
Archive for the 'Conferences' Category

U.S. Ediscovery and Cross-Border Ediscovery 101 for Civil Law Practitioners

In a speech given at the 3rd Annual European Data Protection and Privacy Conference, in Brussels on 12/4/12, Viviane Reding addressed the reasons for the global interest in the European Commission’s proposed reforms to the EU Data Protection Regime:

“Why is there so much interest in our data protection reform?

…, because data protection is a global challenge. In a world where borders are increasingly blurred, and where data moves at the speed of light, the Union’s rules matter beyond its borders. Our debate is a precursor of future debates in other parts of the world. Many countries have a new generation of data protection laws in the making, in Asia, in Latin America, in Africa. In the U.S., the voices of reform are growing louder. All across the world, people are realising that good data protection rules are good for growth. This is at the heart of our own proposals here in Europe.”

But, while the EU may be leading the global data protection reform movement, there is no doubt in my mind that the US remains the leader in global data collection technologies.

The U.S. Ediscovery industry originated from the very broad Common Law requirement of “Disclosure” or “Discovery” in civil litigation. As digital data became the overwhelming source of data in most companies and organisations, “discovery” became “e-discovery”, the “e” standing for “electronic”. This obligation to disclose is practically non-existent in Civil Law systems.

According to a recent report published by Transparency Market Research, the global e-discovery market was worth USD 3.6 billion in 2010 and is expected to reach USD 9.9 billion in 2017, growing at a CAGR of 15.4% from 2010 to 2017. In the overall global market, the U.S. is expected to maintain its lead position in terms of revenue with 73% of global e-discovery market share in 2017. Another report, published by Research and Markets, forecasts the Global eDiscovery market to grow at a CAGR of 15.56% over the period 2011-2015.

The globalization of trade and data flows has led to an increase in international litigation, with, in Common Law based jurisdictions, the accompanying need for global data collections to satisfy the Common Law “Duty to Disclose” in civil litigation.

Just as the EU Data Protection reform has caused undeniable ripple effects worldwide, the U.S. Ediscovery boom has had an impact on the global practice of law.

For example, at the recent LawTech Europe Congress 2012 held in Prague, CZ, on 11/12/12, I was impressed by the overwhelming interest expressed in U.S. based Ediscovery technologies for application in local internal and Government investigations in bribery, corruption and fraud allegations within EU companies, and, to a lesser extent, for application in cross-border ediscovery procedures.

It is in the particular case of cross-border ediscovery, conducted in the context of U.S. civil litigation, that the clashes between local, EU-style data protection regimes and the need for transfer of data to the U.S., are the most acute and problematic.

In order to solve this very complex problem, I believe, in line with the Sedona Conference’s philosophy, that dialogue is of the utmost importance. In the case of U.S. cross-border ediscovery in the EU, this dialogue takes on the additional dimension of a dialogue between two vastly different legal systems: the Common Law system of the U.S. and the Civil Law system of the majority of EU member states. These different legal systems are cause for many misunderstandings between EU and US legal practitioners. On the one hand, U.S. attorneys and judges need to become more familiar with the EU Data Protection regime, and on the other hand, the EU member states’ attorneys, in-house counsel and Data Protection Authorities (DPAs) need to become more familiar with U.S. ediscovery obligations.

In the past, I have explained basic EU Data Protection concepts to U.S. legal practitioners.

At the LawTech Europe Congress 2012, I attempted to explain U.S. Ediscovery principles to an audience consisting mainly of Civil Law practitioners.

The presentation can be heard here:

 

 

 

The Sedona Conference Working Group 6, of which I am an active member, has worked relentlessly to achieve a dialogue between the EU Data Protection Authorities and US attorneys, in-house counsel and Federal Judges. It published The Sedona Conference International Principles on Discovery, Disclosure and Data Protection in December 2011, which is now open for public comment. The Principles were very well received by the Article 29 Working Party, the EU Data Protection Authorities’ Advisory Body, presided over by Jacob Kohnstamm.

