While lawyers are beginning to migrate toward the use of visual tools in the courtroom to communicate the stories they are presenting, they continue to lag behind the world in which their clients exist in using visual tools to perform the rest of the work that precedes the trial.  A big part of that work is mapping real statistics of how the e-discovery process is moving forward against the requirements and the overall project plan.

My thanks to Jeff Brandt, who identified this useful blog post on the value of visualization to IT executives.  I strongly endorse a quick read so that lawyers can better understand the power of RitterMaps to managing the complexity of e-discovery.

The first briefing is Managing the Legal Risks of Outside Counsel. Many corporate lawyers presume that their law firms know how to manage and protect digital information, including the sensitive records that may serve as evidence in lawsuits and government investigations.  But do law firms really do the right thing?  How can corporations better address the legal and business risks that exist when outside counsel is entrusted with valuable corporate records?  

Those attending this webinar will walk away with a detailed RitterMap™ that presents a structure for conducting a dialogue with outside law firms on how the firms implement modern information security management practices, as well as a detailed checklist of issues to be addressed in the engagement letters under which a law firm is employed. Attendees will also receive a discount coupon for a future 1SecureAudit eDiscovery Survival Executive Briefing and Workshop.

Registration for each webinar and access to further information about the series can be done here.

Last week, something happened that was truly noteworthy. The 25-year-old son of one of my good friends was visiting for dinner.  My friend encouraged me to show his son, an aspiring lawyer, the RitterMaps and how we are developing these tools to support the performance of legal services, and the collaborative, team management of digital information. We’re – located to my office and, sitting side–by–side, I began to show him how the mind mapping function worked, and some of the features and capabilities of the RitterMaps. Then, it happened.  While my own hand was gesturing in the air, the aspiring lawyer simply reached for and took control of the mouse.  No permission was requested, nor expected.  Instead, acting nearly on instinct, and eager to explore the further depth and complexity of the content, he took over.

Now, the dynamics changed entirely.  My guest was asking questions, opening and closing topics, experimenting with restructuring and re-organizing the content, engaging and interacting with the RitterMaps naturally and without any training, instruction, or guidance on how to do things.  Reflecting later that night on the moment, I remembered the scientist who is playing the keyboard for the visiting alien spaceship in Close Encounters of the Third Kind.  The scientist removed his hands from the keyboard and the spacecraft took over, playing the music on its own.  I felt much the same as the scientist – awed and humbled.

The singular incident underscored that the challenges of trying to reorganize legal content in order to be more accessible to those responsible for managing the digital record is worth all of the effort, false starts, and resistance from the status quo.  We run out of alphabet letters– and it’s difficult to keep track of whether anyone of us belongs in the X, Y, or other generations.  But the current and future generations are simply being wired differently to interact with, explore, acquire and apply information.  The inherent presence of the digital screen, and the near-infinite accessibility of information that can be transformed into knowledge, empowers individuals to point, click, explore, defy structure, and fearlessly persist in shaping the information into the knowledge structures they require to learn, work, and even play.

Traditional publication formats–most notably hardcover textbooks, three-ring notebooks, and the ubiquitous slide deck– simply no longer work as effective tools to organize, present, and deliver knowledge that enriches, informs and empowers each of us.  In developing RitterMaps, unique in their integration of legal and technology content into unified presentations, I was trying to solve a simple problem: to equip both legal and IT professionals with a resource that enables them to work better, collaborate, and reduce the risks of not understanding each other’s business languages, cultures, and performance objectives. But it turns out that we may be doing something much more important and provocative.

By taking the first steps to present legal and technology content together, and using visual information mind maps as the publication structure, we are building tools that enable those "born digital" to explore faster, to learn better, and ultimately communicate with one another in a visual space that requires no training to navigate.  Yesterday, an adjunct professor at Columbia University introduced me to their masters’ program on Information and Knowledge Strategy. It’s a very cool new program.  In our conversation, she pointed out that RitterMaps have another purpose.  They accelerate the capability of the learner to transform and share the information they have learned with others.  A RitterMap, or any mind map, allows the learner to immediately take the instrument from which they have acquired the knowledge, and present that same content to someone else-other team members, supervisors, or perhaps even judges. It turns out this is one of the most important "knowledge strategies"– to design and implement the means to share knowledge above the din of endless digital information.

It is clear that our strategy must embrace giving the X, Y, and younger generations hands – on experience with RitterMaps.  If they can touch, edit, modify and adapt the content, each user becomes an owner of both the information and the knowledge they are experiencing.  This control enables the user to construct their own architecture and, in the final analysis, use the knowledge to their best advantage.  And isn’t that essential if effective information governance in a digital world is to be achieved?

I will long remember the evening when I lost control of my mouse.  It was one of the best experiences of this journey.

On Tuesday, January 31, 2012, I will be speaking at the ALM Law Firm CIO/CTO Forum, held in conjunction with LegalTech in New York City..  It is a pleasure to be the featured speaker following the legendary Don Tapscott.  My topic—“Building and Securing Digital Trust”—represents the first time I have presented my argument for trust as an economic asset to law firm executives.  I am looking forward to it.  If you will be at LegalTech in New York, and are a CIO/CTO type, please be sure to join us.  If you cannot join us, drop me a note at jeffrey@jeffreyritter.com and I will be sure to send along an executive summary of my remarks.

Following a break, I will also be the facilitator for a panel on “Navigating the Rapids—Delivering on Mobility, Security, and Privacy”.  The Ritter Academy has been invited to set up a table—our first appearance at LegalTech.  All in all, it should be a great experience.

