Forensics

Lighthouse collected, processed, and imaged 550 GB of data in less than 96 hours, saving a client from an eight-figure sanction. What They Needed Lighthouse’s client, an Am Law 100 firm, had to respond to a request for production in a highly sensitive matter. The client originally contracted another eDiscovery service provider for collection, processing, and production. Much of the collected data was corrupt and the other service provider was unable to handle a large majority of the data. Facing an eight–figure sanction if the production deadline was missed, the client abandoned their provider and contacted Lighthouse. Lighthouse had 14 days to resolve corrupt data, process the data, identify and segregate the already reviewed data, provide the unreviewed data for review, and produce the responsive data. Complicating matters even further, the data set was sizeable—550GBs—and the client needed at least a week to review the data before production. How We Did It Collect, Analyze, Repair A close inspection of the data revealed that another on-site collection would be necessary in order to deal with the corrupt data. On February 9, two forensic experts from Lighthouse collected three email exchange servers totaling 550 gigabytes. Lighthouse was able to repair some of the corrupt data; however, some data was corrupt at the source. This corrupt data could not interfere with the production to the government so Lighthouse processed the non-corrupt data overnight. The client then requested additional searching and culling for a specific list of custodians. Reduce, Process, Deliver As a result of the way the data was stored, Lighthouse had to navigate through a large number of files to identify the data belonging to the list of custodians. Ultimately, Lighthouse was left with 245 gigabytes which it further culled and filtered. Lighthouse’s experts then segregated 8,000 documents that the client previously reviewed so that the client did not have to waste time re-reviewing these documents. With the deadline looming, Lighthouse immediately imaged the documents for review. Lighthouse provided client with just over 25,000 images for review on February 13. Results As a result of Lighthouse’s speed and ability to handle the corrupt data, the client avoided an eight-figure sanction. In a matter of 96 hours, Lighthouse forensically collected 550 gigabytes from three email exchange servers, extracted 245 gigabytes from those servers, identified 8,000 documents in a corrupted media environment, and imaged over 25,000 documents. Law Firm Case Studybig-data; case-study; collections; ediscovery; forensics; law-firm; processing; production; project-managementediscovery-review; digital forensics; client-successBig-Data, Case-Study, collections, eDiscovery, digital forensics, Law-Firm, Processing, Production, Project-Management, ediscovery-review, digital forensics

Lighthouse's forensics experts found hidden clues missed during an internal investigation, proving a departing employee was stealing company data. Lighthouse Key Results By quickly engaging Lighthouse forensics experts: The company stopped proprietary and sensitive information from being disseminated and used by competitors. The company’s law firm was able to quickly take action against the employee, preventing any further malfeasance or damage. Investigation Overview Week 1 Day 1 – 4 — Employee uploads company data onto a personal Google Drive account over the span of four days. ‍ Day 4 – 5 — An internal investigation concludes that all company data has been deleted from the employee’s personal data sources and no further action is needed. However, the company’s outside counsel calls in Lighthouse forensics experts to perform a separate investigation for affirmation. ‍ Day 6 — Lighthouse forensics experts find evidence missed during the company’s internal investigation, indicating that the laptop provided to internal investigators was a “decoy,” and that the employee had actually transferred the proprietary company data onto an as-of-yet undisclosed laptop. Week 2–4 Outside counsel uses Lighthouse’s findings to file a restraining order against the employee and elicit a confession wherein the employee admitted they had downloaded the proprietary data onto a secret laptop—owned by another business. Week 6 Lighthouse forensics team is provided access to the additional laptop and the employee’s private Google Drive account. Although there is no company data stored on the drive, the Lighthouse team dives deeper and immediately finds that the employee had restored the previously deleted company data back to their Google Drive account, transferred it the secret laptop, and then deleted it again from the Google Drive account. These findings enable outside counsel to take additional remediating actions. Suspicious Activity by a Departing Employee Raises Alarm Bells During routine internal departing employee analysis, a global company was alerted to the fact that an employee had uploaded more than 10K files containing sensitive proprietary data to a personal Google Drive account. The company immediately launched an internal investigation and engaged their outside counsel. Over the course of the internal investigation, the employee admitted they had uploaded company data to their Google Drive, and then used an external hard drive to transfer that data onto a personal laptop. However, the employee avowed that all company data had since been deleted—which the company’s IT team confirmed by examining all three data sources. However, due to the sensitivity of the data, outside counsel wanted additional reassurance that the employee was no longer concealing proprietary company data. The law firm had previously relied on Lighthouse forensics experts for similar investigations and knew that they could count on Lighthouse expertise to find any hidden clues that would point to additional hidden data. Finding the Forensic Breadcrumbs Week 1 The Lighthouse forensics team received access to forensic images of the employee’s personal laptop and external hard drive within one week of the first suspicious upload. The team immediately noticed that the employee’s data tracks conflicted with the timelines and statements provided by the employee during the company’s internal investigation. Key Evidence Found by Lighthouse Forensics Experts The external hard drive used to transfer company data had not been plugged in to the personal laptop during the relevant time frame. File paths identified on the external hard drive (which show the file locations where data was downloaded upon connection) did not match those on the personal laptop provided to internal investigators. This evidence led the Lighthouse team to conclude that the laptop provided by the employee was not the laptop used to download company data—and that a different laptop with the stored proprietary company data existed but had not been disclosed by the employee. Week 2–4 A Lighthouse forensics expert provided a sworn declaration explaining the evidence found during the examination of the employee’s personal devices. The company’s law firm used this declaration to file a restraining order to stop the employee from continuing to steal or disseminate proprietary data. The law firm also used Lighthouse’s findings to elicit a confession from the employee, admitting that they had been secretly working part-time for another business, and had transferred the company’s proprietary data onto a laptop provided to the employee by that business. Week 6 Within two weeks of the Lighthouse forensics expert’s sworn declaration, the Lighthouse team was provided access to the laptop owned by the other business, as well as the employee’s personal Google Drive account. Lighthouse’s inspection of the Google Drive did show that all company data had been deleted, as