It is the hope of The Sedona Conference that its International Principles will become accepted as best practices, as a code of conduct by U.S. litigants and Judges, as well as by EU member states’ DPAs.

To paraphrase Viviane Reding: … because litigation is a global challenge. In a world where borders are increasingly blurred, and where data moves at the speed of light, U.S. ediscovery rules matter beyond their borders.

 

Digital Forensics and Privacy and Technology in Balance at the 34th International Conference of Data Protection and Privacy Commissioners

The 34th International Conference of Data Protection and Privacy Professionals was held this year in Punta del Este, Uruguay, on October 22-26.

Uruguay enacted a comprehensive Data Protection Law, the Ley no. 183331, in 2008, and was recently declared a “third country with an adequate level of data protection” by the European Union. Uruguay was one of the first Latin American countries (after Argentina) to adopt an omnibus privacy law, after which Mexico, Colombia, Costa Rica, Peru and Nicaragua followed suit. Brazil, Chile and Ecuador might be next. We are definitely witnessing a trend in Latin America towards enacting data protection laws, modeled after the European Union data protection framework.

Part of a 1977 Punta del Este Mural by Carlos Paez Vilaro – Picture by Monique Altheim

The theme of the conference was: Privacy and Technology in Balance. As Jose Clastornik of the Unidad Reguladora y de Control de Datos Personales (URCDP), the DPA of Uruguay, declared: since technology is part of the problem, it should also be part of the solution.

The iconic symbol of Punta del Este is the “La Mano” sculpture on Brava Beach. It expresses the action of humans in nature. As such, it was also an appropriate symbol for this conference: How to balance the technological advances created by humans with what most data protection authorities around the globe consider human beings’ natural right to privacy and data protection.

“La Mano” sculpture in Punta del Este by Mario Irarrázabal – Picture by Monique Altheim

Uruguay’s President, Jose Mujica, expressed serious worries about the lack of privacy created by technological developments. He said, jokingly: “Sinners, you’re doomed!” At the same time, he expressed the need for knowledge to move forward and the hope that a proper balance between advancing technology and privacy protection will be achieved.

In Uruguay, technology and knowledge are indeed moving forward at a rapid pace, thanks to the remarkable CEIBAL project. About four years ago, the Uruguayan Government started distributing free laptops to all elementary school students and teachers, and it provides no-cost internet connection to all.

From left to right: Diego Caneda, Jose Mujica Cordano (President of Uruguay), Felipe Rotondo (President of URCDP), Jose Clastornik (Member of Executive Council URCDP)

In sync with the theme of the conference, I was asked to moderate a panel on digital forensics, titled: “Forensic Tools: What Our Devices Tell About Us”.

Unfortunately, I don’t know much Spanish. That led to an amusing misunderstanding. A Latin American colleague tried to converse with me in English, and asked whether I had seen the hen yet. I said no, what is the hen? He explained that it was a very famous sculpture on the beach of Punta del Este. I spent whatever free time I had in Punta looking for a hen, but couldn’t find any. It was only when an American colleague pointed to a sculpture on the beach and said: this is the “hand”, that I finally understood.

We all speak different languages, and the misunderstandings this creates can lead to some problems of miscommunication, but they usually have limited consequences. All you need, after all, is a translator, dictionary or Google app to set things straight.

We all speak one language, though, that is identical: today, we all speak digital. We communicate through email, text messages, videoconferencing and social media. Those data are stored on databases in private companies and government agencies, on our laptops, mobile phones and, increasingly, on servers in the “cloud”. According to a recent IBM report, there are currently 2.7 zettabytes of digital data in the universe. That equals one trillion truckloads full of documents. In the case of a security breach, private civil litigation or internal audit, government civil or criminal investigation, the goal is always to find relevant evidence. How does one find relevant evidence among such monstrous numbers? How do we ensure the authenticity and accuracy of digital evidence? And how do we make sure that data protection and privacy rights of individuals are not trampled upon during the search for evidence?

