About Jason Velasco

This author has not yet filled in any details.
So far Jason Velasco has created 11 blog entries.

Identification in eDiscovery and Information Governance

By |2021-03-04T16:27:39+00:00March 1st, 2021|Categories: Data, eDiscovery, Events, Information Governance|Tags: , , , , , , , |

Last week the Los Angeles Chapter of Women in eDiscovery invited me to moderate a discussion with some amazing women leaders in the Information Governance space about the challenges & solutions related in identifying users and data as part of the eDiscovery process.  In our conversation with Susan Bennett of Information Governance ANZ and Justine Phillips of Sheppard Mullin we covered topics around:  Securing and locating data with personally identifiable information (PII) for eDiscovery identification stage in relation to cross borders (e.g. tokenization and legal approaches)  Compliance and benchmarking within an organization for identifying relevant data  Using identity management for acceptable risk and understanding risk profiles  As part of this discussion, Justine and Susan provided materials to share with our broader audience.   Justine shared with us some great insight on the California Consumer Privacy Acct (CCPA) and California Privacy Rights Act (CPRA) as organizations continue to understand the different types of “Personal Information” (PI) required to be protected. She shared what is considered to be Personal Information by the CCPA and CPRA.    Susan supplied us with her knowledge related to data privacy in Australia and around the globe with the General Data Protection Regulation (GDPR) as the gold standard privacy protection regulation. Susan has written an article explaining the InfoGovANZ Information Governance model and framework that I suggest people review as part of their IG learnings:   Information Governance: optimising the lifeblood of organisations - InfoGovANZ  There is also a section on law and eDiscovery in the recently released InfoGovANZ Hindsights and Insights Report - Information governance reflections on 2020 and insights for 2021.  Thank you to the wonderful Women in eDiscovery — Los Angeles Chapter for the opportunity to learn and facilitate an interesting conversation with Justine and Susan. It can be overwhelming with the [...]

The Next Step in Our Evolution: From eDiscovery Advisory to Kindato

By |2021-02-17T23:47:09+00:00February 16th, 2021|Categories: Announcements|

The past few months have been an amazing journey for our team at eDiscovery Advisory.  We’ve been blessed with opportunities from a diverse set of client-partners ranging from eDiscovery, Information Governance, Disaster Recovery, Knowledge Management, and Healthcare information technologies.   We’ve quickly grown beyond our eDiscovery Advisory brand to a broader technology and advisory practice. I recently wrote about creating an "eDiscovery as a Service" (eDaaS) automation solution in Microsoft M365 to achieve the “State of Kindato”–achieving “Knowledge and Intelligence through Data” utilizing our Kindato Innovation Lab.    The name “Kindato” resonated with our partner team, Michael Epstein and Jason Thompson.  I’m pleased to announce that our organization will now fully operate under the Kindato (www.kindato.com) umbrella with 4 distinct practice areas:  Kindato eDiscovery Advisory – Our technology and provider agnostic advisory practice around eDiscovery & IG challenges leveraging automation and workflows based on our extensive in-house experience.  This includes our M365 eDiscovery as a Service™ (eDaas) combining Microsoft automation technologies, defensible playbooks, customized Microsoft Advanced eDiscovery 2 (AED2) training, and dedicated support staff.  Kindato Advisory – Our technology advisory practice including implementing technology programs related to overall technology strategy, disaster recovery, knowledge management and data management.  Kindato Tech – Our technology development team delivering customized solutions currently focused on healthcare and education technology.  This team recently built a Vaccine Management and Scheduling Solution (VMSS) built in on Amazon Web Service (AWS) as a SaaS solution.,  Kindato Labs – Our technology playground with a proprietary test dataset (that’s not Enron) to validate technologies as well as experiment with technology integrations.  We can only offer these services because of the team working with us to deliver.  Our internal culture and north star for Kindato is all about “Exceptional People, Extraordinary Results”.    There will be more to come as we transition our marketing and messaging to Kindato.  We are grateful for our community, partners, clients, and teammates. This includes my personal video cast/podcast, “Out of Curiosity” which has evolved around my background as an oral historian to capture [...]

Taking an Agnostic Approach to Legal Technology

By |2021-02-03T20:01:24+00:00February 3rd, 2021|Categories: Data, eDiscovery, Information Governance, Intelligence, Technology|

