.”

A second team of dogs is currently in the final stage of training to provide early-evidence services for our ediscovery team, further cementing the role of dogs at Kroll Ontrack.

How can banks reduce litigation and investigation-related legal costs?

How can banks reduce legal costs?

Last week over 50 corporate in-house counsel and lawyers working in the financial sector gathered in the rather glamorous surroundings of the Banking Hall to join Kroll Ontrack  for our breakfast seminar, ‘Banks or Law Firms: Who holds the purse strings’

After a delicious breakfast, our illustrious panel tackled the complex and often, controversial topic of managing legal costs for banking-related investigations and litigations. The key themes up for debate were:

  • How recent ‘big ticket’ regulatory investigations have affected the banking world
  • Using the latest predictive coding technology to reduce legal costs
  • Leveraging corporate buying power when using law firms and other professional service providers
  • Discussing alternative pricing structures
  • Examining the pros and cons of unbundling legal services

The debate was moderated by Ben Fielding of Kroll Ontrack and our speakers included Elizabeth Meekison a Senior Lawyer in Commercial Litigation atLloyds Banking Group,  Mark Humphries – Senior Partner at Humphries Kerstetter, Thomas Leyland, Partner at Dentons and,  Orion Wisness, Discovery Consultant at Kroll Ontrack. With representation from in-house counsel from banks, senior partners from top law firms and a technology provider, each brought their own experiences and opinions to what was an eloquent, wide-ranging, and informative discussion.

The key points that emerged were:

Priorities for banks:

  • Banks value accuracy, defensibility of process and not necessarily lower costs when it comes to ediscovery
  • Working collaboratively with law firms and technology providers and ensuring regular and effective communication

The benefits of proactivity:

  • The importance of involving an ediscovery provider from the beginning of the disclosure process or investigation.
  • How implementing information governance strategies and managing the quantity and location of your data can reduce costs.
  • How fixed fee modelling could be implemented (and why this might not be a possibility in certain cases.)

Legislative concerns:

  • Are the standard disclosure rules too broad?
  • In light of spiralling data volumes, should the disclosure rules be modified so they are closer to the arbitration model?

The importance of predictive coding technology

With the recent judgement (Pyrrho Investments v MWB Property [2016] EWHC 256 (Ch)) approving the use of predictive coding still hot news, much of the debate and audience’s questions were focused on:

  • How technology such as predictive coding can be used to reduce the burden of big data in litigation and investigations
  • The implications of the recent judgement approving use of predictive coding technology in the UK
  • The need for both corporations and law firms to fully understand exactly what predictive coding entails in terms of both its capabilities and its limitations

We would like to thank speakers for taking the time out of their busy schedules to take part in the debate and share their expertise. We’d also like to thank our guests for joining us and further enlivening the discussion with their considered questions.

 

UK High Court approves use of Predictive Coding in litigation

Last week legal technology providers in the UK had a lot to celebrate as the English High Court approved the use of predictive coding for disclosure in litigation.

The judgement, handed down by Master Matthews, gave official judicial authorisation for the use of predictive coding in High Court proceedings. Summing up his decision, Master Matthews stated that predictive coding is just as accurate, if not more so than a manual review using keyword searches. He also estimated that predictive coding would offer significant cost savings in this particular case and that the possible disclosure of over 3 million documents done via traditional manual review would be disproportionate and ‘unreasonable’.

To read the judgement in full, please click here.

How does predictive coding work?

Predictive coding is an advanced machine-learning technology which allows computers to predict how documents should be coded (i.e., should a document be tagged ‘responsive’ or ‘privileged’) based on decisions made by human subject matter experts. Put simply, an experienced lawyer trains the computer by coding a sample set of documents, and the computer then learns what to look for based on this training. In the context of edisclosure and other investigative exercises involving electronic evidence, this technology can find key documents faster and with fewer human reviewers, thereby saving on cost and review time.

Who uses predictive coding?

