Each week on eDiscovery Leaders Live, I chat with a leader in eDiscovery or related areas. Our guest on February 19 was Sam Sessler, Assistant Director, Global eDiscovery Services at Norton Rose Fulbright.
Sam and I started with a look at the group he is in, how it is structured, and what they do. We moved quickly to his current area of focus, data breaches and cyber incidents. We talked about their attempts at simultaneously achieving perfect precision and perfect recall when dealing with breaches, about the approaches they take in pursuing this elusive goal, and the need, at least today, to put recall ahead of precision. Sam discussed how they build baseball cards to better identify and notify individuals where breaches have occurred, including some of the processes and tools they use to assist them in these efforts. Sam talked about those things they are able to do alone and those where they work most effectively by partnering with others, and touched on cross-border challenges as well as the need for law firms not to be the weak link when it comes to data breaches. Sam went into the different data types that need to be addressed and the challenges of doing so, and about what needs to be done to deal with large volumes not just of data but also of individuals. Finally, Sam shared his thoughts on an ideal data breach platform.
Recorded live on February 19, 2021 | Transcription below
Note: This content has been edited and condensed for clarity.
George Socha:
Welcome to eDiscovery Leaders Live, hosted by ACEDS, and sponsored by Reveal. I am George Socha, Senior Vice President of Brand Awareness at Reveal. Each Friday morning at 11 am Eastern, I host an episode of eDiscovery Leaders Live where I get a chance to chat with luminaries in eDiscovery and related areas.
Past episodes are available on the Reveal website, go to revealdata.com, select “Resources”, then select “eDiscovery Leaders Live Cast”.
Our guest this week is Sam Sessler. Sam is Assistant Director, Global eDiscovery Services at Norton Rose Fulbright. He's been at Norton Rose for 10 years, rising up through the ranks through a variety of positions and he was at PWC for four years before that, so he's got quite a breadth and depth of experience to bring to bear. Sam, welcome.
Sam Sessler:
Thanks for having me.
George Socha:
Glad to have you here. I'd like to start this discussion, if we can, with you talking a little bit about your group or department, how you’re structured, what you do.
Sam Sessler:
Yeah, absolutely. And for those of you that may have seen my profile pic before, it's a little different than the post-COVID days. I'm getting a lot of a hard time. This morning I was on a call with David Kessler and he accused me of ripping off Tom Selleck, so I thought I would introduce myself with a little humor there.
George Socha:
You know what it is, it's just mustache envy. I could try my entire life and I would never be able to grow and support a mustache the likes of what you have there.
Sam Sessler:
We have a pretty interesting setup for a law firm, even for a global law firm of our size. We are structured more like a provider or a vendor inside of a law firm. We have three lines of service, essentially. We have a consulting service, which is the team I head up. We have project managers, project analysts, essentially in a consulting role across the country. And we have counterparts in Canada and the UK as well. The consulting team heads up all of our project management services. We focus our expertise on eDiscovery mainly, TAR consulting, AI consulting and data breach and cyber. We also have a processing and hosting team. They basically handle all of our data analysis, data processing and eDiscovery hosting. And last, we have a document review offering. We have between 10 and 15 full-time review attorneys that serve as project leads and then we have overflow to outside providers. So, we're a pretty beefy size team, we have about 20 people on the consulting side, four to five on the data processing side, and between 10 and 15 on the document review side.
George Socha:
Fulbright, the Fulbright side of things, long has had a team, as I recall when we started EDRM in 2005, Florinda already had a team maybe 40 strong, focusing on litigation support and eDiscovery. So you have been well-established for a long time, right?
"We are always trying to evaluate and make sure we're using the right tech, the most recent tech, and maybe even technology that hasn't even become mainstream yet."
Sam Sessler:
That's right. I came on board in 2011 and we had been using technology assisted review in many ways and leveraging AI technology all the way back to 2008, even. It's when we did our first TAR project. We wrote a protocol on it, we did a defense document that basically laid out in front of a court the outline and the protocol for it, and it was accepted. So you're right, we were very early on the cutting edge of TAR and AI back in the day, and we've been trying to push the boundaries and move forward on that front ever since. We are always trying to evaluate and make sure we're using the right tech, the most recent tech, and maybe even technology that hasn't even become mainstream yet. That's been our focus for many, many years.
George Socha:
The focus, of course, has changed over time. Early on I suspect it was heavily on document review in a more traditional linear form. Of course, as you said you were early days in predictive coding, TAR, whatever you want to call it. And these days you've got a burgeoning data breach in cyber practice, right?
