Inside E-Discovery & Beyond: E-Discovery Complexities Driving Change

The Inside E-Discovery & Beyond survey by BDO Consulting is a national survey conducted by ALM, a global leader in specialized business news and information serving the legal, real estate, consulting, insurance and investment advisory industries, and an independent and impartial research firm. ALM surveyed more than 100 senior in-house counsel at leading corporations throughout the United States to collect their insights for BDO Consulting’s third annual study.

Introduction

Attorneys can be slow to embrace e-discovery. They are taught to identify risks, not opportunities; scrutinize the past for guidance, not train their sights on the future; and tread on new ground only with the greatest of caution. More attorneys are setting aside that old-school mindset, however, simultaneously pushed by an onslaught of data pressures and pulled by mounting evidence that a well-executed approach to e-discovery can deliver positive returns.
 
The challenges of e-discovery—and protecting the data involved in the process—increase each year. The volume and variety of enterprise data grow exponentially, due in large part to the now-ubiquitous use of mobile devices and social media, unrelenting deployment of more efficient data storage systems, and rapid adoption of advanced technologies like cloud services and the Internet of Things (IoT). Further complicating matters are the evolving regulatory and data privacy laws, particularly for cross-border investigations that require compliance with varied, and often times conflicting, localized laws.
 
Organizations are striving—yet more often struggling—to meet these challenges. The third annual Inside E-Discovery & Beyond survey by BDO Consulting examines the opinions and insights of more than 100 senior in-house counsel about changes in their approaches to e-discovery and their plans for the year ahead. Respondents come from corporations with revenues ranging from $100 million to over $5 billion from a variety of industries throughout the United States.
 
As corporations and their outside counsel increasingly rely on more extensive, complex technology and the growing body of concomitant data, in-house counsel are paying far greater attention to data security, with special concern voiced about data breaches. This reminds us that even as we look to avail ourselves of the numerous advantages a well-executed approach to e-discovery can deliver, all of us— corporations, government, law firms and providers—must work more diligently than ever to protect the often highly sensitive data entrusted to us.
 
The survey also found corporate counsel are paying greater attention to improved information governance as one way to lessen the drain of money and strain e-discovery can cause on people. Some with reluctance and others with enthusiasm, in-house attorneys are turning to more sophisticated tools and techniques that can push irrelevant data to the side—including permanently deleting it defensibly—thus enabling a sharper focus on the data that matters most when faced with litigation or investigations.

 
Cybersecurity is a Paramount Concern

Today, every discussion about data should also be a discussion about cybersecurity. As organizations have become more data-centric and business processes more technocentric, legal headaches around data have intensified. An IBM Security Services client survey found that, on average, companies had experienced 64 percent more security incidents in 2015 than in 2014. Size doesn’t matter either; 43 percent of cyberattacks in 2015 were against small businesses with less than 250 employees, according to data from Symantec. Most corporate counsel (74 percent) rank a data breach as one of their organization’s top data-related legal risks, and 68 percent say the legal department is more involved with cybersecurity than it was 12 months ago.
 
“Cybersecurity and e-discovery have been and will continue to be significant points of emphasis and challenges for our company,” one survey participant noted. “Regulators have made cybersecurity and data management a priority, and the cost of meeting the expectations of both regulators and clients continues to grow. Our clients demand simple, fast access to their data and accounts—and expect total protection for both. E-discovery has become more manageable, but it remains a significant cost of doing business.”
 
Law firms, also highly targeted, tend to be more vulnerable than their corporate clients. The biggest data leak ever hit in 2016, with the release of the Panama Papers, an incident that cast a spotlight on law firms’ vulnerabilities. Despite housing highly sensitive legal information, law firms traditionally have weaker cyber defenses than their corporate clients, making them a prime target for hackers.
 
Vendors, too, host sensitive data, but their corporate clients do not always focus on that set of cyber concerns. More than one-quarter (27 percent) of corporate counsel say they either don’t have or are unaware of cyber risk requirements for third-party vendors.

