Microsoft 365

Stay up to date on the latest changes in Microsoft 365 and Purview and understand their impact on eDiscovery and how organizations collaborate and manage their data.

Filter by content type
Select content type
Filter by trending topics
No items found.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Button Text
March 21, 2024
Case Study

Lighthouse Drives First Adoption of M365 by a Major Financial Services Organization

The project included replacing expensive third-party archives with native tools in M365, utilizing an automation solution that Lighthouse had recently prototyped for a large global manufacturer, and other breakthroughs the institution was unable to make before engaging with Lighthouse. Our work with the institution helped unblock their Microsoft 365 deployment and ultimately led to disclosure to regulators for institution’s intent to use M365 as system of record.SIFIs have long wished for a better way to meet their mutability requirement. Historically, they have relied on archiving solutions, which were designed years ago and are poorly suited for the data types and volume we have today. For years, people in the industry have been saying, “Someday we’ll be able to move away from our archives.” It wasn’t until the introduction of M365 native tools for legal and compliance that “someday” became possible.Data Management for SIFIs is Exceptionally ComplexThe financial services industry is one of the most highly regulated and litigious sectors in the world. As a result, companies tend to approach transformation gradually, adopting innovations only after technology has settled and the regulatory and legal landscape has evolved.However, the rate of change in the contemporary world has pushed many financial heavyweights into a corner: They can continue struggling with outdated, clunky, inadequate technologies, or they can embrace change and the disruption and opportunities that come with it.From an eDiscovery perspective, there are three unique challenges: (1) as a broker-dealers, they have a need to retain certain documents in accordance with specific regulatory requirements that govern the duration and manner of storage for certain regulated records, including communications (note that the manner of storage must be “immutable”). This has traditionally required the use of third-party archive solutions that has included basic e-discovery functionality. (2) As a highly regulated company with sizable investigation and litigation matters, they have a need to preserve data in connection with large volumes of matters. Traditionally, preservation was satisfied by long-term retention (coupled by immutable storage) and without deletion. Today, however, companies seek to dispose of legacy data—assuming it is expired and not under legal hold—and are eager to adopt processes and tools to help in this endeavor. (3) They have a need to collect and produce large volumes of data—sometimes in a short timeframe and without the ability to cull-in-place. This means they are challenged by native tooling that might not complete the scale and size of their operations. This particular company’s mission was clear: to use M365 as a native archive and source of data for eDiscovery purposes. To meet this mission, Lighthouse needed to establish that the platform could meet immutability and retrievability requirements—at scale and in the timeframe needed for regulatory and litigation matters. Lighthouse Helps a Large Financial Institution Leverage M365 to Replace Its Legacy Archive SolutionLighthouse is perfectly positioned to partner with financial services and insurance organizations ready to embrace change. Many on our team previously held in-house legal and technology roles at these or related organizations, including former in-house counsel, former regulators, and former heads of eDiscovery and Information Governance. Our team’s unique expertise was a major factor in earning the trust and business of a major global bank (“the Bank”). The Bank first engaged with Lighthouse in 2018, when we conducted an M365 workshop demonstrating what was possible within the platform—most notably, at the time, the potential for native tools to replace their third-party archives. Following the workshop, the Bank attempted, together with Microsoft, to find a viable solution. These efforts stalled, however, due to the complexity of the Bank’s myriad requirements. In 2020, the Bank re-engaged Lighthouse to supports its efforts to fully deploy Exchange and Teams and, in doing so, to utilize the native information governance and e-discovery toolset, paving way for the Bank to abandon its use of third-party archiving tools for M365 data. Our account team had the nuanced understanding of industry regulations, litigation and regulatory landscape, and true technical requirements needed to support a defensible deployment.As a result, we were able to drive three critical outcomes that the bank and Microsoft had not been able to on their own: (1) A solution adequate to meeting regulatory requirements (including immutability and retrievability). (2) A solution adequate to meeting the massive scale required at an institution like this. (3) A realistic implementation timeline and set of requirementsLighthouse Ushers the Bank Through Technical and Industry MilestonesWe spent six months designing and testing an M365-based solution to support recording keeping and e-discovery requirements for Teams and Exchange (including those that could support the massive scalability requirements). The results of these initial tests identified several gaps that Microsoft committed to close. The six month marked a huge milestone for the financial services industry, as the Bank disclosed to regulators their intent to use M365 as system of record. This showed extreme confidence in Lighthouse’s roadmap for the Bank, since a disclosure of this nature is an official notice and cannot be walked back easily. Over the next few months, we continued to design and test, partnering with Microsoft to create a sandbox environment where new M365 features were deployed to the Bank prior to general availability, to ensure we were able to validate adequate performance. During this time, Microsoft made a series of significant updates to extend functionality and close performance gaps to meet the Bank’s requirements. Finally, in February 2021, all the Bank’s requirements had been met and they went live with Teams—the first of their M365 workload deployments. That configuration of M365 met only some of the Bank’s need, however, so Lighthouse had to enable additional orchestration and automation on top. As it happens, we had recently done this for another company, creating a proof of concept for a reusable automation framework designed to scale eDiscovery and compliance operations within M365. Building on this work, we were able to quickly launch development of a custom automation solution for the Bank. This project is currently underway and is slated to complete in June, coinciding with their deployment of Exchange Online.Lighthouse Enables Adoption of Teams and Exchange and Scales M365 Compliance FunctionalityCompliant storage of M365 communications using native tools, rather than a third-party archive. Scaled and efficient use of M365 eDiscovery, including automation to handle preservation and collection tasks rather than manual processes or simple PowerShell scripts.Improved update monitoring, replacing an IT- and message-center-driven process with a cross-functional governance framework based on our CloudCompass M365 update monitoring and impact assessment for legal and compliance teams.Framework for compliant onboarding of new M365 communication sources like Yammer. Framework for compliant implementation of M365 in new jurisdictions, including restricted country solutions for Switzerland and Monaco. Framework to begin expanding to related use cases within M365, such as compliance and insider risk management. Lighthouse Paves the Way for Broader M365 Adoption Across the Financial Services IndustryFollowing the success of this project, we have been engaged by a dozen other large financial institutions interested in pursuing a similar roadmap. The roadblocks we removed for the Bank are shared across the sector, so the project was carefully watched. With the Bank’s goals confidently achieved and even surpassed, its peers are ready to begin their own journey to sunset their archives and embrace the opportunities of native legal and compliance tools in M365.
September 22, 2023
Case Study

Lighthouse Transforms Complex Enterprise Data Protection with Microsoft Purview

The Lighthouse team of SMEs applied their dedication to exemplary customer experience and unique strategy of marrying compliance, security, IT, and legal needs to help a global chemistry solutions and specialty material producer meet the ever-evolving security and compliance demands and challenges facing international manufacturing and regulations to effectively deploy Microsoft Purview across workstreams while preparing for needs and reducing costs. Global Leader in Chemistry Solutions Transforms Enterprise Data Protection with Microsoft Purview An international producer of commercial chemicals and specialty materials upholds a commitment to people safety and well-being as part of their core tenets. As cyber risks increased along with data volumes, the organization extended their commitment to safety to include the security of data accessed, produced, and stored within their enterprise. Now, the company has implemented a comprehensive data protection program using the entire Microsoft 365 Information Protection suite. After careful design, the team is piloting the solution before a global rollout. A Commitment to Physical and Digital Safety As one of the world’s largest acetyl products manufacturers and a top-tier producer of high-performance engineered polymers, the company supplies chemicals across major industries and for a variety of industrial and consumer applications. Over 10,000 employees in offices, technical centers, and 50+ manufacturing facilities work to realize a vision of improving the world and everyday life through people, chemistry, and innovation—with products that impact the lives of millions. For the organization, an operational approach rooted in well-being has always meant physically safe working environments for employees, and safe solutions for their customers and their communities. However, in this digital age, they have expanded their notion of safety to include data protection for employees, customers, shareholders, and the communities in which they operate. The company’s Chief Information Security Officer (CISO) notes that committing to data protection means a “higher level of assurance—making sure that our security controls keep pace with the threats that surround us every day and seek to exploit vulnerabilities in companies like us every day. You can’t stand still. You always have to evolve—you always have to get better, otherwise you’re devolving, and you’re getting worse, and becoming more vulnerable.” Advancing Data Protection with a Trusted Partner A few years ago, when the company decided to make the move to the cloud, they chose Microsoft 365 E5 and Microsoft Azure, building on their longstanding use of Microsoft technologies. Prior efforts to overhaul their data protection program had been unsatisfactory. However, with access to new Microsoft Purview capabilities, the Information Security team saw an opportunity to try again. They hoped to utilize the full breadth of the Microsoft 365 Information Protection suite including Information Protection Classification and Labeling, Data Loss Prevention (DLP), and Insider Risk Management solutions. Microsoft tapped Security Solutions and Advanced Specialization Designation-Information Protection and Governance Partner Lighthouse Global to lead the engagement for their ability to effectively understand complex compliance needs across IT, security, and legal departments. They hoped that together they could develop a solution to realize the investment they’d made in Microsoft 365, and to support their corporate commitment to safety for both employees and customers. “If you were to interview a bunch of companies, those who have actual, very successful DLP and data labeling programs typically have a hodgepodge of solutions that get melded together,” reflected the CISO, “and that’s where Lighthouse was successful…we’ve been able to leverage the investment…and get it to work, [and not] have to go spend more money to hodgepodge together a solution.” Developing a Comprehensive, Scalable Solution The Lighthouse team started by holding a series of working sessions to align the company’s vision and requirements and design the implementation approach. Using Microsoft Compliance Check, Lighthouse scanned the company’s environment to get an understanding of current state activity and sensitivity intelligence. The team also reviewed existing policies and approaches for the handling of sensitive data and data loss prevention to identify any areas of opportunity or gaps that could exist. From there, the combined teams were able to successfully design and configure a holistic data protection solution leveraging multiple Microsoft Purview products including Data Loss Prevention, Information Protection, and Insider Risk Management. Starting with data classification, the team defined the sensitive information types that needed to be identified. From there, they developed a set of sensitivity labels corresponding to the data protection policy. This set of classification techniques and labels were generated in the course of both Data Loss Protection and Insider Risk Management implementation, ensuring a comprehensive data life cycle protection program from content identification through insider threat analysis. Finally, the Lighthouse team supported the integration of the Microsoft products with the company’s third-party HR software to feed HR data into the Data Theft by Departing Employee Policy, enabling the creation of a truly end-to-end solution. Fulfilling a Mission of Security The company’s dedication to safety, security, and well-being across applications and contexts drove this project’s success. “Because we see security as part of our commitment to people and innovation, we take a uniquely holistic approach and have strong support all the way up to our board of directors,” says the company’s CISO. The CISO also credits Lighthouse’s unwavering commitment to partnership. “They helped us not only implement the technology and guide us through some of the critical points to consider as we implemented the technology, but also the process and decision points with data—which ultimately, in the end, actually worked,” they conclude. Now, with the design and implementation of the Microsoft Purview-based Data Protection program behind them, the organization’s information security team is focused on operationalizing the program through a series of pilots scheduled over the next year. Their ultimate goal is total, global implementation of the solution—and total, global protection for all employee and customer data. Corporate Case Studymicrosoft; big-datamicrosoft-365; data-privacy
May 15, 2023
Case Study

Meeting Compliance Burden for Financial-Sector Giant

Lighthouse helps global British bank resolve critical risks during a major technology overhaul. Key Actions Microsoft referred Company to Lighthouse to address eDiscovery needs within Microsoft 365 (M365) Lighthouse assembled a team whose members had former expertise gained from stakeholder departments that were affected by the unresolved needs Key Results Compliance risks were successfully remediated using native M365 tools The Company used its new platform to avoid the need for add-on services or vendors What They Needed M365 Implementation Yields Data Risk Management As one of the nation’s largest financial institutions, the Company’s move to M365 required exceptional time and care—further complicating compliance requirements for record-keeping, data protection, and regulated conduct, and ultimately placing demands on M365 that created uncertainty of whether the platform could be resolved. The complex compliance requirements fueled an internal audit, revealing several risks related to the Company’s management of unstructured data, including its practices for retention, deletion, preservation, and protection of sensitive information. The Company asked Microsoft for help—and Microsoft referred the Company to Lighthouse. Tight Deadlines, Exceptional Solutions Lighthouse was tasked to explore whether M365’s native information governance (IG) and eDiscovery tools could address the risks identified in the audit. The team launched a series of workshops, interviews, and research tasks to: Educate stakeholders about M365’s native capabilities for records and information management (RIM) and IG Define stakeholders’ needs and current workflows regarding RIM and IG Analyze gaps in the current state Test and propose new workflows using native M365 tools Executives intensely monitored this project, as every identified risk was critical, so the pressure on the teams’ proposed workflows was tremendous—not to mention a tight 12-week timeline. Lighthouse prevailed, fielding a team of experienced peers with the Company stakeholders. Every business group—from records management to IT that were responsible for remediating risks—was paired with a Lighthouse consultant who had previously filled a similar role at a comparable institution. Our experts gained rapid credibility with each stakeholder group, and they ultimately accomplished a unified solution that was acceptable to all parties. Our solution succeeded in remediating all flagged risks using RIM and IG workflows within M365. It required the Company to upgrade its M365 licensing agreement from E3 to E5, but the company agreed that the added cost was more than worth it. In the end, Lighthouse achieved two key wins: 1) demonstrating to the Company that M365 could meet even the most stringent security and compliance needs, and 2) securing a new trusted partnership with the customer that has continued to develop. ‍ Corporate Case Studycase-study; big-data; cloud-migration; cloud; cloud-services; corporate; corporation; emerging-data-sources; information-governance; ediscovery; microsoft; legacy-data-remediation; risk-management; record-management; financial-services-industrymicrosoft-365; information-governance; client-success; lighting-the-path-to-better-information-governanceCase-Study, client-success, Big-Data, Cloud-Migration, cloud, Cloud-Services, Corporate, Corporation, Emerging-Data-Sources, Information-Governance, eDiscovery, microsoft, Legacy-Data-Remediation, microsoft, risk-management, Record-Management, financial-services-industry, microsoft-365, information-governance
October 1, 2022
Case Study

