Christopher Wall, HaystackID: “privacy laws expect organizations to know what data they have”
Document cabinets are probably a thing of the past, but one could argue that digitization of data brought on more privacy, security, and retrieval challenges than traditional manila folders ever could.
The amount of information to sift through when searching for data in legal proceedings is huge. The process often includes risks of the data being changed, leaked, deleted, or compromised. Authorized access control, training, and compliance with privacy laws may be a part of the solution to this problem, but there is always more to consider when securing and handling data.
Cybernews reached out to Christopher Wall, who is the Special Counsel for Global Privacy and Forensics and Data Protection Officer at HaystackID. We talked about the complicated processes of retrieving sensitive digital data needed for legal investigations, as well as about technology’s role in the legal field.
How did the idea of HaystackID come to life? What has your journey been like since?
My journey has been a long and non-traditional approach to forensic investigations. I provided my first legal advice to a technology client back in 1998 – a week after passing the bar – in exchange for MCSE training, then went on to practice law at BigLaw, and finally left traditional law practice to join the technology consulting ranks. It’s been a fascinating, exciting, and incredibly fun journey, but probably not one that I could have mapped out at the beginning of my career.
At HaystackID, you specialize in a practice called eDiscovery. Can you briefly explain how it works?
Much of what we do at HaystackID certainly involves eDiscovery, which is the information-gathering and information-sharing component of litigation. But perhaps more accurately, I would say that we at HaystackID specialize in e-evidence and electronic forensics. Our day-to-day work involves forensic preservation, collection, extraction, searching, and review of electronic data in litigation as well as in other contexts like data breaches and other cyber investigations, internal employment investigations, and regulatory proceedings. The approach we take in terms of chain of custody, application of sound principles of forensic analysis, etc., is the same whether in eDiscovery or some other context, but the use cases for our work can really take a lot of different forms. An often unheralded part of what we do is on the prevention side of the equation.
While we’re often known for the data sifting work we do, a big part of what we do is to help our clients reduce the costs and risks they might face before they get to litigation or to the point where they have to conduct discovery or some sort of investigation. Since we know where the pain points and potentially expensive hazards are down the road, we’re in a good position to help our clients put into place proactive and preventative Information Governance (IG), privacy and security, and data hygiene plans so that they can mitigate some of those risks before they appear.
What technology do you use to select valuable information from vast amounts of data?
It’s not uncommon for HaystackID to be asked to collect, process, analyze, and review terabytes of data as quickly as possible. Our forensic collection tools include Cellebrite, XRY, and EnCase. We also use a combination of tools, depending on need, to sift through the collected data to find those relatively few files that our clients really need. Tools like Nuix, Reveal (Brainspace), and Relativity, among others, help us with analysis and review. If it makes sense based on data volume and the nature of the case, we may apply artificial intelligence, machine learning, and analytics tools to help sift through the data. But those are just the tools in our toolbox. The real value comes from the incredibly smart and talented folks on our team who know how to use those tools.
How did the pandemic affect the legal industry? Were there any new challenges you had to adapt to?
HaystackID was well-positioned for the pandemic since the company has been investing heavily in developing and deploying remote 100% virtual document review teams, infrastructure, and technology staff over the past decade. The remote-work thing wasn’t new, and in many ways, for HaystackID employees, the pandemic and the lockdowns meant business as usual.
Lawyers traditionally love their facetime (actual face-to-face interaction with clients, not necessarily the app). The legal industry is built on trust, and on that basis, the in-person human element of the legal industry is never going to go away entirely. Nonetheless, the pandemic created an opportunity for the legal profession and the broader legal industry to grow beyond old models. Virtual meetings replaced many of the physical conference room meetings, and a silver lining of the dark pandemic cloud was that it caused many in the industry to look at how efficient in-person meetings could be compared to virtual meetings. In that sense, the virtual exercise probably helped make the eventual return to in-person meetings more efficient and effective. Of course, there are also tradeoffs with productivity. As with many other industries, with no commute and less water cooler time, the legal industry saw productivity rise in many respects, even while professionals found new ways to balance personal demands while working from home.
As for some of the other challenges presented by the pandemic, like most other industries, the legal industry had to find ways to be more efficient about moving and interacting with data. Working remotely presented logistical, technical, and security challenges. Before the pandemic, for example, much of our computer forensic work was done in a physical lab. The need for those forensic services certainly didn’t slow during the pandemic. The pandemic made us find ways to perform many of the same technically and legally defensible tasks from remote locations rather than in a centralized lab.
We needed to figure out how to make sure everyone had the hardware and software they needed in their remote environment, that they were able to use those tools in their remote environment, and were able to do so in a secure fashion. The legal industry deals with a lot of sensitive, confidential, and often privileged information. During the pandemic, we needed to find a way to maintain the security of that information while our professionals were working with that information at their kitchen table. In retrospect, it was what I like to call a “probletunity.” What we learned and the methods we developed during the pandemic made many in the industry more mindful of information security and positioned us to better serve clients in the future, post-pandemic.
Does the recent rise in cloud solutions complicate eDiscovery in any way?
Most IT professionals will agree that cloud solutions present a lot of great benefits. Among other things, they can be much more powerful than on-premise solutions. They can help reduce IT costs. They can streamline IT management for a lot of companies. They can do the same things for eDiscovery. During the pandemic, for example, cloud solutions were integral to eDiscovery service providers since they allowed a very efficient way to provide eDiscovery services. Before the pandemic, HaystackID’s Core offering addressed both on-premise and cloud use cases, so it was a little less of a change for us, but for the industry as a whole, the move to the cloud was vital.
But cloud solutions also create new risks and new complications. One of the great advantages of cloud services is that they allow data to move freely to wherever users need it, anywhere around the world. But the cloud’s strength is also its complicating factor. Not all clouds are equal—and from a data protection standpoint, not all jurisdictions in which each cloud is hosted are equal, either. We’re much more aware of individual privacy today, and much more of today’s eDiscovery is cross-border in nature. So, when we conduct eDiscovery using cloud resources, we now have to consider whose data is going into the cloud, the nature of that data, and where that cloud and its backups sit around the world. That can be a complicated analysis, and once the analysis is done, we need to make sure we have in place the appropriate legal rules or contractual clauses and assess whether and how data should be moved into a particular cloud environment.
From your experience, what are the most common reasons an organization might opt for eDiscovery?
Nearly all of today’s business is conducted electronically, and that means when there is a question of fact—or a need to answer the who, what, when, why, or how something happened in the workplace—we turn to an organization’s data for answers. Because of that, there probably aren’t many organizations that have the luxury of choosing whether to do eDiscovery these days. Unfortunately, in the increasingly litigious world in which we live, eDiscovery is typically forced upon an organization, whether they like it or not. eDiscovery can be expensive, and when an organization is facing eDiscovery related to litigation (or generally in any other context), they need to decide whether a proportional response involves conducting eDiscovery. Like many things in the legal industry, it’s a balancing test. For example, if the burden or expense of eDiscovery outweighs its likely benefit – considering what is at stake in the case, the amount of money in controversy, the resources the organization has to engage in eDiscovery or the expected importance of the eDiscovery in resolving the issues – then an organization may decide to settle or otherwise seek a negotiated outcome.
In your opinion, what are some of the biggest mistakes people tend to make when it comes to handling sensitive data?
There are so many things that can go awry when handling sensitive data, but spoliation and privacy immediately come to mind. Spoliation occurs when data that is supposed to be preserved is changed or deleted. That’s not a good thing during litigation or an investigation when the integrity of the data (including all of the metadata) is paramount. We see it often: An innocent act, such as simply moving files from one folder to another with good intentions or a desire to help, could change a particular file’s metadata. That simple act could then result in bringing the authenticity and, therefore, the usefulness of that file into question. There are tried and true methods that many cyber professionals use to avoid spoliation, but I think all of them will attest to the fact that those methods aren’t always applied the way they should be.
The bigger mistake we see, especially over the past few years, is not having effective privacy and security policies and practices in place. From a security standpoint, passwords and portable storage can present problems, which should be no surprise to most cyber professionals. Employees automatically tend toward weak passwords, they use the same password across applications and services, or when they do use unique passwords, they record them and store them in obvious places. Portable storage presents issues because personnel often lose those devices, and the company may not know whether the lost device contained sensitive information. In other cases, where personnel use organization-issued devices with built-in security, the users get frustrated with the security and disable it for convenience.
That brings me to privacy. From a privacy standpoint, California and the EU seem to get all of the attention, but there’s a growing number of jurisdictions in the US and around the world in which the security lapses I just described could lead to serious financial and reputational risk. Sensitive data from a privacy standpoint often involves personal information—information that belongs to individuals and not the organization. In many jurisdictions, individuals have the right to do certain things with that information, even if the data associated with it resides deep within a 20-year-old Oracle database or sits on a Pegasus email backup tape in a dusty closet somewhere. Not being able to respond to those individuals’ exercise of their privacy rights can lead to the big EU fines everyone talks about. That kind of infraction on the part of an organization could lead to a fine of 4% of annual turnover or €20 Million, whichever is greater. Organizations need to know what data they have. That includes the 20-year-old data, which, by the way, the company hopefully has a really good reason under its IG policy to still have lying around. Many of the emerging privacy laws around the world expect organizations to know what data they have, to know where it is physically stored, and be able to identify individuals’ personal information in their possession. That means that the organization has conducted a privacy assessment tied closely to its IG policy. Effective privacy and security policies that have strong executive support, accompanied by monitored practices and regular training, are critical if an organization wants to mitigate security and privacy risk and avoid the “big” mistakes.
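The spoliation scenario described above, a file moved between folders with good intentions, is exactly what a preservation-time hash manifest exists to catch. The following Python is an added example, not HaystackID’s tooling or any of the products named in the interview. It records a SHA-256 content hash plus filesystem metadata for every file under an evidence directory at preservation time, seals the manifest so it can itself be signed or logged, and later re-checks the tree, reporting content changes, metadata-only changes (a rewritten timestamp with identical content) and files that were relocated (same hash, new path) rather than destroyed. The directory layout, file contents and the "innocent" changes are constructed for the demo; the assumed workflow is that the manifest is captured before anyone else touches the data.

```python
"""Preservation-time hash manifest for an evidence directory.

Added example (not HaystackID's code or any of the tools named in the
interview). Records a SHA-256 content hash plus filesystem metadata per file,
then re-checks the tree later so that a content change, a metadata-only change
(e.g. a rewritten timestamp) or a relocated file is reported instead of
silently casting doubt on the evidence.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large evidence files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative path under root to its content hash, size and mtime (ns)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return manifest


def seal_manifest(manifest: dict) -> str:
    """Hash the canonical JSON form so the manifest itself can be signed or logged."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the manifest and classify every difference."""
    current = build_manifest(root)
    findings = {"missing": [], "added": [], "content_changed": [],
                "metadata_changed": [], "relocated": []}
    for rel, rec in manifest.items():
        cur = current.get(rel)
        if cur is None:
            findings["missing"].append(rel)
        elif cur["sha256"] != rec["sha256"]:
            findings["content_changed"].append(rel)
        elif cur["size"] != rec["size"] or cur["mtime_ns"] != rec["mtime_ns"]:
            findings["metadata_changed"].append(rel)
    findings["added"] = sorted(set(current) - set(manifest))
    # A missing file whose content hash reappears under a new path was moved,
    # not destroyed: the content is intact even though its location changed.
    by_hash = {rec["sha256"]: rel for rel, rec in manifest.items()}
    for rel in findings["added"]:
        old = by_hash.get(current[rel]["sha256"])
        if old in findings["missing"]:
            findings["relocated"].append((old, rel))
    return findings


def demo() -> dict:
    """Constructed scenario: preserve a small tree, 'tidy it up', then verify."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    try:
        (root / "inbox").mkdir()
        (root / "inbox" / "memo.txt").write_bytes(b"Q3 forecast, internal only\n")
        (root / "inbox" / "notes.txt").write_bytes(b"meeting notes\n")
        manifest = build_manifest(root)  # taken at preservation time

        # Innocent act 1: move a file into a new folder to keep things organised.
        (root / "archive").mkdir()
        shutil.move(str(root / "inbox" / "notes.txt"), str(root / "archive" / "notes.txt"))
        # Innocent act 2: open and re-save memo.txt with identical content; the
        # resulting timestamp change is simulated by pushing mtime forward 10 seconds.
        memo = root / "inbox" / "memo.txt"
        st = memo.stat()
        os.utime(memo, ns=(st.st_atime_ns, st.st_mtime_ns + 10_000_000_000))

        return verify_manifest(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the findings for the constructed tree: `inbox/notes.txt` missing, `archive/notes.txt` added and paired with it under `relocated`, and `inbox/memo.txt` flagged as `metadata_changed` with no content change. The sealed manifest hash is what you would record in the chain-of-custody log, since anyone holding it can later prove the manifest itself was not altered.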
Besides data discovery, what other digital legal solutions do you see becoming commonplace soon?
I see AI and machine learning continuing to make headway in the legal industry. That technology has the potential to significantly drive down eDiscovery costs and eventually allow organizations to classify and organize documents at inception, thereby lowering the institutional risk associated with ineffective IG policies or practices.
Mining of structured data, in addition to or in combination with unstructured sources like email, will become more commonplace as organizations look to be able to paint a more complete factual picture using all of the data available to them. We’ve heard people talking about using big data for what seems like forever now, but the real advance will be to marry data stored in rows and columns (including all of that data we have on the mobile devices tucked into our pockets) with the email and business docs that we’ve almost exclusively looked at for so long. Putting the two together is going to become more and more common, not just in the eDiscovery and compliance space, and not just in the legal industry, but in the business world in general. Having a holistic panorama of an organization’s activity is going to allow it to make better, more informed, and potentially more timely business decisions.
Finally, there’s privacy. Data protection assessments have already taken off as organizations become increasingly aware of their legal privacy and security obligations, and, more and more, the organization’s customers expect it. So, along with privacy and security audits becoming more commonplace, the natural outgrowth of those assessments will include stronger password requirements across the board, data anonymization – or de-identification of personal data when possible – and closer analysis of an organization’s sub-contractors’ privacy and security practices. We’ll see more and more individuals exercising their rights to their personal information by asking for access, deletion, or correction of their personal information that an organization may hold.
Share with us, what’s next for HaystackID?
HaystackID began as a computer forensics and cyber investigations firm, and the forensic principles and practices established doing that work will always be core to what we do. But as we look to the future, HaystackID is working to transform how cybersecurity, IG, and eDiscovery professionals think about e-evidence. We’re pushing the boundaries in the use of AI, data science, and machine learning, and marrying those technologies with skilled human reviewers to provide organizations with actionable insight more quickly and cost-effectively than ever before.
Perhaps more exciting is what we’re doing on the privacy and data protection front. To help our clients analyze data for sensitive information ranging from PII and PHI to data breach code anomalies, we’re rolling out HaystackID’s Protect Analytics. When we combine that with HaystackID’s ReviewRight Protect offering, we can harness the power of technology and human review and point them directly at detecting, identifying, reviewing, and notifying sensitive data-related breaches and anomalies.
While e-evidence and eDiscovery will always be our bread-and-butter, we’re excited about what we’re bringing to the industry to make it more effective, more efficient, and more cost-effective for our clients.