had been confirmed by internal investigators. However, Lighthouse immediately went deeper into the Google Drive and found conclusive evidence that the employee had subsequently “restored” the deleted proprietary data just a few days after the internal investigation ended, in an attempt to continue with the data theft. Key Evidence Found by Lighthouse Forensics Experts Despite the fact that no company data was stored on the employee’s personal Google Drive account at the time Lighthouse received access to it, Lighthouse forensics experts went above and beyond to do a deeper forensic dive into the user activity log, email account, and internet searches stored on the Google Drive. That deeper analysis showed that: Two days after the internal investigation ended, the employee began conducting numerous internet searches for ways to “restore” deleted files on Google Drive. Two weeks later, the employee emailed a private IT company asking for help restoring deleted Google Drive files. One day after sending that email, thousands of files were restored to the employee’s Google Drive. Those restored files were once again deleted a few days later. Before the restored files were re-deleted, the employee downloaded some of the files containing company data to the “secret” laptop owned by another business. Keeping a Lid on Pandora’s Box The evidence found by Lighthouse forensics experts after their initial examination of the employee’s personal devices enabled the company’s law firm to take legal action against the employee less than one month after the first suspicious data upload. Within one day of being provided access to the employee’s personal Google Drive account, Lighthouse forensics experts were able to find exactly how and where the stolen proprietary and sensitive data was hidden. This enabled the company to permanently prevent any dissemination of that proprietary and sensitive data to competitors. ‍ ‍ Corporate Case Studycase-study; corporate; corporation; g-suite; forensics; investigations; collections; fraud-detection; red-flag-reporting; departing-onboarding-employeedigital forensics; client-successCase-Study, client-success, Corporate, Corporation, -G-Suite, digital forensics, investigations, collections, fraud-detection, Red-Flag-Reporting, Departing-Onboarding-Employee, digital forensics

Lighthouse partners with a rapidly expanding pharmaceutical company to streamline its eDiscovery workflow and meet obligations more efficiently. What They Needed A large pharmaceutical client received subpoenas from several regulators. The subpoenas covered multiple product lines, implicated 60 custodians, and virtually all the company’s email. The client’s IT group identified over 35TBs of data requiring collection, processing, and review. Complicating matters further, the company had only 60 days to respond, well outside its estimated time of nine months to complete the project. Faced with this near impossible timeline, the client looked to Lighthouse for support. How We Did It Relying on procedures outlined in a jointly developed eDiscovery Playbook, Lighthouse’s data collection and forensics experts worked closely with the client’s legal and IT groups to implement a defensible strategy that greatly reduced the amount of data requiring collection. Experts from Lighthouse’s Advisory Services group worked with the client to implement a legal hold and data retention policy, customized to the various subpoenas. Lighthouse provided a unified review database, allowing outside counsel (who was responding to separate subpoenas) to leverage each other’s work product, greatly reducing review costs and preventing the inadvertent production of privileged and other sensitive materials. The Results Our combined efforts reduced the originally estimated 35TBs of data requiring review to less than 3TBs. By greatly reducing the amount of data requiring processing and review, the client saved significant review costs and reduced the estimated project completion time from nine months to only four weeks. Review cost reductions were achieved by leveraging Lighthouse’s project management team as well as the company’s proprietary suite of technology-assisted review offerings. These, and other efficiencies discovered during the project, have been implemented in future matters, continuing to drive down costs and increase value. Corporate Case Studyadvisory-services; big-data; case-study; collections; corporate; corporation; ediscovery; forensics; information-governance; investigations; pharma; privilege; privilege-review; processing; project-management; tar; tar-predictive-coding; technology-assisted-reviewediscovery-review; digital forensics; ai-and-analytics; information-governance; client-successAdvisory-Services, Big-Data, Case-Study, collections, Corporate, Corporation, eDiscovery, digital forensics, Information-Governance, investigations, Pharma, privilege, privilege-review, Processing, Project-Management, TAR, TAR-Predictive-Coding, technology-assisted-review, ediscovery-review, digital forensics, ai-and-analytics, information-governance

Lighthouse red flag report prevents proprietary data from being taken by departing employee. Key Actions A global company partnered with Lighthouse to create a proactive departing employee program to prevent data loss and theft. Lighthouse forensics experts prepared Red Flag Reports for every departing employee that fell within a specific category of employees. Each report outlined the risks associated with the departing employee based on a skilled forensic examination of their activity and data. Soon after implementing the program, a Lighthouse Red Flag Report alerted the company to suspicious activity by a departing employee indicating a high risk for data loss. Key Results Because of Lighthouse’s analysis and quick response, the company was able to: Prevent sensitive data from being disseminated outside the company. Avoid costly litigation associated with proprietary data loss. Reevaluate the departing employee’s severance package due to breach of contract, resulting in additional cost savings. ‍ What They Needed A global company was dealing with an increased risk of data loss and theft from departing employees. The company retains large volumes of proprietary data spread across their entire data landscape. Much of that data is also highly sensitive and would create a competitive disadvantage for the company if it were to end up in competitors’ hands. The company was also facing a higher volume of employee turnover—especially within roles that had access to the company’s most sensitive data (e.g., company executive and management roles). The company was concerned that these factors were creating a perfect storm for data theft and loss. They realized they needed a better system to catch instances of proprietary data loss before any data left the company. Company stakeholders reached out to Lighthouse because they knew our forensics team could help them build a proactive, repeatable solution for analyzing and reporting on departing employee activity. How We Did It Lighthouse forensics experts worked with the company to create a custom departing employee program for data loss prevention. With this program, Lighthouse experts prepared a Red Flag Report for every departing employee that fell within specified high-risk categories (e.g., employees above a specific seniority level, or employees that had access to highly sensitive company data, etc.). Each Red Flag Report was prepared by a Lighthouse forensics expert and summarized the data theft risk associated with the underlying employee. Every report contained: A high-level summary of the risk of data theft presented by the employee. A collection of attachments with highlights and comments by the Lighthouse forensics examiner (for example, a list of files stored in