Gap Analysis Solution for IT and Legal Teams Transitioning to M365

Lighthouse saves insurance giant millions of dollars during major technology upgrade. Key Actions Microsoft referred the Company to Lighthouse to resolve existing concerns from the Company’s IT and legal departments that were stifling their automation and transition process to Microsoft 365 (M365). Lighthouse held educational workshops on eDiscovery tools within M365, and devised a comprehensive plan for the compliance. Key Results Unblocked the M365 transition effort and enhanced the partnership between legal and IT. Compliance concerns were answered within M365, saving the company millions of dollars in retaining or updating legacy data management systems. What They Needed Legal Concerns Churn 11th Hour Nightmare for IT Department In 2017, a nationwide insurance giant initiated a transition from an on-premises Microsoft solution to a cloud-based M365 solution fueled by gain from cost, performance, and security improvements. Years later, and well past the intended launch date, the Company’s legal team suddenly halted the transition entirely due to concerns of M365’s eDiscovery capabilities, specifically, how M365 would handle the identification, preservation, and collection of email, instant messages, and files for the Company. The legal department insisted the company retain its custom-built archival solution until all compliance concerns were allayed. These demands put the IT department in an extremely tough spot after having already invested several years into the transition to M365. If forced to extend their aging, on-premises solution, the team would face substantial costs. To help unstick the implementation project, Microsoft suggested the Company engage Lighthouse to assist. Lighthouse immediately understood the legal team’s concerns and acted swiftly to address the Company’s insistence on exercising the transition to M365 with great caution, all while remaining vigilant of the Company’s receipt of hundreds of new legal matters monthly. The sensitive nature of data in this industry and the complex regulatory environment made the potential risk related to mismanagement very high. The process was intricate and complex, and required high-level integration to mitigate the significant risks that were specific to individual privacy regulations, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). Hands-on Experience and High-touch Service Bridge the Gaps Lighthouse fielded a team of experts with direct experience in the same or similar roles as the various client stakeholders, ranging from IT to records management, corporate legal, and public affairs. This hand-selected team led a three-part process with their counterparts from the Company: Providing education on the eDiscovery aspects of M365 Analyzing current workflows and performance, and expressing their desired future state Devising a high-level design document for how relevant parties could conduct eDiscovery tasks in compliance with the requirements while using M365 The first two processes helped restore unity among stakeholders, while the design document delivered on the legal team’s concerns, including specified settings for a range of M365 applications and components, such as Exchange Online, SharePoint Online, OneDrive for Business, and Teams. The design document made room for process automation and/or custom workflows, as well as for third-party system integration (for compliance archive, legal hold, matter management, etc.). The initial project success led to a continuing relationship between the Company and Lighthouse, and over time Lighthouse has become a critical element in the Company’s ongoing M365 implementation and adoption journey helping them in charting a path forward. Corporate Case Studycase-study; big-data; cloud-migration; cloud; cloud-services; ccpa; corporate; corporation; data-privacy; data-protection; emerging-data-sources; information-governance; ediscovery; microsoft; gdpr; legacy-data-remediation; legal-holds; risk-management; insurance-industry; record-managementmicrosoft-365; data-privacy; information-governance; client-success; lighting-the-path-to-better-information-governanceCase-Study, Big-Data, Cloud-Migration, cloud, Cloud-Services, ccpa, Corporate, Corporation, Data-Privacy, data-protection, Emerging-Data-Sources, Information-Governance, eDiscovery, microsoft, gdpr, Legacy-Data-Remediation, Legal-Holds, microsoft, risk-management, insurance-industry, Record-Management, microsoft-365, data-privacy, information-governance
June 1, 2023
Case Study

Engineering a Customized M365 eDiscovery Premium Add-on

Lighthouse bridges internal gaps during technology overhaul and solves longstanding compliance issues for a German multinational healthcare manufacturer. Key Actions Lighthouse engaged company stakeholders in operational planning and received funding from Microsoft to devise and integrate a premium Microsoft 365 (M365) add-on to existing Purview Premium eDiscovery, which resolved an outstanding compliance need. Key Results The proof-of-concept achieved a zero-trust security model integrated with third-party software, and satisfied the barring of critical needs for the Company that centralized IT and legal departments after years of dysfunction. What They Needed Automating a transition to M365 commonly yields a clash between IT, legal, and compliance stakeholders if the decision to convert was spearheaded by IT and made without consulting legal and compliance teams. Typically, during planning or implementation of converting to M365, legal teams ask IT how the new platform will manage compliant and defensible processes, and if IT doesn’t have the answers, the project stalls. This was the situation facing a multinational manufacturing Company that engaged Lighthouse for help during the spring of 2020. At that time, the Company was several years into its M365 transition, and the legal teams’ requirements for adoption of native M365 compliance tools barred a complete transition. Pressure to adopt the tools escalated as M365 workloads for content creation, collaboration, and communication were already rolled out, creating an increasingly large and complex volume of data with significant degrees of risk. Lighthouse Responds to Need and Launches New Technology In partnership with Microsoft Consulting Services, Lighthouse organized a companywide M365 “reset,” hosting a three-day workshop to revamp the transition process and generate an official statement of work. The strategic goal was to streamline the stakeholders from litigation, technical infrastructure, cybersecurity, and forensics teams that previously failed to align. The workshop fielded critical topics geared to encourage constructive discussions between stakeholders and to strengthen departmental trust. The outcome of these discussions eventually enabled the company to move forward with critical compliance updates, including the collection and parsing of Microsoft Teams data, and the management of myriad files and email attachments. Lighthouse took stock of the current state, testing potential solutions, and arrived at a proof-of-concept for an eDiscovery Automation Solution (EAS) that augmented existing M365 capabilities to meet the legal team’s security requirements and remediate any performance gaps. Microsoft recognized the potential value of the EAS for the wider market, ultimately leading to Microsoft funding for the proof-of-concept. Inside the eDiscovery Automation Solution (EAS) Technology Azure-native web application designed to orchestrate the eDiscovery operations of an M365 subscriber through Purview Premium eDiscovery automation Maximized Microsoft Graph API “/Compliance/eDiscovery/” functions and other Microsoft API Simplified to Azure AD trust boundary, targeting the M365 tenant hosted within, and enabling full governance of identity and entitlement throughout Azure and M365 security features Benefits Achieved a zero-trust security model Authorized high-velocity, high-volume eDiscovery tasks without outside technology through automation and orchestration of existing M365 eDiscovery premium capabilities native to M365 Mobilized integration with third-party software included in the Company’s eDiscovery workflows Amplified workload visibility by automatically surfacing relevant Mailboxes, OneDrives, and other M365 group-based technologies dependent upon selected Custodians’ access Corporate Case Studybig-data; case-study; cloud-migration; cloud; cloud-services; cloud-security; corporate; corporation; data-privacy; emerging-data-sources; information-governance; ediscovery; microsoft; manufacturing-industry; risk-managementchat-and-collaboration-data; ediscovery-review; microsoft-365; data-privacy; information-governance; client-success; lighting-the-path-to-better-information-governanceBig-Data, Case-Study, Cloud-Migration, cloud, Cloud-Services, Cloud-Security, Corporate, Corporation, Data-Privacy, Emerging-Data-Sources, Information-Governance, eDiscovery, microsoft, manufacturing-industry, risk-management, chat-and-collaboration-data, ediscovery-review, microsoft-365, data-privacy, information-governance
No items found.
March 29, 2023
Podcast

Prioritizing Information Governance and Risk Strategy for a Dynamic Economic Climate

Lica Patterson, Senior Director of Global Advisory Services at Lighthouse, discusses how assessing short and long-term risk can inform a more strategic information governance program.,   As we continue to grapple with a strange and unpredictable economic environment, establishing your legal and information governance priorities can be daunting. While directing investment and energy into the most urgent matters is a reflex during a down economy, neglecting more long-term data issues and risk can be detrimental. How do you balance these interests with already strapped resources? Lica Patterson , Senior Director of Global Advisory Services at Lighthouse, joins the podcast to discuss how assessing short and long-term risk can inform a more strategic information governance program. She also shares how the right technology and teams contribute to accomplishing goals and evolving your program. This episode's sighting of radical brilliance:  3 trends will shape the future of work, according to Microsoft‚Äôs CEO , World Economic Forum,  February 10, 2023. If you enjoyed the show, learn more about our speakers and subscribe on lawandcandor.com , rate us wherever you get your podcasts, and join in the conversation on LinkedIn and  Twitter .   , information-governance; data-privacy; microsoft-365, information-governance, data-privacy, microsoft-365, emerging-data-sources; legal-holds; podcast; record-management; risk-management
March 29, 2023
Podcast

Everything Dynamic Everywhere: Managing a More Collaborative Microsoft 365

Emily Dimond, Managing Senior Counsel, eDiscovery, at PNC Bank, shares practical strategies for managing updates in Microsoft 365 and how to develop an agile governance program.,   Collaborative technology‚Äîgreat for employee productivity but often challenging for legal and IT departments. Balancing the risk and reward requires a deep understanding of ever evolving updates while proactively managing those changes. As organizations adopt cloud-based enterprise software like Microsoft 365, previous change management and governance approaches are often no longer sufficient. Emily Dimond , Managing Senior Counsel, eDiscovery, at PNC Bank, shares practical strategies for managing updates in M365, including recent changes to transcripts and loop components, and how to develop a strong governance program equipped for today‚Äôs dynamic landscape.  This episode's sighting of radical brilliance:  Where is Tech Going in 2023? Harvard Business Review,  January 26, 2023. If you enjoyed the show, learn more about our speakers and subscribe on lawandcandor.com , rate us wherever you get your podcasts, and join in the conversation on LinkedIn and  Twitter .  , microsoft-365; chat-and-collaboration-data; lighting-the-path-to-better-information-governance, microsoft, emerging data sources, podcast, record management, microsoft-365, chat-and-collaboration-data, microsoft; emerging-data-sources; podcast; record-management
March 31, 2022
Podcast

Spring Cleaning for Legal Teams: The Cloud and Defensible Deletion of Data

Law & Candor welcomes Erika Namnath of Lighthouse to discuss new challenges with data retention and deletion in the Cloud, developing a defensible disposal program, and getting stakeholder buy-in., To kick off the show, Bill Mariano and Rob Hellewell discuss another Sighting of Radical Brilliance: How scientists are using AI to identify new drug combinations for children with incurable brain cancer. Next, they interview Erika Namnath  from Lighthouse about how to develop a sound and efficient defensible deletion program and the benefits of getting buy-in for it throughout an organization. Some of the key questions they discuss include: Defensible disposal of data continues to be a key challenge for eDiscovery and information governance programs. Why has this issue persisted and how has it evolved? Historically, because of the risk of deleting important information or not being able to defend deletion, teams have defaulted to saving as much as possible. Why is this approach becoming increasingly impossible and even poses a greater risk? How should leaders approach developing a data retention and disposal program or updating their existing one? When developing these retention policies and updates, we often hear challenges with legacy data and legal holds. How can teams wrap their heads around existing data while also considering what they‚Äôre retaining today?  It seems a significant challenge for these programs is gaining stakeholder buy-in and assigning ownership for retention and deletion. What can leaders do to tackle this? Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage , rate us wherever you get your podcasts, and join in the conversation on Twitter .  Related Links : Blog post: Cloud Adaptation: How Legal Teams Can Implement Better Information Governance Structures for Evolving Software Blog post: Making the Case for Information Governance and Why You Should Address It Now Podcast: Achieving Information Governance through a Transformative Cloud Migration Article: Scientists use AI to identify new drug combination for children with incurable brain cancer About Law & Candor   Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for eDiscovery, compliance, and information governance. To learn more about the show and our speakers, visit the podcast homepage .  , data-privacy; chat-and-collaboration-data; microsoft-365, cloud migration, legacy data remediation, legal holds, podcast, record management, preservation, risk management, data-privacy, chat-and-collaboration-data, microsoft-365,, cloud-migration; legacy-data-remediation; legal-holds; podcast; record-management; preservation; risk-management
December 15, 2022
Podcast

Anonymization and AI: Critical Technologies for Moving eDiscovery Data Across Borders