Other jurisdictions, such as the USA and Ireland, have led the way in giving judicial approval to predictive coding, and the UK judgement references these cases in detail. Despite these cases as well as the ever-increasing sophistication of the technology itself, the UK law community has been somewhat reluctant to make use of the technology, as explored in this study by Kroll Ontrack Legal Consultant and former litigation lawyer, Hitesh Chowdhry.

In Chowdhry’s white paper, ‘Rage Against the Machine; Attitudes to Predictive Coding Amongst UK Lawyers’, he notes that his study revealed that the main barriers to adopting predictive coding technology were:

  • Risk aversion and mistrust of the technology’s accuracy
  • Belief that predictive coding would have a negative effect on revenue
  • Satisfaction with existing methods and a belief that existing practices offered more accuracy than studies have suggested
  • Insufficient understanding and knowledge of the complex predictive coding process
  • Diffusion amongst professionals

The UK judgement counters much of the fears uncovered in Chowdhry’s study by stating that the technology is accurate and offers cost savings.

Predictive coding and the Civil Procedure Rules

As data volumes continue to grow and traditional manual reviews using keyword searches become less feasible, predictive coding may be the best path toward complying with the Civil Procedure Rules.

Jeff Shapiro, a lawyer who has written frequently on costs in edisclosure, offered this comment:  “The judgementapproving predictive coding for the disclosure of documents highlights the judiciary’s continued march to proportionate costs in litigation via application of the overriding objective. Review amounts to approximately 70% of total disclosure costs. With the ubiquity of electronic document creation and storage, litigators have an ever-increasing costs’ burden in order to fulfil their CPR disclosure obligations. The judiciary, recognising the realities of modern disclosure where millions upon millions of documents may need ‘to be considered for relevance and possible disclosure’, has proclaimed that predictive coding may be used as a substitute for manual review.”

The cost savings offered by predictive coding will undoubtedly be popular with clients and potentially will give a competitive edge in winning work.

We hope that this judgement will encourage more UK firms to take advantage of the benefits offered by predictive coding.

For more information about this technology, please click here.

No more EU-US Safe Harbor. What are the implications for citizens and businesses?

Introduction

On 6th October 2015, the Court of Justice of the European Union declared in the case Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the EU and the US is invalid.

Until now, the so called “Safe Harbor Agreement” was an agreement signed in 2000 between the US Department of Commerce and the European Union that allowed US-based companies to transfer data from EU to the US and to thus comply with the EU Data Protection Directive of 1995. In 2000, the European Commission had declared that the US provides for adequate safeguards for data protection. The “Safe Harbor Agreement” consisted of data protection principles to which to which US undertakings may subscribe voluntarily. Up to date, 4400 companies transferred data to the US under the “Safe Harbor Agreement”.

The online version of the Court judgment is available online here and the press release of the Court of Justice concerning this case is available here.

What is the background of the case?

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by US public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2002 the European Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the Data Protection Commissioner before the Irish High Court. The Court decided to stay the proceedings and to refer questions to the European Court of Justice for a preliminary ruling.

The European Court of Justice ruled that the so-called “Safe Harbor Agreement” was invalid because it allowed US government authorities to gain routine access to Europeans’ online information. The court also explained leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

What are the next steps following this judgment?

The Court of Justice ruling is effective immediately and declares the current “Safe Harbor Agreement” invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the EU Data Protection Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What are the practical implications of this judgment for US-based companies who used to transfer personal data from EU citizens to the US under the “Safe Harbor Agreement”?  

As we know, the recent Court of Justice judgment declared the “Safe Harbor Agreement” invalid. This means, under a strict interpretation, data transfers concerning personal data from EU citizens to the US cannot rely on the “Safe Harbor” anymore since it has been declared invalid.

Nevertheless, US-based companies should still be able to transfer data from EU citizens to the US by using alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations.  Standard contractual clauses are model clauses that have been issued by the European Commission and are designed to facilitate transfers of personal data from the European Economic Area (EEA) to third countries that are not designated to be ”adequate” for the processing of personal data by the European Commission. The model clauses  provide sufficient safeguards for the protection of the privacy of individuals.

