eDiscovery Leaders Live: Toni Millican of Trinity Industries
Each week on eDiscovery Leaders Live, I chat with a leader in eDiscovery or related areas. Our guest on April 9 was Toni Millican, Senior Director of Information Governance & Data Protection for Trinity Industries.
Toni and I talked about the evolution of eDiscovery professionals. We discussed their movement toward the left side of the EDRM diagram, how they deal with so much more than eDiscovery, and what they do to take their eDiscovery skills to new areas. We looked at solutioning, project management, and regulatory and similar challenges. We turned to vendor relationships, growing reliance on vendors as part of the team, shared risk and due diligence, and the risk profiling that corporations do of vendors and vendors of companies. Toni gave a unequivocal response to the question of whether it is enough to have ISO 27001 certification, and from there moved to how vendors can help corporations with changes in privacy requirements. Toni talked about analytics and key performance indicators, as well as the expanding audience for the capabilities eDiscovery professionals bring to bear. We closed with Toni’s thoughts on the many directions of eDiscovery careers and the value of abiding curiosity.
Recorded live on April 9, 2021 | Transcription below
Note: This content has been edited and condensed for clarity.
Welcome to eDiscovery Leaders Live, hosted by ACEDS, and sponsored by Reveal. I am George Socha, Senior Vice President of Brand Awareness at Reveal. Each Friday morning at 11 am Eastern, I host an episode of eDiscovery Leaders Live where I get a chance to chat with luminaries in eDiscovery and related areas.
Past episodes are available on the Reveal website. Go to revealdata.com, select “Resources”, and then select “eDiscovery Leaders Live”.
Our guest this week is Toni Millican. Toni is Senior Director, Information Governance and Data Protection at Trinity Industries. Trinity Industries, which is headquartered in Dallas, Texas, is North America's premier provider of railcar products and services. Their products are an integral part of the supply chain that helps fuel our lives and our economy.
Toni joined Trinity in 2017 to build their eDiscovery program. She now leads the company's data privacy, information governance, eDiscovery, and litigation support functions and plays an integral role as well in cyber threat protection.
She is a certified eDiscovery specialist (CEDS) with over 30 years of legal industry experience both in the public and the private sectors, with a concentration in eDiscovery best practices and technologies. Toni’s got an extensive background with implementation of enterprise wide eDiscovery technology, development of litigation support procedures, and discovery management.
She brings perspective to legal operations teams, having the ability to leverage her extensive experience in the legal field and, as so many of us try to do, bridge the gap between legal and IT compliance. She's had a variety of positions in the legal industry, including discovery manager, legal assistant, legal assistant manager, practice group coordinator, litigation support specialist, and forensic analyst. And finally, Toni is currently a Director at Large for ACEDS’s North Texas Chapter.
Thank you. Thank you, George.
Glad to have you with us.
Glad to be here.
The Evolution of eDiscovery Professionals
This week I would like to start with a discussion about the evolution of eDiscovery professionals. We ran through a whole litany of positions you've held at different types of organizations so you've got a great perspective on that. What can you tell us?
What I've noticed is that there is really an opportunity, so many opportunities, in this space. What I’ve really seen since 2006 was that those disciplines that we have learned as an eDiscovery professional have really spider-webbed into so many opportunities.
Once you have that foundational knowledge from the ability to lead within project management teams in the eDiscovery space, in that vendor space where you're helping with a collaboration with in-house counsel, you have the ability to move more into information governance. I've seen a lot of professionals move into more technical roles within an IT compliance place because of the repeatable, defensible standards that we put in place. There's a niche there that we actually provide a lot of value through an enterprise.
Many over the years have asserted, me among them, that the skills that you develop on the eDiscovery side carry over quite effectively to IG, privacy, and the like. Many of those of us who assert that haven’t actually made that type of transition, but you've been in both areas. Do those skills carry over, and if so, how?
100 percent. To step back, I never thought of myself in the information governance space when I started in eDiscovery. I was truly a technologist, I just wanted to dig in there. I had a legal background, but I was really into the IT space. I enjoyed eDiscovery, I enjoyed digging, fact finding.