Whether looking to make stock investments or obtain Internet-based services from “cloud providers”, a growing momentum exists to demand increased transparency regarding how well companies manage their digital infrastructure. On different fronts, companies are facing new formal legal requirements and the pressure of voluntary compliance with mechanisms to report and disclose information about how they create and manage their information systems.

Public Company Disclosures

In October, 2011, the U.S. Securities and Exchange Commission published a Guidance on the obligations of registered companies to disclose cybersecurity risks and cyber incidents. The Guidance is available here. The Guidance examines different types of disclosures that are to be made in order that a reasonable investor making an investment decision does not rely on disclosures which would be otherwise misleading. Here are some examples:

· If an investment would be speculative or risky because of the risk of cyber incidents, those risks should be disclosed if they would be among the significant risk factors. Risk factors that are disclosed need to describe the nature of the risks and their impact on the company.

· Actual cyber incidents that have a material impact on the company (an example given by the SEC is a cyber attack embedding malware that compromises customer data) may also require disclosure.

· The financial impact of specific attacks may also require discussion in the “Management’s Discussion and Analysis”.

· Material pending legal proceedings involving a cyber incident may be appropriate for disclosure.

· Financial statements can take into account both investments in prevent cyber incidents, as well as their impact on diminished cash flows, customer goodwill, and customer-related intangible assets.

There is no question that this guidance will provoke considerable discussions in corporate board rooms regarding whether any real cyber security risks exist. But the SEC has taken an important step forward—it has empowered investors to have (a) a legitimate basis of inquiry regarding the information systems of a company, and (b) a basis to ask questions regarding the security and integrity with which those systems are maintained which are no different in their value to the investment decision than questions regarding the physical facilities, human resources, intellectual property, and other assets of a company.

In doing so, the SEC has also put into motion a further dimension of the dialogue that occurs between public companies and their service providers regarding cyber security and cyber incidents. Now, addressing information security, system security risks, and the security controls that are required by commercial contracts is no longer a discretionary item. Far too often, these topics are minimized in the contracting process, addressed with general, non-binding language, or avoided completely.

Now, the public companies have the incentive to demand a quality of security across their entire operations (including those that engage cloud-based service providers) that enables (a) material cyber risks and the potential for adverse incidents to be controlled (thereby avoiding the public disclosure of those risks), and (b) remedial and corrective action plans to be in place to assure that any incident, if it does occur, is less likely to create a reportable event.

Disclosing Cybersecurity Controls

The Cloud Security Alliance (CSA) has taken a different, and perhaps more influential step. Many lawyers and information security managers have been frustrated by the inflexibility of cloud service providers in addressing security concerns substantively in the related commercial contracts. Often, the service providers, whether providing software, platform, or infrastructure as a service, oppose making contractual undertakings that enable their customers better confidence the customers are able to meet increasingly complex legal rules for maintaining information security controls.

CAS has announced a free and publicly accessible registry that allows service providers to file and document the security controls they offer. The service is called the Security, Trust and Assurance Registry (STAR). Detailed information on STAR is available here. The service was launched with the initial filings of Google, Microsoft, Verizon, Intel and McAfee. Vendors may submit either one of two types of reports, each of which requires detailed disclosures regarding their security practices, and the alignment of those practices with published CSA best practices.

STAR is an important innovation because it sets a standard of care in place for how vendors earn the confidence and trust of their customers, as well as the larger ecosystem a specific customer may support. For example, ABC Manufacturing selects Vendor X to host in the cloud various services that provide data and reporting on 6,500 distributors of ABC products. Those distributors now have greater visibility into the security controls that enable the data services, and in turn, should have better ability to address their own compliance mandates.

Clearly, competitive advantage is going to be realized by those who understand, and do not try to deny, the importance of transparency. Those vendors who decline to participate face two new hurdles. First, customers will make competitive peer-to-peer comparisons between vendors who participate in STAR and those that do not. Second, the SEC guidance, which will surely be copied over time by other national agencies, creates regulatory demands that make it difficult for any public company (or their providers) to do business with a cloud vendor that cannot offer the transparency required to document cyber incident risks are controlled and not reportable.

Where does this lead?

As consumers and customers, and as vendors and sellers, all of us see both sides of the process through which trust is secured that enables a transaction to be executed. Working for our company, we often try to secure the sale with our smiles, great pricing, and advertising. But, in the evening, as consumers and investors, we aggressively investigate any seller, blowing past smiles, pricing and advertising to seek knowledge that informs our decision: crowd-sourcing (such as eBay merchant evaluations), investment analyses, product reviews, etc. It is an essential truth in an open, competitive digital market that the vendor that does not provide comparable information, both in the types of information and quality, will be dis-favored by the consumer.

Technology enables transparency, but it also enables us to express and incorporate into our purchasing our own criteria and preferences. There is no barrier today that precludes customers from demanding transparency on security controls, as well as the effectiveness of those controls. Nor is there any barrier to expanding the criteria on which we seek information until, for any single transaction, we reach a point of indifference. I believe this drive toward transparency will continue and gain momentum across a much larger catalog of criteria than security controls. Each additional object of information allows us to lower our risk that a decision to trust a vendor is subsequently voided by performance failures on which we could have asked better questions.

Companies must anticipate this level of disclosure and build into their system designs the expectation that their controls, their performance, and their failings, will be reportable events, not just internally but to external audiences (such as regulators or customers).  It will no longer be sufficient to offer that “we employ commercially reasonable information security procedures”; instead, transparency will be competitively required to enable the trust decisions a customer must make. 

Both professors are scholars I respect. They have accurately reported the issues presented as ones arising under the U.S. Constitution and its limits on the power of the state to conduct surveillance. But I submit both the professors, and perhaps the advocates before the Court, have presented the issues far too narrowly. In doing so, they have provoked me to use this posting to call out a more fundamental failure in how to navigate our way through the collisions of a digital world with the prevailing principles of a legal system, and our current failure to consistently prepare law students to be effective custodians of the rule of law in a digital world.