Sam Sessler:
We do indeed. Very relevant right now. I'm working on four consecutively, all at once, and I know there's more that the firm is currently handling. It's a practice area that at NRF started three years ago. It's since become a huge focus of our time and efforts lately. Last summer we had a few very large cyber incidents that we worked on and we've already gotten six this year, at least that I'm aware of, and I'm currently working on four. It's a very unfortunate line of business to be in, but there are clients and other law firms that are dealing with the same thing. Our eDiscovery team is a large, important team that focuses on that area. We also have a group of privacy and cyber lawyers that are heavily involved in that breach work.
George Socha:
It sounds as if those types of undertakings are by their nature multi-disciplinary.
Sam Sessler:
For sure. I come from a background of, it's more of an IT background that moved into the digital forensics space while at PWC. It translates well to eDiscovery, but it also translates well to cyber incidents. Data breach and incident response are very similar and overlap in a lot of areas. We find that our team has a lot of expertise that we can apply to these types of matters. Unfortunately, they are quite the slog. There's a lot of good tech out there, there's a lot of good expertise in the market. The problem is there's not a silver bullet yet, but there are some budding technologies, budding vendors out there that are doing a really good job in the space that we use and they complement our team very well.
George Socha:
What are some of the biggest challenges you encounter when dealing with data breach and incident response?
Sam Sessler:
Where should I start? I'll name a few. In eDiscovery, it's a little bit different. What we do in eDiscovery is more focused on what's reasonable and proportional. These data breaches, we have to be perfect or as close to perfect as possible. At least that's our mindset, it’s what our customers and clients expect, it's what regulators expect, unfortunately. We don't have to answer to courts unless there's a litigation that ensues from these, but we have to answer to regulators and we have to answer to end clients, customers that had their data breached. When you're looking at the statistical analysis of the data that's been breached, having perfect precision and perfect recall is the goal.
You want to be able to find and isolate and extract the information that's been breached and when you're dealing with terabytes of data sometimes, just like in a large eDiscovery matter, it's hard to find that needle and even further, it's very hard to be precise in finding that needle. So these data breach reviews can be very expensive if you don't attack it strategically.
Our team does a really good job of being strategic around sampling this data and using technology to find that needle, those sensitive documents. But what becomes difficult, which the market has not really found the perfect way to handle, is the extraction of that information. You don't only have to find the information but you have to extract it, you have to build a list and then you have to notify individuals about what’s taken, what was exfiltrated. There's very little automation that exists out there to build that list. There is some, but it's still extremely expensive. It can be error prone, without a lot of heavy eyes on. Every step in the process introduces a small margin of error into that step, and so that can compound as you get further along the lifecycle of a breach project. It's very tedious work, there are things that you can do, there's tech you can apply to it, but it's still a very tedious exercise fraught with potential error, unless you are very careful and have a very good process to apply to it.
George Socha:
With active learning in eDiscovery and litigation, we tend to think of precision and recall as trade-offs. The more you do to improve precision, the more you sacrifice on recall and vice versa.
Sam Sessler:
That's right.
George Socha:
Yet you said for data breach, you’ve got to have 100 percent perfect on both. How do you get there?
Sam Sessler:
It's very difficult, and you don't. Like you said, George, it's a balancing act. If you improve precision, recall usually drops and vice versa. I think where we usually land is being perfect on recall or as close to perfect as possible. We oftentimes have to sacrifice precision. That's unfortunately the way that we have to approach it, because of the regulations and the strict requirements around finding that PII and PHI. It's a very good point. We usually default to sacrificing precision, unfortunately. Now, there is AI that can help with that, but for the most part, we have to sacrifice precision to a certain degree.
George Socha:
It sounds like you end up erring on the side of at least initially including something as potentially something you need to deal with rather than setting it aside, saying “yeah, probably not”. Right?
Sam Sessler:
That's right. From a budgetary standpoint, that's unfortunate, but it's better that you don't miss that, so we will introduce it into a workflow versus excluding it upfront.
George Socha:
Another challenge, if I'm hearing what you said correctly, is that at some point you need to identify people to contact, and we don't always have their names laid out in a neat, precise fashion; we don't always have telephone numbers, e-mail addresses and all of that readily available. What do you do to deal with those challenges?
