Proteus co-founder and CEO, Ray Biederman, recently joined Kyle MacNaught of Aborn & Co on the Consulting Logistics Podcast.
Aborn & Co. is a leading managed freight solution that saves shippers money, increases carrier service, and provides a 360-degree view of a supply chain. In my 8 years in transportation, I interfaced with them multiple times and was routinely impressed. The conversation centered on the basics of information governance, eDiscovery, and its intersection with transportation.
The lightly edited transcript is below. Enjoy!
Kyle: You're listening to Consulting Logistics presented by Aborn & Company. I'm your host, Kyle MacNaughton. Thanks for checking us out.
Often when we talk about data security, we address it from the IT perspective of what can you do to stay safe, but it's just as important to understand where you are legally liable when it comes to data security. So, in this episode I'm going to have Ray Biederman join the show to talk about the legal perspective of data security. In this conversation we're going to focus on two important elements: eDiscovery and information governance.
So, without further ado, Ray, how's it going?
Ray: Great, thank you very much for having me on, Kyle.
Kyle: Absolutely I'm so excited to talk because, like I said, most of the time when we talk data security, it really is from an IT perspective, but I never even thought of the legal ramifications. Before we even get into that, tell the audience a little bit about yourself, you've got an interesting journey. Tell them about yourself and DiscoveryMaster [a sister company of Proteus Discovery Group].
Ray: Sure, absolutely. So I started at Butler University in undergrad as a music major - I got my degree in music education - and during undergrad I had to figure out how the heck to pay for school. So I got a job at an AmLaw 100 firm - AmLaw100 is the one hundred biggest law firms in the country.
And so I worked in their brand new eDiscovery department. eDiscovery was just starting to be a thing at that time. And just a little primer on eDiscovery, this is basically any data that you create that's electronic - it can have some sort of implication in any piece of litigation. And so at this time it was mostly just email. email was pretty new and some companies that are just starting to use it for for all of their processes and so I was in charge of getting that email and reviewing it and then figuring out what was relevant to a case and getting that out the door.
Kyle: So what year was this? Sorry, not to date you!
Ray: Yeah, no, that's fine! I started in January of 2004.
Kyle: Oh, wow. So, eDiscovery really is somewhat of a newer thing in the business sense.
Ray: Yeah, the first rules the first rules surrounding eDiscovery in the court system where applied in December of 2006, so this was very early on. And as the technology increased and I really enjoy working in that space, I ended up going to law school and becoming an attorney at that firm for several years before leaving and starting a law firm and a wholly-owned eDiscovery company. And that happened about five years ago.
During the course of that we decided that we there was a gap in the software space for this particular application of eDiscovery and so we developed a piece of software called DiscoveryMaster. It helps companies understand their eDiscovery spend and understand and forecast out when they'll be able to complete the discovery process. And so we actually just had that for our internal clients and so many people liked it, we decided to launch it as its own product.
Kyle: Oh, wow. That's kinda cool. So, essentially you are a lawyer, you're working mainly with companies and then you just created this platform for yourself because of the time involved - and I know it's something we'll get into with what eDiscovery is and how much of a burden it really is for companies - but so that's how DiscoveryMaster fit in was just, "hey, we have this really good little application and we're using it, other people might enjoy this?"
Ray: So basically selling selling these eDiscovery services, there are a lot of vendors that do it now, so it's a lot like selling sand. And so you need something to say "my sand is better than your sand," and so that's what this piece of software was, and so many people liked it that we decided we'll just make it it's own company and just sell it out to everybody
Kyle: Oh, that's awesome. So let's start, let's describe what sand is. Because, to be honest, I really didn't know about eDiscovery. What is it really? Any electronic kind of communication I have? What does it mean for someone working in the day-to-day of a company? How does it effect them?
Ray: Yeah, there's this statistic that every two years we create as much data as we created from the beginning of time until the beginning of that two year period. So there's just an explosion of data and a lot of this data is corporate data. So you think of email, you think of text messages, you think of phone calls - even even asking your smart phone to play something or asking one of your smart devices what time it is. There's data that's collected on all of this.
And in the context of litigation, there's this concept called discovery, and basically you send a request to the other side and you say "I want all the information related to X or information related to Y." And you have to search through all of your data sources to find information that might be relevant. And as technology increases and different pieces of software we use increase, we are creating just tons and tons of data that may be relevant.
