Outside Publication

Understanding Ethics and Obligations Regarding Global Big Data, The Legal Intelligencer

January 07, 2015

It is a basic tenet of professional responsibility that lawyers obtain sufficient proficiency to ensure competent representation of their clients. The challenge in today's world of Big Data and corporate globalization and outsourcing of IT infrastructure is that the level of technological proficiency required is not always clear. Understanding your obligations and establishing defensible processes will be necessary to fully demonstrate competence in discovery should an issue arise.

Ethical and Procedural Framework

Federal Rule of Civil Procedure 34 requires a party to "produce documents as they are kept in the usual course of business or to organize and label them to correspond to the categories in the request." In practice, this requires counsel to establish and supervise the process through which all responsive nonprivileged documents are produced on a timely basis. Easy enough, right?

Well, the recently enacted amendment to Model Rule of Professional Conduct 1.1 throws a bit of a monkey wrench into that plan. It states that "competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation." Comment 8 to the rule clarifies that "to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."

Finally, Model Rules 5.1 and 5.3 require the supervising lawyer to take full responsibility for all work performed by outside vendors, including document reviewers. In engaging and supervising the vendor or review lawyer, counsel must make a reasonable effort to ensure that the end-to-end process is compatible with the professional obligations of the lawyer.

In a paper world, or even an early electronically stored information (ESI) world, this kind of supervision was easy. The lawyer in charge established a collection plan, visited all the custodians, and physically took possession of any relevant paper. Then the lawyer wrote a review protocol and had the review lawyers physically situated in close proximity to the case team for the duration of the review, allowing for real-time review monitoring as well as question-and-answer discussion with the review lawyers. Fast-forward a few years and enter ESI, the global corporate client, outsourcing trends and Big Data, and supervision is not quite so easy and can subject the lawyer and client to new pitfalls, both procedurally and ethically.

To be competent today, a lawyer must understand the technology at issue, be knowledgeable about the impact of privacy laws on any collection or review activity, and oh, by the way, also be knowledgeable about the subject matter of the case to determine relevance to claims and defenses. Seem impossible? Not really, but it does involve rethinking traditional discovery roles and processes. The key to meeting all of your obligations as counsel in this globalized Big Data world is to establish a new reasonable process for global supervision, allowing for the same checks and balances that you had in the paper world. Easier said than done?

Ethics Meets Global Big Data

Assume you are the lawyer tasked with managing a complex commercial case that involves discovery of potentially relevant documents and data located in the United States as well as in various foreign countries. The scope of discovery in the litigation is likely broad and involves a large volume and range of data types. There may be structured databases containing responsive data over the life of the contracts in dispute. The discovery can also touch on various types of unstructured data sources such as email, text messages, presentations and instant messages from the custodial files of the employees involved in the dispute. The custodians can be located in several countries around the world.

When most lawyers think about supervising discovery, they immediately think about the review. But in a case like the above example, your duty to supervise begins at the identification and collection stage and continues through the production stage.

Identifying and collecting data from a global client is not only costly but fraught with its own unique risks, such as navigating the ever-expanding network of privacy laws around the world. What a company can or cannot do with respect to personal data of its employees (in most countries email is considered personal data, even if on a company network) will vary from country to country and dictate differing collection and processing protocols. Knowing how to navigate among the various privacy laws and understand the technological capabilities and limitations that might exist (and therefore affect production timeframes) is the key to managing this part of the process.

Not a computer whiz? You still have options. You can rely on various discovery vendors around the globe who do this on a regular basis or engage discovery counsel that are very comfortable navigating these issues. The commentary to Model Rule 1 and several federal district rules specifically require that counsel associate with someone knowledgeable in these areas if they are not. Sometimes it takes a village.

Duty to Supervise Expands With Big Data

Given the explosion of data and globalization and outsourcing of traditional IT infrastructures, it is becoming more important to associate with outside counsel that have similar global-reaching capabilities. The days of drafting a simple protocol and walking down the hall to train your reviewers face-to-face are gone. Whether domestically or internationally outsourced, many corporate clients are already creating their own global preferred vendor networks including document review. So how do you adequately supervise a vendor or reviewers that might be halfway around the world? Process and documentation are key. Making allowances for the potential 24-hour review with teams in different countries requires strict process management, implementation of quality control measures, and a meaningful way to exchange case and issue information. Whether your firm engaged the vendor or not, as counsel you are responsible for supervision of the review just as if it were occurring in the office next door.

What Is a Lawyer to Do?

All of this knowledge and obligation now being assigned to counsel can be daunting to the uninitiated. But rest assured, you can competently assist your clients with even the largest global discovery projects by following a few fundamental principles:

Establish a strategic protocol for identifying and collecting the relevant data. Prepare a custodian map showing affected countries, privacy requirements or other local restrictions on transfer of data. Once armed with such a map, you can competently investigate and retain local or national vendors that can assist in each jurisdiction. Create a library of sample forms, such as consents, that can be modified to meet specific jurisdictional requirements.

Trust but verify. Always fully vet discovery providers (whether located in or outside the United States) for compliance with technical and physical security requirements. Are the facilities secure? Do they have adequate monitoring capabilities? Where possible, the lawyers should visit the provider site (even if just virtually).

Think before you transfer. Once you have determined what data can go where and if you need to manage a review locally in the country, you need to understand the physical and technical logistics of the review. What technology is being used and where is the data being hosted? Is the platform powerful enough to support multiple reviewers?

Calling all document reviewers. Understand where in the world you will have concurrent reviews and ensure that all teams are working off the same protocol (modified where necessary for language or cultural differences). Understand the qualifications of each reviewer—legal qualifications differ from country to country and may not mirror U.S. legal training. Will you require U.S.-admitted lawyers or will non-admitted J.D.s from the offshore country be sufficient? If using an offshore team, understand the hiring practices and turnover rates for the offshore provider—high retention rate, benefit packages and career advancement opportunities generally motivate higher-quality work product from the reviewers.

Communication and training. Ensure that adequate training is provided to all review teams, regardless of country, preferably contemporaneously so that the global review team has the benefit of lawyer questions and insights at the other locations. In the past, such training was enormously costly. But today, with advanced videoconferencing capabilities and real-time collaboration tools, it is possible to conduct a single training and have any number of review teams participate. Once the review teams are trained and the review is up and running, schedule daily check-ins with the local review team managers to learn of any problems or issues that might arise. Frontload your quality control efforts, particularly if you have not worked with a particular offshore provider before. Catching misunderstandings of the protocol early will save time and money down the line.

Still feeling uneasy? While the framework suggested above will not completely eliminate counsel's risk of liability for inadequate supervision or a data protection violation, it defines a reasonable and practical approach that should minimize the risks substantially. And remember, reasonableness, and not perfection, is the goal.

Tara Lawler is a senior attorney in Morgan, Lewis & Bockius' e-data practice, resident in its Philadelphia office. Laura Kibbe is of counsel in the firm's e-data practice, resident in the New York office.