“BCR” are internal rules such as a Code of Conduct adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. To that extent, “BCR” ensure that all transfers are made within a group benefit from an adequate level of protection. Once approved under the EU cooperation procedure, “BCR” provide a sufficient level of protection to companies to obtain authorisation of transfers by national data protection authorities. It should be noted that the “BCR” do not provide a basis for transfers made outside the company group.

As to derogations, the EU Data protection rules include derogations under which personal data can be legitimately transferred to the US on the basis inter alia of[1]:

  • performance of a contract [e.g. If you book a hotel in the U.S., my personal data are transferred there in order to fulfil the contract];
  • Important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.];
  • The vital interest of the data subject [e.g. it means in urgent life or death situations, personal data such as medical records can be transferred internationally in the person’s own interest];
  • Or if there is no other ground, the free and informed consent of the individual;

From a pragmatic standpoint, although there is no official “grace period” following the invalidity of the Safe Harbor, US-based companies that transfer personal data from EU citizens to the US cannot be expected to cease such transfers immediately since this would affect numerous business operations.

Frans Timmermans, the First Vice-President for the European Commission, who will be charged with carrying out the ruling, and Vera Jourová, EU Commissioner, tried to ease the concerns of companies. Their official press release is available here. They said businesses could still move European personal data to the United States through other mechanisms including standard contractual clauses, binding corporate rules (“BCR”) and derogations.

How will this judgment affect the ongoing discussions concerning the new Safe Harbor Agreement, the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector?

Frans Timmermans, the First Vice-President for the European Commission and Vera Jourová, EU Commissioner, explained that the European Commission has been in discussions with the US over the past two years to revise the existing Safe Harbor. Negotiations are still ongoing but the aim is “to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic”.

As to the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector, they explained that both are well on track and will most likely be finalised this year. The Data Protection Reform which will see the passing of a new EU Regulation to replace the Data Protection Directive aims amongst other things to strengthen the powers of national data protection authorities, which have an essential role in upholding individuals’ rights to data protection. In their view, this is fully in line with the recent Schrems’ ruling.

The EU-US Umbrella agreement differs from the Safe Harbor. It does not itself enable data transfers. Rather, it sets high data protection standards in the area of police and criminal justice cooperation. They explain that the Umbrella agreement will improve the protection of personal data of Europeans in the U.S. as it will make sure that citizens will have recourse to judicial redress possibilities in the U.S. in case of privacy breaches, once the US Congress has adopted the respective draft Bill.

Finally, Mr. Timmermans and Ms. Jourová explained that the European Commission would work with national data protection authorities to ensure that the court’s decision (Schrems’ recent judgment) is carried out in a uniform fashion across the European Union. They concluded saying “As citizens need robust safeguards and businesses need legal certainty; the guidance should help avoid a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike”.

What should companies do while the current legal situation is being clarified?

  While the new Safe Harbor Agreement is being discussed between the EU and the US and the EU Data Protection Reform is finalised, companies that used to transfer personal data from the EU to the US under the Safe Harbor Agreement should now use alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations described above.  We also suggest that companies seek guidance and approval from the respective national data protection authorities in the countries in which they have business operations.

In addition, if companies, for example, are in litigation in the EU that requires the services of an ediscovery provider or at least they need to process and host EU citizen’s personal data, we recommend that they opt for in-country solutions within the EU so as to comply with EU data protection regulations. In practice, this means for example, that if a German company has to collect data from their employees based in several locations in Germany with the assistance of an ediscovery provider, that data should be processed and hosted in a German data centre so as to comply with strict German and EU data protection regulations. The data should thus not leave the German borders. In our view, the Schrems’ recent judgment reinforces the need to use local solutions so that when data is processed and hosted to carry out electronic searches, data remains within the respective countries of the custodians concerned and above all remains within the EU. If data from the European custodians does have to leave the European Union and needs to be transferred to the US then it will have to be within the framework of the alternative mechanisms described above.