This is the domain of ediscovery and digital forensics, and my panel of experts examined every aspect of this fascinating issue.

My panel consisted of, from left to right, Oscar Puccinelli, an attorney and professor of Constitutional Law at the National University of Rosario in Argentina, Jeimy Cano, CIS at Ecopetrol and professor at the Universidad de Los Andes in Bogota, Colombia, Gustavo Betarte, CTO at Tilsor and researcher and professor at the Engineering School of the Universidad de la Republica in Montevideo, Uruguay.

And, from left to right, Yoram Hacohen, head of the Israeli Law, Information and Technology Authority (ILITA), and William C. Barker, associate director and chief cyber security advisor at the National Institute of Standards and Technology (NIST).

William C. Barker started by giving us a digital forensics 101 overview, which you can follow in this powerpoint presentation. He explained the different phases of digital forensics, concepts such as digital signatures and hashing, the policies companies and organizations should adopt regarding forensic investigations, and the standards that NIST has developed so far, such as the Computer Forensic Tool Testing (CFTT).

Digital Forensics by William C. Barker (NIST)

Following this excellent presentation, Gustavo Betarte delved into the privacy issues arising out of forensic analysis of deleted data. He explained how amazingly difficult it is to truly delete data from computer systems and how very often forensic investigators find troves of sensitive data thought to be deleted. For example, in the notorious Enron case, many of the incriminating emails were reconstructed from a “deleted data” folder.

After listening to Gustavo for a while, I started thinking that maybe the whole “right to be forgotten” controversy is just wishful thinking of policymakers with no knowledge of computer forensics.

For more details on Gustavo’s presentation, check out his slides:

Threats to Privacy in the Management of Data Stored in Computer Systems by Gustavo Betarte

Yoram Hacohen gave us a couple of interesting practical case studies conducted by his office involving forensic examinations and privacy.

He explained how his department, with the help of its forensics lab, cracked the biggest privacy breach case that ever occurred in Israel, involving the theft of Israel’s entire Population Registry. See here a previous entry about this notorious case.

Yoram put it very succinctly when he said: the suspect remained silent, but his computer spoke volumes!

Watch this fascinating briefing to find out how the investigation led to the unmasking and arrest of six suspects and how one fatal “mistake” by the hacker who published the registry online led to his discovery.

As more and more companies and organizations move their IT operations to the “cloud”, it was essential to address the forensics issues arising in this ecosystem.

Jeimy Cano gave a comprehensive powerpoint presentation on digital forensics in the cloud environment.

This slide gives one an idea of the complexity of conducting digital forensics analysis in a cloud architecture. One of the particularities of cloud forensics is the ability to conduct remote probing into distant systems. There are even applications one can install in order to allow for future remote forensic investigations, should the need arise.

And finally, cloud computing creates a unique challenge in criminal investigations. Whereas in a physical home search, the police must show a warrant before proceeding, in a remote search of computers or servers in the cloud, the data subject or data controllers/processors are not in a position to ask for a warrant before letting investigators in, since remote digital forensics can be executed without the knowledge of the data subject or the data controller/processor. The same is true when cybercrime investigators install remote trojans to monitor suspect computer systems.

Oscar Puccinelli tackled this thorny issue. He sighed at the fact that the law is always seriously trailing behind the technology, and stressed that currently there is a lack of balance between technology and the law. Technology develops at lightning speed, while the law develops at a snail’s pace. This is especially true concerning the cloud environment. He stressed the importance of international cooperation, and praised the EU and US for their cooperation efforts in this field.

Important efforts harmonizing substantive and procedural criminal law come from the Council of Europe Cybercrime Convention, the leading public international law in this field, which came into force in July 2004 with some 47 signatures, including non-European states such as the United States.

Oscar deplored the lack of a regional agreement in Latin America.