Our hosts are joined by Lighthouse's Damian Murphy for a lively chat about what AI solutions can be deployed to optimize eDiscovery workflows and maximize data insights while adhering to privacy laws., In this episode's Sighting of Radical Brilliance, our hosts discuss strategies for putting your data to work outlined in a recent Harvard Business Review article. To elucidate the complexities of moving data across borders, Lighthouse's Damian Murphy , Executive Director of Advisory Services in EMEA, joins the podcast. With Paige and Bill, Damian explains recent updates to data transfer policies, and what AI solutions can be deployed to optimize eDiscovery workflows and maximize data insights while adhering to privacy laws. Some key questions they answer, include: With fines continuing to be issued for GDPR violations and organizations grappling with how to transfer data across regions, data privacy is still not a resolved issue. What are some recent policy changes our audience should be aware of? How have these created challenges for the ways that data is managed and how organizations can ultimately utilize it? Many of our listeners are likely aware of how anonymization and pseudonymization are being utilized, but can you remind us how they work? Is there a typical approach for a client faced with the need to supply data held within the EU in order to comply with an eDiscovery order in the US? If the past is any indication, we should expect privacy policies to continue to change and impact data governance. How are anonymization and pseudonymization, and other approaches, helping prepare for what‚Äôs on the horizon? If you enjoyed the show, learn more about our speakers and subscribe on the  podcast homepage , rate us wherever you get your podcasts, and join in the conversation on  Twitter .  , data-privacy; chat-and-collaboration-data; microsoft-365; practical-applications-of-ai-in-ediscovery, gdpr, cross border data transfers, podcast, privacy shield, data-privacy, chat-and-collaboration-data, ai and analyics, microsoft-365, gdpr; cross-border-data-transfers; podcast; privacy-shield
April 13, 2022
Podcast

Microsoft 365 and the Age of Automation

Microsoft‚Äôs Stefanie Bier joins Law & Candor to delve into the key types of automation required to support Microsoft 365 at scale for large organizations using Core or Advanced eDiscovery., Bill Mariano and Rob Hellewell bring listeners another Sighting of Radical Brilliance. They discuss an episode of Fast Company‚Äôs podcast Innovation Unrestricted that explores how companies can incorporate diversity and inclusion into product design. They are then joined by Stefanie Bier , Senior Program Manager at Microsoft, to chat about how to deploy critical automation in Microsoft 365 and key updates on the horizon. Some questions they explore, include:  Automation is increasingly becoming a critical component of managing data and scaling programs. What are some of the new ways collaboration platforms, specifically M365, have introduced automation? What are the benefits of adopting these automated processes?  What are some of the key types of automation that are necessary to optimize M365?   With the cloud and automated updates, platforms are undergoing faster changes than ever before. How do you stay on top of them and ensure there‚Äôs cross-functional alignment at your organization? Whether it‚Äôs fear of error or worry about loss of control, some are reticent to automate certain aspects of their programs. What are the risks in not adopting automation? Our co-hosts wrap up the episode with advice for amplifying other women‚Äôs voices in the legal and technology industries and some key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage , listen and rate the show wherever you get your podcasts, and join in the conversation on Twitter .  Related Links   Podcast: Understanding Microsoft 365 Unindexed Items Blog post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations Blog post: Breaking the Bias: Strategies from Top Women Leaders in Legal Technology Podcast: Innovation Unrestricted ‚Äì How companies can incorporate diversity and inclusion into product design , microsoft-365; information-governance, microsoft, cloud services, podcast, microsoft-365, information-governance, microsoft; cloud-services; podcast
November 16, 2021
Podcast

Understanding Microsoft 365 Unindexed Items

James Hart of Lighthouse and our hosts discuss this complex aspect of Microsoft 365 eDiscovery, identify best practices and mitigation strategies, and proactive tips for the future., Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss a framework for building accountability into AI from an article in Harvard Business Review by Stephen Sanford . In this episode, Bill and Rob are joined by James Hart of Lighthouse. They discuss this critical component of Microsoft 365 and its important role in maximizing the effectiveness of ediscovery workflows and mitigation strategies. Key questions from their conversation include: What are unindexed items and how critical are they to efficiency in ediscovery workflows? After identifying unindexed items, what is the next step and how do you approach it? What are some key strategies for handling unindexed items? How are different organizations approaching unindexed items from a policy perspective? What are best practices for approaching this unique issue in Microsoft 365? In conclusion, our co-hosts end the episode with key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the podcast homepage , rate us on Apple and Stitcher , and join in the conversation on Twitter . Related Links Blog Post: An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations Blog Post: Making the Case for Information Governance and Why You Should Address It Now White Paper: The Impact of Schrems II and Key Considerations for Companies Using M365 Podcast: Keeping Up with M365 Software Updates , microsoft-365; chat-and-collaboration-data; information-governance; lighting-the-path-to-better-information-governance, microsoft, emerging data sources, podcast, record management, preservation, microsoft-365, chat-and-collaboration-data, information-governance,, microsoft; emerging-data-sources; podcast; record-management; preservation
March 23, 2021
Podcast

Keeping Up with M365 Software Updates

In the fourth episode of the seventh season, co-hosts¬†Bill Mariano and¬†Rob Hellewell discuss¬†why diversity in AI is important and how this could impact legal outcomes and decisions.¬†Next, they..., In the fourth episode of the seventh season, co-hosts  Bill Mariano and  Rob Hellewell discuss  why diversity in AI is important and how this could impact legal outcomes and decisions.  Next, they introduce their guest speaker,  Jamie Brown of Lighthouse, who uncovers key strategies to keep up with the constant flow of Microsoft 365 software updates. Jamie answers the following questions (and more) in this episode: What are some of the common challenges associated with M365‚Äôs rapid software updates? How do these constant updates lead to compliance risks? What are some best practices for overcoming these challenges? What recommendations would you pass along to those who are experiencing these challenges? What advice would you give to other women in the ediscovery industry looking to move their careers forward? Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the  podcast homepage , rate us on  Apple and  Stitcher , and join in the conversation on  Twitter . , microsoft-365; information-governance; chat-and-collaboration-data, microsoft, podcast, microsoft-365, information-governance, chat-and-collaboration-data,, microsoft; podcast
March 23, 2021
Podcast

Efficiently and Defensibly Addressing Microsoft Teams Data

Bill Mariano and¬†Rob Hellewell kick off episode 3 with another segment of¬†Sightings of Radical Brilliance, where they discuss¬†Anis Uzzaman‚Äôs Inc.com article that dives into 2021 business and..., Bill Mariano and  Rob Hellewell kick off episode 3 with another segment of Sightings of Radical Brilliance, where they discuss  Anis Uzzaman‚Äôs Inc.com article that dives into 2021 business and technology trends . Bill and Rob review these trends and discuss how they will have an impact on the space. Next, Bill and Rob chat with  Royce Cohen of Lighthouse about key ways to efficiently and defensibly address Microsoft Teams data. In this interview, Royce uncovers the answers to the following questions:  How do you achieve a balance between encouraging collaboration amongst colleagues and the ediscovery impact of that collaboration?  What are some of the challenges associated with the rise in Teams data? How do you overcome those challenges? How do organizations ensure they are overcoming those challenges efficiently and defensibly?  What advice would you give to other women in the ediscovery industry looking to move their careers forward? Our co-hosts wrap up the episode with a few key takeaways. If you enjoyed the show, learn more about our speakers and subscribe on the  podcast homepage , rate us on  Apple and  Stitcher , and join in the conversation on  Twitter . Related Links Blog Post:  Key Compliance & Information Governance Considerations As You Adopt Microsoft Teams Podcast: Tackling Modern Attachment and Link Challenges in G-Suite, Slack, and Teams , chat-and-collaboration-data; microsoft-365, microsoft, podcast, chat-and-collaboration-data, microsoft-365, microsoft; podcast
September 22, 2020
Podcast

Top Microsoft 365 Features to Leverage in Your eDiscovery Program

Microsoft‚Äôs agile development and rapid product enhancement allows Microsoft 365 (M365) users to stay up to date with emerging industry challenges. However, keeping pace with these M365 features,   In the final episode of season five, co-hosts  Bill Mariano and  Rob Hellewell review an article on a recent ILTA>ON panel that examined how  tech has created certain power dynamics in legal space. Next, Bill and Rob bring on John Collins of Lighthouse to walk them through the top M365 features to leverage in an ediscovery program. Together they cover the latest and greatest as well as uncover answers to the following questions:  How many updates and enhancements is Microsoft making? How often/fast are these coming out? What are some of the common challenges around these rapid changes?  What are the top M365 features that folks in the industry should be aware of? Are there other ways and/or resources folks can use to stay up-to-date? The season ends with key takeaways from the guest speaker section. Subscribe to the show here , rate us on Apple and Stitcher, connect with us  Twitter , and discover more about our speakers and the show  here . Related Links Blog Post: Microsoft 365, G-Suite, and the Growing Demand for Consulting and ifying Experts Blog Post: Leveraging Microsoft 365 to Reduce Your eDiscovery Spend Blog Post: Key Compliance & Information Governance Considerations As You Adopt Microsoft Teams Podcast Episode:  Microsoft Office 365 Part 1: Microsoft‚Äôs Influence on the Next Evolution of eDiscovery Podcast Episode: Microsoft Office 365 Part 2: How to Leverage all the Tools in the Toolbox   , microsoft-365; ediscovery-review; chat-and-collaboration-data, microsoft, podcast, microsoft-365, ediscovery-review, chat-and-collaboration-data,, microsoft; podcast
September 22, 2020
Podcast

Achieving Information Governance through a Transformative Cloud Migration

Data migrations are generally perceived as painful and disruptive experiences. However, they also provide unique opportunities to transform the way unstructured data is used and managed within an,   In the first episode of season five, co-hosts  Bill Mariano and  Rob Hellewell , introduce themselves and welcome listeners back for another season of Law & Candor, the podcast wholly devoted to pursuing the legal technology revolution. To kick things off, Bill and Rob begin with Sightings of Radical Brilliance, the part of the show where they discuss the latest news of noteworthy innovation and acts of sheer genius. In this first episode, they dive into a recent article written by the folks at Baker Botts LLP around  Federal Expedited Review in Response to COVID-19 and what that means for the industry. For the guest speaker segment of the show, Bill and Rob bring on  John Holliday of Lighthouse to discuss transformative cloud migrations and how to ensure a successful outcome via the following questions: How do cloud migrations provide an opportunity to transform processes and workflows within an organization?  How does information architecture come into play? What benefits can one achieve during a cloud migration? What are best practices for a successful transformative cloud migration? The episode wraps up with key takeaways. If you enjoyed the show, subscribe here, rate us on Apple and Stitcher, join in the conversation on  Twitter , and discover more about our speakers and the show  here . Related Links Blog Post:  Top Three Things That Could Derail Your Cloud Migration Project Blog Post:  Why Moving to the Cloud is a Legal Conversation   , information-governance; microsoft-365; chat-and-collaboration-data, information-governance, cloud migration, podcast, information-governance, microsoft-365, chat-and-collaboration-data,, information-governance; cloud-migration; podcast
June 23, 2020
Podcast

Emerging Data Sources – Get a Handle on eDiscovery for Collaboration Tools

In the first episode of season four, co-hosts¬†Bill Mariano and¬†Rob Hellewell, introduce themselves and welcome listeners back for a fourth season of Law & Candor, the¬†podcast wholly devoted to...,   In the first episode of season four, co-hosts  Bill Mariano and  Rob Hellewell , introduce themselves and welcome listeners back for a fourth season of Law & Candor, the podcast wholly devoted to pursuing the legal technology revolution. To kick things off, Bill and Rob begin with Sightings of Radical Brilliance, the part of the show where they discuss the latest news of noteworthy innovation and acts of sheer genius. In this first episode, they dive into a recent story around  COVID-19 and the reformation of legal culture .  The guest speaker segment for episode one highlights  Ellen Blanchard of T-Mobile. Ellen, Bill, and Rob discuss the growth in emerging data sources, especially with the introduction of more remote work due to COVID-19. They cover tips on how to manage, collect, process, and review collaboration data for ediscovery purposes via the following questions: What has changed over the last couple of years and even in the last few months with COVID-19? How do you get a handle on these data sources? How do you weigh that balance between risks and what teams need to use to be productive? What are some key tips to keep in mind when managing ediscovery around collaboration tools? At the end of the episode, Bill recaps key takeaways and thanks Ellen for joining. If you enjoyed the show, join in the conversation on  Twitter and discover more about our speakers and the show  here . Related Links Case Study:  Rapid and Reliable Chat Message Review About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click  here .   , chat-and-collaboration-data; microsoft-365, emerging data sources, podcast, chat-and-collaboration-data, microsoft-365, emerging-data-sources; podcast
March 24, 2020
Podcast

How Microsoft 365 and GDPR Are Driving a Proactive Approach to eDiscovery Across the Globe

Law & Candor co-hosts¬†Bill Mariano and¬†Rob Hellewell kick things off with¬†Sightings of Radical Brilliance, in which they discuss¬†changes the legal system may face thanks to¬†innovation brought...,   Law & Candor co-hosts  Bill Mariano and  Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss changes the legal system may face thanks to  innovation brought about by AI, big data, and online courts .  In this episode, Bill and Rob are joined by  Mike Brown of Lighthouse. The three uncover how Microsoft 365 (M365) and GDPR are driving change for a more proactive approach to ediscovery across the globe and answer the following questions:  How have GDPR and M365 changed company attitudes from a reactive to a more proactive approach to ediscovery? How does Brexit impact this? How does a company actually become GDPR compliant? How do companies prepare? How do DSARs come into play? How does M365 help solve for these concerns? In conclusion, our co-hosts end the episode with key takeaways. To join the conversation, connect with us  Twitter and discover more about our speakers and the show  here . Related Links Blog Post:  Why Moving to the Cloud is a Legal Conversation , data-privacy; microsoft-365; chat-and-collaboration-data, microsoft, gdpr, data-privacy, cross border data transfers, podcast, data-privacy, microsoft-365, chat-and-collaboration data,, microsoft; gdpr; data-privacy; cross-border-data-transfers; podcast
December 4, 2019
Podcast