an employee’s personal cloud storage account, with an explanation of why that activity may indicate a higher risk of data theft). A forensic artifact categorization with associated risk ratings (e.g., if there were no suspicious search terms found during a scan of the employee’s Google search history, the examiner assigned that category a lower risk rating of “1”). Recommended next steps, with options for substantiating high-risk employee behavior. Reports were delivered to a cross-functional group of company stakeholders, including IT, human resources, and legal groups. The Results The Lighthouse program very quickly paid off for the company. Soon after initiation, Lighthouse escalated a Red Flag Report for a departing employee that showed a high risk of data loss. Specifically, the Lighthouse forensics examiner flagged that the employee had connected two different external thumb drives containing sensitive company data to their laptop. This activity was flagged by the Lighthouse forensics examiner as high risk because: The employee had already been directed by the company to return any device that had corporate data saved on it; and The employee had previously indicated that they didn’t have any devices to return. As soon as Lighthouse escalated the Red Flag Report, company stakeholders scheduled an interview with the employee. This interview resulted in the employee admitting that they had taken corporate data with them, via the two thumb drives. Because Lighthouse was able to quickly flag the employee’s suspicious activity, the company was able to retrieve the thumb drives before the proprietary data was disseminated to a competitor. The company was also able to reevaluate the employee’s severance package due to the breach of company policy, resulting in a significant cost saving. Even more importantly, the company now has a proven, proactive, and customized solution for preventing data loss and theft by departing employees—implemented by Lighthouse’s highly skilled forensics team. ‍ Corporate Case Studycase-study; corporate; corporation; forensics; investigations; collections; fraud-detection; red-flag-reporting; departing-onboarding-employeedigital forensics; client-successCase-Study, client-success, Corporate, Corporation, digital forensics, investigations, collections, fraud-detection, Red-Flag-Reporting, Departing-Onboarding-Employee, digital forensics

Our hosts chat with Lighthouse's John Bair about implementing proactive data management programs and emerging challenges with remote working, including mobile devices and collaboration data., Law & Candor returns for Season 10 with co-hosts  Bill Mariano  and Rob Hellewell. They kick off the episode with a discussion of a Harvard Business Review article about the ways AI can make strategy more human. Next they are joined by John Bair , Senior Consultant in Digital Forensics at Lighthouse, to discuss bring your own device (BYOD) policies, implementing proactive data management programs, and emerging data challenges with remote working. Some questions that they tackle include: From a data governance and management perspective, what are the greatest challenges that have emerged from working from home and BYOD policies? Many organizations may have governance programs in place but still struggle with new data sources or devices. What can make some programs inadequate to face these changes? For those needing to refresh their governance approach, or build something new, what advice do you have for creating a more proactive program to get ahead of these data challenges? How should legal teams work with IT to ensure these types of programs are a success? How should we think about their roles? As mobile devices and virtual work continue to advance, how can teams ensure their data governance programs keep pace? If you enjoyed the show, learn more about our speakers and subscribe on the  podcast homepage , listen and rate the show wherever you get your podcasts, and join in the conversation on  Twitter .  , chat-and-collaboration-data; data-privacy; forensics; lighting-the-path-to-better-information-governance, collections, emerging data sources, departing/onboarding employee, podcast, preservation, risk management, chat-and-collaboration-data, data-privacy, digital-forensics,, collections; emerging-data-sources; departing-onboarding-employee; podcast; preservation; risk-management

In the very first episode of season six, co-hosts Bill Mariano and Rob Hellewell, introduce themselves and welcome listeners back for another season of Law & Candor, the podcast wholly devoted to...,   In the very first episode of season six, co-hosts Bill Mariano and Rob Hellewell , introduce themselves and welcome listeners back for another season of Law & Candor, the podcast wholly devoted to pursuing the legal technology revolution. To kick things off, Bill and Rob begin with Sightings of Radical Brilliance, the part of the show where they discuss the latest news of noteworthy innovation and acts of sheer genius. In this episode, they dive into a recent article from ITPro.com that discusses the increase in insider data breaches with the remote work shift .  For the guest speaker segment of the show, Bill and Rob bring on Jerry Bui of Lighthouse to discuss cellular 5G and how it could lead to more fraud and misconduct risk via the following key questions: How does 5G lead to fraud and misconduct?  What insider threats are there (i.e. shadow IT, encrypted messages, etc.)? What about outsider threats (i.e. outside of IT‚Äôs purview, data breaches, hacking, etc.)? How does this impact compliance programs?  How does one overcome 5G challenges?  Are there other recommended best practices related to this topic? The episode wraps up with key takeaways. If you enjoyed the show, subscribe here , rate us on Apple and Stitcher, join in the conversation on Twitter , and discover more about our speakers and the show here . , forensics; chat-and-collaboration-data, preservation and collection, podcast, digital-forensics, digital-forensics, chat-and-collaboration-data, preservation-and-collection; podcast; digital-forensics

Co-hosts Bill Mariano and¬†Rob Hellewell share details around the¬†five biggest data breaches of the year so far in¬†Sightings of Radical Brilliance and what this means for the future of legal...,   Co-hosts Bill Mariano and  Rob Hellewell share details around the  five biggest data breaches of the year so far in Sightings of Radical Brilliance and what this means for the future of legal space. Next, Bill and Rob bring on  Jerry Bui , Executive Director of Digital Forensics at Lighthouse, to help uncover the answers to the following questions around data preservation when it comes to ephemeral and encrypted data:  What do ephemeral and encryption mean? What are the different types of enterprise communication platforms? Which platform gives you the most in terms of investments from a legal and compliance perspective? What about data privacy on these platforms? How is the personal data treated? What should IT and Legal departments keep in mind when it comes to platforms that are not encrypted? The show concludes with key takeaways from the guest speaker segment. Join the conversation on  Twitter and discover more about our speakers and the show  here . Related Links Podcast: Digital Forensics Future About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click  here .   , chat-and-collaboration-data; forensics; information-governance; microsoft-365, emerging data sources, preservation and collection, podcast, digital-forensics, chat-and-collaboration-data, digital-forensics, information-governance, microsoft-365, emerging-data-sources; preservation-and-collection; podcast; digital-forensics