Information Governance Gains Prominence

Organizations’ insatiable appetite for data is particularly problematic when it comes to litigation and investigations. Corporate counsel recognize that making a bigger upfront investment can reduce headaches down the road. By establishing clearer controls around when, where, how and for how long to store data, they can dramatically improve the discovery process. For 41 percent of in-house counsel, the most important part of managing e-discovery in litigation is to manage their information before the e-discovery need arises. Similarly, 42 percent of respondents rank under- or over-preservation of data among their top three legal risks concerning data—a problem better information governance can help address.
 
Sixty-two percent of survey respondents report they will increase their investment in information governance, 36 percent expect to maintain a consistent spending level and only 2 percent project a decrease in information governance spending. In fact, twice as many respondents plan to increase information governance spending (62 percent) as those who think their e-discovery spending will go up (31 percent).
 
The legal team isn’t working alone when it comes to information governance; success requires a cross-functional effort. Respondents believe stakeholders giving information governance the highest priority are privacy and security professionals (43 percent), legal (28 percent) and IT (28 percent). Striking a discordant note, in-house counsel see only 17 percent of RIM (Records and Information Management) stakeholders assigning information governance the highest priority.

Other Top Concerns: Reining in Costs and Complexity

For 39 percent of corporate counsel, escalating costs is one of the top three e-discovery issues that will have the greatest business impact on corporations. This concern is reflected in expectations about spending on e-discovery in the coming year. Thirty-one percent of respondents expect they will increase their e-discovery spend, with 15 percent anticipating those expenses will grow by at least 50 percent. Sixty-five percent think they will stay the same and only four percent look forward to decreases.
 
How are in-house counsel working to make e-discovery more manageable? The largest group of respondents (41 percent) agree the best method is to improve information governance—in particular by managing information before e-discovery needs arise. The second-best approach, according to 31 percent of participants, is to focus early in the case on understanding the universe of potentially responsive evidence. Coming in at number three (22 percent) is reducing e-discovery costs.
 
The mobility of the workforce adds another layer of complexity for e-discovery, changing how enterprise data is stored, protected and accessed. By 2018, 70 percent of mobile professionals will conduct work on personal smart devices, according to Gartner. More than one-third (35 percent) of corporate counsel rank BYOD (Bring Your Own Device) as having the biggest e-discovery-related impact on their organization, and 32 percent cite managing mobile data as the biggest impact. Similarly, 27 percent of respondents rank mobile data management as one of their organizations’ top three data legal risks. Those legal risks go beyond issues specific to e-discovery, implicating areas such as identifying the people entitled to particular privacy rights and expectations, who owns the data and how a corporation gains legitimate access to that data.

Cross-Border Concerns Complicate Matters 

Cross-border concerns present a dizzying array of complexities in the e-discovery process. Twenty-eight percent of respondents rank cross-border data as one of the top three data-related legal risks facing their organization. Fifty-three percent place data privacy—often a major consideration when contemplating bringing data across borders—in the top three.
 
For 60 percent of corporate counsel surveyed, the biggest challenge in cross-border e-discovery comes from the myriad and often conflicting international privacy and security laws. That concern is up nine percentage points from 2015. It far surpasses other concerns, such as access to data (12 percent), communication barriers (10 percent) and coordination with local resources (eight percent).
 
Thirty-seven percent of respondents say the region outside the U.S. presenting the biggest cross-border e-discovery challenge is the EU. Much of that concern likely stems from the European Court of Justice’s move to invalidate the 15-year-old Safe Harbor agreement in late 2015, allowing each EU member state to establish its own set of rules and regulations. Its replacement, the EU-U.S. Privacy Shield, helps reconcile some of the data privacy protections across different countries, but some requirements, such as those around employee personal information, still vary.
 
In an attempt to better unify data protection rules under a “Single Digital Market” within the EU, the General Data Protection Regulation (GDPR) was finalized in April 2016 and will become law in every member state in May 2018. It is hoped that the GDPR will bring more clarity to data protections in the EU, but the potential for hefty fines may significantly expand the
Data privacy and security laws scope and enforceability of the EU’s data privacy regime.
After the EU, the regions outside the U.S. presenting the biggest cross-border e-discovery challenges are Canada, Mexico, the Caribbean (17 percent) and China (16 percent).  All other regions are in the single digits.