The facts are straightforward. Pursuant to a warrant, police secretly installed a GPS device on Antoine Jones’ car to monitor his movements. The warrant expired, the GPS data continued to be collected, and the data enabled the police to locate a cache of cocaine, resulting in a conviction. On appeal, the United States government argues no warrant was even required in the first instance to track the movement of citizens, arguing that today’s always-on technologies are already monitoring each of us to such an extent that we have no “reasonable expectation of privacy” for which a warrant application must be prepared. That application allows a court to evaluate whether the suitable cause exists to nevertheless approve the government’s surveillance.

Both professors highlight the prevalence of surveillance and monitoring technologies. Both also acknowledge the degree to which each of us live our lives in acquiescence to the presence of these technologies, and express no objection to the constant observations being recorded. “We are evolving into the perfect cellophane citizens for a new transparent society,” observes Prof. Turley. Nevertheless, the authors seem to believe that the protection of privacy extracted from a Constitution that went into effect nearly 300 years ago is being eroded, and that a favorable ruling for the government is the basis, again in Prof. Turley’s words, to “mourn . . . privacy’s passing”.

In 1999, Scott McNealy, the founder of Sun Microsystems famously observed, “There is no such thing as privacy. Get over it.” Both of the professors need to get with the program. What is at issue is not the power of the state to conduct surveillance, nor any natural or legal right of a person, automobile, or company to be observed as they live their lives. We are living “cellophane” lives, and if we are connected, both corporations and government have nearly unfettered access to any digital activity (or digital recordings). What is important, and what should be the driving issue, is to recharacterize the conversation to focus on the ownership, control and use of the collective record of our lives stored within the Net.

On nearly any current detective show on television, we see abundant examples of how law enforcement is requesting and accessing recorded data created and held by private entities to investigate and discover social misconduct—call records, casino video tapes, parking lot video tapes, hotel room magnetic key records, credit card transaction data. Of course, none of us going about our routine lives think much about the presence, or use of, these monitoring technologies. I don’t believe any of us choose a beat-down corner grocery versus a national brand convenience store because we know the grocery has no monitoring devices, takes only cash, and does not decorate the interior edges of their front door with measuring tapes against which to calculate our height.

Nor does the collection of the resulting monitoring data seem to offend any of us—by virtue of our use of the devices (such as a credit card) or our access onto premises with recording devices, we are consenting to the recordation of our conduct as a condition to use or access. Banking and real estate lawyers would say that we have given that consent either by express contract or by the voluntary decision to enter onto a specific property.

No one seems particularly upset when commercially collected data is used to catch the bad actor (except, of course, the bad actor). For myself, despite a lifetime liberal value system, I cannot get upset when technology can be employed to detect, and document, conduct that violates the law. The use of commercially collected monitoring data, and re-purposing of that data toward law enforcement, just does not make me uncomfortable.

So, do we have a different level of comfort or discomfort when a) the monitoring data is collected originally by the government, and b) the target has no knowledge of, or consent to, the installation and use of the monitoring technologies? Put aside the constitutional analysis for a moment: does that conduct by the government make us have a different sense of discomfort than any commercial collection activity? In Jones v. United States, what was being monitored was the travel and passage activity of a vehicle on public infrastructure facilities.

Ironically, also in this morning’s New York Times, coverage reported on the “wary” decision of the Chicago City Council to approve the installation of hundreds of speed-detection cameras. Really?!? In opposing or expressing skepticism, several arguments were made: “taxation without representation” of non-resident drivers violating the speed limit; constituents anger that the legislator would support the use of technology that actually worked to enforce the law, etc.

But what seems really at issue is the notion that a citizen has a discretionary “legal” right to disobey the law, based on the likelihood they will not be caught. Too few officers on patrol. A dark and stormy night. No traffic (or officers) in sight, despite a “No Turn on Red” sign. What annoys those opposing speed-detection cameras is that their “right” to roll the dice and violate the law is being compromised by technology. Of course, it is especially ironic the Times reports that, where speed-detection cameras have been installed, drivers are not getting caught as much—in other words, aware they are being observed (and likely to face certain punishment based on the digital record of their conduct), the drivers are complying with the law. What is possibly wrong with that outcome of the use of technology? Is not the government acting no differently, as the owner and operator of the street system, as the convenience store management team?

Imagine, instead of collecting data from an installed GPS underneath Jones’ car, the government turned to a private company that operates orbiting satellites that keep “eyes on the ground”. From the time-lapse video images, specific movement data on a vehicle can be extracted, once a starting date and location of that vehicle are established. Same results: a pattern of conduct, repeated visits to a known “hot spot” providing probable cause. In those circumstances, did Jones have any type of right—much less a constitutional right—to escape prosecution?

The simple reality is that the right of privacy, such as it may exist in the US Constitution (or be expressed in Article 8 of the European Convention of Human Rights, will be an ineffective shield to the use of collected monitoring data by government to enforce the law. Privacy, as a notion of the discretion with which we live our lives, does not entitle us to be immune from prosecution merely because we did not consent to the collection or use of digital evidence of the record of our misconduct.

Instead, where we must focus—and this will be a titantic, enduring, global struggle that will endure beyond my lifetime–is on building a legal rule of law that aligns to the digital age. That rule of law must include global, functional means, including enforcement resources, to define the uses—and impermissible uses—that may be made with collected data. We see uncomfortable innovations every day—family medical histories used to deny insurance; open source analysis of web-based data to verify employment suitability; “evidence-based” medical care—but our legal community is not responding to the real issues.