Kyle: Wow. Okay, so my mind is turning right now. As we moved to this work-from-home thing - and we'll go back into the transportation element of this - but how does it work with personal devices? Especially if you're texting on your own personal phone to a colleague or a coworker, I mean, a lot of us suddenly found , "hey, you're working from home, you can't come to the office, you have to use your own technology," how does that work out? And then never mind the whole data privacy right now that's at the top of everyone's - sorry! Yeah, I got a lot of questions! So let's see, with that first thing, how do personal devices play into eDiscovery?
Ray: So, for better or worse, they are in play. There have been several cases - in fact there was a case in the Southern District of Illinois just a few years ago where someone posed that exact question. "Well, all of our sales reps are using their personal devices, so we're not going to search them" and the judge said
- for one, he fined the company a million dollars
- and then second he said, any person who thinks their personal device isn't subject to this litigation, I want them to come to this court and explain to me why.
Typically at the beginning of a litigation, what you're supposed to do is put together what's called a litigation hold letter. And this is basically a memorandum that it goes to every employee that may have information that's relevant to a case and it says
- you can't delete anything
- we're going to need to get an image of your personal device
- and we're going to keep all of this information in some sort of information platform.
And so, it's very common. And most people don't think about it until they get sued and.
Frankly, email has gotten a lot better. When email first started people were very candid in their emails, saying just - saying things that they should not say. And then as text messages started moving into more prevalence people started to get a little more business-like in email, but then the texts were like, you know, there were some flame throwers in there. And so then we started collecting that stuff and, you know, that makes people squirm pretty easily, and now that's moving into the Slack messages, instant messages within companies, and Teams chats.
Kyle: What about the data privacy element of everything? Like, A) I'm a marketer, right. So, GDPR or all of those California privacy rights, I feel like the big battle for privacy kind of comes in, like, "I don't want marketers coming to me," but how does privacy work into the legal sense of things. Like, are you not entitled to any privacy in terms of the eDiscovery?
Ray: So, if it's responsive and relevant to the litigation, that has predominance over all of it. And even in even in a lot of those laws, you know, you have to preserve data in a in a certain way, you have to keep it in certain silos - like, GDPR, right - so you can collect data, but depending on the application
- you have to keep that data in that European country
- and you have to review it in that country
- and you can't export anything that's not relevant out of that country.
Kyle: Wow. That's crazy. I can see why, like you say, companies need someone to help you with the eDiscovery. I mean, the sheer amount of data is fascinating. How much are people are aware of this? I mean, I'm sure you're dealing with people at the time they are becoming aware, and I know that we are going to talk a little bit later about information governance, but right now, I mean, in your estimation, are companies or individuals aware of this stuff?
Ray: So, most companies that haven't been in litigation don't really think through this very much, and then as soon as they get into litigation and they get the bill for eDiscovery services, then they start thinking about the information governance. And so that's usually our best sales pitch for selling information governance services. We'd like it to be the opposite, where people think about their information governance needs at the beginning and then we can cull down the the available data to a reasonable amount. That really is the best way to reduce costs on eDiscovery in litigation.
Kyle: Yeah, I mean, being proactive instead of reactive is always going to be the best way. So, our audience mainly is the shippers, right, the people in the day-to-day. Which of the transportation documents falls under eDiscovery? Is it stuff like the bill of lading, invoices, volume trackers, is it anything that you are using could be part of eDiscovery? Because I know that they already struggle with the data for that, but, anything electronically being sent could fall under it?
Ray: Absolutely. So, it obviously depends on what is happening in the case, but if you've got, you know a breach of contract case, the bills of lading, invoices, volume trackers are key, right? If you have a personal injury lawsuit you'll have all of the communications related to that, you'll have, tracking devices on an individual trucks, you'll have all of that telemetry data related to where people were and when and the time at which people press the brake on the truck before the accident. We've been involved in a lot of cases that have involved that type of a black box data, we have to extract that and, you know, that some of that becomes pretty critical to the case.
Kyle: I've got to imagine, too, because I've been reading about the nuclear deals and stuff that we're seeing where the motor carriers are getting the blame because the courts and the judges and the juries tend to fall for the victims, even if there's stuff, like, "how was the truck supposed to avoid snowy conditions? They had to get there at this time," but I'm guessing that the email correspondence brokers or shippers could have with motor carriers helps almost puts them at risk of liability, even if you're not saying, per se, "drive through the snow, I don't care," but you're just checking in and then the motor carrier can be like "this company is also liable," am I wrong there?
