Today we welcome Jo Sherman, CEO, EDT Inc. (website), to share some of her thoughts on the challenge of international investigations and data collection/analysis. Given the challenges of discovery and data collection across borders in anti-corruption programs and investigations, I thought her experience and perspective would be of tremendous value. I had the pleasure of meeting Jo in New York and she also attended the Oslo Anti-Corruption Conference, where she contributed her reflections in a prior blog (link here).
RB: Jo, thank you for today’s Q and A, and perhaps you can share some of your background and how that evolved in what you do today?
Thank you Richard. I studied law a few decades ago back in Australia and then embarked upon my computer science studies. Since that time I’ve devoted my professional endeavors to the application of technology to the practice of law. About 12 years ago I founded EDT, a company that has developed end-to-end case management software for the investigation, e-discovery and litigation sectors. We’ve now grown to a point where we have many global clients and offices around the world. I moved to New York City about a year ago to set up our North American headquarters.
RB: Thank you, so Jo, what are the challenges which organizations face with respect to data collection and analysis?
Global corporations, particularly those headquartered in the US, confront many challenges surrounding the data privacy regime in the EU. Those managing internal or regulatory investigations and cross border disputes need to navigate a quagmire of EU rules, protocols and directives that limit access to and removal of data that is deemed to be ‘personal’ from corporate premises. The problem is further exacerbated by inconsistencies across various EU countries with each country requiring a different and tailored approach. This is problematic because often the data held, received or created by EU based employees, agents, contractors and consultants is of critical importance to US oriented investigations or disputes.
RB: That sounds almost un-navigable?
It is particularly challenging given the ever increasing investigatory activity by US regulators in the anti-corruption and bribery domain, such as the FCPA, and the corresponding growth in the number of internal corporate investigations. The vast majority of these investigations involve data residing in the EU that is considered private. Significant frustration has been experienced when attempting to collect such data to bring it back to the US.
There has been much debate about the best approach to such cases and a plethora of advisory services and sophisticated technology solutions have evolved in response. These solutions have typically involved significant travel for forensically skilled personnel or subject matter experts, hardware infrastructure and software licensing expenses. However, there may be an easier way to address the problem.
RB: How, given the complexity of the regulations?
Let’s go back to basics. It seems that most of the challenges corporations face relate back to an underlying core assumption that the data needs to be brought back to the US. So, in that context it’s the actual removal of the data from the EU location that is the key problem.
To that end, I wonder if we can draw an analogy to the NASA space pen story Edward de Bono talks about in his 1998 book “Simplicity” (a must read for anyone involved in technology development). In “Simplicity” de Bono advocates the need for creative thinking to find simple solutions to complex problems. As a metaphor, he uses the story of the NASA program that required massive funding over an extended period of time to develop an anti-gravity pen that will work in space.
Meanwhile, the Russians used pencils.
So, when confronting the EU data protection challenges, I wonder whether we are over-engineering the problem and missing some potentially obvious solutions?
RB: Well, this is new to me, so what might be the obvious?
The first question I would ask is; why do we assume that the data needs to be removed at all? If obtaining approval to move the data is the problem then why don’t we simply stop moving the data? Why don’t we just keep it in place, for as long as possible, conducting the bulk of the data analysis and review activities on-site, to either dramatically reduce the problem or potentially even remove it altogether?
A related and basic question is; why do we assume the review needs to be done in the US? Why can’t the review take place on-site, at the source location, potentially even with some key employees or even workers’ council representatives looking on? This approach would mean conducting analysis of the data on-site, running searches to identify key relevant documents and, at the same time, identifying personal information right there and then. At that point the necessary approvals could be sought using very detailed and specific data descriptions (broad sweeping ill-defined requests have rarely been successful), or the personal information could be redacted or it could be flagged and quarantined altogether. Then, a first pass review could be undertaken, again, on-site without moving any data.
RB: So you seem to be advocating an on-site as opposed to “move the data” approach?
Yes. I think it’s often possible to do a considerable amount of the work on-site without moving the data. That means fewer obstacles will be confronted because fewer (if any) approvals to move data will be needed. The extent to which data will need to be removed at all will vary from case to case but I would think that most cases could benefit from a policy that advocates on-site collection, analysis and at least a first pass review to cull down the data.
In some circumstances it may be possible to conduct a more detailed, second pass review in-situ while other cases may necessitate return of a small subset of data back to the US corporate headquarters or to a US based legal team that is overseeing the investigation or dispute. In such cases, seeking approval for a small kernel of key information that is highly relevant rather than approval for a massive data dump of everything that could possibly be relevant is far more likely to satisfy the EU based gatekeepers. And, it’s also likely to be a less painful exercise if an on-site, consultative approach is taken whereby key employees, knowledge workers, even worker councils have been engaged throughout the on-site culling, analysis and review exercise in the first place.
Of course, to adopt this strategy the supporting technology platform needs to be nimble, affordable, easy to use and above all it must have a light footprint so that it’s easy to install, even onto a mobile computer like a laptop. Such solutions do exist.
RB: Do these solutions embrace reasonably user-friendly technology, or would it extensive training? And what has been the market reaction to this paradigm shift?
Three words to that Richard – Keep it Simple.
By that I don’t mean simplistic. Technology must be powerful but it must also be easy to use. It should be possible for on-site corporate employees, investigators and lawyers who are not data scientists to perform processing, analysis and review activities with minimal training.
Last month we co-hosted an event with our UK based partner, Altlaw (link here), at the NYC offices of Hughes Hubbard & Reed LLP to canvass this topic. My co-panelists were Brian Corbin Vice President, Discovery Program Manager from JP Morgan Chase, Ignatius Grande, Senior Discovery Attorney, Hughes Hubbard and Reed LLP, Patrick Burke Senior Counsel, Sefarth Shaw LLP, Mike Taylor, i-lit limited.
There was a particularly candid and stimulating debate between panelists and the participants with valuable insights from corporate attendees. Some efficient, practical and creative strategies were proposed for managing cross border litigation and investigations and a take the tools to the data proposition presented above was one of the many ideas canvassed.
Indeed, a key theme to emerge on the evening was very much aligned with recent comments by Leslie Caldwell, the AAG of the DOJ’s Criminal Division to the effect that companies under investigation are not required to “boil the ocean”. A fresh and proportionate approach through a bit of creative thinking may enable corporations to find the balance between ticking the compliance box while maintaining control over the bottom line expenditure.
RB: Indeed, that “boil the ocean” comment seemed to have generated an “ocean” of reaction. Well, is there anything else you would like to add, and how can people get in touch with you?
I’d like to thank you Richard for the fine work you are doing in the anti-corruption and compliance sector. Your insights are always compelling and it’s so refreshing to hear such a candid perspectives from someone who ‘talks the talk’ but has also really ‘walked the walk’.