When the Federal Rules of Civil Procedure were amended in December of 2006 to include “electronically-stored information” as an information category subject to discovery, even the most visionary eDiscovery practitioners could not have anticipated what this would mean in the years to come.Although the tech-savvy among them may have anticipated the future challenge of increasing data volumes, who could have foreseen the impact of the Cloud and the exponential growth of data types and communication applications? No one in 2006 could have anticipated the explosion of third-party messaging apps (think WhatsApp, Signal, Snapchat, Telegram, WeChat, etc.) proliferated by a worldwide pandemic. Some of these applications allow users to send encrypted messages or ephemeral messages (messages that disappear after sending) and usually exist outside of native Apple or Android apps. Therefore, they raise uniquely challenging data governance and eDiscovery issues. Unfortunately, for a variety of reasons, organizations have had trouble implementing compliance policies that directly address those downstream eDiscovery and data governance implications. Mobile device policies tend to focus heavily on security considerations, with little attention given to how corporate communications can be preserved, collected, and/or produced should the need arise.Information use policies that require employees to use certain systems for work-related communications and collaboration do not always account for the realities of the business. Additional complexities include the proliferation of chat applications in the market, practical challenges collecting mobile device data (including forensic imaging in some cases), the co-mingling of personal and work data, and privacy implications.But while organizations have struggled to implement policies that address the full breadth of these challenges, eDiscovery obligations remain constant. Given the rise in the use of third-party applications for work communications (in some cases to potentially evade recordkeeping policies for more traditional tools like email), government agencies and regulators have increased scrutiny of how these systems are being used and managed. In doing so, they increasingly consider company policies that manage records and whether adequate controls are in place to ensure compliance. Both in-house and outside counsel have a responsibility to their clients to stay abreast of this increased scrutiny in order to advise them. In light of this responsibility, we are providing an overview of recent regulatory changes, as well as best practices for companies to survive within this new regulatory era. Focus on messaging apps by government agencies and regulators Until very recently, government agencies and regulators investigating companies have focused their attention on communications contained in traditional ”workplace” messaging applications, i.e., systems designed purely for business purposes. Regulated entities have recordkeeping requirements that mandate the retention of specific categories of records for a designated period of time, including communications, with penalties for record-keeping violations. Financial institutions have paid billions in SEC and Commodity Future Trading Commission penalties to settle related allegations. Private equity firms have been in the crosshairs as well. In an ironic twist, the SEC itself has been under scrutiny for similar behavior as members of the House Financial Services Committee and other House panels question whether the agency has suffered similar recordkeeping lapses, illustrating how widespread these apps are and how difficult it is to curtail their use. The 2022 Monaco Memo and subsequent sanctionsAmidst this backdrop, the Department of Justice ("DOJ") stepped up significantly with new directives and corporate compliance guidelines for personal mobile devices and third-party chat applications. In September 2022, Deputy Attorney General Lisa Monaco issued a memo to the DOJ Criminal Division to provide "best corporate practices regarding use of personal devices and third-party messaging platforms" in what has become known as the "Monaco Memo." Monaco stated, "[t]he ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation. The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge." 2023 DOJ best practice guidelines and DOJ sanctions In February of 2023, the DOJ filed a memorandum in support of sanctions against a large technology company for alleged "intentional and repeated destruction of company chat logs" that the U.S. government sought to use in an antitrust case against the company. The DOJ filing indicated that the company set chats to delete after 24 hours. The Federal Rules of Civil Procedure required the company to suspend its standard retention upon notice of the government's legal action in 2019, which it did not do until it received notice of the 2023 motion for sanctions. In March of 2023, after those sanctions, the DOJ updated its Evaluation of Corporate Compliance Programs ("ECCP") to emphasize the importance of preserving business communications on personal devices, various communications platforms, and messaging applications, including those offering ephemeral messaging. In subsequent remarks announcing the 2023 ECCP best-practice guidelines, Assistant Attorney General Kenneth A. Polite, Jr. pointedly noted that when companies fail to produce communications for DOJ investigations, "a company's answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability. So when crisis hits, let this be top of mind." The 2023 DOJ guidelines state that prosecutors will consider three factors when evaluating the adequacy of corporate policies governing the use of personal devices, communication platforms, and messaging applications: 1. Existing communication channels2. Policies governing the existing communication channels3. Whether the corporation is adequately communicating and consistently enforcing the policiesThese new DOJ guidelines significantly expand the scope of an organization's duty to preserve corporate communications. They create a new preservation duty targeted at business-wide compliance operations. Where internal legal departments may have struggled in the past to implement culture-changing mobile device policies, compliance teams may succeed in garnering the requisite executive buy-in.A path forward for organizationsAs law enforcement agencies and regulators continue to take a more rigorous stance towards messaging applications, companies will need to explore more expansive policies to comply with various obligations to retain and preserve data. But it’s a sticky problem for both sides to address, given the different capabilities of each system, incompatibility of certain tools with regulatory recordkeeping requirements, and the hard realities of today’s workplace. For some organizations, the risks of using certain third-party applications (including the inability of the organization to comply with certain regulatory requirements) simply does not outweigh the benefit to the business, and in these circumstances, companies might choose to not permit them. There may be legitimate business reasons for employees to use these apps—they are readily available, convenient, and provide certain security and data reduction benefits. However, organizations will need to weigh whether those benefits are worth the risk of possibly losing relevant data or enabling potentially nefarious behavior.Policies, procedures, and information governance—again “Guidance” and “controls” are the operative words here. For most businesses—and certainly for those in regulated industries or frequently subject to litigation—information governance and compliance functions only increase in importance as the datasphere continues to become more complex. Guidance: To reduce exposure and risk, businesses first need to consider the requirements they are subject to