Early on in my career as a consultant in the eDiscovery space, I felt it important to have an agnostic approach and be independent with my recommendations for solutions, technologies, and providers. Even in my earliest days running the advisory practice at Renew Data where we had our own technology and service offering, there were many situations where I advised clients to go another direction because of the specific scope of a project. As much as this frustrated our salespeople, I understood that there is plenty of business out there and it was good karma.   In 2010 Barry Murphy, Greg Buckles, and I founded the eDJ Group, a boutique analyst firm covering the electronic discovery and information governance space. The eDJ Group stayed above the fray at all cost looking at what was really in the best interest of a client based on their specific scenarios. We tried our best as analysts to take an agnostic approach.  I founded the eDiscovery Advisory practice on the same agnostic approach to technology and providers. That means passing up the lucrative referral or sales relationships with technology and service providers that pervade our market. Maintaining the integrity to advise clients based on their needs is key to the eDiscovery Teams strategic vision and achieving our desired state of KinDato (Knowledge and Intelligence through Data).  As the eDiscovery Advisory team continues to build on this agnostic approach, I had the opportunity to reunite with my previous business partner and very independent consultant, Greg Buckles.  Greg still runs the eDiscovery Journal as well as the eDJ Group consulting practice.    JV: You and I have spoken many times over our careers about really taking more of an agnostic approach to looking at legal technology and legal service providers. Maybe we could start at the beginning by sharing why you chose to be independent and your experiences working independently.  GB: In my role as a corporate buyer of eDiscovery technology and services at El Paso Corp., I started finding conflicts inherent within the relationships between my service and tech providers. I would find out they would get points off a deal or if I chose a piece of technology, the sales rep would get 7.5%.    When I went from there to being a product manager, everybody around me was selling technology except for me. I was the person who owned the development of the technology, [...]

Knowledge & Intelligence through Data: The KinDato Innovation Lab

By |2020-12-03T17:53:46+00:00December 3rd, 2020|Categories: Announcements, eDiscovery, Technology|Tags: , , , , , |

One of the unique opportunities I have as an advisor working with organizations looking at data information governance and eDiscovery issues is that we have an opportunity to look at the strategic use of data within an organization. Over time what we have learned is that organizations get value and reduce risk from data by making sure there is a combination of Knowledge and Intelligence that is driven by Data, or as we call it…the state of “KinDato”. As part of that effort to improve the use of technology and gain value from data within an organization we built the KinDato Innovation Lab, allowing us to assess and leverage multiple technologies through integration and workflows. In the context of eDiscovery and data management, we look at integrating numerous tools in an agnostic way since we don't have a specific relationship with any specific tool or provider. Our goal is to create effective integrations within a client’s environment particular their technology stack. Every organization that we work with uses different types of technologies to manage both their knowledge and data across their organization. From an eDiscovery viewpoint, this is challenging especially when trying to identify sources of relevant information as well as understanding the value and risk of that data.  At the core of things, it is really all about data and understanding that data from various stakeholder perspectives. The KinDato Innovation Lab is completely agnostic to the technology used in our innovation.  For example, we work with mid-size organizations on leveraging the technology they have in-house specifically around Microsoft M365 Advanced eDiscovery solution. Many organizations can’t spend the money or effort on complex eDiscovery technologies.  They simply want to be able to have an easy to use and defensible workflow for things like third party requests and data subject access requests (DSARs).  The KinDato Innovation Lab worked with the built-in Microsoft tools using PowerShell, Graph API, SharePoint and other automation techniques to build a system within the Microsoft Teams environment to create a defensible workflow for these types of cases.  More complex eDiscovery matters that require a greater effort will of course have a different workflow, but this approach will save clients a significant amount of money and effort allowing them to [...]

eDiscovery Productions in Business Productivity Suites: Truly End-to-End?

By |2020-11-03T19:58:54+00:00November 2nd, 2020|Categories: eDiscovery|Tags: , , , , , |

I work with many clients that implement cloud-based messaging and storage systems like Microsoft 365 (M365) and Google Workspace to manage their enterprise. I’m a proponent of moving enterprise systems to the cloud and generally encourage IT organizations to consider all manner of cloud solutions. Legal hold and eDiscovery needs are often secondary (or tertiary or not even considered) in the decision to move messaging and storage to the cloud especially when an organization is not regularly dealing with eDiscovery or data subject access requests (DSAR). Do these tools help enable an “End-to-End” eDiscovery workflow? My definition of an “End-to-End” eDiscovery solution starts with legal hold, data identification, data processing, data review, data search (basic and advanced), and data productions. Based on that definition my answer is no specifically because data productions require additional tools to meet the typical production obligations. Both M365 and Google Workspace have functionality to support legal hold, eDiscovery and data compliance at the tenant level. That equates to using the native index to search for responsive users and content which does not include non-indexable data. eDiscovery in M365 and Google Workspace were built as data triage tools to reduce the amount of information going into the expensive review process. The functionality to support that triage process is powerful with both tools in the hands of a practitioner that understands the nuances of the data workflow in these technologies. Producing data to requesting parties will require additional steps and/or technology depending on the requirements for the production. Production formats vary from case to case, but it is common to have a production specification for TIFF or PDF with native spreadsheet along with a load file. This is important especially with when markings (e.g. Bates stamp, etc.) or redactions [...]

M365 Advanced eDiscovery: Tipping Point?

