eDiscovery Leaders Live: Florinda Baldridge of NRF

Each week on eDiscovery Leaders Live, I chat with a leader in eDiscovery or related areas. Our guest on April 23 was Florinda Baldridge, US Director of Global eDiscovery and Litigation Technology at Norton Rose Fulbright.

My discussion with Florinda was all about data breaches, an area she has taken a keen interest in. Florinda discussed the race against time from breach to notification – the challenges that come with trying to get it right and the penalties that can flow from failing. She talked about the need to keep pace with a growing data landscape and the efforts to use traditional eDiscovery tools and technologies in response to data breaches. Florinda offered her cyber breach wish list, then returned to a further discussion about key data breach stakeholders. Finally, Florinda discussed what her firm, Norton Rose Fulbright, has been doing in the cyber breach arena and opportunities for growth in a changing industry.

Recorded live on April 23, 2021 | Transcription below

Note: This content has been edited and condensed for clarity.

George Socha:

Welcome to eDiscovery Leaders Live, hosted by ACEDS and sponsored by Reveal. I am George Socha, Senior Vice President of Brand Awareness at Reveal. Each Friday morning at 11 a.m. Eastern, I host an episode of eDiscovery Leaders Live, where I get the chance to chat with luminaries in eDiscovery and related areas. Past episodes are available on the Reveal website; go to revealdata.com, select “Resources'', and then select “eDiscovery Leaders Live”.

My guest this week is Florinda Baldridge. Florinda is the US Director of Global eDiscovery and Litigation Technology at Norton Rose Fulbright. She leads a team of over 30 lawyers and technologists who provide eDiscovery solutions to the firm's large dispute practice. Florinda has been working in the eDiscovery space for over 20 years…. I think it's longer than that Florinda. She’s joined us today to discuss her thoughts and experience in an area that's affecting businesses throughout the globe.

Today, it's cyber security day here, so cyber security breaches, data breaches, and the state of eDiscovery challenges and cyber incident response matters. Florinda, welcome, glad to have you with us.

Florinda Baldridge:

Hi, glad to be here, George. I was trying to balance not disclosing my age, but still showing some sort of gravitas in the space. So, I think you exposed me.

George Socha:

No, you are a child prodigy, you started in eDiscovery matters at the ripe age of 3.

Florinda Baldridge:

Exactly right. So, it's great to be with you George. As I was preparing for this and as we think about being disconnected from our peers and colleagues that we have known throughout the years, I was thinking about, remembering, being in St. Paul in your office back in 2005, 2006, as we were working through the EDRM. The thing that I remember, while that was a momentous time, the thing I remember most is that I couldn't get a cab in downtown St. Paul just walking onto the street. So I got pretty smart by the second trip and made those arrangements while everybody was milling around on the corner.

George Socha:

And in St. Paul, getting a cab may still be a challenge today, but at least now there's Uber and the like. And you were one of that merry band if you will, at the very first EDRM planning meeting.

Florinda Baldridge:

Yep, that was a really exciting time when you look back… what is that? 15 years later?

George Socha:

Yeah, that was May of 2005.

Florinda Baldridge:

Yeah, and a lot of smart people that are still around today came out of that space. And the topic that I want to address today sort of ties back to where we were in eDiscovery at that time. Some may think that I'm off on that assessment, but I’d like to use this time to kind of talk about why.

George Socha:

Go ahead, let's dive into that and I’ll let you know whether I think you're off on that assessment.

Starting a Dialogue on Cybersecurity Attacks

Florinda Baldridge:

Okay, well that's good. Please, it'll make it more interesting, just challenge away. Good morning everyone, happy Friday. I'm not a lawyer so I will not be addressing any of the cybersecurity legal issues, and I'm probably not going to tell you anything that you don't already know. 

What I wanted to do today is really just have a dialogue and put some thoughts out there to the key stakeholders that are impacted by the ever increasing cybersecurity attacks. I think you all know that these attacks have become more egregious and in nature through malware and ransomware. High value data is being targeted. The volume of the data that is taken is in the terabytes. And that process that a company or a firm must go through, from the time of the breach to that point of notifying regulators, individuals, their customers, is a very compressed timeline. Think about it in terms of expedited discovery and second requests time ten.