Data exists, will exist, will increase, and be more comprehensive in its monitoring of our lives. More and more “secondary” uses of data will emerge, many of which have valuable social returns (such as law enforcement), some of which will have harmful impacts (such as online corporate espionage). What is critical is that we re-frame the dialogue from reliance upon national or regional legal principles (which are, themselves, fairly attenuated) and develop coherent mechanisms, embedded in the Net, which express the limits of our comfort on what represents both acceptable and impermissible uses.

In its essence, the solution is found in the basics of contract—forming a contract through offer and acceptance, and making payment to the proper “owner” for the secondary uses which occur. But the application of those basics will be an immense effort—European privacy law has the essential concept already—the notion of informed consent by the data subject, and the opportunity to condition that consent on payment (or other consideration).

In Jones v. United States, I have no problem with the principle that a driver on a public road, as a condition to the privilege of doing so, agrees to the monitoring of their conduct, whether by satellite, speed-detection cameras, motorcycle cops waiting behind a billboard, or the good Samaritan who observes a “hit-and-run” and captures the license with their cell phone camera. None of us believes our legal right to use the public roadways is expressed as “I can do what I want as long as I am not seen violating the law.” Indeed, it is the essential moral principle that citizens voluntarily adhere to the law that keeps society civil. We see in daily life the opposite occurring, particularly when government’s monitoring resources are more limited.

Whether scarce public funds should be invested in GPS devices—or the law should prevent the “trespass” of a vehicle to attach a GPS device—are properly addressed legislatively. But the real shame that is that today’s law students are continuing to be prepared to enter the legal profession without a committed resolve among the academic community to prepare their students to help shape a digital rule of law.

Courses that teach the rules for managing digital information as evidence are electives or seminars, if they are even offered; courses that expose law students to the basics of electronic commerce, and the functionality of the technologies in commerce, have similar status. Only a handful of law schools offer courses on the law of information security (notably the curriculum at Indiana University)—that is, the legal and technology rules by which digital theft, trespass, and mischief can be controlled.

Law is still taught by jurisdiction, without a realistic recognition that the Net, and our systems, are global, as are the bad actors. Those being educated as the next generation entrusted to preserve and advance the rule of law must be offered a foundation that enables them to be zealous advocates in the world that exists. Even the law students understand the problem—I was amazed a few weeks ago attending a New York City Bar event to find law students seeking out supplemental training on electronic discovery, beyond the exhausting workload they already carry in law school, because they felt they would need the training to be effective in their careers. To my knowledge, not a single bar examination that determines the fitness of a law graduate to practice law routinely examines their mastery of the basic building blocks of electronic commerce, digital rights, or privacy.

In this context, then, how would I suggest the Supreme Court rule in Jones v. United States? I do not believe they need to reach the issue of privacy. Under the rules of engagement, i.e., the warrant, the time had expired during which the collection activity had been sanctioned. In effect, the warrant was the contract between the judiciary and the police that defined the boundaries of acceptable data collection. How the case fits with precedents becomes a fairly easy analysis in that light.

The Court need not evaluate this as a principle of privacy—instead, the contract had expired. So has reliance on privacy as a defense against the use of collected monitoring data. Its time to get over it, and begin teaching our law students how to build and maintain a digital rule of law. Precedents, including the Constitution, have their place, but the new law requires new rules.

In nearly every scenario, the ID would include a hardware component, on which additional identifier data could be embedded and communicated as part of each session without any user activity required. Existing userid/password methods of authentication would be abandoned.

The proposed technology solutions have drawn significant attention in terms of the potential for invading privacy (e.g., capturing additional attribute data—such as health history data—and making such data accessible to uncontrolled categories of vendors, retailers or others) or accelerating crime (such as losing a cell phone that enables an ID to be compromised). But all of this consumer-oriented dialogue fails to expose a far more troubling equation—how will each asset (system, website, application, service) score the identifying data and make a positive determination to trust the identity represented by a user? Who bears the economic loss of an incorrect business decision to trust?

From the vendor’s perspective, an online ID solution is intended to reduce the risk of misrepresentations (such as age, required under COPPA and similar rules for information collection from minors), mischief (misrepresenting your neighbor’s identity), or outright fraud (credit cards, mortgage loan applications, etc.). There is also the promise of improved business efficiency. If a vendor’s system can access and download relevant attribute data, there is less time invested by the vendor and the customer in transferring and inputting that data. If the data can be relied upon without further validation, even greater efficiency results, allowing the vendor to accelerate the overall transaction.

But reducing risks and accelerating transactions require someone to pay somebody. The credit card industry, and its evolution, offers some important lessons here. From the beginning, the merchant accepting the credit card (i.e., the identity token) was responsible for, and bore the risk of loss for, the possibility that the bearer of the card was not the person to whom the card had been issued. Moreover, the merchant also had responsibility, and risk of loss, if the card issuer had notified the merchant that the authority to accept the card had been suspended.

This dates me, but I still distinctly remember tendering a credit card and watching the cashier manually look up the card number against a published paper booklet kept at the cash register, listing all disqualified cards. For certain transactions, additional identification was examined, and for certain dollar amounts, the telephone was employed to obtain verbal confirmation of an authorization code. Even in those circumstances when an authorization code was given, the detailed terms and conditions still placed much of the risk of loss, if not all, on the merchant. If there was fraud, the merchant had to be able to document they performed all of the required procedures—something it was almost impossible to prove in a specific transaction.