Data Preservation in the World of Ephemeral Data, Mobile Devices, and Other New Challenges in Forensic Technology

Co-hosts Bill Mariano and¬†Rob Hellewell share details around the¬†five biggest data breaches of the year so far in¬†Sightings of Radical Brilliance and what this means for the future of legal...,   Co-hosts Bill Mariano and  Rob Hellewell share details around the  five biggest data breaches of the year so far in Sightings of Radical Brilliance and what this means for the future of legal space. Next, Bill and Rob bring on  Jerry Bui , Executive Director of Digital Forensics at Lighthouse, to help uncover the answers to the following questions around data preservation when it comes to ephemeral and encrypted data:  What do ephemeral and encryption mean? What are the different types of enterprise communication platforms? Which platform gives you the most in terms of investments from a legal and compliance perspective? What about data privacy on these platforms? How is the personal data treated? What should IT and Legal departments keep in mind when it comes to platforms that are not encrypted? The show concludes with key takeaways from the guest speaker segment. Join the conversation on  Twitter and discover more about our speakers and the show  here . Related Links Podcast: Digital Forensics Future About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click  here .   , chat-and-collaboration-data; forensics; information-governance; microsoft-365, emerging data sources, preservation and collection, podcast, digital-forensics, chat-and-collaboration-data, digital-forensics, information-governance, microsoft-365, emerging-data-sources; preservation-and-collection; podcast; digital-forensics
September 20, 2019
Podcast

Moving to the Cloud: A Law Firm Journey

In the final episode of season one, co-hosts Bill Mariano and Rob Hellewell share their thoughts around AI-enabled deep fakes in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they chat about the...,   In the final episode of season one, co-hosts Bill Mariano and Rob Hellewell share their thoughts around AI-enabled deep fakes in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they chat about the implications and dangers around this technology and what that means for the legal space and beyond. Bill and Rob bring on David Arlington , Special Counsel at Baker Botts, to discuss the move to the Cloud from a law firm‚Äôs perspective. Bill and Rob cover the following questions with David in the season finale: Why did the firm decide to move to a cloud-based service? Did you get any pushback or fear around moving to the Cloud, and, if so, how did you handle it? How long did it take to get up on the Cloud, from the initial decision to getting up and running on the Cloud? What were some of the unanticipated surprises that popped up during this process? What kind of advantages have you seen so far? The season ends with key takeaways from the guest speaker section and a reminder to watch for the release of season two in December. Connect with us Twitter and discover more about our speakers and the show here . About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here .   , information-governance; microsoft-365, microsoft-365, information-governance, self-service, spectra; cloud-migration; podcast; law-firm
September 20, 2019
Podcast

Microsoft Office 365 Part 2: How to Leverage all the Tools in the Toolbox

In the fourth episode of season one, co-hosts Bill Mariano and Rob Hellewell begin with SIGHTINGS OF RADICAL BRILLIANCEaround the dawn of realistic face masks as well as retina scans and...,   In the fourth episode of season one, co-hosts Bill Mariano and Rob Hellewell begin with SIGHTINGS OF RADICAL BRILLIANCEaround the dawn of realistic face masks as well as retina scans and fingerprints for authentication, and the security and legal concerns that hide beneath. Next, Bill and Rob introduce guest Chris Hurlebaus , eDiscovery Architect at Lighthouse, to discuss the tools that are available in Office 365 and how to leverage them. The speakers cover the following questions in this episode: What do I need to know around Office 365 licensing when having an ediscovery conversation? What Office 365 tools are currently available to users? What are the different options/subscription levels? What are the advanced features of Office 365? What about reporting of ediscovery activities in Office 365? What is Microsoft looking to do next around this technology? In the end, our co-hosts wrap up with a few key takeaways. Follow us on Twitter and discover more about our speakers and the show here . Related Links Case Study: The Benefits of an Office 365 Workshop About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here .   , microsoft-365; information-governance; chat-and-collaboration-data, microsoft-365, information-governance, chat-and-collaboration-data, microsoft; podcast
September 20, 2019
Podcast

Moving to the Cloud: A Corporate Journey

Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss Rob Robinson's recent article around the eras of ediscovery and...,   Law & Candor co-hosts Bill Mariano and Rob Hellewell kick things off with Sightings of Radical Brilliance, in which they discuss Rob Robinson's recent article around the eras of ediscovery and where the industry is going next. In today‚Äôs episode, Bill and Rob are joined by Alex Shusterman , eDiscovery Manager at Accenture. The three discuss key components for corporate legal teams to keep in mind when considering the move to the Cloud as well as the benefits. Below are the questions they address: What are the key aspects corporate legal teams should keep in mind when considering the move to the Cloud? Why is it critical for Legal and IT to be in collaboration for these types of moves? What should corporate legal teams avoid when moving to the Cloud? What are lessons learned from moving to the Cloud? What are some of the benefits of moving to the Cloud? In conclusion, our co-hosts end the episode with key takeaways. To join in on the conversation, connect with us Twitter and discover more about our speakers and the show here . About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here .   , information-governance; microsoft-365, information-governance, microsoft-365, self-service, spectra; cloud-migration; corporation; podcast
September 20, 2019
Podcast

Microsoft Office 365 Part 1: Microsoft’s Influence on the Next Evolution of eDiscovery

Co-hosts Bill Mariano and Rob Hellewell introduce the issues around ephemeral data in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they look at the huge growth rates in Snapchat users and what...,   Co-hosts Bill Mariano and Rob Hellewell introduce the issues around ephemeral data in SIGHTINGS OF RADICAL BRILLIANCE. In particular, they look at the huge growth rates in Snapchat users and what the continued growth of ephemeral data means for the legal space. Next, Bill and Rob bring on Mo Ramsey , General Manager of Global Advisory Services at Lighthouse, to help uncover the answers to the following questions around Office 365 in the ediscovery space: What does Microsoft‚Äôs evolution of ediscovery capabilities in Office 365 look like? What‚Äôs Microsoft doing within ediscovery and how do they want to differentiate? What specific actions are advanced users able to perform in Office 365? What should teams consider when evaluating Office 365? The show concludes with key takeaways from the guest speaker segment. Join the conversation on Twitter and discover more about our speakers and the show here . About Law & Candor Law & Candor is a podcast wholly devoted to pursuing the legal technology revolution. Co-hosts Bill Mariano and Rob Hellewell explore the impacts and possibilities that new technology is creating by streamlining workflows for ediscovery, compliance, and information governance. To learn more about the show and our speakers, click here .   , microsoft-365; information-governance, microsoft-365, information-governance, microsoft; podcast
July 23, 2019
Blog

Why Moving to the Cloud is a Legal Conversation

There is a common theme buzzing around the legal tech and eDiscovery industry – the Cloud and how in-house lawyers should be aware of the implications of their companies moving to the Cloud. Due to its regular appearance, there is an increasing focus on the legal implications of moving to the Cloud, rather than IT and operational considerations, within organisations.Setting the StageThe Cloud is familiar to most people thanks to the way we store photos and save emails. However, the impact of the Cloud in such a short space of time, even for personal users, is remarkable. Google now gives away cloud storage space worth around $15,000 per person at 1995 prices to its users (of which there are approximately 1 billion). In other words, what would have cost a combined $15 trillion just 24 years ago is now being offered for free (Goldin and Kutarna. Age of Discovery. 1990. Print.).The common response to the question of moving a companies' data to the Cloud is typically around perceived issues of both cost and security. Both of these topics are fundamental but are limited in scope when considering the wide-ranging potential of enterprise cloud technology from the perspective of data governance, compliance, and eDiscovery.Reducing or eliminating IT spend on building and maintaining infrastructure is a driving force for companies to move to the Cloud. Another is the need to provide employees with the tools they need to not only continue their everyday tasks but also to adapt and innovate. Microsoft recently quoted that, “97% of Fortune 500 and 95% of Fortune 1000 companies have Office 365 to benefit from streamlined infrastructure, data management, and collaborative technology opportunities.” They have discovered that cloud-based productivity has moved far beyond just standard applications like Word or Excel. Networked applications fuel employee innovation. According to a study by Vanson Bourne, “companies leveraging cloud services increased their time to market by 20.7%. At the same time, IT spending decreased by 15.1%, and, as for employees, productivity jumped 18.8%.”When compared to cost savings and data security, data governance, compliance, and eDiscovery often get less consideration. This is because a transition to the cloud is a core business decision, taken on at an enterprise-wide level to streamline the company and provide business-critical tools to employees. The legal capabilities of the technology may seem peripheral to the IT teams focusing on transitioning from on-premise infrastructure to cloud-based data centres. However, when you consider the variety of ways in which data is generated and the volume of this data, legal needs to lead the way in managing risk and adding value to how collaboration is managed across the company.Driving Home the PointIronically, cloud-based technologies like Office 365 make it even easier to generate ever-larger amounts of data. It is, therefore, no surprise that the same technology can (and should) be used to govern this data. Legal needs to consider how to take ownership of the companies' data for risk management purposes if nothing else.An example of this is persistent chat using Skype, Teams, Yammer, etc. Legal rather than IT needs to drive the key questions. Is this functionality available to everyone? How long is chat data stored? Does the company utilise more than one chat solution and do they interact with each other? Is the data discoverable if necessary and can it be searched? Can a legal hold be placed on this content? When deleted, does that fit with the overall data retention policy and is that consistent across multiple locations?Just one aspect of data governance that, of data retention and associated policies and logistics, can be overwhelming. Every organisation has many applications that employees use. A switch to a cloud-based environment doesn’t just mean the data is stored somewhere else. It means that tools are probably available for employees to work more intelligently and collaboratively. This is a positive thing for both efficiency and most likely profitability. It is also positive in terms of data governance and compliance. Policies such as data retention and categorisation can be refreshed so that they are not written and ignored. They can be hardwired into the very applications that generate the bulk of a company's data, from email and business documents to persistent chat applications, financial data, and internal social media.Cloud-based technology such as Office 365 can be utilised to manage contentious matters more effectively and proportionally (crucial for Subject Access Requests), without the need for large-scale intervention from third parties who deploy forensic data collection experts to ship large volumes of data elsewhere for eDiscovery purposes.Furthermore, failure to provide modern workplace technology often means that a shadow IT environment develops within a company, a phenomenon that makes governance and compliance even more difficult than it already is. Employees will use whatever technology they can to make their job easier, regardless of policy. Again, legal, not IT, can lead the way in aligning policies with the use of modern workplace tools.Fortunately, security concerns have done little to hold back the tide of progress to cloud-based infrastructure. Microsoft may be a company that has the most attempted external hacks, but it also has a budget of over $1 billion annually to ensure the data it holds is secure. Other cloud-based providers also understand the value of managing their clients’ data and have similar impressive ways and large budgets to protect it. Microsoft's share price demonstrates what shareholders think of their focus on the cloud over the last five years. Windows is not discussed as widely these days compared to Office 365.Looking Forward IT and security may be the departments responsible for a transition to the Cloud but legal and compliance are the departments that should take ownership of the generation and governance of the data. This should not be seen as a burden, but a welcome change in how to align a modern workplace with a comprehensive framework to manage risks inherent in big data.If you would like to discuss this topic further, please feel free to reach out to me at MBrown@lighthouseglobal.com.data-privacy; ediscovery-review; information-governance; microsoft-365cloud, information-governance, cloud-security, blog, data-privacy, ediscovery-review, information-governance, microsoft-365cloud; information-governance; cloud-security; blogmichael brown
November 5, 2020
Blog

Why Moving to the Cloud can Help with DSARs (and Have Some Surprise Benefits)