Ray: So the structure of proximate cause is the element you're talking about, that remains the same. There's this big decision called Palsgraf that had to do with a train and an explosive device that was near a train and figuring out who was responsible, whether the train company was responsible in some way because of the departure time, or whether it was just the person that had the explosive device - so those concepts stay the same, but the facts surrounding it is what changes and you have a much more robust factual basis with all of this electronic data.
Kyle: Interesting. So let's talk a little bit about data breaching, especially because we see the supply chain is kind of vulnerable. What would a company be required to provide during eDiscovery if they do suffer a data breach? How does the data breach side of things effect eDiscovery, or what would people have to be ready for?
Ray: Yeah, so we get involved on the Proteus Discovery Group, which is our wholly-owned eDiscovery company, we get involved in a lot of data breach analysis. So, what's important obviously the first thing is shutting off the intrusion, right?
After that there's the analysis of what was actually compromised. And so you take a look at "well, this SQL database or this Oracle database was compromised." And then we usually come in and take a copy of that database and run a series of queries against it to figure out what PII might have been compromised in that database and we put together and notification list. And this will identify
- what type of PII was potentially compromised
- whose PII it was
- and their current contact information.
And each state has a different definition of what PII is, and so so we have to look at all fifty states because in a lot of these cases this data is across the country. So we look at all fifty states and identify what is defined as PII in that state, and then you have to give a notice to the attorney general in each of these states where where someone might have that compromised information and say
- "this is what happened
- this is the steps we went through to figure out whose information was compromised,"
- and then you're required to give a notification to each person whose data was potentially compromised.
Kyle: And PII is their personal identifier?
Ray: Yeah, personal identifying information. So this could be a anything from a credit card number, a bank account number, we've seen copies of canceled checks that didn't redact out the bank account and routing number, social security numbers, obviously. And then it's really interesting. There are some pretty picayune details in different states as to what would constitute PII. So in some states a birthday is PII, in other states a birthday's not PII. So it gets real complicated real quick.
Kyle: It sounds like it's super complicated. How important is a company focusing on eDiscovery now help in the long run of everything?
Ray: Yeah, so if you think about this as a continuum, the furthest left side, the beginning side, is information governance. And this is
- what data do we have?
- Where do we keep it?
- How is it secure?
- And what is the schedule for us reducing this data?
And there are a whole lot of government regulations that play into this. If you have a state contract in Indiana, you have to keep employment records for seventy five years - which is a big number. If you're subject to Sarbanes Oxley, you have to keep all financial data or any information relied upon to contribute to the financial report for seven years. And so, you know, that's a pretty broad a definition.
It gets pretty specific to:
- what industry you're in
- what regulatory scheme you're under
- and then what state you're in as to how long you need to keep certain data.
Kyle: So, for a company that hasn't done that kind of work, in your estimation, how much time, money, and resources does it typically take a company to do their eDiscovery? It sounds like it's going to be almost impossible to say because of the state laws and all of these types of things, but how how long does this typically take if a company that did nothing?
Ray: If a company did nothing and was involved in a pretty high stakes lawsuit, you're looking at hundreds upon hundreds of thousands of dollars to get everything. To get all the assets marshaled in the right way and then get everything into a document review platform, hire a team of contract attorneys to review the documents, remove anything that may be privilege (communications with attorneys or communications about a pending piece of litigation) - and then negotiate with the opposing counsel everything that should be produced or should not be produced - that's easily several a hundred thousand dollars.
Kyle: And then time-wise, does it just all depending on case of how long it's going to take?
Ray: Yeah, so I've been involved in cases where the discovery portion lasts six months, and I'm also involved in cases where the discovery portion that's been going on for ten years. So it is a wide gamut of how long it lasts.
Kyle: Wow. Typically how much - and this is probably the dumb question because again, it's it's going to be based off of case, right - but how much does it take people-wise? Is it "the more resources you to pay for the quicker it happens, but the more it's going to cost"? It's probably a diagram, all interconnected, but it's not something that you can throw an intern on say, "all right, hey, you need to go collect everything we have," right?
Ray: Right, so the largest one I was involved in, which actually was the spark of DiscoveryMaster, we had 350 contract attorneys for eighteen months. So it was a lot
Kyle: Oh my gosh. This sounds horrible. I hope anyone listening to this is kind of like "uh, oh no!" But let's transition and I know we've been talking about it but let's talk a little bit more about information governance. You did a good job explaining what it is. I mean, is there anything else that you find people don't really understand when it comes to what information governance is?
Ray: Yeah, so, lot of people don't think about information governance until after they've been hit with a lawsuit and had to go through the eDiscovery process. But, you know, having good information governance practices helps mitigate some of the concerns that you aired right at the beginning about personal privacy.