As systems evolved, and competition developed (and true credit cards, allowing payment in installments, emerged), the merchant discount (i.e., the amount automatically deducted from each retail dollar by the credit card issuer or system representing the merchant’s payment for the services) became the focal point of measuring the value of the competing interests among (a) the convenience of the card as a source of payment for the merchant, (b) the additional revenue stream available to the merchant by accepting credit cards, (c) the value of receiving payment from the card issuer within 30 days (rather than the full term of the installments), (d) the different levels of risk associated with transactions of differing value or transactions involving specific products or services, and (e) the risks of loss otherwise associated with fraud or misuse of the credit card.

As technologies, systems and evolve, the merchant discount has continued to decline, allowing the merchant to keep more of each retail dollar. The card issuers (and associations) have continued to develop technology-enabled processes for lowering the possibility of misuse, and offer different rates when payment methods include more advanced technologies for limiting the potential for fraud.

But the card issuers have also focused on the systems and processes of the merchant, which have moved far beyond the skeptical, reliable eye of a middle-aged cashier questioning the authenticity of the driver’s license tendered by a youth without hair on his chin!

The PCI security standards have established levels of security required for the systems of the merchants, to further inhibit the potential for those systems to be compromised. Compliance with those standards is mandatory, and has been a significant cost for merchants. But once those systems are validated, the risks of loss are more finely balanced than historically, with the issuers and associations required, as a competitive necessity, to minimize the risks of loss.

With any online ID that introduces a token-based component (such as two-factor or three-factor authentication), if a system, device, website, application, or merchant is to rely on the validity of the online ID, someone must bear the economic risks that the online ID is being used improperly.

First, someone must bear the risk that the issuance process (including the information submitted, validation of that information, and delivery of any hardware or hardware-embedded token) was compromised by a fraudulent application, or a diversion and capture of the token into the control of a bad actor.

Second, even if properly issued, someone must bear the risk that the online ID is being used improperly and is not a genuine, authorized use by the intended relevant user.

Third, in either case, someone must bear the potential costs of taking corrective and compensatory action—including developing and pursing criminal and civil remedies, and making a system operator or merchant whole in the event payment for any related goods or services is dishonored by the proper holder of the online ID.

With online ID, of course, evolving with solely the image of a single “merchant” becomes inadequate. With federated systems, distributed networks, and cloud-based services, there emerges an entirely different vision of how the risks of misplaced reliance on an online ID at a point of access can ripple across an entire ecosystem of dependent and reliant systems, devices, applications, and data assets. This type of cascading impact is fairly easy to imagine, and very difficult to think through in terms of assigning and managing the related risks. Perhaps the most agile metaphor in today’s credit card identity system is to imagine that, with a credit card fraud today involving a major purchase (such as a $9,000 bicycle), virtually every supplier of the raw materials, assembly process, packaging, shipment, delivery, set-up and retail sale received a chargeback and lost revenue because of the fraudulent use of the credit card.

Those advocating online identity tools are certainly applying their resources to a genuine problem. But, in their pursuit of a new and lucrative revenue stream, they must also begin to discuss what the economic models are going to look like. As with credit cards, there will be companies that will issue the online ID tools. As the individual banks issuing credit cards combined into associations, so can we anticipate federations of ID issuers to gather together, set standards, and attempt to manage the risks through contractual terms that limit or exculpate them from liability.

But without a full economic model of the risks, the costs, and the means by which those costs will be allocated and shared, online ID discussions regarding privacy are almost serving to deceive and distract us from the core economic questions. If those advocating the solutions do not embrace and advance this dialogue, then surely they are inviting the public sector to assert regulations that do so.

That outcome produces chaos, conflict, and regulatory disorder that collides with the global, systemic efficiency that can be achieved. We saw it from railroad regulation (perhaps the first cross-border physical networks involving safety risks) to privacy today. Online ID’s will thrive if the full economic and risk management model can be developed and launched concurrently. Doing so is the best strategy for minimizing regulation and improving overall trust in the digital infrastructure in which we exist today.

On Thursday, October 13, 2011, I will be speaking at the Mid-Atlantic CIO Forum on the topic "Governing the Cloud: Sustaining Trust and Improving the Velocity of Business.”  This represents my first public presentation on how to connect using the tools of good information governance to the economic demands to show that doing so improves profitability, shareholder value, and competitiveness.

I am looking forward to unfolding these ideas with such a terrific by-invitation-only audience and the possibility for a dynamic exchange with the audience. What few people realize is that information governance has no value, unless it creates economic wealth.  The principles I will be sharing are proven to be working for those companies that have engaged me to coach and train them, but this is the first time I have assembled them to present to an audience.

If you are interested in attending, or wish information on the Mid-Atlantic CIO Forum, please visit here. 

On September 4, 2011, an article with nearly the same title as this blog was published in the New York Times. Jeffrey Pfeffer and Robert Sutton, both leaders in evidence-based management (or EBM), present a lucid and efficient case for how EBM can improve medical care and business management. But the title intrigued me: What can EBM theory and experience teach us, if anything, regarding how we present, and rely upon, digital information as evidence of the truth? How do we trust digital evidence, and not our instincts, in the courtroom? How do we enable judges, juries, regulators, investigators (and even trading partners in business) to do so?

To those trained in law, EBM is not too hard to grasp. Lawyers learn to evaluate the facts of a case and, in giving legal guidance on how to structure a commercial transaction, making a case for civil liability, or advocating the legal innocence of a criminal defendant, research published case decisions that are comparable on their facts. They seek cases that align best to their facts, try to find as many points of alignment as possible (and minimize where they do not align) and then offer a compelling analysis to support the outcome desired by the lawyer (and their client!).

In a given clinical situation, a doctor is encouraged to not merely rely on their clinical instincts but to define the diagnostic challenge in terms that allow the doctor to conduct research and identify scientific research, studies, and analysis that can be evidence of the most likely treatment plan. The doctor evaluates the published research in terms of the congruity to a patient’s condition, research design and execution, etc. and integrates that analysis into treatment decisions.