However you view a DSAR, for any entity who receives one, they are time consuming to complete and disproportionately expensive to fulfill. Combined with the increasing manner in which they are being weaponized, companies are often missing opportunities to mitigate the negative effects of DSARs by not migrating data to the Cloud.Existing cloud solutions, such as M365 and Google Workplace (formerly known as G-Suite) allow administrators to,for example, set data retention policies, ensuring that data cannot routinely be deleted before a certain date, or that a decision is made as to when data should be deleted. Equally, legal hold functionality can ensure that data cannot be deleted at all. It is not uncommon for companies to discover that when they migrate to the Cloud all data is by default set to be on permanent legal hold. Whilst this may be required for some market sectors, it is worth re-assessing any existing legal hold policy regularly to prevent data volumes from ballooning out of control.Such functionality is invaluable in retaining data, but can have adverse effects in responding to DSARs, as it allows legacy or stale data to be included in any search of documents and inevitably inflates costs. Using built-in eDiscovery tools to search and filter data in place in combination with a data retention policy managed by multiple stakeholders (such as Legal, HR, IT, and Compliance) can mitigate the volumes of potentially responsive data, having a significant impact on downstream costs of fulfilling a DSAR.Typically, many key internal stakeholders are frequently unaware of the functionality available to their organization. This can help to mitigate costs, such as Advanced eDiscovery (AED) in Microsoft 365, or Google Vault in Google Workspace. Using AED, a user can quickly identify relevant data sources, from mailboxes, OneDrive, Teams, Skype, and other online data sources, apply filters such as date range and keywords, and establish the potential number of documents for review within in minutes. Compare this to those who have on-premise solutions, where they are wholly dependent on an internal IT resource, or even the individual data custodians, to identify all of the data sources, confirm with HR / Legal that they should be collected, and then either apply search criteria or export the data in its entirety to an external provider to be processed. This process can take days, if not weeks, when the clock is ticking to provide a response in 30 days. By leveraging cloud technology, it is possible to identify data sources and search in place in a fraction of the time it takes for on-premise data.Many cloud platforms include functionality, which means that when data is required for a DSAR, it can now be searched, filtered, and, crucially, reviewed in place. If required, redactions can be performed prior to any data being exported externally. Subject to the level of license held, additional functionality, such as advanced indexing or conceptual searching, can also be deployed, allowing for further filtering of data and thus reducing data volumes for review or export.The technology also allows for rapid identification of multiple data types including:Stale dataSensitive data types (financial information/ PII)Customer-specific dataSuspicious / unusual activitiesBy using the inbuilt functionality to minimize the impact of such data types as part of an Information Governance / Records Management program, there can be significant changes and improvements made elsewhere, including data retention policies, data loss prevention, and improved understanding of how data is routinely used and managed in general day-to-day business. This, in turn, has significant time and cost benefits when required to search for data, whether for a DSAR, investigation, or a litigation exercise. Subject to the agreement with the cloud service provider, this may also have benefits in reducing the overall volume and cost of data hosted.With a sufficiently robust internal protocol in place, likely data sources can be identified and mapped. Now, when a DSAR request is received, an established process exists to rapidly search and cull potential cloud-based data sources, including using tools such as Labels or Sensitivity Type to exclude data from the review pool, and efficiently respond to any such request.Migrating to the Cloud may seem daunting, but the benefits are there and can be best maximized when all stakeholders work together, across multiple teams and departments. DSARs do not have to be the burden they are today. Using tools readily available in the Cloud might also significantly reduce the burdens and costs of DSARs.To discuss this topic further, please feel free to reach out to me at MBicknell@lighthouseglobal.com.data-privacy; ediscovery-review; information-governance; microsoft-365cloud, dsars, cloud-services, blog, data-privacy, ediscovery-review, information-governance, microsoft-365cloud; dsars; cloud-services; blogmatt bicknell
October 6, 2020
Blog

Trends Analysis: New Sources of Evidentiary Data in Employment Disputes

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com that features Lighthouse's John Shaw.A highlight of the challenges arising from the increased use of collaboration and messaging tools by employees in remote-work environments.Our “top trends” series was born out of a desire to help in-house lawyers with their horizon scanning and with assessing the potential risks heading their way. Each post focuses on a specific area, providing companies and their lawyers with quick summaries of some of the challenges heading their way.Our latest piece in the series looks at the top 3 trends in-house lawyers should take notice of in the area of employment disputes, and was carefully curated by one of our experts – Lighthouse director of business development John Shaw. The Covid-19 pandemic has affected every sector of law and litigation, and employment law is certainly no exception. From navigating an ever-changing web of COVID-19 compensation regulations, to ensuring workplaces are compliant with shifting government health guidelines – the last six months have been chaotic for most employers. But as we all begin to regain our footing in this “new normal”, there is another COVID-19-related challenge that employers should be wary of: the increased use of collaboration and messaging tools by employees in remote-work environments.This past spring, cloud-based collaboration tools like Slack and Microsoft’s Teams reported record levels of utilisation as companies around the world were forced to jettison physical offices to keep employees safe and comply with government advice. Collaboration tools can be critical assets to keep businesses running in a remote work environment but employers should be aware of the risks and challenges the data generated from these sources can pose from an employment and compliance perspective.Intermingling of personal and work-related data over chatAs most everyone has noticed by now, working remotely during a pandemic can blur the line between “work life” and “home life.” Employees may be replying to work chat messages on their phone while simultaneously supervising their child’s remote classroom, or participating in a video conference while their dog chases the postman in the background. Collaboration and chat messaging tools can blur this line even further. Use of chat messaging tools is at an all-time high as employees who lost the ability to catch up with co-workers at the office coffee station transition these types of casual conversation to work-based messaging tools. These tools also make it easy for employees to casually share non-work related pictures, gifs, and memes with co-workers directly from their mobile phone.The blurring line between home and work, as well as the increased use of work chat messaging can also lead to the adoption of more casual written language among employees. Most chat and collaboration tools have emojis built into their functionality, which only furthers this tendency. Without the benefit of facial expressions and social cues, interpretation of this more casual written communication style can vary greatly depending on age, context, or culture.All of this means that personal, non-work related conversations with a higher potential for misinterpretation or dispute are now being generated over employer-sanctioned tools and possibly retained by the company for years, becoming a part of the company’s digital footprint.Evidence gathering challengesEmployers should expect that much of the data and evidence needed in future employment disputes and investigations may originate from these new types of data sources. Searching for and collecting data from cloud-based collaboration tools can be a more complicated process than traditional searching of an employee’s email or laptop. Moreover, the actual evidence employers will be searching for may look different when coming from these data sources and require additional steps to make it reviewable. Rather than using search terms to examine an employee’s email for evidence of bad intent, employers may now be examining the employee’s emoji use or reactions to chat comments on Teams or Slack.Evidence for wage and hour disputes may also look a bit different in a completely remote environment. When employees report to a physical office, employers can traditionally look to data from building security or log-in/out times from office-based systems to verify the hours an employee worked. In a remote environment, gathering this type of evidence may be a bit more complex and involve collecting audit logs and data from a variety of different platforms and systems, including collaboration and chat tools. A company’s IT team or eDiscovery vendor will need to understand the underlying architecture of these tools and ensure they have the capacity to search, collect, and understand the data generated from them.Employer best practicesEmployers should consider implementing an employee policy around the use of collaboration tools and chat functionality, as well as a comprehensive data retention schedule that accounts for the data generated from these tools. Keep these plans updated and adjust as needed. Ensure IT teams or vendors know where data generated by employees from these new data sources is stored, and that they have the ability to access, search, and collect that data in the event of an employment dispute.chat-and-collaboration-data; microsoft-365microsoft, cloud, emerging-data-sources, blog, chat-and-collaboration-data, microsoft-365microsoft; cloud; emerging-data-sources; blogthe lawyer
October 19, 2022
Blog

To Reinvigorate Your Approach to Big Data, Catch the Advanced AI Wave

Emerging challenges with big data—large sets of structured or unstructured data that require specialized tools to decipher— have been well documented, with estimates of worldwide data consumed and created by 2025 reaching unfathomable volumes. However, these challenges present an opportunity for innovation. Over the past few years, we’ve seen a renaissance in AI products and solutions to help address and evolve past these issues. From smaller players creating bespoke algorithms to bigger technology companies developing solutions with broader applications, there are substantial opportunities to harness AI and rethink how to manage data.A recent announcement of Microsoft’s Syntex highlights the immense possibilities for, and investment in, leveraging AI to manage content and augment human expertise and knowledge. The new feature in Microsoft 365 promises advanced AI and automation to classify and extract information, process content, and help enforce security and compliance policies. But what do new solutions like this mean for eDiscovery and the legal industry?There are three key AI benefits reshaping the industry you should know about:1. Meeting the challenges of cloud and big data2. Transforming data strategies and workflows3. Accelerating through automationMeeting the challenges of cloud and big data Anyone close to a recent litigation or investigation has witnessed the challenge posed by today’s explosion of data—not just volume, but the variety, speed, and uncertainty of data. To meet this challenge, traditional approaches to eDiscovery need to be updated with more advanced analytics so teams can first make sense of data and then strategize from there. Simultaneous with the need to analyze post-export documents, it’s also clear that proactively managing an organization’s data is increasingly essential. Organizations across all industries must comply with an increasingly complex web of data privacy and retention regulations. To do so, it is imperative that they understand what data they are storing, map how that data flows throughout the organization, and have rules in place to govern the classification, deletion, retention, and protection of data that falls within certain regulated categories of data types. However, the rise of new collaboration platforms, cloud storage, and hybrid working have introduced new levels of data complexity and put pressure on information governance and compliance practices—making it impossible to use older, traditional means of information governance workflows. Leveraging automation and analytics driven by AI advances teams from a reactive to proactive posture. For example, teams can automate a classification system with advanced AI where it reads documents entering the organization’s digital ecosystem, classifies them, and labels them according to applicable sensitivity or retention categories implemented by the organization—all of which is organized under a taxonomy that can be searched later. This not only helps an organization better manage data and risks upfront—creating a more complete picture of the organization’s data landscape—but also informs better and more efficient strategies downstream. Transforming data strategies and workflows New AI capabilities give legal and data governance teams the freedom to think more holistically about their data and develop strategies and workflows that are updated to address their most pressing challenges. For eDiscovery, this does not necessarily mean discarding legacy workflows (such as those with TAR) that have proven valuable, but rather augmenting them with advanced AI, such as natural language processing or deep learning, which has capabilities to handle greater data complexity and provide insights to approach a matter with greater agility. But the rise of big data means that legal teams need to start thinking about the eDiscovery process more expansively. An effective eDiscovery program needs to start long before data collection for a specific matter or investigation and should contemplate the entire data life cycle. Otherwise, you will waste substantial time, money, and resources trying to search and export insurmountable volumes of data for review. You will also find yourself increasingly at risk for court sanctions and prolonged eDiscovery battles if your team is unprepared or ill-equipped to find and properly export, review, and produce the requested data within the required timeline. For compliance and information governance teams, this proactive approach to data has even greater implications since the data they’re handling is not restricted to specific matters. In both cases, AI can be leveraged to classify, organize, and analyze data as it emerges—which not only keeps it under control but also gives quicker access to vital information when teams need it during a matter.Advanced AI can be applied to analyze and organize data created and held by specific custodians who are likely to be pulled into litigation or investigations, giving eDiscovery teams an advantage when starting a matter. Similarly, sensitive or proprietary information can be collected, organized, and searched far more seamlessly so teams don’t waste time or resources when a matter emerges. This allows more time for case development and better strategic decisions early on.Accelerating through automation Data growth continues to show no signs of slowing, emphasizing the need for data governance systems that are scalable and automated. If not, organizations run the risk of expending valuable resources on continually updating programs to keep pace with data volumes and reanalyzing their key information.The best solutions allow experts in your organization to refine and adjust data retention policies and automation as the organization’s data evolves and regulations change. In today’s cloud-based world, automation is a necessity. For example, a patchwork of global and local data privacy regulations (GDPR, California’s CCPA, etc.) include restrictions related to the timely disposal of personal information after the business use for that data has ended. However, those restrictions often conflict with or are triggered by industry regulations that require companies to keep certain types of documents and data for specific periods of time. When you factor in the dynamic, voluminous, and complex cloud-based data infrastructure that most company’s now work within, it becomes obvious why a manual, employee-based approach to categorizing data for retention and disposal is no longer sustainable. AI automation can identify personal information as it enters the company’s system, immediately classify it as sensitive data, and label it with specific retention rules. This type of automation not only keeps organizations compliant, it also enables legal and data governance teams to support their organization’s growth—whether it’s through new products, services, or acquisitions—while keeping data risk at bay. Conclusion Advancements in AI are providing more precise and sophisticated solutions for the unremitting growth in data—if you know how to use them. For legal, data governance, and compliance teams, there are substantial opportunities to harness the robust creativity in AI to better manage, understand, and deploy data. Rather than be inhibited by endless data volumes and inflexible systems, AI can put their expertise to work and ultimately help to do better at the work that matters. practical-applications-of-ai-in-ediscovery; ai-and-analytics; chat-and-collaboration-data; microsoft-365; lighting-the-path-to-better-information-governancemicrosoft, ai-big-data, cloud-security, blog, record-management, ai-and-analytics, chat-and-collaboration-data, microsoft-365,microsoft; ai-big-data; cloud-security; blog; record-managementmitch montoya
March 18, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Background