"You're technically building a baseball card for an individual. You’re finding the individual or the entity, you are finding what personal information was breached, and you're creating relationships about that individual tied to those data elements."
Sam Sessler:
It's a good question. Again, we don't have a perfect process for it, but what we do have is, we do have some decent technology out there that can help us build these profiles of information. You're technically building a baseball card for an individual. You’re finding the individual or the entity, you are finding what personal information was breached, and you're creating relationships about that individual tied to those data elements. We use a variety of techniques. Some are old, some are new, but at the end of the day we use a variety of technology and techniques to build that relationship or that profile. There's a lot of QC that goes into that relationship that you've created. We start it at the beginning of the process with the TAR identification or the AI identification of that individual and of those data elements. We then bring in technology to assist us with creating those relationships. And then last, we do validation just from a high level, we do validation with the end client or with other publicly available databases to validate that you do have the right individual, you do have the right address, this is a married name versus a maiden name. Those examples can get pretty difficult to validate. But we do it. In a standard data breach review, we allow three weeks to do that validation. It's a rolling validation, so you'll be rolling out notification throughout that time period to customers as well as clients.
You have to build out that time in order to do that, otherwise you could be notifying people that either don't exist or didn't really have their data breached and you can create a problem. Another thing you could do is accidentally create another breach by inadvertently disclosing information that you didn't mean to disclose. It's a very, very, high risk, very tedious to do. The tech is really helpful but we need more, I think. We need more cutting edge technology to help us with not only, like you said, the recall; being precise is what we're really needing help with.
George Socha:
It sounds to me as if you've got aspects of a number of things pulled in here. You've got initially the confusion and uncertainty of an internal investigation or governmental investigation. You've got the time pressures and financial challenges of a second request. You have got the need to figure out what happened and figure out what story you tell as a way of pulling all of this together that you get in a lawsuit. And then you have got to be a claims administrator as well. Is that right? Are you pulling in all sorts of different things to make this happen?
Sam Sessler:
Bingo, you nailed it. That is exactly right. And the whole time you're working with your end client you're in crisis mode. Everything's in crisis mode so it brings in the incident response side of things back into the eDiscovery lifecycle. You're trying to mitigate the risk, and you're also trying to put your clients at ease, while dealing with state regulators. That's a very good way to put it George, you described it well.
George Socha:
How much of all of this are you able to do by yourselves, how much do you need to partner or choose to partner with others, and then what sort of partners are you looking at?
Sam Sessler:
To be frank, we started doing all of it ourselves three years ago. We've learned a lot along the way. We've developed really good processes. However, we've also found that there are some partners out there, some providers that can fit some of our needs. Right now we're leveraging providers to help us with the review side of things - not just the eyes on review, but the technology to help us with building those relationships for the individuals who have had their data breached. That's where we are currently partnering with providers and we're looking to kind of continue to vet that. If there are providers that have emerging tech that can help us with that relationship-building of those entities and fixing the precision problem while not sacrificing recall, that's where we're looking to really partner with a provider.
George Socha:
It seems to me from what you're saying, that there's yet another facet to this that we can compare to what needs to be done in electronic discovery. I assume data breaches and cyber incidents do not respect national boundaries and that you've got all sorts of cross border challenges you need to deal with as well?
Sam Sessler:
That's right. We have two projects right now that are in the EU, which is very difficult for us because we can't touch it, we can't see it, we can't access it. Luckily we are a global firm that has privacy experts globally but we still need providers to help us globally. When we have an EU incident, we keep it in-country and we rely on those experts and we consult from afar. But it is a challenge, it's really difficult. You have time zone issues. You have different country requirements for notification. You have GDPR requirements you have to deal with. And then you're sometimes working with teams that you don't have the same familiarity with. While you're one firm and your vendors and partners are pretty consistent in how they do things, you still have to deal with working with a team in a different region.
And it's not just the regional problems where breach comes in, it's the client profiles. Law firms are becoming more and more of the crown jewels for these ransomware attacks. It's unfortunate, but it's another thing that we're dealing with. The client profile is shifting. Nobody is secure from these things, no matter how hard you try. I know everyone has heard this, but it's a matter of when you'll be hacked, unfortunately.
George Socha:
It has long been said that law firms are the weak link when it comes to data security. Because you're dealing with these, obviously that must mean that as a firm you're putting a lot of resources into making sure that you are doing everything you can to provide adequate protection for data. I'm not asking for the details, because you shouldn't be sharing those details, but that must be a part of what's going on as well.