In social and behavioral sciences, evidence-based programs (EBP) are those treatment plans or programs that have been objectively measured in objective studies to align outcomes with the design. The studies themselves should be peer-reviewed to assure their integrity as measures of effectiveness and reliability. In effect, the evidence-based programs are supported by scientific evidence that the programs work at achieving the intended result. Funding decisions, program resources, and treatment plans are weighted to favor EBP. Increasingly, treatment programs that lack evidence-based support struggle to recruit advocates and sponsorship, even if experienced clinicians and counselors instinctively believe those programs will make a difference.

So, in the first instance, EBM and EBP seem almost quaint in suggesting that precedents, expressed in the published research (for EBM) or validation studies (for EBP), help reinforce the decision process. That concept is one of the first lessons in law school and a foundational concept in legal reasoning. It is almost unsettling to consider that medicine, social services and behavioral sciences are only now getting to the point that diagnosis and treatment strategies might rely on more than the instincts and good sense of the person asked to make a decision on the right course. Law is so much further along . . . or is it?

In our digital world today, over 97% of all business information is created by and with computers. The machines function with astounding efficiency, applying complex algorithms faster than eyes blink, using astounding computational functionality to assure the accuracy, integrity, consistency, security, and reliability of the information inputted, as well as the processed products—nearly 295 exabytes of information globally stored by 2007, as reported by the BBC (enough to fill 1.2 billion average computer hard drives!). To even exist, electronically stored information (ESI) is the product of systemic efficiency, multiple automated controls, and structured tracking, reporting, and management. Metadata, the data about data that computers and applications automatically create to manage the files, records, and histories of their own operation, has become the documentation of the computer as witness—objective, intensive, accurate, and usually immune to human intervention or alteration without special tools, access, and skill.

But, and this is a critical “but”, when we turn to the rules of evidence which govern American courts, as well as those in most other nation states with judicial systems, the admissibility of digital information as evidence is left entirely to the unrestrained, and immeasurable, discretion of the human judge who presides. Evidence in any form—oral testimony, paper documents, tangible objects, or digital records—is considered as evidence only if the judge determines, subjectively, that the evidence is what it purports to be (authenticity). Once admitted, however, whether the evidence is to be believed, credible, or persuasive (collectively the probative value of the evidence) is left entirely to the subjective instincts of the judge or the jury. Indeed, many jurisdictions expressly prohibit a judge from instructing the jury on the weight to be given to evidence or particular testimony. In a case tried without a jury, the judge may make his or her own determinations of weight.

So, in a digital world, with astounding documentation available on the origin, history, and calculation of virtually any character or pixel in any ESI, a world in which other professions are relying on evidence-based analytical methods to improve their diagnoses, treatment strategies, and programs, we have the extreme irony that the most evidence-based process in our social infrastructure—the finding of truth in the courtroom—relies, in fact, on the unmeasured, human instincts of the judge or jury!

When evidence is presented to the judge for a determination whether the evidence is to be admitted, the party offering the evidence must lay the foundation. Oral testimony (or, in rare cases, sworn written affidavits) must be offered from suitable witnesses to establish the authenticity of the evidence. For ESI, the oral testimony may itself be supported by computer records (such as system operating logs, access activity logs, file revision histories, etc.) to substantiate the authenticity of the primary evidence.

Yet, to this day, no one has published an objective, authoritative set of criteria—perhaps based on best practices in information management, information security, and digital storage and recovery services—with which to enable the judges to make evidence-based decisions as to authenticity. Even further, no such resource exists to enable the juries to evaluate the probative value of digital information as evidence. Instead, if the weight of ESI is vulnerable to challenge, the more likely scenario is for both sides to assemble, rehearse, and present multiple computer geeks to provide—you guessed it—oral testimony to undermine or reinforce the weight to be given to the digital material. The message to the jury is “Sure, the judge let you see this drivel, but we don’t know what she was thinking. This stuff is worth less as evidence than the paper on which it is printed.” It is no wonder juries fall asleep during these dances on the pin by the computer angels.

Our legal system of justice has an institutional bias toward the role of oral, human testimony. Indeed, at the starting point of determining whether to admit digital records to prove the truth, the records are considered as “hearsay” and not admissible unless exceptions specified in the Federal Rules of Evidence are satisfied. To this day, one of the most challenging chapters in law school is learning how to navigate the 23 express exceptions under which written or computer records can be admitted as hearsay, even if a human witness is available to testify.

It is somewhat remarkable that the Rules of Evidence have not been amended to expressly carve a more suitable basis on which digital business records can be admitted into evidence. Even under the existing rules, counsel will fail to understand how to demonstrate the authenticity of digital records. In one landmark case, in which both parties submitted printed copies of electronic mail to support their motions, the court rejected both sides on the basis they never established the authenticity of the electronic mail. In another, American Express failed to obtain a judgment against a non-appearing bankrupt consumer because the court ruled American Express had not shown the reliability of their systems from which the consumer’s statements had been printed.

The Federal Rules express one further exception allowing the admission of hearsay that is worth mentioning. Formally titled the “Residual Exception” of Rule 807, this exception enables the judge to admit specific records despite their hearsay character and despite the fact 23 other exceptions do not apply. Under this rule, even if there is no other basis for admitting “hearsay”, a court may determine to admit a record if four conditions are met:

(a) the statement (i.e, the record) has “equivalent circumstantial guarantees of trustworthiness”;

(b) the statement is offered as evidence of a “material fact”;

(c) the statement is “more probative on the point for which it is offered than any other evidence which the proponent can procure through reasonable efforts”; and

(d) the general purposes of the rules of evidence and the interests of justice will best be served by admitting the statement into evidence.