He also mentioned that the cloud is a new space that is strongly monitored under national security laws by most government agencies around the globe.

The “Patriot Act” is not alone.

For example, the German Federal Office of Criminal Investigation (BKA) may, in investigations involving terrorism or national security, use a “Federal Trojan” (a government-issued computer virus) to search a Cloud provider’s servers, monitor ongoing communications, or collect communication traffic data without the knowledge of the target. In addition, the G10 Act provides German intelligence services with the authority to monitor and record telecommunications without a court order in investigations of a serious crime or a threat against national security, such as terrorism.

Oscar’s conclusion: Clouds in the cloud.

In order not to end with such a gloomy “weather forecast”, I included a short recording of the lavish party that the Uruguayan organizers had prepared for the conference’s attendees. Besides being served a sumptuous banquet, the delegates were treated to a show of “Candombe”, an Afro-Uruguayan traditional dance. Enjoy!

U.S. Cross Border Ediscovery vs. EU Data Protection: Clash of the Titans

I recently gave a CLE presentation at the LegalTech West Coast Conference in Los Angeles on the legal problems and tensions of conducting U.S. civil litigation ediscovery in the European Economic Area (EEA), which consists of the 27 EU member states plus Iceland, Liechtenstein and Norway.
The subtitle “Clash of the Titans” derives from the fact that on the one hand the U.S. has the broadest pre-trial civil litigation discovery procedure on earth, while on the other hand the EU has the most stringent data protection framework on the planet. Trying to collect and transfer terabytes of data, most of which contain personal components, in the EU, where data protection is a fundamental right and very heavily regulated, is indeed quite a challenge.

In this presentation, I analyzed the U.S. jurisprudence on the extra-territorial application of U.S. ediscovery obligations as well as the EU guidelines concerning personal data collected while conducting U.S. civil ediscovery in the EEA. I introduced the mostly American audience to principles of EU data protection.

Here is the slide deck I used for this presentation.

Legaltech West Coast: Cross Border Ediscovery vs. EU Data Protection

Earlier this year, I organized and moderated three panels on Ediscovery at the CPDP Conference in Brussels, where I introduced the unique U.S. civil ediscovery framework to the mostly European audience.
Here is the video of the cross-border ediscovery panel I moderated.

Thanks to my dual qualification as an attorney in the U.S., as well as in the EU, I am in a unique position to act as a bridge between the exclusively common law tradition of pre-trial ediscovery in civil litigation in the U.S. and the EU tradition of data protection of personal data.

The Privacy Law Salon: Dialogue with Policymakers

Yesterday, the first Privacy Law Salon in Washington DC took place at the National Press Club. The Privacy Law Salon: Dialogue with Policymakers was “a unique meeting of the most experienced practitioners and corporate executives dealing with privacy law matters, and a unique opportunity to interact with the policymakers affecting the future of privacy.”

The purpose of the Salon was “to facilitate a high-level exchange of ideas and in-depth dialogue on cutting-edge and emerging issues that are vital to clients, corporations, government and the public interest.”

The Salon was held under the Chatham House Rule.

Some of the main points discussed included:

1. Do Not Track: The DNT system will be in place within a year from now.

2. EU and Global Privacy Interoperability:

  • The global debate of the EU prescriptive system v. the US enforcement system will take center stage in the coming year.
  • The global flow of information has been rephrased as a trade policy issue: the use of mutual recognition and enforcement arrangements, so information can flow freely.
  • Many are uncomfortable with the notion of the US seeking “adequacy” status from the EU. The terms “interoperability” and “mutual recognition” are much preferred.
  • The single most important action from the US towards “interoperability” with the EU would be the passing of the “Privacy Bill of Rights” proposed by The White House last February, but it is very questionable whether this bill will be passed within the next year.
  • Instead, the Safe Harbor and BCR Frameworks will probably be expanded.