A Race Against Time: from Breach to Notification 

George Socha:

How compressed is very compressed? Are we talking months, weeks, days, hours?

Florinda Baldridge:

That’s a really good question, and because the regulation across states varies a bit, you have to evaluate the states implicated. But on average, you can think about 60 days from the time that you identify that there was even one data element that was breached and meets the definition of PII or PHI. There's some legislature out there, I didn't get to finish reading the article, but there's some legislation pending that's looking to shrink, even further shrink, that time from breach to notification, whether it's a notification to a regulator or to individuals.

In between that time the desire and the interest of the company to notify their customers, they've got to at least make some contact and some initial notification to their customers because many of these breaches are already getting depressed. The C- Suite is obviously and understandably really nervous about getting information quickly. So we’re dealing with terabytes of data, trying to apply the traditional eDiscovery processes and technology to something that was never intended to be. That is the subject of the discussion today.

George Socha:

A question on that. The company learns there's been a breach. It's got let's say 60 days to either start or finish notifying people. Either way, if it doesn't hit that deadline, what sort of penalties or problems does it face?

Florinda Baldridge:

Okay, now you're asking me a question that is better suited to update the David Kesslers of the world, right?

George Socha:

Yeah, but we don't have David here, so is it a question of fines or a question of reputational damage?

Florinda Baldridge:

I'm sure that there are some kind of regulatory penalties. Again, that is not my space so I'm not speaking with assurance, but there are certain business implications, and the PR implications, and some even consider that with almost every breach of that scope, there's probably a litigation right behind it. So the issue is not only the timeliness and the risk of any missed deadlines, and then the business implications to the corporation. But then there's the litigation that may follow about the company's practices around data retention, data security, and then litigation that might implicate the process of the breach notification. At every point you're dealing with not only a compressed timeline, a lot of the unknowns, the threat actor is still publishing, in the ransomware concept they're publishing things to the dark web, and that's the threat for the ransom.

So there's all these issues going on around us and we're trying to get the data. The really interesting thing, and we found this in one of the matters with one of the providers, is the data comes from the dark web and the providers don't want to put it on their network. And some still don't have the lab space to scrub it if it isn't done by one of the forensic vendors, the CrowdStrikes and Mandiants of the world. In one instance, a recent one, there’s the equivalent of a novel virus in this space, where even the the experts around forensics have not yet even developed the necessary, if you will, immunization or the antidote to scrub and clean the data before you send it on to review and extraction.

So that’s another challenge where the eDiscovery vendors are, and I’ll speak to each of the stakeholders in this area where I think we're all needing to adjust the way that we handle these matters that is different in the way we would handle a traditional eDiscovery matter for disputes.

Keeping Pace with a Growing Data Landscape

George Socha:

It sounds like, to put a highly technical label on things, this is a hot mess.

Florinda Baldridge:

It is indeed a hot mess, and we're kind to swatting at it. And I don't mean that in a derogatory tone. Other than to say, we're all smart people in the industry and we're all committed to doing the best for our clients. But what is still emerging, is the technology. I was thinking back you know, over the years of doing these matters. They were smaller. We could do them in our traditional eDiscovery platform. We would brute force the entity extraction to some spreadsheet. Then we’d bring that spreadsheet back together. Then we’d put it back into the database. We do these brute force deduping of the entities so we could do the notification. That works in the smaller matters just fine when you have a mailbox or a few really targeted and small data that's been breached, but when you're talking about terabytes we have we can't efficiently apply all the tools that we use for traditional eDiscovery.

I was thinking back to, remember even the EDRM days, when after a time we went back and added the information governance to the left of identification and preservation. And the issue is, and all that that involves data dispositions, specifically for this context. But it is amazing that and again, we're going to talk about the corporation, the vendors, the software developers, the staffing companies, the law firms. I want to sort of touch on all of them, but from even the corporate and the law firms I'm just talking about data disposition. I say law firm, I mean to say corporations and companies to include all that that involves, all businesses.

One matter that we were involved in, you have in one corner of the network there was 5 years of payroll records in PDFs, W2s and other things. And the process to extract all that data, to notify those folk.  And the question was, nobody knew that data was even there, and it was like “where did this come from?” That just heightens, that initiative, with all of us, all companies to really revisit the way that they are managing, handling and disposing of legacy data that has no ongoing business value because this is where it can come back to hurt you.

