TechRepublic's Dan Patterson talked with David Horrigan, legal education director for e-discovery software provider Relativity, about why the new Gmail confidential mode could be a bad choice for businesses required to retain documents.
Patterson: We live in a post-GDPR world, and that means everyone is very conscious about data management and storage. That means every business is conscious about data management and storage, which also means Google is going to roll out a bunch of new products and services so they don't become the lightning bolt of controversy... David, thanks again for your time today.
Gmail confidential mode. It's out for consumers. It's on its way for G Suite. What does this mean for organizations that are sometimes required by law to retain documentation?
Horrigan: Dan, as always, thank you for having me back. It's great to be with you. It's a big issue. Preservation of data is one of the biggest challenges that corporations and their lawyers have when trying to figure out how to run their businesses. When the Federal Rules of Civil Procedure in the United States were changed in 2015, there was a long discussion back and forth as they tried to formulate the rules on whether or not you would codify in the rules when a legal hold should be placed.
Right now, the standard under the common law has always ... Not always, but has been for a while, the reasonable anticipation of litigation. But that can be tricky. When is the reasonable anticipation of litigation? Is it when you get notice you've been sued? Not really. The courts have come down and said 'No, it can be triggered well before you might get sued.' For instance, if you are a store and there is a slip and fall, once a fall happens, do you put a legal hold on all email and stop any email from being deleted? These data issues are complex.
Right now, we are at this reasonable anticipation of litigation standard. It can sometimes be tricky.
Patterson: What do we do then when we have this kind of push and pull between a personal desire for privacy and perhaps I may want Google in this case, with Gmail, to preserve less of my personal email, but then potentially after the fact have to look at potential litigation or other instances where I need to preserve, like you mentioned a moment ago, well before something is triggered. How do we balance that delicate dance?
Horrigan: You put it well, Dan. It is a delicate dance. It's a balancing test, as so many things in the law and with running a corporation can be. You mentioned the General Data Protection Regulation, the GDPR, which came into effect last Friday. You and I had spoken on that before. It's a big issue because the right to be forgotten, or the right to erasure, and then data privacy by default, and some of the other provisions of the GDPR can sometimes knock heads with what we see in the United States as the right to information. That specifically comes down in a litigation context.
We now, because we market ... I say 'we' as in businesses in the United States, if you're marketing to EU residents, once again realize, it's not EU citizens, it's residents of the EU, or data subjects, as they are known. You've got potential GDPR compliance issues if you're marketing there. Bringing it home to the States, a lot of times we think of ourselves as the wild, wild west of data privacy law, but we do have restrictions on privacy and information. We've got HIPAA, for those of you who have been to a doctor at any time in the past several years. You know there are privacy implications there.
Nonetheless, they often come full force into US litigation demands. Historically, we have had very broad-based electronic discovery, or eDiscovery, to use the short term that we use. There are really pretty broad-based requirements for you to produce that data. Now, on occasion, lawyers and litigation teams, the paralegals, the technologists, work together and use technology to be able to do things to help deal with these rules. You can redact the information, where not only do you redact information that may be subject to the attorney-client privilege, or the protections of the work product doctrine, you can also redact company confidential information. Now, that's not to guarantee it won't end up in a court of law sometime, but you can use technology to help you address those issues, and I won't say circumvent the law, but meet the requirements of the law in creative ways.
Patterson: That's great advice. We would never advocate circumventing the law, but we will always advocate taking legal precautions. I really like that piece of advice that you can redact portions of emails. I know that companies have different types of retention policies, data retention policies. At CBS, I think it's a couple years. What is a good, at least baseline, piece of advice for companies, especially startups and SMBs that may not have access to legal counsel, or where it may be very expensive? In a post-GDPR world, what should be a good baseline in terms of how to retain what types of information for how long?
Horrigan: The first thing I suppose I should say is, to the extent anything sounds like legal advice, it's not. It's friendly advice, not legal advice, as we like to say in our educational programming.
I had a professor in law school one time who used to put creative things on the board, and takeaways, and famous quotes from academicians and legal scholars on high. One of them was 'don't be a jerk.' That rule can really come into play here. It sounds overly simplified, and it is, but if you think about it, we've heard a lot about the potential for fines under the GDPR. In fact, Max Schrems, who famously brought down the Safe Harbor Framework, has already filed some litigation under the GDPR. If you look at the fine structure there, there's a two-tiered structure, and to get the most egregious fines, what you're hearing about, the four percent of annual turnover, or revenue, as we call it in the United States, really takes some egregious activity.
If you are exhibiting good faith to the data protection authorities, chances are you are not going to be getting those kinds of fines. Nevertheless, if you are a small to medium-sized business, the GDPR isn't your only concern. A lot of times, we're focused on litigation. We have television shows that talk about what goes on in the courtroom. You really need to watch and be careful that you're following the regulations as well, because the regulators have immense power. The Federal Trade Commission has instituted enforcement actions when there are data privacy violations, because of the breaches, or something along those lines, where these data privacy issues come up. If you have a small or medium-sized business, what you want to do is act reasonably.
This phrase, the 'reasonable anticipation of litigation': if you think you're going to get sued, you might be. We had a webinar earlier today with Judge Francis and Patrick Zeller of Gilead Sciences, where we polled the audience on when do you institute a legal hold, which includes preserving all email, where nobody gets to delete anything. One option was the first you hear of a potential slip and fall and an injury accident; a second option was when there's a reasonable anticipation of litigation, when you've gotten sued. That was, by a large margin, the most popular answer. Very few companies, of small to medium size, are going to lock down and do a legal hold if someone slips in the parking lot of the business. Nevertheless, don't go on to mass destruction of data if you at all think that there's a reasonable chance you might have to have that data for litigation or regulation.
With the regulatory authorities, sometimes it's not this reasonable anticipation. Sometimes it is codified in a statute or a regulation that you've got to retain data for a certain period. Being familiar with what statutes and what regulations affect your business is key, too.
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.