[1] For further derogations please refer to Article 26 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

New Frontiers in Ediscovery

We are very excited to be launching the inaugural edition of our report entitled: ‘New Frontiers: An Insight into the global expansion of ediscovery.’    The report contains a compendium of 15 articles focusing on how ediscovery is being carried out in various countries around the world.  We have also have included a series of feature articles examining:

  • how ediscovery technology is being used to detect cartels
  • what uses are being found for ediscovery technology in the financial services sector
  • the latest trends in computer forensics
  • new technologies in ediscovery.

Ediscovery has evolved from its origins as a legal procedure used primarily in the USA and UK in litigation matters. Kroll Ontrack’s global expansion over the past ten years has shown there is demand across Europe and Asia for ediscovery technology to search for and review electronic evidence, particularly for competition matters and internal investigations. Download the full report here >>

What does ediscovery look like in 2015?

We asked our global network of legal consultants to report in depth on the state of ediscovery in their respective countries, providing insight into global trends around ediscovery adoption, uses and advances in technology.

The New Frontiers report documents how ediscovery is becoming an important element of the business landscape, even for countries that do not have an obligation to provide ediscovery as part of their legal framework. The important drivers for these countries, including Germany, France, the Netherlands, China and Singapore are more likely to be related to increased scrutiny by regulators, the transparency and compliance agenda, the need to manage mountains of big data and the overriding requirement to reduce legal cost.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, commented:

“As a leader in the global industry, we believe it is important to document these changes and to highlight ediscovery’s rapid growth as a problem-solver for everything from regulatory compliance to dealing with dawn raids, and from unbundling legal services to forensic investigations.”

The New Frontiers report is available in full here.

Are we ready for the drone revolution?

In 2014, over ten thousand civilian drones were sold in the UK and future sales are predicted to increase rapidly. Despite recent legislation regarding privacy and aviation safety, there could still be unintended consequences should drones use become widespread, particularly around data theft and the use of data collected on drones as evidence in court.

Are drones secure?

As with any wireless device, drones can be commandeered or made uncontrollable by third parties. Data can be intercepted by third parties such as data thieves, authorities and hackers. According to white hat hacker Samy Kamkar, hijacking a drone is relatively simple. To prove his point, he adapted a Parrot AR drone, which is commonly used for taking aerial photographs and has video recording capability, and combined it with a Raspberry Pi system. By running his customised software, Kamkar was able to use his hacked drone to track down and control other Parrot drones.

Kamkar has since shared his software with the manufacturers so they can take steps to patch the security holes exploited but the exercise highlighted that drones are vulnerable and the data collected by a drone can be stolen. Until drone security develops and improves, commercial drone users should be cautious of collecting sensitive data via a drone.

Extracting evidence from drones

Should legal action result from the use of drones, for example, when data is stolen and a damages action follows or sensitive personal data is captured and penalties for breaching data protection law ensue, then the data captured by drones may need to be analysed and disclosed in legal proceedings

When faced with a drone a computer forensic expert called upon to extract data from it, would need to consider how the data is stored, whether or not it is encrypted and if it is hard to get to what other sources of the data can be tracked down. There is sometimes a lag between the release of a new device and the development of the tools able to access the data stored on them but often computer forensic experts are able to locate electronic evidence from new devices to support legal proceedings.

A changing legal climate

As drones grow in popularity, so too will the number of disputes regarding their use. Undoubtedly, drone guidelines, which are currently in their infancy, are likely to develop as the legislation evolves to encompass technological advancements. Any organisation, whose business can be affected by drones, whether positively or negatively, should make it a priority to keep abreast of legislation to best protect themselves from future legal action.

Technology, big data and the regulatory arms race

In 2010, the then Office of Fair Trading (OFT) launched an investigation into a suspected price-fixing cartel between aviation giants, British Airways and Virgin Atlantic. The airlines were alleged to have conspired to fix fuel surcharge prices. However, the case collapsed following the discovery of 70,000 emails that had not been disclosed to the prosecution until the last minute due to a technical error.

The collapse of the case caused the OFT to be universally criticised, with commentators describing the investigation as a “fiasco” and the OFT exhibiting “incompetence on a monumental scale”.