George Socha:

Just as poor information governance can wreak havoc on an eDiscovery plan and budget, the same thing happens in the data breach side of things? 

Florinda Baldridge:

That's exactly right, but with more risk and cost than in eDiscovery. In eDiscovery, you basically just sifted through it and threw bodies at it to review it and gee whiz, that did increase your budget and you had to produce more than you’d probably would have otherwise had to if you hadn’t retained it.

In this instance, the cost, it's not just the monetary costs but there's all the reputational damage and all the ensuing potential litigation. So, yes the impact on the data security side is even greater. So, there's that consideration. When you think about the technology and how we have, I think that the eDiscovery industry and the technology around it has really evolved. Remember in the early 2000s, there was not a lot out there and then it seems like mid-2000s the industry really developed some great tools. TAR came into the picture, predictive analytics, all of these great tools like Brainspace, NexLP and all of the other proprietary products that a lot of smart software developers and eDiscovery vendors have invested greatly in. We've all benefited from that development. What we have found is that these tools haven't exactly translated effectively to the identification of PII and PHI.

Part of this discussion in this platform today is to exhort all those smart technology and software developers in this space to reimagine eDiscovery for cyber. Will there be a time where we will have TAR for litigation for disputes and TAR for cyber matters and different kind of tools and technology? That is what I encourage our colleagues on the software side to really think about, this space seriously moving forward.

A Cyber Breach Wish List

George Socha:

I know you would like to cover the different stakeholders and let's get to that in a moment. But before we get there, I’d like to hear from you some of the things you wish this technology would do that it's not doing today.

Florinda Baldridge:

That's a really good question, because our lawyers and our teams feel the pain of that void every day. The idea that you could identify potential PII/ PHI without ever even running it through traditional processing. You have a terabyte and you have some tech that doesn't require any particular indexing, it just goes out and analyzes a dataset and says here's all the potential PII/PHI. It doesn't even have to be perfect, it is like an initial impact assessment because the clients are just waiting, they’re like on us every day, “How much is it? What is it? Who is it?” That's the first piece on the initial list of identification. 

And then there is the more targeted and the identification through the review process, rather than throwing an army, is already doing a deeper dive identification on a subset of that data that you may have decided to run through processing or not. Through that you can actually then, maybe avoiding discovery processing altogether, just take that data, identify, we call it “pot parenthesis”, pot PII, and put it into a review platform that automatically extracts what appears to be Social Security numbers, bank account numbers. Any number of those low hanging fruits and then obviously there's all sorts of other identifiers for PHI and PII. As a start, just get me started. You can get some reviewers focused on that while we continue to use maybe other tools. We’ll continue to use maybe some other kind of predictive analytics to do some further analysis and being able to continue to feed that.

I think there will always be a need for the human review, but get that whole process - identification, extraction and review - more seamless. The other piece is then once you extract those entities, not having to take it outside of the application but you're doing it within the application.

Then you do a deduping of the entities. That is, “Is this Joe P. Smith on Magnolia Street the same guy as Joe Smith on Magnolia Street?” So, dedupe the entities so individuals don't receive a hundred notifications. That deduping is a huge component, a very efficient, high tech way of deduping the entities. And many times the clients want an initial dedupe report of whatever has already been extracted. Doing these interim deduping is always a challenge, the ability to do that deduping within the application, not taking it outside, doing a SQL script, but doing it in the application - extracting it, deduping it, and being able to interim. Then it's all in the application, generate the notification report with the addresses to then send it to the experience of the world to mail out.

It sounds so simple as we talk about it, but it's a slog. That's the only way I can call it, a data slog. But it's so critical to the key stakeholders.

Key Stakeholders 

George Socha:

Let's shift to stakeholders. Why don’t you address who those key stakeholders are and some of their key concerns and then after that I want to make sure that we have time to hear about what you're doing.

Florinda Baldridge:

Great. We’ve talked about the companies, they are often the victims of these breaches. We've talked about the software vendors, talked about getting some critical thinking around these tools. The eDiscovery vendors that themselves may be either adopting tools that the software developers are using, but integrating that into their review platforms. Staffing and skill sets is a huge component of this and so retooling the teams, or leveraging teams of data scientists, data analyst specialists, project managers that are used to managing the eDiscovery litigation matters. So that whole piece, the people piece. We're back to people, process, and technology.