3. Context:

  • The new “context of interaction” standard, recommended in the FTC report of last March, for establishing whether the consumer needs to be provided with privacy choice when personal data are collected, prompted a lot of participants to demand clarification as to exactly what that new standard meant: Is the new standard to be measured by the “Expectation of Privacy” from the consumer, or should the absence v. possibility of harm to the consumer be preferred as a measuring rod in order to determine whether the collection of personal data happened within the “context of interaction”? The latter seemed to be the more popular view.
  • This led to a request from participants for more clarity and guidance as to what exactly constitutes “privacy harm”.

4. Hot Topics: The following were mentioned as current “hot topics” in Privacy:

  • Social Media Policies and their need for compliance with the NLRB rules.
  • The need for coherence in policymaking and applications of the rules.
  • The need for more technical knowledge from the regulators.
  • The gaps in health data coverage by HIPAA. The example was cited of the physician who does not accept health insurance, and therefore is not covered by HIPAA.
  • The “Cloud” and access to personal data by Governments.

5. FTC Enforcement Issues: Participants expressed a desire for more transparency and for more disclosure of standards used in FTC settlements. It was pointed out that, even though the right to appeal the FTC settlement decisions exists, it has never been exercised.

The lack of jurisprudence in this area was unanimously deplored.

 

U.S. – EU Safe Harbor Framework News and Views

In 2000, the EU and the U.S. agreed on the Safe Harbor Framework as a means to ensure adequate protection for personal data, transferred from the EU to be processed by U.S. companies.

At the recent EU Conference on Privacy and Protection of Personal Data, held in Washington DC, the last panel took the opportunity to take stock and discuss the way forward for this agreement. In this session, businesses and regulators presented their views and experiences with the U.S.-EU Safe Harbor Framework.

Francoise Le Bail, Director-General for Justice, European Commission, started by reassuring all stakeholders that the current reform in EU Data Protection Law would not put the Safe Harbor Framework at risk as one of the accepted ways for adequate transfer of personal data between the EU and the US, as was mentioned in the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson.
“In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”.

The panelists considered the framework to be mostly a success story, with 3,000 US companies currently enrolled in the program, 50% of which are small and medium enterprises, but most agreed that the system could use some improvement.

David Smith of the British Data Protection Authority, the ICO, recounted the “absolutely awful” birth of the framework, the difficult young years and the current maturing into a working instrument for data protection interoperability between the US and the EU. “The mistrust is gone, as we believe the US is acting in good faith.” He did concede, though, that a larger number of audits would ensure more effective compliance by all companies.

Michelle O’Neill, of the Department of Commerce, added that in order to ensure better compliance, the supervising departments needed more resources.

She announced that her department is currently discussing the expansion of the Safe Harbor Framework to non-profit organizations.

Hugh Stevenson, of the Federal Trade Commission, stressed the importance of enforcement and awareness raising in order to make compliance the norm, but deplored the lack of resources to achieve that goal. He appealed for more international enforcement cooperation as well.

Jan Philipp Albrecht, Member of the European Parliament, concurred that Safe Harbor was performing well but was in need of improvement on the compliance front. He suggested the granting of individual rights of action for consumers in order to ensure better compliance by the Safe Harbor certified companies. Currently, enforcement of Safe Harbor rests with the FTC, under section 5 of the FTC Act, which prohibits “unfair and deceptive trade practices”.

Nuala Kelly O’Connor, Senior Counsel – Information Governance & Privacy at General Electric, advocated for more global privacy interoperability, in addition to Safe Harbor, which is limited to the EU – US transfer of personal data.

For a complete overview of this panel, please watch this 4 Gigabyte HD video, which I taped and uploaded on my YouTube Channel EdiscoveryMap.