Fast-forward four years and both the OFT and the Competition Commission (CC) have been dissolved and replaced by the Competition and Markets Authority. Thanks to the technological failings seen in cases such as the Virgin-British Airways price-fixing case, the two authorities may have created the impression that competition authorities lack technological prowess when it comes to investigations. Yet corporations hoping that this new authority will follow in the footsteps of its predecessors in the handling of electronic evidence should take heed; the CMA has a completely different approach .

How does the CMA differ from its predecessors?

More funding

The Treasury has granted funds which have allowed the CMA to invest further in the capacity it needs to increase the number of cartel cases it can pursue and the speed with which it can do so.

Increased quality and quantity of staff

According to Stephen Blake, Senior Director of the Cartels and Criminal Group at the CMA, the CMA has doubled the size of its Cartels and Criminal Group. In addition to doubling the size of that team, the CMA has also focused on building a team with the ability to work proactively and follow an intelligence-led investigation strategy. With this in mind, the CMA have hired a coterie of senior investigators and experienced intelligence officers.

Sophisticated technology

According to an experienced competition expert in London, “Enforcement authorities have learnt a lot over the past few years. They will have seen a change in the volume of documentation that needs to be collated and reviewed and this will have driven the change in approach which is now becoming apparent in their approach to information requests and general case management. The CMA has had the benefit of the hard lessons learned by the OFT, and will be far more engaged on this topic and cautious in planning how to manage an investigation, not just in terms of adhering to best practice but also in managing an investigation to criminal standards.”

To avoid repeating incident such as the Virgin-British Airways data mishandling, the CMA has adopted the same ediscovery and investigatory tools used by law firms and corporations undergoing scrutiny. In a dawn raid scenario, this means they are now able to process very large volumes of data quickly, scan entire corporate IT landscapes and drill down and forensically examine or analyse specific trails of evidence, in detail.

More collaboration

As part of the CMA’s commitment to implementing intelligence-led detection and enforcement strategies, leadership at the CMA has promised to foster closer partnerships with the police and other criminal enforcement agencies.

What will these changes mean for corporate compliance officers and in-house counsel?

The CMA has more funding, highly-trained and motivated staff and is actively pursuing investigations, as well as addressing the cases inherited from the OFT and CC. With the technological gap between authorities, law firms and companies now closed, the best way for corporations to prepare is to take a proactive approach to compliance. This can take the form of conducting regular internal investigations, streamlining and understanding data estates and for the ultimate in preparedness, arranging a mock dawn raid.

About Tracey Stretton

Tracey Stretton is a legal Consultant at Kroll Ontrack in the UK. Her role is to advise lawyers and their clients on the use of technology in legal practice. Her experience in legal technologies has evolved from exposure to its use as a lawyer and consultant on a large number of cases in a variety of international jurisdictions.

The Certainty of Information Governance’s Uncertain Future

IQPC

As I approached the Waldorf Hilton’s main entrance, my umbrella struggled and lost its battle with the cold, slicing rain. The doorman, smartly dressed in a bonded overcoat and bowler hat, directed me into the Palm Court and to the 10th annual Information Governance & eDiscovery Summit. Most attendees milling about the room seemed to pay little mind to the meteorological events beyond the room’s frosted double doors, and why would they? The only evidence of the weather was an occasional faint clap of thunder. They were focused on refining and perfecting existing information governance (“IG”) strategies. Perhaps it was my twisted umbrella, but I couldn’t stop wondering if the weather signalled the need for a new approach to IG.

IG can trace its roots to medical recordkeeping in the 1990s. Faced with ‘the development of information technology and its capacity to disseminate information rapidly and extensively,’ the National Health Service commissioned The Caldicott Report to address the tension between the need to share information versus patients’ expectations of privacy.