Rule 807 illustrates how, when it comes to evidence and the evaluation of digital records as evidence, our system perpetuates a decision process that is the antithesis of evidence-based anything. Under five different criteria (“equivalent guarantees”, “material”, “more probative . . . than any other evidence”, “reasonable efforts”, “best be served”), the application of which is entirely incapable of objective review (such as an appellate court may provide on other evidential matters), a court can bar digital information from its chambers.

So, is there a means for us to institute into our legal system a means to “trust the evidence, not our instincts”? Can we develop a methodology by which judges asked to serve the interests of justice can rely upon objective, researched, documented criteria by which to measure the authenticity of digital information? Can judges and juries be provided a template—a scorecard perhaps—by which to objectively measure the weight of digital information? Can counsel, judges, and juries be equipped with the evidence-based means of determining when a computer record is more probative (even conclusive) than oral testimony (e.g., a computerized traffic camera vs. a driver’s denial he was “on that road at 2:00 am”) or when a computer record is to be entirely viewed as fraudulent (such as the false trading reports generated by Bernie Madoff’s software programs)?

Imagine, as an alternative, that before counsel even considered offering digital information as evidence, the lawyer first completed an inquiry into the provenance and pedigree of a digital record by evaluating:

In each case, detailed checklists would exist, to be completed by the systems themselves, and capable of being audited by independent experts if required. The elements on each checklist are evidence-based—that is, each functional feature or characteristic is included because it is scientifically supported by objective evidence to be a valued characteristic for digital information to be trustworthy as evidence of the truth. The performance reported for each element would be objective—measured against known metrics and computationally scored, independent of human subjectivity or discretion.

On these checklists, features can be weighted or optional, based on the quality and nature of the data or report. But the presence or absence of any of the listed features is always disclosed. These checklists report compliance, as well as deviations, from the criteria. But the checklists enable the lawyer, even before appearing in the court, to know whether the digital ESI, as evidence, is worth the paper on which it is printed.

Together with the ESI, such reports are submitted to the court. Now, at this point, the courts can eliminate reliance on their “instincts” and can make far more objective determinations of authenticity. And, in the event competing versions of the same evidence exist (such as two versions of the same electronic mail, with one conspicuously missing the metaphors comparing an employee’s size to a farm animal), these reports also enable the weight of the competing versions to be objectively evaluated by judge, and jury.

Unrealistic and fanciful? Not at all. What is unrealistic is that our justice system perpetuates making decisions on the authenticity and integrity of electronic information on “instinct” rather than the available objective evidence. What is fanciful is that the electronic discovery collar that currently enslaves judicial efficiency has absolutely no criteria whatsoever with which to disqualify ESI from serious consideration because the systems, devices, and records associated cannot demonstrate in the first instance they meet an evidence-based threshold of reliability as potential evidence.

Every day, as data moves with more and more volume and greater computational efficiency, millions of transactions, communications, wealth transfers, knowledge transfers, reports, and records are objectively measured against published, visible, electronically expressed criteria to determine their continued transit through additional processes, applications, devices, systems, and networks. A single deviating byte and an entire record may be suspended, re-processed, or rejected. Indeed, the entire function of the Internet demands protocol compliance as a condition to transfer.

That type of brutally efficient, objective, and ruthless calculation is what computers do to protect themselves from false identities, fictitious data, improperly modified reports, and other products of malicious intent or negligent competency. Yet time and again we continue to invest billions of dollars annually (software, hardware, professional services, lost production time, etc.) in preserving, processing, filtering, and reviewing digital information as evidence without ever asking the basic questions: does this ESI meet any objective, measurable standard of integrity?

If we fail to come to the cause of justice by developing evidence-based means to trust digital information as evidence, and relieve judges and juries from the burdens of subjective decisions based on “instinct”, I am concerned for the future of justice in a digital age.

Companies that do not invest in executing for their ESI, as evidence, the same quality controls for integrity and reliability that their machines demand in daily processing should be handicapped in being able to rely on such records, or to have their deficiencies exposed more efficiently than through conflicting oral testimonies of dancing geeks on the witness stand.

Counsel that do not develop the skills to be able to ask whether digital evidence measures up are not serving their client’s interests, whether evaluating the evidence tendered by an adversary or the evidence available from their own client.

Insurance companies, as underwriters, should not fund the defense of companies that fail to install and operate systems for assuring the integrity and availability of their ESI. (Even today, carriers are imposing information security standards, demanding performance reporting, and conducting audits in issuing business interruption and other coverages. The same principle as a good driver discount should apply as an incentive for improved records management.)

Judges and juries should not be imposed upon to judge the merits of the case without assurances that any digital records offered as evidence meet certain objective “evidence-based” criteria for trustworthiness. The weight to be given to those records can be objectively expressed, and not left to the judge or jury to establish by human emotion the “equivalent circumstantial guarantees of trustworthiness”.

It is time to move forward and install evidence-based management in the administration of legal justice. We are soon approaching a day when the computer record will transcend the reliability and integrity of oral testimony of any person on nearly any matter of legal consequence except, perhaps, acts of physical violence that occur outside of the recording capability of any cameras, video devices or microphones. But only certain computer records will deserve to have that credibility and weight—now is the time to begin to figure out the differences among them.

* * * *

The role of automated evidence-based means to evaluate evidence is just one of 10 trends I examine in my keynote presentation on “Digital Justice in the Year 2058”. If you would like to hear the other trends, and explore how technology is transforming who will win—and lose—in how law and justice will be administered, pick up the phone and give me a call to discuss scheduling a presentation to your conference, your management team, your partners, or just a coaching session with yourself.