Moderator: Armgard von Reden, Lecturer at SRH and Quadriga University, Berlin
Participants, from left to right:
• Françoise Le Bail, Director-General for Justice, European Commission
• Michelle O’Neill, Deputy Under Secretary for International Trade, US Department of Commerce
• Jan Philipp Albrecht, Member of the European Parliament
• David Smith, Deputy Information Commissioner, United Kingdom
• Hugh Stevenson, Deputy Director for International Consumer Protection, Federal Trade Commission
• Nuala O’Connor-Kelly, Senior Counsel – Information Governance & Privacy, General Electric

EU – US Privacy and Protection of Personal Data: Americans Are from Mars, Europeans Are from Venus

The High Level EU Conference on Privacy and Protection of Personal Data, held on March 19, was organized by the European Commission and hosted by the US Institute of Peace in Washington D.C. The conference was held simultaneously in Brussels as well, via a video conference link.

This conference was meant to deepen transatlantic dialogue on commercial data privacy issues in order to achieve further interoperability between the two systems at a time when both the EU and the US have taken significant steps towards new data protection legislation.

On January 25, the European Commission had published a draft proposal for a new Data Protection Regulation, and on February 23, the White House had released its privacy blueprint, including the Consumer Privacy Bill of Rights.

On the occasion of this conference, Commerce Secretary John Bryson and European Union Commissioner Viviane Reding announced in a joint statement a new commitment to collaborate on privacy issues and laws.

While almost all panelists on the EU side insisted on the necessity of a binding set of laws, accompanied by individual rights of action in order to get significant privacy compliance from data controllers, most panelists on the U.S. side affirmed that voluntary codes of conduct, combined with enforcement by the FTC, would achieve the same result, while allowing for more flexibility in adapting to the constantly changing technological landscape.

Even though the panelists went through great efforts to stress the common values and goals of the EU and U.S. policy makers, there is no denying that the European and American “privacy DNAs” remain vastly different. One major difference is the fact that, even in the commercial realm, privacy and data protection is a human and constitutional right in the EU, while in the U.S. it is at best considered a consumer right, if a right at all.

Did the conference achieve its goal of bringing the two sides a little bit closer together?

In order to enable those who could not attend the conference, either live or through video transmission, to judge for themselves, I wrote a “play” in three acts, based on the actual discussions that took place during three panels.

 

Americans Are from Mars, Europeans Are from Venus

Act 1: A Law or not a Law?

 Francoise Le Bail (EC): I realize I am in the Lion’s Den (giggle), but I shall be brave. It is critical to have a privacy LAW, so that people will TRUST the internet!

 Daniel Weitzner (White House): We will call on Congress to legislate in order to provide people with the necessary TRUST in the new information economy. But, meanwhile, we hope that the stakeholders will create their own little codes of conduct.

 David Vladeck (FTC): We all agree! Yay! By the way, did you know that in the U.S. Voluntary Codes of Conduct are just like Laws? We are so good, we even obey the law, when there is no law! And they are so flexible, to boot!

Douwe Korff (EDRi): Waddya all talking about?? Did you know that in the EU, privacy is a human right? You need a CONSTITUTION to guarantee a human right! Voluntary codes of conduct, humph.

Mark Rothenberg (EPIC): I see a window of opportunity. I see legislation on the horizon.

Viviane Reding (EC): One-Stop-Shop!

John Bryson (White House): This will be a landmark year for data protection!

Ed Markey (D-MA): The Europeans are coming! I love them. We must legislate, especially my own very excellent proposal. Do it for the children, folks! It’s immoral not to.

APPLAUSE FROM THE EUROPEANS. END OF ACT 1.

Act 2: The Interoperability Dream

Lawrence Strickling (DoC): Yes, we can!

Jennifer Stoddart (Privacy Commissioner Canada): If the Europeans can do it with the Canadians, they can do it with the Americans too!

Peter Hustinx (EDPS): Now wait, little children: first eat your voluntary codes, and make them binding, and then we shall see. I might have a surprise for you!

Daniel Pradelles (HP): Self Regulation Rocks! Plus, we at HP are the only ones to have BCRs approved by all DPAs of all the EU Member States.