Sam Sessler:
Oh, it is, and I know all of our counterparts are doing the same thing. All of the CISOs of the world are working very diligently to curb this problem. We saw a big focus on it during COVID, because it was really bad during the COVID spike. It continues to be a focus of ours and I know it continues to be a focus of all the law firms, which are working diligently to try to minimize their risk. Some teams, unfortunately, it took getting breached before they could address it, but still it remains a large focus, especially in the law firm world.
George Socha:
Certainly for cross border matters, but I imagine even for data breaches that are primarily within the United States, you must be dealing with a wide variety of things - multiple languages, multiple file types, audio and video, as well as text. Am I right in that surmise?
Sam Sessler:
That's right. That's very relevant to me right now. I just finished a report on potential complex data types that we're dealing with in a matter, very similar to eDiscovery. However, the type of data that you're dealing with in breach work, if you have structured data that you are having to analyze for what potential PII or sensitive content is in that data type, it becomes very tedious. You can't apply a standard eDiscovery workflow to that at all. It's also hard to do a sampling approach to those data types. We're dealing with SQL databases often, database backups, complex Excel spreadsheets, all sorts of different types of ugly PDFs that are just terrible reports. Being able to apply technology to those types of documents to extract information out systematically is not easy.
While there are some teams that we partner with that do a very good job of basically scripting a lot of that out, it takes a lot of work to do so. And not every matter is the same, not every data set is the same. Just think about the complex databases that are out there with the number of tables that might exist within the number of databases, within the number of instances. And then you have records within all of that. It can be very difficult to slice and dice that and assess what the potential impact is without a lot of smart people doing really good work on them.
George Socha:
We like to think we know how much volume, what sorts of volumes of data, how much data we're going to need to deal with when it comes to eDiscovery in civil matters. What sort of volumes of data are you dealing with here?
Sam Sessler:
Really good question. It's really difficult to assess documents and how that translates to the number of individuals that might exist in those documents. One spreadsheet could have 300,000 Social Security numbers in it. That becomes 300,000 individuals that you have to extract data for. It's very difficult to extrapolate how many entities I am going to have to deal with when I have a terabyte of data.
We've done a really good job of breaking that out based on past experiences. We have a lot of good information that we can leverage from prior matters. But how to project and estimate what you're going to deal with from an entity standpoint is difficult still to this day. On one of the projects we had last summer, we had, I believe, eight to ten million entities that we extracted from 300,000 documents. You can see how that balloons from an extraction standpoint and from an individual PII standpoint. The number of elements that exist for each individual is just extraordinary, and so it can be very difficult to extrapolate for an individual or for a client or for a state regulator just what we might be dealing with at the onset of a breach. One of the biggest challenges from that standpoint is that the regulators and the clients are asking, and the individuals are asking; once you disclose, then the floodgates open. They want to know what exactly has been taken and what you expect to find and when you expect to find it. And so the clock starts ticking. It's a very fun little exercise for sure.
George Socha:
I'm not sure fun is the word everyone would choose. I'll close with this final question, which I think you've opened the door to. What would your ideal platform for dealing with these challenges look like? Assume no technological limitations whatsoever, assume no financial or budgetary limitations. What would it look like?
"Being able to build those relationships without a lot of human input, unsupervised, would be in my opinion the best technology that I could ask for these projects."
Sam Sessler:
Oh wow. No budgetary limitations. I think being able to do it all would be awesome. Right now, we have to apply many different technologies to a single project or to a single data source. I would say the wish, the silver bullet, would be a platform that does data breach from beginning to end, from an identification standpoint, a review standpoint, and a notification standpoint.
But I would say the biggest need there is a tool that can create relationships and do them well. Something that's smart enough that can say, okay, I know Sam Sessler is also Sam G. Sessler, they're the same person, and I can tell that based on you training me that this is his social, this is probably his physical address, or whatever that example might be. Being able to build those relationships without a lot of human input, unsupervised, would be in my opinion the best technology that I could ask for on these projects.
George Socha:
Great. Thank you, Sam. Sam Sessler is Assistant Director, Global eDiscovery Services at Norton Rose Fulbright. I am George Socha. This has been eDiscovery Leaders Live, hosted by ACEDS and sponsored by Reveal. Thanks for joining us today.
Please join us next Friday, February 26th, when our guest will be Suzanne Clark, Discovery Council at eDiscovery CoCounsel. Thanks, Sam.
Sam Sessler:
Thank you.