Many corporations are facing the impossible. They have PII and IP, but once exposed, they face the risk of either data privacy breaches or revealing company secrets that would have given them market advantage. The major question becomes: how can we remain compliant without losing our edge?
Who does not know the problem? Personally Identifiable Information, PII for short: suddenly it sounds great to use the term without really knowing what it is or what to do with it. My path will lead to document review, but I should first describe the initial situation.
It should be noted that the dilemma begins with defining the term. The National Institute of Security Technology (NIST) has adopted the following definition, which is unofficial but most commonly used: “Any information about an individual held by a government agency, including (1) all information used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name or biometric records, and (2) any other information that can be linked to an individual, such as medical, educational, financial and work-related information.” In short, it is any data that can be used to identify an individual. But NIST goes a step further and shows nuances between two types of PII, (a) direct or (b) indirect connection to the person. The difference is easy to explain: with a direct connection the person is immediately identifiable while with an indirect connection, it depends on the combination of at least two components.
But it gets a little more complicated when you notice that there is also the General Data Protection Regulation (GDPR), which speaks of “personal data”, or the California Consumer Privacy Act (CCPA), which in turn puts “personal information” in the foreground. Give me one more minute to get to the point: all terms have one thing in common, no matter what jurisdiction or country. If you have to remember one thing only, let it be the following: it’s always about data and about the ability of each person to determine what is collected and shared about them, by whom, when, and how.
But this regulatory complexity gives people like me who work in legal tech, specifically forensic technology, more opportunity to act proactively and offer technical solutions. What is certain is that technology can only be used with a solid strategy so that it does not become an innovation blocker. Another point worth mentioning is the heightened consumer awareness and demand for transparency. Consumers want to know where their data is and have the answer even with a snap of their fingers. For companies, it means gaining the trust of their consumers and reassuring them that their data is secure, that it is not being shared, and that data management is adapted and, above all, mastered.
And now Forensic Tech Partners come into play. Because our team can take a close look at the data, organise the data landscape and understand what technology is wed with PII, most of the time we are called in when there has already been a data leak. Too late? One might think so, but as I read so beautifully on the Relativity website (relativity.com): one should remain calm at every stage. Businesses can help by proactively participating in their data and the governance of it. This works only if a company knows where the data is and creates a comprehensive data map, which of course has to be adjusted in the event of changes. Companies should also think about possible anonymisation of the data and how long they will keep it.
But what happens if there are no data maps and PII data is still lost? What happens after a data breach affects PII as well as IP and third-party data? As there are specific timeframes for potential customer inquiries, it is very important to customers that we organise a quick document review that complies with legal conditions and data protection challenges. Most of the time there are no data maps, so what matters most to customers is that the legal tech provider masters the entire eDiscovery spectrum, starting with data acquisition, to processing, production, and presentation. Needless to say, each station has to comply with GDPR requirements. So how do we proceed after reassuring the customer? I should mention that this is a very important point that many overlook. At the end of the day, the customer should feel comfortable, so when engineering and using the latest technology, one should not forget Emotional Intelligence.
Without distinguishing between PII and IP, we first apply custom technology to pre-process and analyse the multi-digit byte data. After that, a team is put together, which adapts the work process (workflows) to the given situation, can set up search queries, enables machine learning, and can also establish customised search term reports. When acquiring the data, great importance is attached to the legal framework in relation to PII and it is also ensured that this spreads to all employees. It should also be mentioned that the data is processed and analysed in ISO27001-certified forensic data centres.
Okay, now you understand the why, how, and what to do with PII to make sure nobody knows when and where you were born and where you live. But what happens to intellectual property, i.e. IP? In the September issue of Harvard Business Manager (HBM 09/2022; pp. 18-19), Kiran Sharad Awate writes about this problem: a company wants to enforce its intellectual property rights and unintentionally reveals secrets. It “only” refers to pharmaceutical companies, but this could happen in almost any industry with creativity. His research has shown that after almost every court hearing, counterparties launch new products similar to those disclosed at a new speed. His research covers 3,000 patent lawsuits filed by pharmaceutical companies in the US, so it’s not necessarily a global problem, but it should be.
The problem arises after the court hearing, with data on studies ranging from animal to clinical studies being disclosed to the opposing parties. From a technical point of view, my first question at this point would be: How were the documents viewed by the company? Document review, unfortunately, is still seen as the stepchild of the Electronic Discovery Reference Model. It’s just a quick look at the documents. However, this perspective does not take into account that consultation with the review managers, who usually have a legal background, can be very useful. Through close cooperation with the three stakeholders (customer, Doc Review, and the IT staff who process the data), “subjective coding masks” that are precisely tailored to the customer, i.e. transparency plates adapted to customer needs, can be set up on the transparency platform. It is described that clients mostly do not think about the risk and the long-term consequences of the disclosure as they are often only focused on the current litigation. But this is exactly where you should know that technology can help! And here it has to be said that it is only the installation of a selection box for doc reviewers: in addition to the confidentiality level “Confidential”, which only relates to secret data, you would have to install another level of “Highly Confidential”. Prior agreement with the other party must determine that documents containing intellectual property are assigned to this category. Only the opposing party’s lawyer may view these documents in order to confirm the correctness of the assignment. In his research, Kiran Sharad Awate refers to the well-known Amgen vs. GenI case, in which Amgen disclosed all the flawed research in court, which then saved GenI some work and time in their own research. 
The companies and lawyers involved are certainly aware that their witnesses are well prepared, but here, too, the focus is more on each step of research being explained explicitly without thinking about the consequences. Because the consequences are the acceptance of the research results.
What is the result of the initial question “We have PII and IP… and what now?” Simple: you first have to choose the right legal tech provider. You should also be aware of the risk. In the future, documents related to research should be identified so that they can be seen on data maps. A simple inscription will suffice. This is because these documents can be discarded either at the time of data acquisition, data processing, or review as described above. In this way, you raise the awareness of your employees, you have an accurate data folder, and you ensure that you have no competitors for your own products.
About the Author
Dr. Nina Mohadjer, LLM has worked in various jurisdictions where her cross-border experience as well as her multilingual capabilities have helped her with managing reviews. She is a member of the Global Advisory Board of the 2030 UN Agenda as an Honorary Advisor and Thematic Expert for Sustainable Development Goal 5 (Gender Equality) and the co-founder of Women in eDiscovery Germany.
- Awate, K. S. (2022). Ideenklau im Gerichtssaal. Harvard Business Manager, 9, 18–19.