X1 Enterprise Successfully Passes GDPR-Mandated Data Protection Impact Assessment

By John Patzakis

The European Union (EU) General Data Protection Regulation (GDPR) requires that subject organizations ensure and demonstrate the protection of personal data under their control. GDPR Article 35 mandates that when implementing new data collection technologies or engaging in a major new project involving significant data collection, an organization must perform a Data Protection Impact Assessment (DPIA).

Recently, a Fortune 500 company with global operations successfully implemented X1 Enterprise to address their eDiscovery and information governance requirements throughout the EU region, involving both Microsoft 365 and on-premises data sources. This implementation required the vetting of X1 Enterprise by auditors and the internal Data Protection Officer through an extensive DPIA process, which X1 passed. The effort provides important industry insights into how our Fortune 500 customer leveraged X1’s unique, on-premises index-in-place and targeted search and collection features, as well as other data minimization capabilities, to meet the DPIA requirements.

The EU provides official guidance and a checklist for conducting an Article 35 DPIA. Among the key requirements is the consideration of the “current state of the technology” in the area and that the technology and collection processes have adequate “proportionality measures” in their collection capabilities to “ensure data minimalisation.” If processes and technology engage in overly broad data collection, the guidance suggests considering alternative technologies and methods.

The team at our Fortune 500 customer emphasized the following unique data minimalization capabilities and features of X1 Enterprise in their DPIA:

  1. Index and Search Data In-Place. X1’s proprietary micro indexes enable the searching of data on laptops, file servers and Microsoft in-place so that only the potentially relevant data is collected for eDiscovery and data audits, which fulfills the GDPR’s proportionality requirements. In contrast, tools that require full disk imaging for basic eDiscovery collection are extremely problematic.

    As the court said in In re Ford Motor Company, 345 F.3d 1315: “[E]xamination of a hard drive inevitably results in the production of massive amounts of irrelevant, and perhaps privileged, information…” Even worse, the collected data is then re-duplicated, often multiple times, by the examiner for archival purposes. And then the data is sent downstream for processing, which results in even more data duplication. Load files are created for further transfers, which are also duplicated. Notably, EU guidance for a DPIA analysis requires that organizations consider alternative data collection technologies and methods that have better “proportionality measures” to “ensure data minimalization.”
  2. Blind Searches and User Enabled Review. Using X1 Enterprise, an administrator can run detailed system-wide searches and receive a detailed search result report without having access to or possession of the target data. Instead, the administrator can direct X1 to first present the search results to the end-user employee to review and apply tags to identify personal, relevant or non-personal data, thereby applying clear and detailed consent to the subsequent collection of any relevant information.
  3. Segmentation of Data Regions vs. Creation of Central Data Lakes. X1 can be deployed behind an organization’s firewall or their own private cloud instance in the EU. Each custodian/employee is associated with a single micro-index. This allows X1 to target searches to specific EU countries and segments of users. This contrasts with archiving or other eDiscovery tools that require bulk copying and intermingling of all user data to a central location, where additional back-up copies are made, all of which directly run afoul of the data minimalization and proportionality requirements of the GDPR.
  4. Delete Data In-Place. GDPR requires the deletion of non-compliant data on demand. Purging data on managed archives does not suffice if other copies are on laptops, unmanaged servers and other unstructured sources. X1’s on-premises distributed architecture uniquely enables the systematic deleting of data in place.
  5. Platform to Enforce GDPR and Privacy Policies. In addition to asserting X1 met the requirements and standards under the GDPR-mandated DPIA, our Fortune 500 customer noted as further justification in their DPIA that they also planned to utilize X1 Enterprise to enforce privacy policies and provisions under the GDPR. X1 Enterprise is an ideal platform to respond to Data Subject Access requests, proactively audit data sources to identify and remediate personal information, as well as systematically purge unneeded data that may contain personal information of EU data subjects.

Ready to Learn More?

For companies navigating complex information governance and eDiscovery requirements, including those involving M365, the X1 Enterprise Platform ensures compliance while protecting privacy. By implementing X1 Enterprise, organizations can not only reduce costs and save valuable time but also gain a strategic advantage in managing their information governance needs. For a demonstration of the X1 Enterprise Platform, contact us at sales@x1.com. For more details on this innovative solution, please visit www.x1.com/solutions/x1-enterprise-platform.

Industry Experts Address Information Governance Challenges in Microsoft 365

By John Patzakis

Successful information governance in a Microsoft 365 environment can be extremely challenging. Organizations require ways to operationalize their compliance processes in order to effectively address their information governance use cases, such as PCI compliance, ROT, data separation, and GDPR. However, Microsoft’s Purview eDiscovery platform is a very expensive add-on to M365 that does not scale to the data throughput requirements of a typical information governance project.