and clearly define their stance on the use of ephemeral data apps. It helps to have in place a solid information governance framework, with applicable written policies and procedures that reflect that stance. As with all data-related responsibilities, employees should be provided explicit guidance regarding personal devices and messaging tools during onboarding with continual reinforcement during routine training on policies and procedures that should be a part of any robust compliance program. Evidence of rigor in communicating to employees the appropriate use of these messaging platforms vis à vis data retention obligations can only be a benefit in case of an investigation or litigation. Controls: In addition, appropriate controls should be in place to monitor compliance and ensure required preservation, with effective means to handle non-compliance. If personal devices are approved for use, they should be subject to mobile device management (MDM), as well as policies and procedures that address their use to help ensure data safety and security.Realistically, whether or not a company allows the use of third-party apps doesn’t mean employees are sticking with the plan. It is the responsibility of the business to know what their employees are doing. Periodic testing and auditing of messaging applications is well-advised, and any employee misconduct in violation of company policies related to ephemeral messaging should be addressed and documented. Voluntarily self-disclosed misconduct can go a long way in mitigating potential damage and fines. Due consideration should also be given to whether there is the necessary IT infrastructure, resources, and budget to undertake surveillance of employee behavior and to respond to regulatory or legal requests for information, including proper implementation of a legal hold. If ephemeral messaging is allowed, can it be disabled in the event of potential litigation so that potentially relevant material is preserved? If not, there could be a problem.ConclusionThe datasphere is only going to become increasingly complex as more data-creation (and deletion) tools emerge. With regulatory recordkeeping and data retention mandates likely to remain in place, government agencies will continue to scrutinize third-party messaging applications. A robust information governance approach, as usual, is key. Companies with a defensible and effective electronic records retention policy that covers the legitimate use of messaging apps—with employees that are trained in related policies and procedures and how best to use them—will have the best chance of avoiding trouble and/or defending themselves against potential wrongdoing. chat-and-collaboration-data; forensicsforensicsdaniel black; jodi daniels

In case the complexities of corporate data weren’t creating enough turbulence to keep corporate and legal teams up at night, along comes a prolonged pandemic to really shake things up. Because now, a complex data landscape has also become a complex employee landscape.What has been dubbed the “great resignation” (approximately 38 million workers voluntarily quit their jobs in 2021) has left many companies shaken as they struggle to adapt their organizations to a reconfigured and remote workforce. With little time to plan for the risks and contingencies such a seismic shift would normally entail, companies are now playing catch-up, seeking ways to ensure proper data management, better responses to fast-moving litigation and internal investigations, and enhanced security as they grapple with offsite employees, transformative applications, and the impact of an exodus that may have caused company data to escape its bounds.These unique circumstances present a number of challenges for companies and their legal teams alike. In a webinar with Today’s General Counsel, I was pleased to join Scott McVeigh, industry principal from Onna, to discuss the ways in which many companies have been affected. We looked at the recent workplace disruption and considered the impact: What data risks have emerged or intensified? What efficiencies or advantages? What areas of the company data environment deserve renewed focus? What steps can internal teams take to help ensure that data concerns are addressed and legal imperatives met? A Shift to Remote Work Accelerates Transition to the CloudPrior to the pandemic, an estimated 20% of the U.S workforce was working remotely. By December, 2020, that number had increased to 71%. Even with offices now deemed safer as the pandemic wanes, it is anticipated that more than 51% of the U.S. workforce will continue to be remote or hybrid.The impact of this shift has already been profound, reshaping the use, format, and storage of data. As many as 81% of organizations say the pandemic accelerated their cloud timelines as they raced to engage with new tools and applications that flooded the market to accommodate the remote workforce. Online collaboration has now become the new normal, with document sharing apps, chat functionalities, and web conferencing becoming the dominant forces that underpin daily work. Enhanced Collaboration — A Mixed Blessing While this shift may have resulted in some efficiencies as more informal practices took hold, the explosion of collaborative data technologies has also created significant challenges, especially for data and records management, security, and legal teams. As a result, some important enterprise areas are ripe for renewed attention and innovation:Information governance models: The disrupted workforce has made information governance efforts more complicated—and more necessary. Remote collaboration and sharing applications mean more data in more places, making it harder for internal teams to create and maintain a cohesive vision of the data landscape to contain and control growing data volumes.Rapid data growth from both authorized and unauthorized tools and new forms of communication (think gifs, memes, and emojis) makes it easier for data to proliferate, morph, even disappear, which may call for modified or additional policies and procedures. From a data security standpoint, privacy breaches coupled with other security stressors are magnified as siloed data, a perennial problem, pressure-tests existing processes and policies.eDiscovery and preservation imperatives: In the implementation of cloud applications, preserving and collecting data in a defensible manner has not been a top priority. More tools enabling informal, dispersed, and fluid content challenge the paradigm of traditional collection and review. Where is a particular kind of data living and who controls it? Who is the custodian or author of content in shared collaborative spaces? With so many new data types, what is now the definition of a “document” or a conversation?Employee transitioning: As employees moved offsite or departed during the pandemic, company data may have gone with them — if not through malicious exfiltration, then just because HR and IT, with reduced teams as well, could not keep up with the onboarding and offboarding process. One top concern for organizations is that the lost data or IP could have gone to a competitor. Training requirements: With workers at a distance, training on company privacy, security, and preservation policies — which should be intensifying — may be taking a back seat to other business priorities impacted by the pandemic. Too, cultivating a data-sensitive culture is now more difficult with employees often untethered from the norms of company data access and storage and little to no face-to-face interaction with other employees and their own managers. Law Firms and Legal Departments Not Exempt from DisruptionTo complicate matters, as companies were transformed by the pandemic, so too were the law firms and legal departments that support them. Already in