When you look at what we're doing in eDiscovery and the idea that we're in here, we're collecting information, and the amount of data that we're collecting - and then look back on trying to mitigate risk with moving more on the left…. There's so much data as technology has changed - the cloud environment, so much out there. When we first started, we were looking at email, really, and some files sitting on an unstructured file share. We were limited in scope. Now it's so vast and so the ability to lean more to the left - especially with the knowledge that you have around data and the importance of trying to minimize how much data you're processing and how much you're holding on to - you're interested in moving more to that left.
I think as a professional, especially if you've been in this road for a while, and you really are looking at some of the changes that you're seeing in privacy, we have an obligation now with the changes in state privacy laws that are being adopted to ensure that we're doing what we can to protect data for our employees and for our consumers. I think that there's an evolution there. Especially if you're always levelling up, it's hard not to find yourself in that space.
Much More Than eDiscovery
My peers and those around our team that have dubbed themselves as eDiscovery members of the team, they're truly not just eDiscovery. We are using the technologies of eDiscovery to assist us within lots of different resources within the company, whether it's information governance, with data minimization, identifying data for privacy matters, assisting in lowering our risk by having more insight on what we have so that we are ensuring that we can protect that data. And then obviously there’s the eDiscovery, the standard litigation and collection, preservation and processing.
Taking eDiscovery Skills to New Areas
As people take the skills from eDiscovery and bring them into other areas, is that an easy transition? Do they encounter resistance? Are there people who say look you just don't understand what we do so why are you telling us to do things this way? What happens there?
That's a mixed bag. I think you can look at it two different ways. I think it's important first to make sure that when you’re working in cross collaboration teams at an enterprise level that you are focused not just on what your goals and initiatives are related to governance, risk and compliance, but what are you doing strategically to assist the enterprise, to assist that cross collaborative member of the team. If it's IT, speaking to IT of the value that you're bringing to them by some of the standards that you're requesting that they put in place. Same with the business, the ability to be able to show them not just tell them the value that you're bringing, the insight that you're bringing, to really ensure that we meet our objectives successfully and at the same time we're doing what we can to make sure we're mitigating risk and bringing value to our employees and to our shareholders.
Bringing Solutioning, Project Management to Take on Regulatory and Related Challenges
So helping to mitigate risk is of course a major value to bring. What other values can you bring to those folks?
Solutioning. Especially with IT, the eDiscovery solutions that we have available with identifying data, locating information that they may not have insight on, maybe in your environment, your unstructured data sets, where there may be data that's residing out there that’s noncompliant, and assisting them with enforcing policy.
There's a lot of opportunity there with the tools as well as the disciplines that we have. We are really good with project management, I think the eDiscovery professional. We have starts and ends, and we go through a repeatable standard process, and we really follow that. We're really good at assisting teams with trying to walk through a process of making sure that they meet all of those goals and in an auditable method to ensure that they're doing everything with execution of that plan. Does that makes sense?
It does. Project management when it comes to a lawsuit, has some particular challenges because every day you get up and try to build something and your opponent gets up and tries to destroy what you've been attempting to build. You have your plan; they try to rip it apart.
When you take these skills, techniques and workflows and move them into IG or privacy, is there someone equivalent to that opposing counsel who's trying to tear down everything you're trying to build up or is life a little easier that way?
Well, I think regulation is trying to tear us down. That's what you're fighting, right? You're fighting regulation. Just look at the privacy laws that are being adopted within the United States. Every single state has little nuances around some of those state privacy laws that they've adopted or are looking to adopt. We started off with California taking charge in the lead with CCPA and now if you look at the map, it changes weekly on what’s already been introduced to in committee, to where it's signed now. We have signed in Virginia and California, Washington is in cross committee. It's changing rapidly but there's just little bit of differences there.
At the same time you have the cyber threat. That's what you're fighting too. You're trying to do everything you can to protect and stay ahead of the game. You really have a role in that with data minimization, to make sure you're only keeping what you have, knowing what you have, ensuring you’re profiling with your vendors because you have data now out there in the cloud. Supply chain is a huge vector for digital event. You’ve seen SolarWinds and the Microsoft issue that we've just seen, really large and very impactful to a lot of people. We really are trying to just stay ahead of the game.