Claus-Dieter Ulmer (Deutsche Telekom): Will you make up your minds already? The faster and the easier the solution, the better for us. Either way, we need to know.

Marie-Helene Boulanger (EC): First, second, third and finally, fourth. And if you Americans will get off your a..es and legislate already, well then, we might just become interoperable with you guys.

Axel Voss (MEP): What we really need is global data traffic regulation.

Joe Alhadeff (Oracle): HOW on earth are you going to do all this?

END OF ACT 2. LUNCH.

Act 3: Let Me Count the Ways I Enforce Thee

Julie Brill (FTC): We at the FTC protect the Global Community with our fierce enforcement actions!

Cameron Kerry (DoC): The FTC is the Global Leader in enforcing privacy protection!

Paul Nemitz (EC): Global Leader?? Global Leader in P.R., ha!

Maneesha Mithal (FTC): Paul Nemitz, we make sure to publicize our daring dawn raids, so the bad guys will tremble in their board rooms, ha!

Jacob Kohnstamm (Dutch DPA) (with an inexplicable tired look on his face): We need to enforce to get compliance. And FYI, opt-out in OBA is NOT adequate. You give me explicit consent, I give you adequate, capice?

Kostas Rossoglou (BEUC): I wish we had class actions for data protection law suits.

Jeff Chester (CDD): The FTC enforces, and Google and Facebook are expanding their data collection like never before. Please listen to me, the entire world is analyzing the entire world!

Law Student Max Schrems (Europe v. Facebook) (fresh faced): I took Facebook to task, so why can’t you, old geezers?

Maneesha Mithal and Jacob Kohnstamm (in unison): If I were a rich man, lala lala lala la, all day long I’d do nothing but enforce, la la la la la!

THE END


PANEL 3, moderated by Cedric Laurant, or where what was really said can be heard:

 

 

Safe Harbor, discussed during the fourth panel, will be the subject of a separate post.

 

 

Twitter Weekly Updates for EUdiscovery

How EdiscoveryMap Kept You Informed in 2011

A short recap of EDiscoveryMap’s Monique Altheim‘s activities in 2011 to help keep her readers informed in the areas of Privacy, Ediscovery and Social Media:

 

And finally, she created a new website for her law firm, The Law Office of Monique Altheim.

Wishing all a Happy 2012, and looking forward to sharing even more information this coming year via old and new channels and platforms.

 

 

 

Attention EU Readers of EDiscoveryMap: We are bringing EDiscovery to Brussels on January 26

EDiscoveryMap is pleased to announce that Monique Altheim will moderate E-Discovery Sessions at the Computers, Privacy & Data Protection Conference (CPDP) in Brussels on January 26, 2012.

The panels will feature an international roster of thought leaders and practitioners in the field of Cross-Border E-Discovery and EU Data Protection:

Willem DEBEUCKELAERE, Privacy Commission (BE), Master Steven WHITAKER, Royal Court of Justice (UK), Chris DALE, e-Disclosure Information Project (UK), Amor ESTEBAN, Shook, Hardy & Bacon, LLP (USA), James DALEY, Daley & Fey LLP (USA), Nigel MURRAY, Huron Legal (UK), George RUDOY, Integrated Legal Technology LLC (USA), Monika KUSCHEWSKY, Van Bael & Bellis (BE), Natascha GERLACH, Cleary Gottlieb Steen & Hamilton (BE), Dr. David EVANS, Evans LLC (USA), Dominic JAAR, KPMG (CA), and Erik LUYSTERBORG, Deloitte (BE)

With the increased globalization of the economy, companies in the EU are often subject to litigation holds and requests for production of relevant data by US litigants. If those data contain personal information, there is a serious conflict with the EU Data Protection Laws, which deem preservation and production of such data in principle illegal.

Since the concept of pre-trial discovery is practically non-existent in the European Union member states with a Civil Code tradition, the session will start with a discussion of the general principles of the U.S. procedure of discovery of electronically stored information (ESI) in civil litigation, for the benefit of EU attendees.