a state of flux, the legal market was highly impacted by both employee departures and the migration to remote work, relatively foreign to an entrenched in-office culture. Lack of attention to document management, often a law firm weakness, has just added fuel to the fire.The resignation-induced talent drain has likely affected workflows, adding to inefficiencies and duplicative work as corporate and legal knowledge, both in-house and outside, dissipated with the overall disruption of formerly routine processes and responsibilities. It has certainly impacted eDiscovery processes; legal professionals are still working to master the art of conducting discovery remotely from cloud-based data sources.Bucking the Trends: Take These Steps to Reduce RiskThe disrupted workplace calls for renewed diligence, nimbleness, and a certain amount of creativity on the part of internal teams responsible for data and its management. Most of all, it requires rigorous attention to potential risks exacerbated by a still-evolving landscape.Here are some important steps companies can take to reduce risk: Scrutinize what may now be a very different data landscape. As in pre-pandemic times, knowing where data resides and in what format is a big part of the battle. With new tools and cloud storage locations making everything even more complex, thinking through applications and the data they generate before they roll out can save time, effort, and grief down the line. Analyze: Who uses what applications? Where does the data go and how is it stored? Who has control over it? From an eDiscovery standpoint, with so much data in play, it pays to scale efforts to potential returns; focusing on the most-used data sources is more fruitful than “boiling the ocean.” Cultivate stakeholder partnerships. As the workforce transforms, partnerships among internal stakeholders, especially IT, compliance, data privacy, records management, and information security teams — in close coordination with business units — are more important than ever in controlling how and by whom data is created and used. Corporate silos only enhance risk, especially when workers are remote and unsanctioned applications may be proliferating. Remember, though, that data initiatives are most effective when they come from the top, especially if funding is required. Engage the C-suite as much as possible. Improve information governance capabilities. As data pools from multiple collaborative sources and cloud applications proliferate, making prior linear processes cumbersome and expensive, a shift in focus to the left side of the Electronic Discovery Reference Model (EDRM) makes even more sense now. With the right cloud-based tools and services, as well as good information governance models, teams can perform better upstream and reduce downstream costs.Foster a culture of data awareness and protection. Training, training, training — for both current and incoming employees — is critical. Sound policies mean nothing if employees are unaware of or don’t abide by them or don’t understand the nature of the risk they are meant to address. Educate employees on data “ownership” best practices. Encourage sound data hygiene and enhance onboarding and offboarding procedures to take data risks into account, especially those related to preservation imperatives. Remember that inbound data from new employees that works its way into the company can be just as problematic as data exfiltration. Review and, if necessary, update records management policies. Records management policies should be considered programmatically to align with the nature of the business. Reducing company exposure by updating policy gaps that may be caused by evolving privacy regulations (e.g., GDPR, CCPA/CPRA, etc.) should be a top priority for any company’s records and data management teams. Remember that training goes hand in hand with any policy changes.Engage experts where you need them. Data complexities of today, especially related to privacy and security, may require the expertise beyond that routinely found in-house. Be sure to work with providers and experts well-versed in today’s challenges.Leverage technology where possible, with expertise in mind. Various data automation tools can provide the power to import, manage, and modify records in ways never before possible. AI and categorization tools can be used to assess data in place, potentially mitigating the need for linear collection, processing, and review of data in discovery. Automated tools can enable a more managed examination of departing employee data. But technology not carefully deployed or without the right experts behind the scenes can diminish the potential benefits. Know what questions to ask. Be an informed and thoughtful user: implement wisely. If you are interested in this topic, feel free to reach out to me at dblack@lighthouseglobal.com. chat-and-collaboration-data; forensics; information-governanceemerging-data-sources, cloud-security, red-flag-reporting, departing-onboarding-employee, pii, blog, record-management, risk-management, chat-and-collaboration-data, forensics, information-governance,emerging-data-sources; cloud-security; red-flag-reporting; departing-onboarding-employee; pii; blog; record-management; risk-managementdaniel black

Long gone are days when the majority of discovery records were kept in paper format. Documents, invoices, and other related evidence needed to be scanned and printed in the tens (if not hundreds) of thousands. Today, a huge number of discovery efforts (internal or external) revolve around digital content. Ergo, this article will highlight the collection of digital evidence and how to best prepare your case when it comes to preservation and collections as well as processing and filtering.But, before we get into that, one of the core factors to keep in mind here is time, which will always be there irrespective of what we have at hand. It is especially complicated if multiple parties are involved, such as vendors, multiple data locations, outside counsels, reviewers, and more. For the purposes of this blog, I have divided everything into the following actionable groups - preservation and collection as well as processing and filtering.Preservation and CollectionIn an investigation or litigation there could be a number of custodians involved, for example, people who have or had access to data. Whenever there are more than a handful of custodians the location may vary. It is imperative to consider where and what methods to use for data collection. Sometimes an in-person collection is more feasible than a remote collection. Other times, a remote collection is the preferred method for all those concerned. A concise questionnaire along with answers too frequently asked questions is the best approach to educate the custodian. Any consultative service provider must ensure samples are readily available to distribute that will facilitate the collection efforts.Irrespective of how large the collection is, or how many custodians there are, it is best to have a designated coordinator. This will make the communication throughout the project manageable. They can arrange the local technicians for remote collections and ship and track the equipment.The exponential growth in technology presents new challenges in terms of where the data can reside. An average person, in today’s world, can have a plethora of potential devices. Desktops and laptops are not the only media where data can be stored. Mobile devices like phones and tablets, accessories such as smartwatches, the IoT (everything connected to the internet), cars, doorbells, locks, lights…you name it. Each item presents a new challenge and must be considered when scoping the project.User-generated data is routinely stored and shared on the Cloud using a variety of platforms. From something as