In 2016, European companies doing business in the US were able to breathe a sigh of relief. The European Commission deemed the Privacy Shield to be an adequate privacy protection. For the next half a decade, this shield, as well as Standard Contractual Clauses (SCCs), created the foundation upon which most global businesses were able to manage the thousands of data transfers that occur in each of their business days.Everything changed in July 2020 when the Court of Justice of the European Union gave its seismic judgment in a case generally known as Schrems II. As we will see, the decision has a particular impact on any companies relying on, or moving to, a cloud computing strategy. Businesses have been left needing to make a risk decision with seemingly no ideal outcome. Some legal, privacy, and compliance teams may be advocating for staying away from a cloud approach in light of the decision. The business teams, however, are focused on the vast array of benefits that cloud software offers.So what is the right decision? Where does the law stand and how do you manage your business in this uncertain time? In this four-part blog series, we’ll explain the impact of Schrems II, provide practical tips for companies in the midst of making a cloud decision, give specific advice regarding companies who have, or are implementing, Microsoft’s cloud offering (M365), and offer our view as to the future.Schrems II and Its ImpactFirst, let;s look at the Schrems II decision. The background to the case is well worth exploring but for the sake of brevity and providing actionable information we’ll focus on the outcome and the consequences. The key outcomes impact the two primary ways in which most data transfers between Europe and the US:The EU-US Privacy Shield was invalidated with immediate effect.SCCs (the template contracts created by the EU Commission which are the most common way in which data is moved from the EU) were declared valid, but companies using SCCs could no longer just sign up and send. A company relying on SCCs would have to verify on a case-by-case basis that the personal data being transferred was adequately protected. This process is sometimes called a Transfer Impact Assessment, although the court did not coin that phrase. If the protection is inadequate, then additional safeguards could be needed.The consequences of the decision are still revealing themselves, but as things stand:The Privacy Shield (used by more than 5,000 mostly small-to-medium enterprises) has gone with no replacement in sight (although the Biden administration appears to recognise its importance with the rapid appointment of the experienced Christopher Hoff to oversee the process).There have been significant developments in relation to SCCs, additional safeguards, and transfer impact assessments:The US published a white paper to help organisations make the case that they should be able to send personal data to the US using approved transfer mechanisms.The European Data Protection Board (EDPB) published guidance on how to supplement transfer tools.The European Commission published draft replacement SCCs.The EDPB and the European Data Protection Supervisor adopted a joint opinion on the draft replacement SCCs requesting several amendments.There is not a clear timetable as to when the replacement SCCs or EDPB guidance (which has completed a period of publication consultation) will be finalised. The sooner the better because there seem to be inconsistencies between them. For example, the Schrems II judgment and draft replacement SCCs permit a risk assessment (i.e., it is possible to conclude that personal data might not be completely protected, but that the risk is so small that the parties can agree to proceed), whereas the EPDB recommendations seem to deal in black and white with no shades between (i.e., there is either adequate protection or there is not). It will be important to monitor which, if any, of these drafts moves and in which direction. Whether the SCCs are supported with a risk assessment or analysis along the lines of the EDPB recommendations (or perhaps both), going forward using SCCs may be rather cumbersome particularly in a cloud environment where the location and path of the data is not always crystal clear. Companies are therefore in something of a grey triangle, the sides of which are a judgment of the highest European Court, a draft replacement to the SCCs the Court reviewed in its judgment, and draft guidance about additional safeguards. In part two </span><span>of the series, we will offer companies some practical guidance on how to move forward in light of this grey triangle.To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, data-privacy, blog, privacy-shield, data-privacy, microsoft-365, information-governance,microsoft; data-privacy; blog; privacy-shieldlighthouse
March 26, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Future

The Schrems II decision invalidated the EU-US Privacy Shield – the umbrella regulation under which companies have been transferring data for the last half-decade. In earlier parts of this four-part series, we described the impact of the Schrems decision, discussed how companies should evaluate their risk in using cloud technologies, and took a deeper dive on M365 in light of Schrems II. In sum, if you are a global business that previously relied upon Standard Contractual Clauses (SCCs) to transfer data, there is no clear guidance on what to do currently.It is even murkier in a cloud environment because the location of the data is not as transparent. Fortunately, there are ways to undertake a risk assessment to determine whether to proceed with any new cloud implementations. In the case of Microsoft products, there is also additional support from Microsoft with changes in its standard contractual terms and features in the product to mitigate some risks. Even so, many companies are holding off making any changes because the legal landscape is evolving. In this final part, we opine on what the future may hold. We can expect in the first half of this year that the European Commission will finalise the amended SCCs. We can anticipate that the EDPB will also produce another draft of its recommendations concerning data transfers. We should see plenty of risk assessments taking place. Even for companies adopting a “wait and see” policy in terms of taking significant steps, those companies should still be looking at their data transfers and carrying out risk assessments to make sure they are as well placed as possible for the moment when the draft SCCs and EDPB guidance are finalised.It would not be a surprise to see Microsoft continue to expand and develop M365 so that it offers yet more services that could be used as technical measures to reduce the risk around data transfers. These changes would strengthen the position of any company doing business between Europe and the US using M365.We do not have a crystal ball, and like many of you, are eager to see what happens next in this space. We will continue to monitor and keep you up to date with developments and our thoughts. If you have any questions in the meantime, feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governance; chat-and-collaboration-datamicrosoft, cloud, data-privacy, blog, law-firm, data-privacy, microsoft-365, information-governance, chat-and-collaboration-datamicrosoft; cloud; data-privacy; blog; law-firmlighthouse
March 22, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: The Cloud Environment

In part one of this series, we described the state of the EU-US Privacy Shield and the mechanisms global companies have relied upon to transfer data from their multiple locations. In short, a recent decision – Schrems II – invalidated the Privacy Shield and shook the foundation of Standard Contractual Clauses (SCCs). Companies are now left asking the question of how to respond.In this post, we will share our view on how to navigate forward. If your organization is not already highly reliant on cloud software, we recommend weighing the benefits and risks of making that move. As you assess your options, keep in mind that this move may come at a higher cost because of the need to do periodic risk assessments during this uncertain time. For those already in the Cloud, the motto here is “do everything that you reasonably can.” The position no company wants to find itself in is one of stasis. It is difficult to see such a position being looked upon favourably should regulators start to investigate how companies are responding to Schrems II and the consequences that go along with it.The touchstone is the EDPB guidance and its six-stage approach to assessing data transfers, which we recommend companies undertake:Identify your data transfers: It is an obvious first step, although in practice this could prove challenging. You’ll need to know all the scenarios where your data is moved to a non-European Economic Area (EEA) country (at the time of writing this article, the UK, although out of Europe, is still under the European umbrella until at least the 30th of June).Identify the data transfer mechanisms: You need to decide the grounds upon which the transfer is taking place, such as on the basis of an adequacy decision (this does not apply to the US), SCCs, or a specific derogation (such as consent).Assess the law in the third country: You need to assess “if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.” There is more guidance from the EDPB as to how the evaluation should be carried out (i.e., an independent oversight mechanism should exist). How effective or practical it is to suggest each company has to perform its own thorough legal assessment as the entire range of relevant legislation in any importing country is open to debate and might perhaps be considered further as these recommendations are refined.Adopt supplementary measures if necessary to level up protection of data transfers: The EDPB has published a non-exhaustive list of such measures, which essentially fall into one of three categories - technical (i.e., encryption), contractual (i.e., transparency), and organisational (i.e., involvement of a Data Protection Officer on all transfers). We’ll have a look at these measures in more detail below in relation to Microsoft 365.Adopt necessary procedural steps: If you have made changes to deliver the required level of protection, these need to be embedded into your operation (i.e.., by means of policy).Re-evaluate at appropriate intervals: This is not a job that can be completed and then left. It needs continual monitoring. There is no specific guideline as to what an appropriate interval is, but quarterly is probably a reasonable approach.Essentially this boils down to carrying out a risk assessment and taking steps to mitigate the risks that are uncovered. If your cloud strategy includes Microsoft 365, the next part of this blog series is a must-read. We will share what Microsoft has done in response to Schrems II as well as some specific configuration options that will influence steps 4 and 5, listed above. Bear in mind that these recommendations could change and you should watch the space. To continue the discussion or to ask questions, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, cloud, data-privacy, blog, corporate-legal-ops, data-privacy, microsoft-365, information-governance,microsoft; cloud; data-privacy; blog; corporate-legal-opslighthouse
March 24, 2021
Blog

The Impact of Schrems II & Key Considerations for Companies Using M365: Microsoft’s Response

In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; andwill compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden -Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe. More specifically, there are six areas upon which you could focus: Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers. Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application, which involves data being stored in the US, and decide that it could operate without that application.Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.Audit logs: All significant events in M365 are audited so you should put in place a review of audit logs to support any risk assessments that you complete.It is also more than just good practice to put in place a retention policy within M365, it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR. Microsoft is following the legal landscape closely so expect to see quick responses from them as things change. But what kinds of changes should companies expect and when? Read the final part of this blog series on what the future may hold.To discuss this topic further, please feel free to reach out to us at info@lighthouseglobal.com.data-privacy; microsoft-365; information-governancemicrosoft, cloud, data-privacy, blog, corporate-legal-ops, data-privacy, microsoft-365, information-governance,microsoft; cloud; data-privacy; blog; corporate-legal-opslighthouse
March 5, 2021
Blog

Now Live! Reed Smith's M365 in 5 Podcast Series

Lighthouse Microsoft 365 (M365) experts, John Holliday and John Collins, recently teamed up with Reed Smith to present the M365 in 5 Foundation Series on Reed Smith’s Tech Law Talks podcast. The series dives into operational considerations when rolling out M365 tools related to governance, retention, eDiscovery, and data security across a broad range of applications, from Exchange and SharePoint to all things Microsoft Teams.Check out the lineup below and click the titles of each podcast to give them a listen.M365 in 5 – Part 1: Exchange Online – Not just a mailboxDiscover the enhanced functionality of EXO, including new data types and the potential for enhanced governance.M365 in 5 – Part 2: SharePoint Online – The new file-share environmentHear about the enhanced file share and collaboration functionality in SharePoint Online, including real-time collaboration, access controls, and opportunities to control retention and deletion.M365 in 5 – Part 3: OneDrive for Business – Protected personal collaborationLearn about OneDrive for Business and how organizations can use it for personal document storage, such as giving other users access to individual documents within an individual’s OneDrive and acting as the storage location for all Teams Chats.M365 in 5 – Part 4: Teams – An introduction to collaborationListen to an introduction to Teams and how it is transforming the way organizations are working and communicating.M365 in 5 – Part 5: Teams Chats – Modern communicationsUncover the enhanced functionality of M365’s new instant messaging platform, including persistent chats, modern attachments, expressive features, and priority messaging, which enhance communication but can bring increased eDiscovery or regulatory risks.M365 in 5 – Part 6: Teams Channels – The virtual collaboration workspaceHear how Teams Channels are changing not only the way organizations work and collaborate, but also key legal and risk considerations that should be contemplated.M365 in 5 – Part 7: Teams Audio/Video (A/V) ConferencingDive into the functionality and controls of audio/video conferencing capabilities, including the integration of chats, whiteboards, translation, and transcription services.The Tech Law Talks podcast hosts regular discussions about the legal and business issues around data protection, privacy and security; data risk management; intellectual property; social media; and other types of information technology. For more information regarding the show, follow the link here: https://reedsmithtech.podbean.com.If you have questions about how to develop and maintain legal and compliance programs around M365, reach out to us at info@lighthouseglobal.com.microsoft-365; information-governancemicrosoft, blog, microsoft-365, information-governancemicrosoft; bloglighthouse
March 4, 2021
Blog