So if you have an employee workforce that's using their personal devices for both work and personal use, not having any information governance policy on those personal devices can lead to some significant issues later.
- One, if that employee leaves on not-so-good terms and they have data you need for a case, that can create a sticky situation.
- Two, depending on what jurisdiction you're in - here in Indiana, if we were to let an employee go, I could probably press a button on my computer and wipe their device and and it would be fine. But in other jurisdictions you could get sued for that.
And so so having a policy in place about what you're going to do with employees' devices with the corporate data on their device when an employee departs, that's a very basic information governance policy that can be created. And that was a huge deal maybe three or four years ago when when people who are really starting to think about having their personal devices at work.
Kyle: I hate to take us off this, but what's been happening, I mean with work-from-home, you've had to do this and it's not big companies either, everyone's had to adjust to using personal devices. Is there any kind of change on the horizon in the Courts to help this or is it truly on companies to say "hey, unfortunately we live in this new data age that you're going to have to use personal devices, we're going to have to be collaborative and how we're going to kind of handle this type of thing."
Ray: Yeah. So typically courts work several years behind so we'll probably see the first parts of this next year or the year after. And I actually I recently spoke on this issue because we we talk about that hockey stick growth of electronic data - well that's just exploded with with work from home the amount of people using Teams and Slack and Zoom has just created an unbelievable amount of data, especially if you're recording, these sorts of things, they're all in play.
And how do you search it, right? Because it's all audio, how do you how do you run search terms against something like that? So the need for a translation services, the need for talk-to-text is going to increase exponentially.
And getting to this data it is it going to be really expensive at first and then as more participants get in to this eDiscovery marketplace that cost is going to be driven down but, it is going to be there and it's going to be on companies to deal with that. And that part's not going to change.
So there's this concept in the law called proportionality. And so if you have a case that, has an amount of controversy of ten thousand dollars courts aren't going to make you spend a hundred thousand dollars in discovery costs for that, ten thousand dollars case. And there're a bunch of factors that go into play here and this is all argument. So you know, you hire an attorney to argue, "well, we don't have to do X, Y and Z based on proportionality because there's not a lot at risk in this case, the issues aren't that important."
Or there's this other concept called cost-shifting. And so if you can demonstrate good cause on proportionality to not do something, but the other side is like, "no, we absolutely need this"
the court can say, "well, if you need it so bad that you could pay for it." And so those two things I think are are going to see some increased use, especially with all of this new data we're creating.
Kyle: But still at the end of the day, you know that means you're going to have the lawyer fees and all that stuff, the better way to go about this is information governance.
Ray: Absolutely without a doubt.
Kyle: So, aside from setting up those policies and principles when it comes to personal devices, how does an organization set up their information governance? What are their first steps, which should they be doing?
Ray: Yeah. So, figuring out what industries you're working in and getting a set of regulations for data retention is is an excellent first step to this process.
{utting in policies with regard to how long you keep email at a corporate level - So, "all email is kept for forty five days, and if it's not move to a folder then that email is deleted." And you can set those policies in Office365 or any other software that you're using for email management. And that's critically important.
Also, when when there is a law suit you have to take steps to suspend that automatic deletion for those particular users, and some people that's where some people get caught up as they put the policy in place, but forget to suspend it. And then a bunch of information gets deleted it and it causes more issues and the litigation. So you just have to be proactive about it and follow up on it.
You could do the same for text messages. You can set a thirty day policy on your device and all of those texts go away after thirty days. If you have a corporate policy related to that, that is also a good thing.
Kyle: Now what about flipping the norm, right? So say I'm in operations. I know that invoices and ninety day thing. Is it flexible enough to say, like, "hey, the transportation emails we don't delete these for X number of days" or, like you said, you'd, probably just move it to a folder, but is that sort of a bigger web and than just like the line in the sand? Is that acceptable or how does that work with information governance?
Ray: Yeah, so, it's a little bit of both, which is the lawyer answer to any question. But, you would want to look at the regulatory scheme that you're under. So if it has to do with transportation of nuclear material, I imagine that needs to be preserved for a lot longer than your typical of the transportation of, you know, a bundle of socks. And so you can't put a line and this and say "invoices lasts for this long across the board," you know, if their invoices related to a certain type of thing that may need to be kept for longer.