Then carving out from the people and the skill sets, the profiles I just mentioned, is the review. We have traditionally just thrown the typical contract reviewers at the problem. What we're finding in our matters as we're capturing daily metrics on these reviews, we're finding and we’re seeing some providers are using non-lawyers for this that have strong Excel skills, for instance. Because a lot of this PII is buried in a spreadsheet with 20 tabs chock full of PII and PHI and so you're doing this manual slog of extracting that data. That's not what the contractor reviewers that are focused on text driven analysis….

George Socha:

It’s review, but it's not quite like the review where….

Florinda Baldridge:

It’s not your grandfather's review. But there's a hybrid, because many of these reviews the client may say, “You know, I want to also do a business sensitivity review”, so we bifurcate it and we might hire the lawyers, the contract lawyers, to do the business sensitive review, looking for things that are important to the client that they want to know is out there. And then maybe the non-lawyers for the extraction review.

And then there's the training professionals, like ACEDS. Do we look at doing a certification for cyber breach, cyber incident response specialists? I know the staffing companies, TRU Staffing for instance has had some interest in this for several years and building out, identifying that talent.

We've talked about the clients, the software developers, the eDiscovery vendors, the review vendors, the training and certification vendors and the law firms. All of us have an opportunity to contribute our piece of this. We're all SMEs in one or more of these areas and this is a great opportunity to really make some advances there. I think we have 6 to 9 months to maybe a year where those that figure it out are going to get to a status of being able to capture the market.

What Norton Rose Fulbright is Doing with Cyber Breach

That is a segue to… in the past few months we interviewed about 12 to 13 vendors and we had a very deliberate process and we started with our team, the technical team, doing the initial contact, ending with our partners, we have 3 cybersecurity partners that are very engaged, and 5 or 6 associates. And we took to them, out of those 13 we reduced it to those that we would put in front of them, and basically said, okay go at it because it was there and they're very good at what they do and they're very technical.

We have found in that process, the lawyers and us uniformly agree that there were two that would be our primary.

George Socha:

And these are providers of services, right?

Florinda Baldridge:

Of eDiscovery technology and the services piece. And so I think back to that issue and we're doing the best that we can. There's custom scripting and some bespoke kind of technology that these providers have done. There's a lot of opportunity for continued development in that space.

The one thing that we did as part of that whole reassessing how we were handling those matters, was then the people part, our own team. What we have been doing, we were using our project managers and those folks that did dispute matters, were also supporting some cyber matters. We learned that those two don't…They may be working on four or five litigation matters and one breach matter comes along and consumes their entire existence. What we decided to do is we bifurcated the organization and we're having an eDiscovery dispute team and an eDiscovery cyber team.

We've been interviewing and are going to hire a team for cyber, so I'm going to shamelessly recruit on this call. Those of you that are out there that have an interest, solid eDiscovery skills, we’ll train on the cyber. That's what we’ve found that we need to do to better service these clients and to not create complete burnout. So that's our story.

Opportunities for Growth in a Changing Industry

George Socha:

Well, it's quite the story. It's an interesting extension, isn't it, from the more traditional world of eDiscovery and how we've seen it develop over the past 20 years, to what is happening with data breach and cybersecurity. Any closing thoughts or comments?

Florinda Baldridge:

Well, I think my closing and most critical thought was, those of you that are out there that are interested in a new path but leveraging your existing skills, I believe this is a really growing and thriving market. Think about re-tooling yourself to this because there’s more demand for these folks than there are supply of experienced people. We’ve found they exist mainly in the vendor world, those that are doing it well have some really good people. That is what I would say, if you have an interest to maybe pursue another aspect of eDiscovery, this is certainly one to watch.

George Socha:

Great, thank you. Well, thanks Florinda. Florinda Baldridge is the US Director of Global eDiscovery and Litigation Technology at Norton Rose Fulbright. I am George Socha, this has been eDiscovery Leaders Live, hosted by ACEDS and sponsored by Reveal. Please join us again next week Friday, 11 am Eastern. Thanks, Florinda.

Florinda Baldridge:

Thanks everyone. Bye.