As we look to 2019, the question of what changes will take place in the world of e-discovery over the next year will certainly entice answers from the many legal minds who work with e-discovery. Those answers, however, are not so obvious. The questions that the e-discovery community will address and the factors that can play a large part in providing those answers may be far more obvious, as they arise from the many changes in the law and digital technology discussed at great length in 2018. Which answers, however, the community will prefer will depend upon the legality, complexity, cost and availability of those answers, as well as the community’s sense of its own strengths and weaknesses. In this month’s column, I will look at ongoing discussions of or references to those questions and answers in an attempt to get a picture of what we can expect in the coming year.
GDPR and Other Legal Standards
The General Data Protection Regulation, or GDPR, which took effect in the United States in May 2018, is a European Union (EU) law governing data security for all data housed in or transferred from the EU. Inasmuch as a considerable amount of data is transferred from the EU to the United States (as with so many legal requirements, the American personnel who must discharge those GDPR requirements often has no sense of just how large the volume at issue is until the requirements are enforced), and, given that a considerable amount of American data is stored (either for active use or backup) in “the cloud,” which very often means on servers kept by providers in the EU, the GDPR requirements touch upon many more users—including lawyers, firms and their clients—than an American user not caught up in discussions about the GDPR would initially believe. In addition to the GDPR, other data security laws have taken effect, and more are sure to follow. It is easy to imagine that a considerable amount of protected data—pertaining to personal identification, financial transactions, scientific research and numerous other matters to which the public, in general, should not have access—will be found in materials under review for or produced as e-discovery.
The principal affect of these laws on lawyers, then, will be to force them to take the steps needed to comply with the GDPR and other privacy laws. On a technical level, that means making sure that whatever services providers the lawyer uses (contracted directly or provided by the landlord), whether they are to maintain the lawyer’s or firm’s digital data, or to provide services specific to e-discovery production, provide services in compliance with such privacy laws. To take such steps, the lawyers at issue will have to be well-versed in the privacy laws, so as to be able to speak intelligently with the service providers and confirm that the providers are, in fact, complying with such laws. Lawyers can contract with experts in the field and have those experts oversee the security of the service providers, but the lawyers would still have to talk to these experts as they would to the service providers, so they cannot avoid the requirement that they gain expertise in the fields of the legal requirements of data privacy and what technical and other (e.g., background searches, proper internal procedures, etc.) steps must be taken so as to speak intelligently with the service providers they have contracted.
The discussion of the GDPR and other privacy laws above, in particular the locations of data, alludes in a small way to a telling change in the e-discovery community—the increase in how many within that community possess a fundamental to sophisticated understanding of the technical issues that e-discovery presents. That increase in understanding can allow for many other changes.
If one goes back to the first seminal e-discovery cases, Zubulake v. UBS Warburg, 382 F. Supp. 2d 536, 231 F.R.D. 159 (2005) and its related cases, the reader will see explanations of how hard drives work, what it means to preserve or delete data, and other aspects of digital data storage and communications that were not well understood at a user level and very poorly understood at the expert level. The legal world in 2005 was almost exclusively either completely ignorant of or intimidated by e-discovery and the basics of how computers worked, e.g,, what was a hard drive, what were digital programs, what was a server and how did it differ from a hard drive, how was data “backed up,” how was data copied such that it could be proven or disproven that the copy was identical to the original, and so on.
Over the past 10-plus years, both the digital world and attorneys’ understanding of it has increased dramatically. To provide but one example, Artificial Intelligence (AI) or, as specific to e-discovery, Technology Assisted Review (TAR), applications where decisions made early on in the “thinking” processes lead to results that, if done mechanically, would take considerably longer and with far less accurate results, did not exist.
Today, such applications are considerable, and an increasing number of lawyers and support staff understand what they do and how to use them well. There are several reasons for the increase in knowledge by the legal community. To provide a personal example, in 1989, I was one of the “sophisticated” users in the Philadelphia District Attorney’s Office because I, along with a handful of others in a population of over 400 lawyers and investigators, had a pager. I became even more “sophisticated a month or two later when I acquired my very own desktop computer. Recently, I saw on TV for the millionth time the wonderful film, “Definitely, Maybe,” which contains a scene in which Ryan Reynolds, 22 years old, bright and sophisticated, new to New York City and, in 1992, working to get Bill Clinton elected president, is handed a device weighing one to two pounds and about three to four times larger than a soda can. Reynolds has no idea what it is: it is a cellphone. By 2005, when the first of the Zubulake opinions was published, “sophisticated” users had Blackberries.
