Thought Leader Interview with John Wilson of HaystackID: eDiscovery Trends and Best Practices

Time for another thought leader interview on eDiscovery Today!  My latest interview was with an expert on digital forensics and eDiscovery who has been involved in IT and eDiscovery for over 20 years!

As Chief Information Security Officer and President of Forensics at HaystackID, John Wilson is a certified forensics examiner, licensed private investigator, and information technology veteran with more than two decades of experience working with the US Government and both public and private companies.  John provides expertise and expert witness services to help companies address various matters related to digital forensics and eDiscovery, including leading investigations, ensuring proper preservation of evidence items and chain of custody. He develops processes, creates workflows, leads implementation projects as well as GDPR data mapping services for clients including major financial institutions, Fortune 100 companies, Am Law 100 law firms as well as many other organizations small and large. In addition, he provides expert witness services and consulting in matters of all sizes. His work spans some of the largest litigations and matters on record in the United States and many of the 39 countries where he has worked on cases.

John, you’ve been involved in information technology and eDiscovery for well over 20 years now. What’s your take on how the eDiscovery industry has evolved over the years?


From my perspective, the eDiscovery industry has evolved and it has been cycle-driven in nature. At the beginning, we had Z-Print which was really just a print screen functionality that gave you the ability to start converting electronic formats into this flat format that could be reviewed – originally TIFFs or JPEGs, eventually PDFs as well.  Z-Print was the initial standard, and Discovery Cracker followed it, and then LAW PreDiscovery followed that as the standard.  So, it was very cycle-driven. Usually, three to five-year cycles seem to have persisted through the eDiscovery world where we’ve gone from Z-Print and Discovery Cracker to LAW, then to Summation, then to Relativity, then to Technology Assisted Review (TAR).

I think we’re at the edge of the next cycle of eDiscovery, and I really think that’s going to be this whole concept of remote eDiscovery, which includes remote collections, remote review and so forth.  Everything’s being pushed into the remote world due to the advent of the COVID-19 pandemic. There are big companies providing remote services in various portions of the EDRM life cycle, but it hadn’t become widespread before the pandemic. Companies have been fearful of it, just like they were during the days of Discovery Cracker and Z-Print. People weren’t sure that the products would get everything, they weren’t sure it would be reliable and they weren’t sure it would provide an accurate representation.

Very similarly, there are eDiscovery companies that have been doing good bits of remote work, but there hasn’t been any widespread adoption of it until the COVID-19 pandemic began.  Now, the rest of the world has discovered that these processes do actually work pretty well and they can help people achieve the goals they need to achieve without people having to meet and congregate together to get things done.  So, I think it’s a very cycle-driven evolution for eDiscovery. It has been since I’ve been involved in the mid-90s, and we weren’t even calling it eDiscovery or forensics back then, when it was still a fringe activity before it began to slowly evolve through these cycles.

You brought back memories with mentions of Z-Print and Discovery Cracker. I worked with both back in the day, so I definitely remember those experiences.

Yes, they were good times. I remember having to work on a Z-Print production that took us 72 hours, and we worked day and night for three days in order to achieve a desired goal, but it was the cutting-edge standard at the time.

Sure was. So, as CISO at HaystackID, I’m sure you noticed that California still proceeded with enforcement of the California Consumer Privacy Act (CCPA) starting July 1, despite calls to delay it because of the pandemic. How well do you think organizations today are equipped to adhere to data privacy legislation such as the General Data Protection Regulation (GDPR) and CCPA?

That’s a great question, Doug. I don’t think the companies in today’s world are truly prepared for full enforcement of CCPA or GDPR. As GDPR has become more established since summer 2018, companies have implemented many policies and many mechanisms, but there hasn’t been firm enforcement of those policies. Certainly, there has been enforcement in some cases, but not at a mass scale.  And, whether you’re talking about CCPA, or the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD) or even the currently proposed New York Privacy Act (NYPA), enforcement is the big question. For CCPA, California has said that they’re setting aside a substantive budget for this program for the state and they plan to fund that budget through enforcement. So, there’s certainly intent to enforce the CCPA and many companies have worked hard to implement the policies, but much of it has just been wordsmithing so far.

Companies have a policy and they post it to their website and make their users acknowledge it as they visit the website before they provide their info, but it’s forgotten after that. There’s been very little else done about it except for a few fringe players that do take it more seriously, perhaps because some of them may have been stung by a GDPR action. But, I really do feel that most organizations are not truly prepared for it. They’ve put out the privacy policy and the acceptable use policies on their websites, and maybe they’ve shared that with some other employees, and it’s in their vendor language when they engage with other vendors, but there’s very little real substantive action around it.

So, it’s going to be interesting to see the challenges unfold. How will California proceed with enforcement – especially in light of COVID-19 – and how will they actually investigate and enforce the policies?  It’s going to be rather difficult to do so, but many organizations today are definitely not equipped. They’ve done superficial things to appear to be ready for it, but in practice, I don’t think many are ready for it. We’re consulting with quite a few of our clients as they have GDPR and related privacy issues that come up.

We’re just getting started!  Part Two of my interview with John Wilson will be published on Wednesday.

So, what do you think?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