Kyle: Right. So it sounds like - and again, I'm not trying to put words in your mouth - but it sounds especially for your information governance to be helpful, not to just be this blank "look, we did it guys, let's go to Chili's and get some riblets, everyone did their job" - you do need to have a good line of communication with your data team and your operations team and most likely every team to explain what you're doing, because I know that the data team doesn't really know shipping, doesn't need to know how freight and all that stuff moves. But they also need to be aware and your legal team needs to kind of be able to communicate to everyone here's, "how we need to save this stuff."
Ray: Yeah, and going back to your Chili's analogy, it probably wouldn't be good to sit down over a set of riblets and discuss these things between operations teams and have a regular cadence where that conversation occurs, because there are all of these new regulations that come out, and just keeping apprised of those and seeing how that impacts the rest of the business units is is pretty key to having a strong information governance policy
Kyle: Well, listen, I always down and get some riblets at Chili's, their queso is amazing. But yeah, that's one of the vital things that comes up time and time and time again in my podcast, like, it's all communication,. You're going to need to communicate, it's not just "set it and forget it." This isn't an Instapot. You do need to continue talking, because, like you say, things change. Things change in the legal side, things change on the transportation side. So you spoke to this a little bit but aside from helping to reduce costs and disruption, why is having a robust information governance program vital to a company? What's the thing they don't think about?
Ray: Yeah. So, I think that on some level it feeds on itself, right? So, you if you have a a beginning point where these conversations occur, I think it helps streamline all of your business processes because people to understand "if I make a decision X, this is the impact it has across the board." So it creates a a stronger framework for the whole company, and you can see some savings in other areas, just just by having that continued communication.
Kyle: Yeah. No, it honestly it is kind of like I'm having "ah ha moments" with this type of stuff or like, hey, this is an easy way to make divisions talk to each other, which is always kind of the bane of business, right? "This group doesn't talk to this group because of blah, blah, blah," but "nope, we can be sued for a lot and it's going to be a lot of money, so we have to figure this out," it seems like a really good reason for information governance, they're kind of be built into the culture of the company.
Ray: Yeah, absolutely.
Kyle: So, to wrap I want to talk a little bit about DiscoveryMaster because I was reading some blogs and I love this line that you had in one of the blogs you wrote about where you came up for the idea for DiscoveryMaster, and you said "teaching, coaching and bringing out the best in passionate young musicians was a huge joy to me. DiscoveryMaster is one way I channel my undergrad education to professionals passionate about innovating in the legal profession." I love the idea of you taking this music education to bring innovation. Talk a little bit about why you have that passion. Why is it so important for you?
Ray: Yeah. So, lawyers went to law school to practice law, they didn't go to law school to create fancy Excel spreadsheets. And so what most people end up doing in this discovery process is that they have to put together just a ton of spreadsheets a with a lot of reporting and no one understands what numbers are going in and it's a very difficult process. And it's a huge time suck. So when I was working on that case with the three hundred and fifty contract attorneys I would lose a day a week just putting together reports on how things were going.
And so I developed this tool DiscoveryMaster, to take away a lot of the need for those Excel spreadsheets, so people who got up-to-date information, they understand what they're looking at because we we do it in a very visual way so people can see where we're at in in the progress of the case, where we're at on the budget, how much time it will take until it's completed - and just kind of the stuff that they care about. And so, for me, I think that that sort of innovation is that spark of creativity that I really enjoyed in teaching music. So you see someone have that kind of "ah, ha moment" in teaching and I'm bringing that to the legal technology space and it's pretty cool.
Kyle: I love what you guys are doing, it sounds fascinating. For anyone who's interested where where can they go to kind of get some more information, how did they get in contact with you?
Ray: Yeah, absolutely. So, our web site, we have proteusdiscovery.com for development of information governance policies and discoverymaster.co is our piece of software if you want to take a look at that. And you can reach out to me ray@proteusdiscovery.com.
Kyle: Jeez, you've got a lot of emails, so you better to have a good information governance policy in place! I know a little a little bit about it. We can go to Chili's if you want to talk some more about this. What about LinkedIn? Is that Linkedin in a good location for them to reach out to you? I try to include all the links in the show notes so people can kind of see everything, but on LinkedIn is that a good place?
Ray: Yeah, LinkedIn is great, too.
Kyle: Yeah, awesome. All right, cool. Well, Ray, thank you so much for this information. I have a feeling we're probably going to have to talk more because I'm sure as more and more we try to figure out this whole work-from-home there's going to be more information governance policies that people aren't me thinking about coming up
Ray: Oh, well, it's it's been great to be on here and thank you very much for having me.
Kyle: Oh, actually I had a blast, like, this is a great conversation rate so thanks for joining me.