This is because M365 is a massive data ocean that is not purpose-built for compliance and eDiscovery, and so a new “compliance index” must be created with data carved out of the M365 ocean to initiate an eDiscovery or compliance case in Purview eDiscovery to ensure proper and complete content indexing. As a result of this disjointed two-step process, users are encountering significant problems with low throughput and defensibility. Many customers report to us Microsoft Purview Premium’s documented inability to handle anything other than small matters due to its 2GB per hour throughput limit. A matter involving 100 custodians at 10GB of M365 data would take several weeks to complete with Microsoft Purview Premium.

Last week X1 hosted a webinar with industry leaders Randy Kahn and Chas Meier to discuss information governance challenges in an M365 environment. Kahn outlined information governance principles and priorities in general and then emphasized how technical automation is essential to enforce and execute on any implemented information governance policies and procedures.

Kahn’s overview segued into Meier’s discussion and demonstration on how the X1 Enterprise Platform is the best solution available for managing M365 data sources as well as on-premises sources like laptops and file shares. Meier highlighted recent case studies involving large-scale projects where X1 was able to search and analyze terabytes of M365 information very accurately and in a fraction of the time required for other means, including Microsoft Purview.

Meier explained how the X1 Enterprise platform’s unique architecture allows it to index nearly ten times the daily volume compared to Purview or other competitive “connector” technologies. X1’s patented distributed micro-index-in-place architecture, combined with horizontal scaling, makes X1 the only solution capable of handling rapid indexing, identification, searching, and remediation of massive data sets in the terabytes across M365 sources, including modern attachments and inactive mailboxes. Additionally, X1 effectively addresses both cloud and on-premises data sources in a unified manner, including distributed endpoints, network file shares, and multiple M365 services like Mail, OneDrive, Teams, and SharePoint.

A copy of the webinar recording can be accessed HERE.

For companies navigating complex information governance and eDiscovery requirements, including those involving M365, the X1 Enterprise Platform ensures compliance while protecting privacy. By implementing X1 Enterprise, organizations can not only reduce costs and save valuable time but also gain a strategic advantage in managing their information governance needs. We invite you to explore how X1 can transform your data management processes and help you stay ahead in the ever-evolving digital landscape.

Pennsylvania Court’s Excellent “Whitepaper” on Social Media Discovery

Another Pennsylvania court recently ruled that information posted by a party on their personal Facebook page is discoverable and ordered the plaintiff to provide their user name and password to enable the production of the information. Largent v. Reed, Case No. 2009-1823 (C.P. Franklin Nov. 8, 2011) features a detailed and instructive 14-page opinion from Court of Common Pleas Judge Richard J. Walsh that is a must-read for anyone remotely interested in the topic of electronic discovery of social media. It is one of those well-written legal opinions that I liked to use as a framework for my motions on a given subject back in my litigation days.

The case arose out of a chain-reaction automobile vs. motorcycle accident from which the plaintiffs allegedly suffered serious and permanent physical and mental injuries. However, the Facebook public timeline page of one of the plaintiffs featured content that contradicted her claims of serious injury, including several photographs showing her enjoying life with her family and a status update about going to the gym. Based upon this information, Defendant moved to compel disclosure of Plaintiff’s Facebook username and password.

In granting the motion, Judge Walsh began his opinion noting that Facebook is a site that “helps you connect and share with the people in your life,” and that the site has more than 800 million active users, 50% of whom are active on the site daily. Although he acknowledged that Facebook has privacy settings, the Court emphasized that users must take “affirmative steps” in order to prevent their information from being shared with the public. The Judge addressed and dispelled the following objections raised by the plaintiff:

1. Relevancy and discoverability. The Court made it clear that just as other forms of electronic evidence are fair game if relevant, “it is clear that material on social networking sites is discoverable in a civil case.”

2. Privacy. The ruling determined that no social media privacy privilege exists: “No court has recognized such a privilege, and neither will we.” Information on Facebook is shared with third parties and, thus, there is no reasonable expectation of privacy in such information. As Judge Walsh explained, “[o]nly the uninitiated or foolish could believe that Facebook is an online lockbox of secrets.”

3. Stored Communications Act. The Court found that Plaintiff’s information was not protected by the Stored Communications Act, which prevents the government from compelling Internet Service Providers (ISPs) to disclose information about their users. However, in this case the information was sought directly from Plaintiff, who is not an ISP.

4. Overbroad and Harassing. Finally, the Court overruled Plaintiff’s objections that Defendant’s request was overbroad and disagreed with the claim that Defendant’s request is akin to asking Plaintiff to produce all of her personal mail. The Court also determined that the request would not cause unreasonable annoyance, because Defendant would bear the entire cost of investigating Plaintiff’s Facebook information, noting that “….this is one of the least burdensome ways to conduct discovery.”

Again, I recommend that you read this opinion in its entirety. We will continue to report on any significant cases in the social media legal realm.