In the ensuing decades, IG grew from a niche healthcare concern into broad-based principles applicable to organisations across all industries. A few key points in IG’s evolution include:

  1. The NHS created and implemented its 2003 IG Toolkit “to enable organisations to measure their compliance against the law and central guidance and to see whether information [was being] handled correctly.”
  1. ARMA sought to take the general concepts underpinning the IG Toolkit and expand their applicability to all organisations, regardless of type or activity, with its 2009 Generally Accepted Recordkeeping Principles®.
  1. The collaborative efforts in 2011 and 2012 between ARMA and EDRM culminated in the updated Information Governance Reference Model which highlighted the fact that efficient, effective IG comes from “the relationship between duty and the value of information assets.”
  1. With the 2013 Practice Direction placing limits on costs in disclosure and the 2015 proposed FRCP highlighting proportionality and preservation, two leading countries’ procedural laws now systemically advance IG principles.

Today, at its core, IG is “an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information.” Organisations which fully utilise IG will be able to better respond to anticipated, as well as unforeseen business realities, whether in regulation, investigation, or litigation. While good in theory, in practice the adoption of an IG programme is difficult as organisations not only have to seek buy-in across departments and amongst individuals but must also make commercial arguments for the value of IG. Too often, IG, like ediscovery, is brushed aside, relegated until a specific need presents itself.

 Even when organisations do embrace IG, successful use is becoming more difficult as information continues to grow. A key tenet of IG is information disposition; and, “[i]n order to dispose of any form of information, organisations need to know the value of that information.” How practical in today’s business world is it for organisations “to know the value of [its] information”? With the explosive growth of structured and unstructured data as well as the bottom-line drive toward profit, what organisations have the means to enact version control; label, tag, and otherwise organise files and emails; control the number of chat systems used; keep personal and business communications separate; archive audio and video data; etc.? ‘Information management and governance tasks are viewed as an anathema.’

None of this is to suggest IG’s time has passed, and in fact, most “[i]ndustry experts are optimistic about the future of IG.” Rather, we need to align IG with the big data realities of the modern world. Within an ediscovery context, organisations have begun using predictive coding and other advanced analytics as well as using multi-matter management repositories to help retrieve information more efficiently and accurately than previous methods. Could analogous technologies help transform IG? Imagine a world where there was no need to ever delete data, everything was stored securely, and through human-trained artificial intelligence, anything an organisation needed could be quickly and easily found.

As I thought back upon the two days of the summit, I was struck by the calibre of the attendees. It is a rare thing to have so many leading individuals and organisations all in one place, working together to move the conversation forward. Before I exited the hotel after the final session, I stopped briefly to admire the Palm Court’s oversized skylight, casting diffuse light upon the sunken tiled floor. The room has remained largely unchanged since its construction over 100 years ago. In the world of technology, few things last quite so long. What will the future hold for IG? Will the iterative process of improvement continue, or will disruptive technologies enter the fray?

I looked at my umbrella, almost tossing it into the rubbish bin beside the front doors before thinking better of it, and I put my sunglasses on. The clouds had parted, and oranges and magentas filled the sky to the west. Such is the weather of London, ever-changing. But in that is a comforting certainty: ‘adapt . . . or scramble when the torrent falls’.

About Jeff Shapiro

Jeff joined Kroll Ontrack in July 2013, working as a Case Manager within the Legal Technologies practice group. In October 2014, Jeff was promoted to the newly created role of Managed Services Consultant. He provides end-to-end project management and consultancy for ediscovery and edisclosure clients, with emphasis on Fortune 500 companies, as well as Am Law 200 and Global 100 law firms. Jeff ensures that projects are carried out to the highest possible standards, within relevant timelines, and to the specification and cost as agreed with the client. He consults on the technical requirements of Civil Procedure Rules and practice direction, including disclosure forms, production formats, predictive coding, and Case Management Conference planning. Jeff specializes in commercial litigation, regulatory commission requests, and internal investigations, with emphasis on early case assessment and review strategy. Whilst with Kroll Ontrack, Jeff developed a ‘Case Management Manual’ to capture and consolidate existing procedures, document unwritten knowledge, and identify cost-efficient opportunities to enable a consistent and high-level of service to clients. Prior to moving to the UK and joining Kroll Ontrack, he worked for several years with leading law firms in their international ediscovery practice groups. Jeff received his Juris Doctorate from The Syracuse University College of Law, and he is licensed to practice law in the State of Virginia.