ancient as email servers to “new” rudimentary storage locations, such as OneDrive, Google Drive, Dropbox, and Box.com. Others include collaborative applications, such as SharePoint, Confluence, and the like.Corporate environments also heavily rely on some sort of common exchange medium like Slack, Microsoft Teams, and email servers. These applications also present their own set of challenges. We have to consider, not just what and how to collect, but equally important is how to present the data collected from these new venues.The amount of data collected for any litigation can be overwhelming. It is imperative to have a scope defined based on the need. Be warned, there are some caveats to setting limitations beforehand, and it will vary based on what the filters are. The most common and widely acceptable limitation is a date range. In most situations, a period is known and it helps to set these parameters ahead of time. In doing so, only the obvious date metadata will be used to filter the contents. For example, in the case of emails, you are limited to either the sent or received date. The attachment's metadata will be ignored completely. Each cloud storage presents its own challenges when it comes to dates.Data can be pre-filtered with keywords that are relevant to the matter at hand. It can greatly reduce the amount of data collected. However, it is solely dependent on indexing capabilities of the host, which could be non-existent. The graphical contents and other non-indexable items could be excluded unintentionally, even if they are relevant.The least favored type of filter among the digital-forensics community is a targeted collection, where the user is allowed to guide where data is stored and only those targeted locations are preserved. This may not be cost effective, however, it can restrict the amount of data being collected. This scope should always be expected to be challenged by other parties and may require a redo.Processing and FilteringOnce the data collected goes through the processing engine the contents get fully exposed. This allows the most thorough, consistent, and repetitive filtering of data. In this stage, filtering relies on the application vetted by the vendor and accompanied by a process that is tested, proven, and updated (when needed).The most common filtering in eDiscovery matters is de-NIST-ing, which excludes the known “system” files from the population. Alternatively, an inclusion filter can be applied, which only pushes forward contents that typically a user would have created, such as office documents, emails, graphic files, etc. In most cases, both de-NIST-ing and inclusion filters are applied.Once the data is sent through the meat grinder (the core processing engine) further culling can be done. At this stage, the content is fully indexed and extensive searches and filters will help limit the data population even further to a more manageable quantity. The processing engine will mark potentially corrupt items, which are likely irrelevant. It will also identify and remove any duplicate items from all collected media from the entire matter data population. Experts can then apply relevant keyword searches on the final product and select the population that will be reviewed and potentially produced.I hope this article has shed some light on how to best prepare your case when it comes to preservation and collections as well as processing and filtering. To discuss this topic further, please feel free to reach out to me at MMir@lighthouseglobal.com.digital-forensics; information-governance; chat-and-collaboration-datacollections, ediscovery-process, preservation-and-collection, processing, blog, digital-forensics, information-governance, chat-and-collaboration-data,collections; ediscovery-process; preservation-and-collection; processing; blogmahmood mir

As the corporate workplace continues to evolve—encompassing hybrid work environments, bring your own device policies, and cloud-based storage—companies are well-advised to consider areas of increased vulnerability and whether their policies, procedures, and forensic tools are keeping pace with reality. A hybrid or remote workforce and a more collaborative data infrastructure only exacerbate data risks that were easier to manage when employees were comfortably situated at their desks. Adding even more complexity to these risks are broader labor trends, including “the Great Resignation and Reshuffle” and an aging work force, which are changing staffing and recruiting strategies and impacting knowledge transfer and IP creation.Employee intake and departure: crucial points of data security Two areas likely needing renewed attention are the moments of employee onboarding and offboarding, when a company’s most prized assets—people and data—are on the move. Departing employees present a particular risk as the potential for data exfiltration of IP and other sensitive information, whether intentional or not, is high. Often, employees take corporate IP with them inadvertently, a situation bound to get worse as turnover rates grow (Gartner anticipates a 20% jump in turnover from the pre-pandemic national average).Since people usually take jobs similar to the ones they leave (and often with competitors), taking company data along with their coffee mug and potted plant may seem justified (I wrote this stuff, so it’s mine)—or simply inconsequential. Cloud storage services such as Dropbox, Box, or Google Drive, and collaborative apps such as Microsoft Teams or Slack make it all the easier to appropriate files, lending credence to a feeling of personal data ownership. No matter how it happens, the escape into the wild of proprietary items such as source code, strategy documents, contact lists, and financial information exposes the company to untold risk, including the danger of running afoul of any number of privacy regulations if personal data is exfiltrated from its protected environment—an additional headache for the company if things go south. Are current entry and exit protocols enough? Although most companies have entrance and exit protocols usually siloed as HR and IT functions, the recent surge in employee turnover has put those very teams under pressure as they face their own personnel and budget deficits. Further, responsibilities have become less defined at a time when offboarding tasks—many now carried out at a distance—should be fortified to include proactive data monitoring and oversight, activities such teams may not be equipped to handle. The challenge, of course, is the growing complexity of the data landscape. Knowing what information is where, who accesses it, and for what purpose becomes more difficult to track as software and storage options grow, yet this is key to keeping important data protected. Data security: start training early and reinforce often Onboarding procedures can play a key role in keeping data where it belongs and helping employees navigate through and understand their responsibilities in this increasingly intricate data terrain. First, a sound onboarding protocol can ensure that new employees aren’t bringing troublesome data into the environment. No company wants to deal with the fallout of being in possession of some other company’s IP or sensitive information. More importantly, onboarding offers the most opportune time to clearly communicate expectations regarding data management and safety—information that should be reinforced with frequent (and up to date) training that emphasizes data protection and ownership. It's easy to forget as time goes on what data may be confidential or sensitive, and even easier to forget that data belongs to the business, not the employee. In short, data awareness should be instilled as part of the company culture right from the start. Seize the moment: identify and monitor offboarding