Editor: What are your qualifications to discuss this topic?
Mack: Five years ago, former Judge Ronald Hedges, Carole Basri and I developed a plan for chartering a board-approved eDiscovery compliance program, including information governance and risk, modeled on the seven elements of the U.S. Federal Sentencing Guidelines for Organizations.
Editor: Can you tell us a little about your own background?
Mack: For 20 years prior to entering the eDiscovery field, I worked hands-on at all levels of information technology in Fortune 500 companies, from data entry and network management to developing whole systems from scratch. As enterprise technology counsel for ZyLAB, I handle international eDiscovery and information management. Before that I developed the forensics and collection practice at Fios, Inc. I am the coeditor of eDiscovery for Corporate Counsel, published by Thomson Reuters West, which is now in its fifth edition. During my 13 years working directly with counsel on criminal, regulatory, investigatory and civil eDiscovery, I have encountered situations where data or information takes many unexpected forms.
Editor: What is “radical transparency”?
Mack: Radical transparency captures the idea that even the most secret information is vulnerable to being revealed, as exemplified by the Snowden and Manning affairs. There are millions of individuals holding security roles high enough to access classified (or proprietary) information. USB drives, smartphones and tablets have enormous empty capacity in which data can be stored and removed from the government’s or a company’s premises. There are people working in private corporations that at the most inconvenient times potentially can unleash wave upon wave of unexpected disclosures of material that is embarrassing at best, and devastating at worst.
Editor: What are some examples of information that corporations need to protect?
Mack: Intellectual property, individual privacy, trade secrets and strategic plans are only a few of the very legitimate items an enterprise might want to protect. I am suggesting that circumstances have changed, and an enterprise must understand its vulnerabilities before the world does.
Editor: What about external threats?
Mack: While inside threats are generally the most damaging, the quantity of information collected by the alleged NSA monitoring has been stunning from a technical as well as legal perspective. Generally, the government is a few years behind the hackers, so I would expect that there is more we do not know about.
Editor: Should board members be concerned about unauthorized disclosures of their company’s data?
Mack: Probably the biggest risk is reputational for board members and the corporation. The price of a damaged corporate image can be paramount. Also, a disclosure may trigger some type of government investigation, perhaps white collar, FCPA or under 17 C.F.R. 229.407(h) disclosure regarding the board’s role in risk oversight. Liability may also be triggered by HIPAA or other privacy breaches. There could be shareholder action. Most business relationships depend upon trust, and lawsuits generated by intrusions into a company’s confidential information can significantly impact its bottom line.
Editor: How should a company protect itself from intrusions into its data?
Mack: The Sentencing Guidelines spell out a clear plan of how to create a sustainable program by (1) creating standards, processes and procedures, (2) having responsible top management and the board become knowledgeable about information governance, providing adequate resources, and appointing a specific individual with responsibility, (3) excluding certain persons from the program via background checks, (4) communicating the standards and procedures through training, (5) auditing, monitoring and reporting, including whistleblower lines, spot audits and systematic audits, with the results reviewed by the general counsel and board quarterly, (6) incentives and penalties to support the program and (7) continual renewal to make sure technology and lessons learned are incorporated into the program.
But the biggest challenge is locating PII. Every effective path to compliance with privacy and data protection laws begins with assessing which information needs to be secured and where it is located. In this interview, I have outlined how technology can help.
Editor: Where can our readers get a copy of the Sentencing Guidelines?
Mack: It can be found in chapter 18 of eDiscovery for Corporate Counsel. Many of your readers have a subscription to these publications through the West library. Carole, Ron and I are always happy to discuss this with your readers.
Editor: The Sentencing Guidelines include doing a background check of employees. To what extent does ZyLAB's technology provide a way to check social media sources where an employee may have done some loose talking?
Mack: Our technology allows information on social media sites that are public to be collected on a regular basis and then, depending on the consent of the employee and the state or country the employee lives in, you can also ask for passwords and collect that as well and then apply a set of screens that are appropriate to the situation. Another way is to do data leakage audits where you are able to see the domains to which emails are going. For example, if your employee is sending emails with attachments going to the employee’s Gmail address (and you are not a corporate Gmail platform user), the attachments might have intellectual property, strategic plan or personal identity information.