What triggers the duty to preserve data relevant to litigation? What are litigation holds? What is spoliation? What are the sanctions for non-compliant parties? These are some of the topics that will be addressed.

What happens when the data, relevant to U.S. litigation, contain personal information and are located in an EEA member state?

The second panel will explore these complicated conflicts between U.S. Ediscovery obligations and EEA Data Protection obligations and propose some practical solutions.

The just-published Sedona Conference International Principles on Disclosure and Data Protection and the draft EC Proposal for a Data Protection Regulation will be discussed, along with their impact on the future of Cross-Border Ediscovery.

What technological innovations can be applied to minimize the personal data preserved and collected in EEA member states?

What happens when relevant data are located in the cloud, on social media sites or on mobile devices? Which national law applies to determine the applicable data protection regime?

These and other emerging topics in cross-border Ediscovery will be tackled by the last panel.

The CPDP Conference, titled “European Data Protection: Coming of Age”, will run from Wednesday, January 25 until Friday, January 27. It will coincide with the official publication of the EC’s Proposal for EU Data Protection Regulation and with the European Privacy Day on January 28.

To take advantage of the early bird registration fee, register here before December 30.

The Thief, The Programmer, The Hacker and The Data Protection Authority: How ILITA Cracked The Case

At the 33rd International Conference of Data Protection and Privacy Commissioners (CDPP), held in Mexico City on November 2 and 3, Yoram Hacohen, Head of the Israeli Law, Information and Technology Authority (ILITA), and Ariel Shoham, Deputy Head of the Enforcement Department of ILITA, held a private briefing, where they explained how they cracked the biggest privacy breach case that ever occurred in Israel.

Just a week earlier, on Monday, October 24, ILITA (The Israeli Law, Information and Technology Authority in the Israeli Ministry of Justice), Israel’s Data Protection Authority, had made the following announcement on its website:

“ILITA (The Israeli Law, Information and Technology Authority in the Israeli Ministry of Justice), Israel’s Data Protection Authority, has cracked the case involving the theft of Israel’s Population Registry, the development of bespoke search and navigation software, and their dissemination online.

ILITA’s investigation revealed that in 2006, an individual outsourcing service provider to the Ministry of Welfare and Social Services downloaded and stored at his home a complete electronic copy of Israel’s Population Registry, which contains numerous data fields such as full name, identification number, address, date of birth, date of death, date of immigration to Israel, family ties etc. for more than 9 million Israeli citizens, including minors and the deceased.

The suspect disseminated to a third party a copy of the database, which subsequently reached a software developer who developed a program called “Agron 2006” to enable users to run complex searches and queries on the data, including navigating among family ties of the entire Israeli population. The “Agron” software was then cracked and eventually uploaded by a hacker to online peer to peer networks and disseminated worldwide. The hacker went further to create a website promoting the download and use of “Agron”, while implementing sophisticated means, such as proxy servers and purging of traces on his computer, to conceal his identity and try to evade Israeli jurisdiction.”

In this video, filmed by this author during the briefing at the CDPP Conference, Yoram Hacohen, Head of ILITA, and Ariel Shoham, Deputy Head of the Enforcement Department of ILITA, explain how they cracked the biggest ever Israeli privacy breach case.

They started by mapping the entire information infrastructure of the Ministry of Interior, where the breach had occurred, to understand the information flow. ILITA’s forensic lab then retrieved sixty-five terabytes of information from diverse sources, most of which were obtained with court orders. Over 135,000 phone calls, 111 external hard drives, 3,232 CDs, 25 desktops, 13 laptops, 15 USB drives, 45 internal HDs and 25 mobile phones were analyzed.

Watch this fascinating briefing to find out how the investigation led to the unmasking and arrest of six suspects and how one fatal “mistake” by the hacker who published the registry online led to his discovery.