risksThe recent and ongoing workplace disruption calls for a hard look at offboarding data risks and an evaluation of potential vulnerabilities to protect data before an employee leaves the company, bolster the exit protocols to have in place when they do, and have the proper forensic and analytic tools to handle data monitoring and address potential wrongdoing. Most companies do have standard offboarding checklists that address employee assets, data access, and preservation obligations as they leave the company. But there’s more to data protection at this crucial moment than ticking off boxes. Expand and optimize the offboarding checklistSavvy companies implement a more proactive, programmatic approach that begins earlier, with monitoring procedures that include defensible and repeatable processes to guard against the exfiltration of company data while helping to fortify the company’s position in case of a breach. A few important things to consider as part of the offboarding process:Know which employees warrant departure attention. Develop risk profiles with business stakeholders to identify which classes of employees, whether based on role, circumstance of departure, seniority, or access to sensitive information could present an exfiltration risk.Understand the company’s data landscape. Make sure there are mechanisms in place for tracking where sensitive data and IP may reside and when such data has been accessed.Explore activity and assets with the employee prior to their departure. An expert, friendly review of a departing employee’s recent computer activity with the employee, including an audit of their recent network activities, use of peripherals, cloud uploads, and email sends, can reveal and help mitigate potential trouble.Preserve employee devices and data as warranted with state-of-the-art forensic tools. Forensic preservation is critical to ensuring valid evidence down the line, especially since investigations today regularly involve new and novel devices, data sources, and artifacts that must be diagnosed and understood.Document all offboarding information. A paper trail of findings during the exit procedure is important if further analysis is recommended or necessary and will be crucial for subsequent investigation, if it comes to that. Have a plan if there is evidence of wrongdoing. Part of any data security effort is having an action plan to execute if there are signs of a breach. Preservation, collection, and a forensic analysis may be required should legal action ensue. ConclusionThe recent upheaval in employee turnover along with more collaboration tools and storage options present increasing risk for today’s enterprise. Companies that acknowledge new vulnerabilities and leverage opportunities to revamp outdated policies and protocols are better positioned to stop data exfiltration before it becomes a problem. The best solution: Implement robust onboarding and offboarding solutions that include data monitoring, reporting, and forensic analysis to enable a quick pivot to actionable remediation steps if trouble is brewing. digital-forensics; information-governancedeparting-onboarding-employee, blog, risk-management, digital-forensics, information-governancedeparting-onboarding-employee; blog; risk-managementdaniel black

One of the unanticipated consequences of the COVID-19 pandemic and the ensuing shift of office employees being forced to work from home, is the impact on counsel who must continue to direct forensically defensible collections for eDiscovery, investigations, and regulatory response scenarios. As employees adjust to remote work, they are increasingly commingling personal data sources, home networks, and corporate data, which in turn creates a wealth of new data sources that will need to be collected as potentially-relevant ESI.In my recent webinar, I discussed this significant shift to the “new normal” of digital digital-forensics and how information governance policies and IT security practices should be proactively extended to remote employees, as well as ways to mitigate future complications around forensic collections that will now need to be almost exclusively remote. Here are a few of the most important aspects to consider on how working from home impacts digital digital-forensics, and practical workflow strategies for handling remote ESI collections.Working from Home: The Digital digital-forensics ImpactThere’s a behavioral impact that automatically comes with working entirely from home, with less delineation between the workday and home life, and subsequently more temptation to use your work laptop for personal reasons. This behavioral impact is also mirrored in the reverse scenario where personal devices become more convenient to use for work. Although we were already seeing quite a bit of intermingling of data pre-COVID-19, this habit is dramatically increasing as home has quickly become the only workplace and there hasn’t been time for organizations to adopt new IT policies to tackle these issues.With the advent of this new remote workplace era, data (mis)management will remain with us for future matters and there will be a permanent impact on collections going forward. Among the top adjustments that need to be made is custodian questionnaires must be enhanced to scrutinize whether any relevant work-related data or communications reside on the custodians’ home devices. The same scrutiny will need to be applied to personal data potentially residing on work laptops as the opportunities for this type of data intermingling or “contamination” will undoubtedly continue to increase.ESI Collections: Practical Workflow StrategiesEven though we’re currently not able to travel onsite to acquire device and data source evidence, we can continue collections by relying on sound and defensible forensic remote strategies that are already in place. Collections from the Cloud are status quo and conducted remotely by definition, but for other ESI sources, we will favor targeted and logical collections over full physical forensic images.For remote collections on premise at an office that’s closed, if there’s a skeleton IT crew in place, screen sharing can be utilized to mimic the exact scenario of a digital-forensics professional being onsite to help load a hard drive or provide access into a server. For custodians sitting at home, the same process can apply and technical guidance can be provided remotely. If shipping is a safety concern, data can be uploaded by secure encrypted file transfer protocol (FTP) using software that can resume broken uploads or by utilizing fast data transfer solutions such as Aspera. Whether figuring out a safe way to transport encrypted hard drives back and forth or using remote data transfer technology, we’ll need to plan for increased turnaround times due to varying upload speeds from home and/or decontamination procedures that are implemented for shipping protocols.Key TakeawaysAs company and personal custodian data commingling grows during COVID-19, a permanent shift is happening in digital digital-forensics and eDiscovery. From a legal standpoint, it’s settled that company-related communication on personal devices is subject to discovery, thus custodian interviews and other information-gathering techniques to identify the relevant scope of a collections effort must be enhanced. And although data preservation and evidence acquisition tasks may take longer to conduct when onsite collections is not an option, the technology is already in place to ensure forensically sound and defensible remote collections now and in the future.To discuss this topic further, please feel free to reach out to me at JBui@lighthouseglobal.com.digital-forensics; information-governancelegal-operations, digital-forensics, information-governancecloud; collections; cloud-security; bloglighthouse