Mitigating eDiscovery Risk of Collaboration Tools

Below is a copy of a featured article written by Kimberly Quan of Juniper Networks and John Del Piero of Lighthouse for Bloomberg Law.Whether it's Teams, Slack, Zendesk, GChat, ServiceNow, or similar solutions that have popped up in the market over the last few years, collaboration and workflow platforms have arrived. According to Bloomberg Law's 2020 Legal Technology Survey, collaboration tools are being used by 77% of in-house and 44% of law firm attorneys. These tools are even more widely used by workers outside of the legal field.With many companies planning to make remote working a permanent fixture, we can expect the existing collaboration tools to become even more entrenched and new competitors to arrive on the scene with similarly disruptive technologies.This will be a double-edged sword for compliance and in-house legal teams, who want to encourage technology that improves employee productivity, but are also wary of the potential information governance and eDiscovery risks arising because of these new data sources. This article explains the risks these tools can pose to organizations and provides a three-step approach to help mitigate those risks.Understand Litigation and Investigation RiskThe colloquial and informal nature of collaborative tools creates inherent risk to organizations, much like the move from formal memos to email did 20 years ago. Communications that once occurred orally in the office or over the phone are now written and tracked, logged, and potentially discoverable. However, a corporation's ability to retain, preserve, and collect these materials may be unknown or impossible, depending on the initial licensing structure the employee or the company has entered into or the fact that many new tools do not include features to support data retention, preservation, or collection.Government agencies and plaintiffs’ firms have an eye on these new applications and platforms and will ask specifically about how companies and even individual custodians use them during investigations and litigations. Rest assured that if a custodian indicates during an interview or deposition that she used the chat function in a tool like Teams or Slack, for example, to work on issues relevant to the litigation, opposing counsel will ask for those chat records in discovery. Organizations can mitigate the risk of falling down on their eDiscovery obligations because of the challenges posed bycollaboration tool data using this three-step approach:Designate personnel in information technology (IT) and legal departments to work together to vet platforms and providers.Develop clear policies that are regularly reviewed for necessary updates and communicated to the platform users.Ensure internal or external resources are in place to monitor the changes in the tools and manage associated retention, collection, and downstream eDiscovery issues.Each of these steps is outlined further below.Designate IT & Legal Personnel to Vet Platforms and Providers‍Workers, especially those in the tech industry, naturally want to be free to use whatever technology allows them to effectively collaborate on projects and quickly share information.However, many of these tools were not designed with legal or eDiscovery tasks in mind, and therefore can pose challenges around the retention, preservation and collection of the data they generate.Companies must carefully vet the business case for any new collaboration tool before it is deployed. This vetting process should entail much more than simply evaluating how well the tool or platform can facilitate communication and collaboration between workers. It also involves designating personnel from both legal and IT to work together to evaluate the eDiscovery and compliance risks a new tool may pose to an organization before it is deployed.The importance of having personnel from both legal and IT involved from the outset cannot be understated. These two teams have different sets of priorities and can evaluate eDiscovery risks from two different vantage points. Bringing them together to vet a new collaboration tool prior to deployment will help to ensure that all information governance and eDiscovery downstream effects are considered and that any risks taken are deliberate and understood by the organization in advance of deployment. This collaborative team can also ensure that preservation and discovery workflows are tested and in place before employees begin using the tool.Once established, this dedicated collaborative IT and legal team can continue to serve the organization by meeting regularly to stay abreast of any looming legal and compliance risks related to data generation. For example, this type of team can also evaluate the risks around planned organizational technology changes, such as cloud migrations, or develop workflows to deal with the ramifications of the near-constant stream of updates that roll out automatically for most cloud-based collaborative tools.Develop Clear Policies That Are Regularly Reviewed‍The number of collaborative platforms that exist in the market is ever evolving, and it is tempting for organizations to allow employees to use whatever tool makes their work the easiest. But, as shown above, allowing employees to use tools that have not been properly vetted can create substantial eDiscovery and compliance risks for the organization.Companies must develop clear policies around employee use of collaborative platforms in order to mitigate those risks. Organizations have different capabilities in restricting user access to these types of platforms. Historically, technology companies have embraced a culture where innovation is more important than limiting employees’ access to the latest technology. More regulated companies, like pharmaceuticals, financial services, and energy companies, have tended to create a more restrictive environment. One of the most successful approaches, no matter the environment or industry, is to establish policies that restrict implementation of new tools while still providing users an avenue to get a technology approved for corporate use after appropriate vetting.These policies should have clear language around the use of collaboration and messaging tools and should be frequently communicated to all employees. They should also be written using language that does not require updating every time anew tool or application is launched on the market. For instance, a policy that restricts the work-related use of a broad category of messaging tools, like ephemeral messaging applications, also known as self-destructing messaging applications, is more effective than a policy that restricts the use of a specific application, like Snapchat. The popularity of messaging tools can change every few months, quickly leading to outdated and ineffective policies if the right language is not used.Make sure employees not only understand the policy, but also understand why the policy is in place. Explain the security, compliance, and litigation-related risks certain types of applications pose to the organization and encourage employees to reach out with questions or before using a new type of technology.Further, as always with any policy, consider how to audit and police its compliance. Having a policy that isn't enforced issometimes worse than having no policy at all.Implement Resources to Manage Changes in Tools‍Most collaboration tools are cloud-based, meaning technology updates can roll out on a near-constant basis. Small updates and changes may roll out weekly, while large systemic updates may roll out less frequently but include hundreds of changes and updates. These changes may pose security, collection, and review challenges, and can leave legal teams unprepared to respond to preservation and production requests from government agencies or opposing counsel. In addition, this can make third-party tools on which companies currently rely for specific retention and collection methodologies obsolete overnight.For example, an update that changes the process for permissions and access to channels and chats on a collaborative platform like Teams may seem like a minor modification. However, if this type of update is rolled out without legal and IT team awareness, it may mean that employees who formerly didn't have access to a certain chat function may now be able to generate discoverable data without any mechanism for preservation or collection in place.The risks these updates pose mean that is imperative for organizations to have a framework in place to monitor and manage cloud-based updates and changes. How that framework looks will depend on the size of the organization and the expertise and resources it has on hand. Some organizations will have the resources to create a team solely dedicated to monitoring updates and evaluating the impact of those updates. Other organizations with limited internal access to the type of expertise required or those that cannot dedicate the resources required for this task may find that the best approach is to hire an external vendor that can perform this duty for the organization.When confronted with the need to collect, process, review, and produce data from collaboration tools due to an impending litigation or investigation, an organization may find it beneficial to partner with someone with the expertise to handle the challenges these types of tools present during those processes. Full-scale, cloud-based collaboration tools like Microsoft Teams and Slack are fantastic for workers because of their ability to combine almost every aspect of work into a single, integrated interface. Chat messaging, conference calling, calendar scheduling, and group document editing are all at your fingertips and interconnected within one application. However, this aspect is precisely why these tools can be difficult to collect, review, and produce from an eDiscovery perspective.With platforms like Teams, several underlying applications, such as chat, video calls, and calendars, are now tied together through a backend of databases and repositories. This makes a seemingly simple task like “produce by custodian” or “review a conversation thread” relatively difficult if you haven't prepared or are not equipped to do so. For example, in Teams communications such as chat or channel messages, when a user sends a file to another user, the document that is attached to the message is no longer the static, stand-alone file.Rather, it is a modern attachment, a link to the document that resides in the sender's OneDrive. This can beg questions as to which version was reviewed by whom and when it was reviewed. Careful consideration of versioning and all metadata and properties will be of the utmost importance during this process, and will require someone on board who understands the infrastructure and implications of those functions.The type of knowledge required to effectively handle collection and production of data generated by the specific tools an organization uses will be extremely important to the success of any litigation or investigation. Organizations can begin planning for success by proactively seeking out eDiscovery vendors and counsel that have experience and expertise handling the specific type of collaboration tools that the organization currently uses or is planning on deploying. Once selected, these external experts can be engaged early, prior to any litigation or investigation, to ensure that eDiscovery workflows are in place and tested long before any production deadlines.ConclusionCloud-based collaboration tools and platforms are here to stay. Their ability to allow employees to communicate and collaborate in real time while working in a remote environment is becoming increasingly important in today's world. However, these tools inherently present eDiscovery risks and challenges for which organizations must carefully prepare. This preparation includes properly vetting collaboration tools and platforms prior to deploying them, developing and enforcing clear internal policies around their use, monitoring all system updates and changes, and engaging eDiscovery experts early in the process.With proper planning, good collaboration between IT and legal teams and expert engagement, organizations can mitigate the eDiscovery risks posed by these tools while still allowing employees the ability to use the collaboration tools that enable them to achieve their best work.Reproduced with permission. Published March 2021. Copyright © 2021 The Bureau of National Affairs, Inc.800.372.1033. For further use, please contact permissions@bloombergindustry.com.chat-and-collaboration-data; ediscovery-review; microsoft-365emerging-data-sources, blog, corporate, chat-and-collaboration-data, ediscovery-review, microsoft-365,emerging-data-sources; blog; corporatebloomberg law
July 17, 2020
Blog

Leveraging Microsoft 365 to Reduce Your eDiscovery Spend

In the early days of electronic discovery, technologies that legal teams utilized were researched and procured by specialists independent of information technology teams. Getting IT, legal, compliance, records managers, and other stakeholders to come together to discuss and strategize as a team was almost impossible. The move to the Cloud is changing that dynamic, as corporations move to address data challenges including eDiscovery, information governance, data privacy, and cybersecurity, in a more holistic fashion. When a corporation leverages Microsoft 365 (M365), they have procured a technology that not only meets their data storage requirements but provides eDiscovery, privacy, data governance, and cybersecurity features as well.With the upside that a single platform can provide, there are also challenges including the continued growth in data and new data types that M365 presents. Most eDiscovery professionals are still working to understand how to leverage the functionality in M365 and how to incorporate it into their existing program. Teams usage, for example, has risen with the addition of 31 million new users in one month when the COVID-19 pandemic first hit. Based on that statistic, it is clear that Teams is new to many professionals and eDiscovery teams need to understand how to deal with Teams data in discovery.eDiscovery features in M365 vary based on licensing, but can include data culling, data processing, and even some high-level review. The functionality in no way is an end-to-end solution for discovery. It can achieve some basic needs and other technologies are still required to address limitations in the platform.M365 is also an incredibly dynamic program. It is a challenge to track modifications and updates to the system. Organizations need to invest in personnel to test their M365 environment proactively to identify potential issues that could occur in the discovery process, understand limitations, and capture benchmarking data on the time and effort certain tasks can take in the system. This information should be discussed with legal teams, as it can impact their discovery negotiations and should be considered for proportionality assessments. It’s vitally important to train internal and external legal teams on the capabilities and the limitations of the technologies.Keeping pace with M365 often requires multiple resources. Consider having a dedicated team to test the new tools and ensure any new updates get incorporated back into your workflows. Reach out to your peers at other organizations to learn from their experiences with the tool. Working with service providers who have deep expertise in the tool and the roadmap is extremely beneficial. Microsoft is open to receiving feedback on your experiences outside of simply support tickets. In fact, there is a formal design change request option available to M365 users. Contact your Microsoft representative to learn more about that alternative.When it comes to leveraging M365 for eDiscovery, keep these key takeaways in mind:The explosion of data, new technology, and cybersecurity risks have all led to a continual evolution of the M365 tool.Staying up to date with these continuous evolutions can be a challenge, be sure to (1) have dedicated resources to test new capabilities and report back; and (2) ensure these new updates get incorporated into training and workflow documentation.Train both your internal and external teams on your M365 needs.Collaborate with your various partners (i.e. providers, third-party vendors, outside counsel, etc.).To discuss this topic further, please feel free to continue the discussion by emailing me at PHunt@lighthouseglobal.com.microsoft-365; information-governance; chat-and-collaboration-data; legal-operationsmicrosoft, legal-ops, blog, microsoft-365, information-governance, chat-and-collaboration-data, legal-operationsmicrosoft; legal-ops; blogpaige hunt
December 22, 2021
Blog

Cloud Adaptation: How Legal Teams Can Implement Better Information Governance Structures for Evolving Software

There is much out there about cloud solutions and how they improve the lives of users, offer flexibility for expansion and contraction of business, and can lighten the lift for IT. There is even a lot of specific commentary about how cloud can help legal teams and enable change management for the department. But what about the day-to-day tasks? How does the cloud change the legal team’s work and what new governance and skills are necessary to handle that change? This blog will tackle these questions so you can be more prepared and agile as cloud technology advances.Why does a shift to the cloud matter for legal teams?From a practical perspective, it means having to be reactive in areas where legal has traditionally been more proactive. Things like data storage timelines and locations, internal access permissions, and document history are now ever-changing with software updates being automatically pushed to corporate software environments. Many organizations that manage on-premises software have historically had an effective software governance structure in place. They can meet, discuss upcoming upgrades and their impacts, and make decisions about when to execute a software upgrade. Now, in an agile cloud approach, upgrades come frequently, without much notice, and sometimes have highly impactful changes. Traditional governance structures are no longer sustainable given the new timing and volume of updates – sometimes hundreds in a week. Legal and IT teams now need to collaborate more often to quickly analyze any impacts updates will have on the organization and what, if anything, needs to be done to mitigate cloud security risks.Given this, how should corporate legal teams adapt?A typical legal department is organized around areas of expertise – you may have employment, litigation, business advice, and contracts, for example. The department may also have a legal operations function, or a member of the team assigned to certain process improvement and/or corporate programs. One of these programs covers technology changes at an organization. It is this latter set of responsibilities that become much more important, and more voluminous, in an agile software environment. Analyzing the potential risks of cloud updates, advising the business on how to mitigate those risks, and changing any associated legal workflows can become a full-time or close to full-time set of responsibilities. In addition, the culture of the department must change to one that embraces frequent change, understands change management, and is consistently updating and improving processes and procedures.Traditionally, in an on-premises environment, an IT organization would typically manage an upgrade governance structure. They would plan for a software upgrade every six months, outline the changes that are due with each upgrade, and analyze what departments it impacts and the risks of those impacts. Finally, they would present this information to a cross-functional committee who would discuss when the upgrade can be made and what kind of work needs to precede the upgrade. Legal was typically part of that committee. Now, in a cloud environment dozens (or even hundreds) of changes get pushed out weekly and, although there may be some advanced warning, the timing isn’t as flexible, it isn’t uniform across users, and there is usually less time to prepare. In addition, changes may be pushed out, rolled back, and potentially reversed. Updates may also occur without any warning, which can contribute to the cloud challenges for corporate legal departments[1]. To minimize risk in this agile environment some specific steps can be helpful: a similar governance committee needs to meet more frequently, the analysis of impact and risk needs to be done very quickly, and changes need to be made almost immediately to ensure you get ahead of any potential impacts. Due to the frequent nature of these changes, and supervising process updates to mitigate risk associated with the changes, managing cloud updates can be more time-consumingWithout structure, these cloud updates can add stress and increase reactive work. However, with some structure and clearly delineated oversight, they can be managed more efficiently. Although many organizations may not have a structure in place, those that do pull together a committee for each enterprise technology. This committee has IT, legal, compliance, and business-focused representation. It may have multiple representatives from some of these groups, depending on the perspectives needed. The goal is for the business representative to advocate for users of the technology, the legal and compliance representatives to mitigate risk and take into account regulatory, litigation and privacy considerations, and the IT team to represent management of the platform and be a voice for the platform provider. The committee should have access to a sandbox-type environment where they can test changes and should be empowered to lead companywide changes – or at least be able to work with a project management office or other resource to make these changes.Most legal departments run pretty lean so creating a new governance structure can be a significant challenge, but there are ways to make the process easier. First, you can hire outside support to handle all, or some, of this work. For example, outsourcing the creation of the governance structure to manage software updates and staffing that group with your own resources or have your external partner staff and manage it until a time when you are ready to take it over. Second, instead of hiring outside support, you can share your risk concerns with IT and rely on them to raise any potential impact that upgrades may have on risk and legal processes. For example, when IT receives an email from a software provider outlining updates, they would analyze them for potential impact to legal workflows, retention policies, or any other issues you have flagged. They would then test the updates and remediate any negative impacts. Finally, you can rotate governance committee membership so that the work is being shared across your team. Whatever approach you choose, keep in mind that changes in the cloud environment are happening frequently and having someone within your company watching from a legal perspective will pay dividends when it comes to accessing data for legal, compliance, investigative, or other reasons down the line.[1] Victoria Hudgins, “Big Adjustment: Legal Departments Struggle with Lack of Control Over Cloud Technology,” Legaltech news, November 29, 2021, law.com information-governance; microsoft-365; lighting-the-path-to-better-information-governancecloud-security, cloud-migration, blog, risk-management, information-governance, microsoft-365cloud-security; cloud-migration; blog; risk-managementlighthouse
September 30, 2020
Blog

Cloud Based Collaboration Tools are not Just Desirable, but Necessary for Keeping Workforces Productive