****

The economic pain and adverse outcomes that companies have endured as a result of their historical underfunding of information management have sent the message –we have to improve how we find and manage digital information as evidence.

But, despite the message ( and the fact that fewer messengers are being killed for having delivered the message!), companies (and their lawyers) are still struggling to implement functional, defensible programs.

After all, if they were all getting e-discovery right, its unlikely Gartner would have projected the global marketplace for e-discovery software to grow—47% from 2009 to 2011! And, Gartner acknowledges, that projection largely takes into account only the U.S. market. What does Gartner project as the overall spend for this year? $ 1.49 billion.

Of course, Gartner is only looking at one of the many checks to be written to install improved e-discovery capabilities. External costs include legal, consulting, hardware, training, software support, etc. Internal costs include many of the same, as well as operating costs associated with the facilities, personnel, utilities, and management. To my knowledge, no one has estimated the overall spending that is being allocated to the overall investment required for e-discovery processes to be improved.

But, in my mind, spending on e-discovery software (as well as the other costs) is a patch—a remedy for poor records and information management infrastructure that enables organizations to find and validate information required for any legitimate purpose (including as evidence) with appropriate speed, quality and accuracy. So, why are companies spending so much? Why are the number of cases being reported by e-discovery analysts continuing to increase in volume, nearing two published decisions per week in 2011?

E-Discovery as Organizational Change

To answer those questions requires looking at electronic discovery differently—lets think of the innovations demanded by improving electronic discovery as organizational change. When we view e-discovery in that manner, what becomes a critical truth to navigate is that– across industries, technologies, geographies, and processes—organizational change usually fails!

According to consistent research during the last decade, here are some sobering statistics:

• Up to 85% of organizational change initiatives fail.
• Up to 70% of these failures are due to flawed execution.
• The failure rate of change initiatives dependent upon people (reengineering, TCM, cultural change) is 80-90%.
• Less than 10% of what is taught to staff in the classroom is transferred to the job.

In fact, e-discovery process improvement demands change on many levels. To name a few: 

• movement from indexed, boxes of stored paper records to massive digital archives and tapes;
• movement from stable content on a printed page to dynamic content, such as web page content, databases, etc. that demand constant management to assure required preservation occurs;
• movement from controlled records stored within an enterprise to outsourced and/or cloud-based storage involving multiple locations, often shifting without the prior control of the record owner;
• migration from wired, networks and systems of controlled devices to wireless, remote, mobile devices;
• acceleration of discovery from a deferred exercise (after all legal motions and counter-motions on legal grounds are exhausted) to an exercise requiring immediate and comprehensive action at the outset of a case (or even before, if litigation is “reasonably foreseeable”);
• reconfiguration of the teams required to recover and manage potential evidence from largely internal resources (records managers and key witnesses) to significant engagement of contracted assets: software, hosting services, outside law firms, e-discovery consultants, forensic analysts, etc.
• migration from largely manual management (Bates numbering, indexing, physical review) to automated management (electronic UPC codes, digital processing, automated reviews with search terms, review of electronic files, etc.)
• introduction of automated logic, predictive coding, management of false positives, etc. to replace attorney review and judgment on relevancy and responsiveness.

That list is pretty compelling—and a good insight into how much e-discovery process improvement demands as organizational change. But what can we learn from the world of organizational change management to help improve the investment returns and probabilities of success within companies? What can consultants, law firms, software vendors, and data custodians do to improve their own credibility with corporate customers?

Improving Organizational Change with Maps

The opening statistics hint at where the e-discovery process can be dramatically improved. But we are continuing to also learn how RitterMaps are more powerful than we first realized at enabling improved outcomes for organizations.

Flawed execution is a reflection of poor planning, poor discipline in execution, and the absence of meaningful metrics against which to incrementally measure progress. But flawed execution is also a function of individuals not being trained well-enough in the overall program’s objectives, and the risks of failing to succeed, to be motivated to perform as expected.

RitterMaps enable more effective training, but they also extend beyond the actual courses, empowering you to retain in front of you a picture of the path forward. Used as a platform against which to customize your program, RitterMaps put everyone on the same page.

A structured change management methodology is critical to implementing significant changes. Studies report that, aside from effective sponsorship, a structured process with tools is the number two contributor to success.[1]

RitterMaps serve as valuable visual tools with which to structure and design the path forward in e-discovery process improvement. The range of depth on different RitterMaps is intentionally designed to enable high-level managers to engage with the process, while detailed structures become functional checklists. The maps are tools—use them beyond the classroom and you begin to leverage your investment in Academy enrollment to an entirely new level.

An effective communications plan, as well as a plan for continually reinforcing to your team members throughout the organization the value of the new processes, are vital. It is stunning that companies invest heavily in educating staff, only to see 90% of the knowledge delivered in the classroom is not transferred to the job, much less transferred from the persons attending the class to their colleagues, supervisors, and others.

RitterMaps are powerful tools for enabling improved communications. Designed to be more than “a picture which says 1,000 words”, our RitterMaps enable you to share with your team members what has been learned—literally putting everyone on the same page!

Our RitterMaps are also there to enable you to do your job better, putting the knowledge acquired in taking a course or lesson at your fingertips. In instructional design theory, these are called “sidekicks”—tools that transfer the knowledge into allowing the learner to do their job.

So, perhaps we are onto something important. E-discovery confronts companies with immense organizational change challenges, with high risks of failure inherent to the process. RitterMaps are much more valuable than colorful artifacts of learning—they can become tools that enable collaboration, improve project execution, facilitate structured processes and empower better communication and better application of knowledge in how people do their jobs!

[1] See this article on change management planning and the related checklist.