Editor: Tell us about some of the ways information may find its way into the hands of the government or be uncovered by the use of special search techniques.
Mack: Where a corporation has produced to a particular government agency, it may also be available to other agencies. Agencies (including international agencies) do information sharing among themselves. The document may be in the hands of the opponent or the regulator before the legal team working on the matter knows that it’s there. Also, PDFs may have material in them that does not show up in a search on one platform, but will show up on another platform with better indexing or by doing an optical character recognition sweep of the content.
Editor: Please describe the impact of foreign privacy laws on international email traffic.
Mack: Interestingly enough, the French court just released a ruling that allows French employers to treat their employee email as corporate unless it is specifically marked as private. That is a big change. France in particular has been one of the most strict jurisdictions. The name of the case is Monsieur X v. Young & Rubicam France, Cour de Cassation [Cass.], soc., 19 June 2013, No. 12-12138. When challenged after Snowden’s disclosures, the Irish privacy director has said that the U.S. is operating under the Safe Harbor. The EU is taking a look at that, but until then the Safe Harbor stands. The EU is working on privacy regulations. Some American companies are very upset with some of the provisions in the draft, and the climate is definitely more chilly.
Editor: Does ZyLAB keep its users informed of developments in the EU that affect their operations?
Mack: Absolutely. We recently had a webcast specifically involving international privacy, especially in the EU.
Editor: Is concern about privacy increasing in the U.S.?
Mack: Yes. The new HIPAA provisions, which expand those responsible to include law firms, among others, are coming online in September. Privacy rules are a European invention. The HIPAA laws are actually based on the EU laws around privacy. In the U.S., it’s sometimes a little hard to put the privacy genie back in the bottle with all of the information we give up to use the apps, or to shop.
Editor: I would think that law firms would be an important target of hackers.
Mack: The ABA Cybersecurity Legal Task Force has released a great handbook about computer security for law firms. Law firms have been a target of hackers, both domestic and abroad, due to perceived lax security. The FBI and law firms are cooperating more on data breaches, and law firms are bolstering their defenses. If news of a pending merger or transfers of intellectual property or highly sensitive privileged documents were to be disclosed, that would be very difficult for both client and law firm.
Editor: How can ZyLAB help?
Mack: As a 30-year-old international company, privacy is built into our products from the ground up. We’ve worked with the three-letter agencies for years and understand the level of diligence they can bring to an investigation. Our eDiscovery and information management software can be installed and used within the confines of a company’s firewall. This reduces the possibility that data will cross the open Internet where it is exposed to intrusion.
ZyLAB recently released our visual search, which can find copies of passports, licenses, forms, pictures of people and other items missed by text-based indexing. For example, using it on the cleaned-up Enron data set, we found an individual’s unredacted IRS form that normal text-based tools missed.
Editor: How can you be sure you have captured all the text for your searches?
Mack: Where there is no text that is readable by conventional systems, our system can do an optical character recognition sweep. You need a system that will read the information in a PDF or PowerPoint that might have a picture or a graph, for example. That level of diligence is not necessary for every case, but it is available.
Editor: What other tools do you offer?
Mack: With our audio search tool, you can, without translating the audio to text, pinpoint words in a conversation, in a voicemail, a trading floor tape or in a recorded conference call for investors. It allows you to search the voice files without listening to them one at a time.
We enable the user to search schematics, including everything from construction blueprints and floor plans to a diagram of how a computer chip works to a diagram showing how an automobile is put together. The distinguishing thing about a schematic is that it may be so large that most eDiscovery systems can’t handle it unless they have the original program that created it. Our system will index the schematics no matter how big they are and then also index text that might not be going left or right - it might be going up and down. It’s particularly important in construction and intellectual property litigation.
We also do professional text mining. Simple text mining pulls out all the organizations, all the names of people, or pulls out all the dates and meeting places. That’s called entity extraction, which is one form of text mining. Professional text mining enables you to pull up all emails that sound angry or where there are other patterns or sentiments.
We also are asked to do legacy data cleanup and also data leakage assessments. Our eDiscovery software can identify protected data and trade secrets easily. It can also find out where it resides, who has access, and where it has been shared.
The data protection that ZyLab provides enables corporate counsel to assure the board that in this time, when ethics and mores around information are changing so rapidly, the corporation has taken positive steps to meet the challenges of radical transparency.