By |2020-10-13T01:37:08+00:00October 13th, 2020|Categories: eDiscovery|Tags: , , |

I often have discussions with people looking to understand the eDiscovery space better as part of the eDiscovery Advisory Strategy Practice. One of the most recent conversations was around understanding how organizations that are doing in-house culling will impact the volume of downstream data going into the traditional eDiscovery process ending in contract review. Many of my clients over the years have implemented toolsi Nuix, Relativity, ProSearch, CloudNine Law, OpenText EnCase, Forensic Tool Kit (FTK) as well as legal hold tools like Zapproved, IBM Atlas, or Exterro to identify and triage data as part of the initial identification and collection process. It is my experience that the larger, highly regulated organizations typically have a mature workflow around data culling to reduce the data as early as possible in the EDRM lifecycle. But where does that leave the rest of the organizations in the corporate world where it doesn’t make sense to invest heavily in advanced eDiscovery technologies? What can these types of organizations do to cull data down by date, users, and search terms to reduce their downstream eDiscovery costs? I believe that Microsoft 365 (M365) may be the tipping point for smaller organizations making a significant dent in downstream eDiscovery data. M365 comprises of messaging (Exchange) and file sharing (OneDrive) along with underlying services like MS Office, SharePoint, and Teams. Underneath the hood is an indexing engine and administrative tools to manage all the data. eDiscovery functionality is found in the Microsoft Compliance Center which manages the data in the M365 ecosystem. Within the M365 Advanced eDiscovery technology (which requires an E5 license or comparable academic license) exists the functionality to search the indexable data stored in the Microsoft tenant as well as place the data on preservation/legal hold. From there [...]

Remembering eDiscovery Defensibility in a Crisis

By |2020-07-08T00:30:15+00:00July 8th, 2020|Categories: eDiscovery, Technology|Tags: , , , |

Notwithstanding containment efforts, the coronavirus has spread worldwide.  According to a recent McKinsey & Co. report, the U.S. economy could be in a state of recovery until as late as 2023. The hardest-hit sectors – commercial aerospace, air & travel, and oil & gas – might not even restart until sometime in 2021. The COVID-19 pandemic is having a massive impact on a wide range of industries, including the eDiscovery space. However, despite the global crisis, litigation has not stopped and the eDiscovery process continues. Data is being collected, preserved, reviewed, and produced, hopefully in a cost-effective manner and fully-defensible manner. Pandemic-Proofing Your eDiscovery Defensibility Covid-19 has vast potential to expose flaws in the eDiscovery workflow, making the need for a defensible process more critical than ever. Here are some ways to strengthen your procedure: Collect data defensibly. Data collection from a custodian’s laptop may not be possible with social distancing guidelines unless remote enterprise-level forensic technology is available. Work with your outside and in-house counsel to formulate and document a plan ranking critical custodians’ availability. Then prioritize available network sources like file shares and email servers while deprioritizing physical media until collection is deemed safe for both collectors and collectees. The active data collection approach will vary from data source to data source, so work with your outside counsel and collection specialist on the best practices for a data source type. If your organization uses Microsoft O365, it might be time to develop a plan and approach for using the eDiscovery & Legal Hold modules in the Security and Compliance Center to streamline and document your collection efforts from Microsoft systems. Document your chain of custody. As the data transitions from its original source (e.g., Exchange, file shares, SharePoint, etc.) to the collection destination such as a [...]

DSAR Best Practices and Workflows an Organization Should Follow

By |2020-07-07T15:05:10+00:00June 30th, 2020|Categories: eDiscovery, Information Governance, Privacy|Tags: , , , , |

In my latest post, I outlined the process involved in the actual response to DSAR requests. In my last article of this series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance: Review and Update Privacy Notices and Policies The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to: Obtain certain information from the controller beforehand, and without asking for it Be made aware of whether a controller is processing their data and how it was collected Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data Demand that their personal data be erased and no longer processed (right to be forgotten) Ask the controller to restrict the processing of their data Receive their data in a structure, commonly-used format for transmission elsewhere (data portability) Object to the handling of their data at any time (in certain circumstances) Not be subject to decisions based solely on automated processing Withdraw consent at any time during processing In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018. Create and Implement a DSAR Process Your company needs to have a process in place to address: How you will enable DSARs, e.g., offering a standardized online [...]

Responding to a DSAR Request

By |2020-07-07T14:59:23+00:00June 10th, 2020|Categories: eDiscovery, Information Governance, Privacy|

In a previous post, I discussed what a DSAR is, the laws that such requests arose from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests. An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR: Conduct a Data Inventory Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information.  The data can come in many different forms including structured data formats which will require planning on the appropriate output format such as a PDF or CSV file to meet the request requirements. Organize DSAR Requests You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might potentially be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data.  There are technology solutions to help organize DSARs as well as other legal requests that can be implemented to manage the workflow from request to delivery. Fulfill the Request A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information, if necessary, determining if the organization possesses the requested data and if so, whether it must be provided, deciding whether charging a reasonable fee is justified (based on the administrative costs associated [...]

DSARs 101: What to Expect When Doing Business with EU Customers

By |2020-07-07T14:54:19+00:00June 4th, 2020|Categories: Information Governance, Privacy|Tags: , , , , |

For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk. Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges. What is a DSAR? On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requestor’s identity and existence in their data system). Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU. The General Data Protection Regulation The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located. According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online [...]