General Date Protection Regulation (GDPR) 

The EU General Data Protection Regulation (GDPR), which replaces the Data Protection Directive 95/46/EC, is set to go into effect in May 2018. It promises to harmonize data privacy laws across Europe and contains a number of new data protections as well as significant penalties for non-compliant data controllers and processors. A few notable highlights of the new regulation include:

• Both the data controller and processor are responsible for proper data protocols (previously, the controller bore primary responsibility).

• The territorial reach of the new privacy regime stretches further than before, including non-EU organizations with EU “establishments” engaging in “processing activities” in connection with offering goods or services to, or monitoring the behavior of, European data subjects.

• Data protection for individual European citizens is strengthened, including the “right to be forgotten.” If an individual requests erasure, controllers must remove their data, including all copies and links to it, and inform other controllers of the request.

• The broader reach of the new rules can impact U.S. law firms and e-discovery service providers that take possession of protected data as a “processor” for litigation or investigations. Erasure rules may also present new challenges particularly for investigators trying to collect potentially relevant evidence that may be temporarily or permanently unavailable under EU law.

Advanced Data Analytics in E-Discovery Becoming More Mainstream 

In the business world, more organizations are employing sophisticated data analytics to help extract meaningful business intelligence from their growing volume of data. This broader adoption may be a key reason inside counsel are becoming more comfortable with incorporating data analytics technologies and techniques into their discovery processes.
 
“Data analytics assists in making e-discovery more efficient and effective than human review,” one survey participant said. “However, it must be done with a vetted vendor using good technology.”
 
Technology-assisted review (TAR), or predictive coding, is the most widely embraced technological advance in e-discovery, currently used by 40 percent of respondents. The use of data analytics and visualization techniques across three or more EDRM stages comes in second, at 30 percent.
 
Visual analytics is a hot growth market overall, with Technavio analysts expecting compound annual growth rate (CAGR) of more than 22 percent in the market between 2016 and 2020.
Mobile document review is the third-most-commonly used e-discovery advancement, receiving a much higher adoption rate in 2016 (27 percent) than in 2015 (18 percent).
 
There is still plenty of room for improvement. Thirty-six percent of respondents say they do not use any of the identified e-discovery innovations or technological advances. Another 33 percent say they currently use only one. This emphasizes the need for more and better e-discovery education, particularly with respect to more advanced capabilities such as data analytics and visualization.

Who Can Help?

Fifty-six percent of in-house counsel name the courts as their most important source of e-discovery guidance. Perhaps this is because twice the federal court system has made major amendments to the Federal Rules of Civil Procedure to address e-discovery concerns. The 2006 changes were meant in large part to drive home the point that electronically-stored information actually is discoverable. The 2015 amendments sought to bring e-discovery costs under control, emphasizing, for example, that discovery should be proportional to the needs of the case.
 
After the courts, in-house counsel turn to their corporate and law firm colleagues. Thirty-four percent of respondents say they weight the guidance of outside counsel on e-discovery most heavily. Nineteen percent look first to fellow inside counsel. Only four percent look to the guidance of e-discovery providers over that of courts, corporate counsel or outside attorneys.

 
What Lies Ahead?

Before looking toward the future, it’s worth acknowledging how far we’ve come. Technology is no longer a dirty word in the legal dictionary—though we’re sure plenty of legal professionals still curse its name. But while the adoption of new technology comes with a learning curve, the reality of today’s vast digital universe makes functioning without it a distinct competitive disadvantage, if not impossible. As analytics converges with automation and artificial intelligence, we’re on the cusp of the next evolution of legal technology solutions that will transform the way we look at information and what we’re able to do with it. Over the next five years, we can expect to see a mindset shift in how organizations view e-discovery and the information it stores, moving from a cost center expense model to a revenue center or asset model.

As technology becomes increasingly indispensable to corporate counsel and law firms alike, we also face a new era of data-driven risk. How will organizations mitigate the rising risks of cyberattacks, including ones that target e-discovery? What will be the best way to navigate the regulatory landscape to avoid running afoul of changing individual privacy protections? There is no silver bullet—yet.
 
One thing is clear: The legal teams of the future will need to be conversant in tech. Technological e-discovery tools are an invaluable aid, but savvy individuals and strategies are the real key to unlocking e-discovery’s fullest potential. 

---