The 40-year-old (and older) law partners of the 1990s, who knew “everything,” are gone or going now. The 20-something associates of the 1990s are 50-somethings now and have lived their entire professional life in a digital environment. A great many have no interest in that environment, but even they can operate the applications lawyers need to discharge their professional duties, whether that entails searching a database for caselaw, reviewing emails and texts, drafting a legal document, and so on. Today’s younger associates are, for the most part, highly literate in digital matters and in no way intimidated by them.
One consequence of the changes discussed above is that lawyers and legal professionals at the law firm can now perform many of the tasks which, just a decade ago, only e-discovery providers could perform. Do not be surprised if more firms are taking in-house e-discovery processing, review (using applications such as the widely used Relativity) and production. Large review projects, involving dozens of review attorneys, may be conducted in-house by lawyers, interns supervised by lawyers, or only a few attorneys cutting through innumerable data files using TAR applications.
There are still many tasks that fall outside of the expertise of lawyers and legal professionals at the firm, involving setting up and overseeing IT connectivity and various devices (cellphones, desktop and laptop computers, servers, etc.), data security and other tasks. Again, do not be surprised if more of these tasks are brought in-house, taken care of by employees with college degrees in IT who know a great deal, cannot believe how much the law firm pays them for what they love to do, and want to impress their bosses with their knowledge and work ethic. All of these changes will allow firms to internalize the cost of many of their e-discovery and IT steps, bringing those costs down and allowing the firms to profit more from providing those services to their clients.
One more task to be brought in-house will be the retention by law firms of experts who can explain, and testify to, all of the steps in the e-discovery process, from identification of data sources and forensic data collection to data processing, review and production. Given that these witnesses should understand in granular detail all of the steps of the e-discovery process, and that they will likely not be testifying frequently, it is likely that they will be the overall supervisors of the technical aspects of e-discovery at the law firm or the firm’s client, called to testify when needed.
A side consequence of these changes is that e-discovery companies will find themselves cutting back on some services they now routinely perform. If, for example, more technically sophisticated lawyers at firms can draft intelligent motions to challenge the collection of data by their opponent’s client, leading producing parties to collect and search data in a forensically sound manner (as opposed to having their clients simply copy whatever data they can find), review systems to ensure that the data collected was not in any way touched by anyone hacking into the client’s system, and so on, and if technically sophisticated personnel at law firms or their clients can testify with regard to these matters, e-discovery companies will find themselves either no longer providing such expert witnesses or doing so far less frequently than at present.
Given the almost daily increase in the volume of digital files, the changes discussed above will probably not result in a decrease of billable hours or services by e-discovery companies, but they most likely will cause them to provide the sophisticated services that law firms try to avoid requesting so as to bring down costs and will try to provide but find that doing so will not be cost-effective. Thus, services that today are considered somewhat exotic will likely soon be standard, while others now considered standard will be provided in-house and not given nearly as much thought. And, of course, let us not forget that experts in IT security shall be called upon to monitor the compliance of all systems with the GDPR and all data security laws and agreements.
It is relatively easy to sound convincing when predicting the future, but much harder to get it right. Of course, I cannot guarantee that what I anticipate will happen actually will take place. It does, however, stand to reason that because now most of the legal community has grown up in the age of computers, it is far more comfortable with and knowledgeable of the digital world than was the legal community in place when e-discovery exploded not that long ago. This level of comfort and knowledge, along with the advances made both within the devices and applications that create, store and transmit data files, as well as to the applications that gather, process and review such files so as to produce e-discovery, should allow, if not compel, law firms to internalize many of the services now provided by e-discovery companies. At the same time, the increasing legal requirements, resulting in increasing technical requirements, to maintain IT security shall result in more companies—perhaps e-discovery companies called upon less to provide e-discovery services—providing such services to law firms and their clients.
Leonard Deutchman is a legal consultant recently retired from one of the nation’s largest eDiscovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney’s Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses. Contact him at email@example.com.