Below is a copy of a featured article written by Denisa Luchian for The Lawyer.com, where she interviews Lighthouse's Matt Bicknell. Lighthouse business development director EMEA Matt Bicknell talks to The Lawyer about how in today’s remote environment, cloud based collaboration tools are not just desirable but a necessity – but also the challenges they pose for eDiscovery processes.What is the driving force behind the massive migration to cloud-based environments over the last few years?There are a few factors at play here. Prior to the Covid-19 pandemic, companies were already moving their data to the Cloud (both public and private) in droves, in order to take advantage of unlimited data capacities and drastically lower IT overhead. The move to the Cloud is also being driven by a younger workforce that feels at home working with cloud-based chat and collaboration tools, like M365 or G-Suite. However, the worldwide shift to remote work due to the pandemic really broke the dam when it comes to cloud migration. We’ve seen a seismic shift to cloud-based tools and environments since March of 2020. In a completely remote environment, cloud-based collaboration tools are not just desirable, they are necessary to keep workforces productive. Migrating to the Cloud can greatly reduce the need for workers to be physically present in an office building.What are some of the challenges that cloud migration can pose to the eDiscovery process?Unlimited storage capacity at low cost can be a great thing for an organisation’s bottom line, but can definitely cause issues when it comes time to find and collect data that is needed for a litigation or investigation. Search functions built for cloud-based tools are often built for business use, rather than for the functionality that legal and compliance teams require in order to find relevant information. In addition, collecting and producing from collaboration tools like Teams or Slack can be much more complicated than a traditional email collection. Relevant communications that previously would have happened over email now happen over chat, through emoticon reactions, or through collaboratively editing a document. All of this relevant data may be stored in several different places, in a variety of formats within the Cloud. Even attachments are handled differently in cloud-based applications – instead of sending a static document as an attachment via email, Teams defaults to sending a link to the document in Teams. This means that the document could look significantly different at the time of collection than it did when the link was sent. Collecting from those types of sources, producing them in a format that makes sense to a reviewer/opposing counsel, and accounting for all the dynamic variables can be a difficult hurdle to overcome if the organisation hasn’t planned for it.How can companies prepare for eDiscovery challenges in a cloud environment?First, make sure compliance, legal and IT all have a seat at the table and have input into decisions that may affect their workflows and processes. Understand where your data resides and have effective retention, data governance, and compliance policies in place. Your policies should spell out which cloud-based applications employees may use and also have rules in place regarding how they can be used and where work product should be stored. Understand your legal hold policy and what type of data it encompasses. Make sure you have the right talent (either within your organisation or through a vendor) who understands the underlying architecture behind Teams, G-Suite, or any other cloud-based tool your organisation uses and also knows how to collect relevant information when needed. Ensure that your IT team or vendor has a system in place to monitor application and system updates. Cloud-based updates can roll out on a weekly basis; those changes may significantly impact the efficacy of your data retention and collection policies and workflows.As cloud technology continues to evolve, what does the future hold for eDiscovery? Because of the near endless storage capacity of the Cloud, the amount of data companies generate will just continue to exponentially expand. As a result, the technology behind AI and analytics will continue to improve, and those tools will eventually be less of an option to use in certain matters and more of a necessity to use for most matters. I also think as more companies feel comfortable moving their data to the Cloud, we will start to see more and more of these companies bring their eDiscovery programs in house. Vendors are already beginning to offer subscription-based, self-service, spectra eDiscovery programs which hand over the eDiscovery reigns to the organisation, while the vendor stores and manages the data in the Cloud (both public and private). This type of service allows companies to eliminate the middleman, control their own eDiscovery costs, and easily scale up or down to meet their own needs, while leaving the burden of data storage security and maintenance with the vendor. Finally, look for vendors to start offering subscription-based services to help organisations manage the near-constant stream of application and system updates for cloud-based services.microsoft-365; chat-and-collaboration-data; information-governancemicrosoft, cloud, g-suite, blog, microsoft-365, chat-and-collaboration-data, information-governance,microsoft; cloud; g-suite; blogthe lawyer
May 18, 2022
Blog

IT at the Helm: Change Management for Cloud-Based SaaS is Key to Minimizing Risk

Cloud computing dates to the mid-1990s – so why is this relatively old concept still such a hot topic? Haven’t we figured it all out by now? And isn’t the benefit of today’s SaaS cloud environments that someone else, namely the SaaS provider, handles software management? What else is there to figure out? Having spent the last several months talking to legal, compliance, and IT professionals about their Microsoft 365 environments, I am confident that there is still a lot that corporate IT departments are grappling with. In fact, a recent survey conducted by Lighthouse of 106 IT managers and executives found that although most organizations had a change management process in place for on-premises feature updates and upgrades, and most organizations planned to have change management in place for enterprise-wide SaaS technology updates in the next five years, only 16% had something in place today.[1] To better harness this technology as it continues to evolve and to minimize risks along the way, it’s important to understand why these change management gaps exist, what their impact is, and how legal and IT teams can work together in new ways to close them.Managing the Evolution of SaaSThe adoption of enterprise SaaS cloud technologies has only become prevalent in the last decade and growth has skyrocketed over the last couple of years. In fact, Microsoft 365 had 23.1 million consumer subscribers five years ago (Fiscal Year 2016) and that number has grown to 58.4 million. As such, IT organizations have not had to support SaaS enterprise offerings at scale until very recently and today most IT departments are supporting both on-premises and SaaS cloud environments. The first priority in supporting this explosive adoption was to implement and migrate over to the new system. It is only recently that focus has shifted toward governance and processes around these systems.Even with a newer focus on process, one of the touted benefits of SaaS cloud technology is less maintenance and software support by the in-house IT team. Of course, there is the need to set up process to resolve user questions and to ensure systems have been set up to facilitate the business running properly. But, planning and executing hardware or software upgrades is mostly managed by a third-party provider so there is not an urgent need to set up robust change management. In addition, the old change management process where major developments are analyzed, tested, and timed for deployment to desktops still applies to Microsoft 365.However, using the old process for new applications can have drawbacks. First, not all updates that Microsoft or others make are configurable updates where there is a choice on how, and whether, to implement. Second, if users are logging into a web environment (as opposed to desktop apps), IT teams don’t necessarily have control over the version their users are utilizing. Finally, given that most organizations have differing levels of IT permissions, meaning some groups are upgraded sooner than others, teams must move quickly to handle unpredictable and varied update schedules. With the speed and variability of new feature updates, the old process may not be agile enough to handle them. The differences between SaaS and on-premises environments (where you have full control of the upgrade schedule) can leave some gaps even when organizations review, analyze, and test the roadmap and updates from the Microsoft Message center.The old process often fails to prepare the business for these changes because IT, legal, and other teams are not always communicating about the broader risk or implementation implications. Because the IT team is focused on availability and scalability, it often misses how certain changes can introduce business risks outside of their ken. Solely relying on IT professionals to determine the broader impact of updates can mean that business, regulatory, and other risks outside of IT’s awareness are overlooked.Measuring the Impact of UpdatesWhether these management gaps are tolerable is a risk decision that each organization must make—one that can put the user experience in tension with a developed IT process. In discussions with legal, compliance, and information governance professionals that focus on SaaS services, handling the cadence and speed of these updates is a concern that keeps them up at night. But, quickly providing users new features has considerable benefits for the business too. It’s important for IT to prioritize ensuring that users can access their business data and that the business can continue without interruption over cumbersome update management.When weighing these risks and benefits it’s important to fully appreciate their potential impacts. An example of where these priorities conflict is highlighted in a change around Microsoft Teams meeting transcripts. In March 2021, Microsoft made an update that allows for a live transcript of certain Teams meetings. In November 2021, Microsoft expanded that functionality to Teams Channel meetings and upgraded the features of live transcripts to include name attribution to the speaker. This is helpful functionality for users and, given that it is an automatic upgrade, there may be little to do from an IT perspective. From a risk and legal perspective, however, there are a couple of key considerations. First, where is the transcript stored after the meeting and do retention policies apply? Second, is the data subject to ongoing regulatory or litigation requests and how is it accessed? The answers to those questions are complicated by the fact that the location of the data depends on whether a user downloaded the transcript after the meeting. Many IT organizations caught this change by reviewing the Microsoft Message center for updates—and in doing their own testing they determined that disabling the functionality was the best course of action. This was an update with obvious data ramifications that outweighed the potential benefits in a risk assessment from both IT and legal. For updates that are less obvious, IT may not have consulted legal. For updates where the value to users may seem to outweigh the risk, where the risks aren’t initially apparent, or when there are no configuration options—IT may have a more challenging decision to make.Reimagining a Change Management ProcessHaving a cross-functional framework in place to discuss and implement these types of updates is key to managing changes. Many organizations have some sort of accountability in place around updates—an individual or group of people are responsible for reviewing the Microsoft Message center. Although this structure is lower in cost and requires fewer resources, it has a few drawbacks. First, if only IT is involved, you may have only one perspective on the impacts of updates and that can be too narrow to determine the effects on the broader business. Second, many organizations do not have a tracking mechanism to determine what Microsoft updates they have read, evaluated, tested, and taken action against. With dozens of messages, many of which don’t need action, it is easy to lose track of what has been evaluated. Finally, if there isn’t clear accountability with dedicated resources the process can lose legitimacy and fail. Organizations who choose to minimize their business risk do not have to put in place a heavy structure to manage updates. In fact, the process around on-premises software upgrades can easily be adapted to the cloud situation.The single most important thing that an IT team can do for an effective SaaS support practice is to adapt and enforce existing change management and organizational controls. More specifically, IT organizations should consider:Dedicating a resource to track and review changes from service and cloud providers to ensure updates and changes are properly evaluated for risk and business continuity.Relying on a robust change management system with stakeholders throughout the organization to provide clearly articulated approval, risk identification, testing, and risk management.Partnering with your compliance team to ensure adherence to governance frameworks, organizational commitments, and client requirements. The compliance function is trained to manage risk and is uniquely chartered with authority and independence with a company’s governing body.Collaborating with legal. Lawyers are trained to spot issues and manage risk for the entire business. Often times, individual departmental stakeholders are responding to team-level incentives. Legal teams are also learning to adapt their governance structures to evolving cloud solutions.Leveraging the Project Management Office to ensure that stakeholders and risks are identified at the start of any specific project (i.e., measure twice, cut once).One of the most effective ways to get the right stakeholders’ input is to create a Change Approval Board (“CAB”) with subject matter experts from every business group to meet on a periodic basis. The CAB provides a framework that ensures IT has input from across the business while still giving it the opportunity to own and manage the support of the software.One of the benefits of SaaS technologies is the ability to utilize and optimize with the newest features and to take some of the hardware management burden off IT. By putting in place a cross-functional team to review and manage the update process, you can mitigate your organizational risk while allowing users take full advantage of the benefits.[1] In February 2022, Lighthouse surveyed 106 IT managers or above who had Microsoft on-premises and now have Microsoft 365. The survey found that only 16% had implemented a change management process for M365 and 62% of organizations planned to implement one in the next 5 years.microsoft-365; chat-and-collaboration-data; information-governancemicrosoft, cloud-migration, cloud-services, blog, microsoft-365, chat-and-collaboration-data, information-governance,bloglighthouse
June 29, 2021
Blog

An Introduction to Managing Microsoft 365 Updates that Present Legal and Compliance Considerations

Increasingly, opportunities for cloud-based collaboration and efficiencies, and challenges presented by the rapid proliferation of complex data, are incentivizing organizations to transform their corporate data governance and eDiscovery operations from traditional self-managed infrastructure to the Microsoft 365 (M365) Cloud. Benefits in terms of convenience, security, robust functionality, and native capabilities related to eDiscovery and compliance are the primary drivers of this move.While there are many benefits to moving into the M365 ecosystem, it requires legal and compliance teams to take on new considerations regarding the constant evolution that characterizes cloud software. With continually changing applications, establishing static workflows for eDiscovery, legal holds, data dispositions, and other legal operations is not enough. As the M365 software and functionality changes, workflows must be constantly evaluated to ensure their validity, relevance, and defensibility.Exacerbating this challenge is the reality that the traditional IT change management paradigm designed to preemptively address cross-organizational considerations (including impacts to legal, compliance, and eDiscovery operations) does not fit the Cloud/SaaS framework. Organizations must now rethink their change management approach as they modernize with M365.This is the first in a series of blog posts devoted to highlighting key changes that have been released into the M365 production environments. One of the biggest challenges for organizations is identifying which of the myriad of updates pose potential risks to eDiscovery operations. Distinguishing the changes that do and do not pose a significant eDiscovery impact can be extremely difficult unless the reviewer has some level of subject-matter expertise and understands the specific workflows deployed within the organization. Here are some common scenarios with potential eDiscovery impact that could easily go unnoticed by the untrained eye:Updates that create a new data sourceUpdates that change a backend data storage locationUpdates altering the risk profile of features that were previously disabled due to legal / privacy riskUpdates that render an existing eDiscovery process obsoleteEach subsequent blog post in this series will highlight an example of a software update related to our key software scenarios, detailing the nature of the change, the potential impact, as well as when and why organizations should care.microsoft-365; chat-and-collaboration-data; information-governancemicrosoft, compliance-and-investigations, blog, cloudcompass, advisory-services, microsoft-365, chat-and-collaboration-data, information-governance,microsoft; compliance-and-investigations; blog; cloudcompass; advisory-serviceslighthouse
No items found. Please try different search parameters.