The other thing is organizations are bringing on new solutions. It depends on the strategic objectives of your organization, to ensure that you have a seat at that table, so making sure you're adapting to what the objectives are and meeting their goals and at the same time doing what you can to bring value.
That takes us to another topic. Not everything happens just within the organization, you've got to deal with vendors, you’ve got to deal with law firms who don't like to think of themselves as vendors, but maybe corporations have a different view on the matter. What are your thoughts on how best to deal with all of that and the challenges around that?
Greater Reliance on Vendors as Part of the Team
I think we need to look at vendors as partners, truly an extension of your team. Look at the changes that we've seen in-house, having a reduction in force in a lot of organizations and moving more towards working with consultants and third party providers to be truly a part of that team. We as in-house teams are really looking to make sure that we're partnering with vendors that are looking forward, that are strategic, that are staying ahead of the game on making sure that they can meet the needs and the demands of the evolution of that we're seeing within the eDiscovery practice, the IG practice, digital event, privacy.
What are they doing? Are they thinking about some of the changes that we’re seeing in privacy law? How is that going to change the eDiscovery landscape? How is that going to change how we have data sitting in these hosted environments?
How are our outside counsel protecting that data? What controls that they have and place within their own environments to protect? Same with our third party suppliers and third party vendors, what are they doing to protect information? I think that it's changed quite a bit. We’re asking more.
Shared Risk and Due Diligence
It sounds like part of what you're asking in this is for them to do a better job of managing the risk they might create as they interact with you in various ways? What can you do from your end? Is there a profiling process you follow or what would you suggest to people?
I think due diligence is key. Just like we have a discovery phase in litigation, we’re mining and looking for information. I think it's extremely important. I think any information governance or eDiscovery professional, especially in eDiscovery, if you’re a program manager, ensuring that you’re vetting those third party vendors to ensure you know how they're protecting information, looking to see what controls that they have in place in their environment, what's their access controls internally with teams. Their offboarding and onboarding process might be something. That vendor risk profile is essential on the front end before you execute contracts. Ensuring that you have a seat at the table too when you're onboarding new solutions at the enterprise level is truly important. Because if we can look at the front end and look at what we might need to do to make sure that we have the proper controls in place, that is really important long term.
Risk Profiling: Vendors and Corporations
If there is someone who is hoping to become a new vendor to a corporation, and they're going to be going through a risk profiling exercise like this, how long might they expect this exercise to take?
That's a really good question. Specifically in the space of the eDiscovery sector, any professional is going to be looking to more than one vendor. We already know that. I think you're going to see that when we're looking at a vendor risk profiling, it's not just going to be an eDiscovery and a legal team that's going to be looking at that. Especially if there's new solutions, there may be Info Sec teams involved within your own enterprise that you want them at their SMEs to come in. It's a moving target, You can expect with at least a quarter to go through that process, a 30-60-90.
I think the other thing vendors need to remember, is that within a litigation they’re strategic on winning a case, but we all know - I mean, I have 30 years in this space - that's where their heads are. They're kind of getting their heads out of that and looking beyond to be strategic around what we're doing within our space, within our environment and vendors, the solutions, long term, looking at analytics and we’ll probably talk a little bit more about that. They're really out there and they're looking at that due diligence and making sure we're doing everything that we can to protect.
Is this something that's both directions, are they looking at you and making sure that your risk profile is good, as well as you looking at them, or is it more one way?
I anticipate we're going to see a shift there. I would anticipate that you'll see vendors start looking at their customers as well, vetting them just as much as we’re vetting. I think that you have an obligation to do that at this point.
Is ISO 27001 Enough?
If there's an organization hoping to start selling you services, they know that you're going to be looking at their risk profile, they come to you and say, “Don’t need to worry, we’re ISO 27001 certified”. Does that….?
That’s not enough. You have to ask questions. You need to go deeper than that. I strongly recommend building what's important to your organization, almost like a questionnaire, so you can start the discussion. It helps also that you're building that relationship, because now the vendor knows what's important to you. That's going to be their cue to say, “They're really paying attention. That might be someone we do want to partner with”.
It’s not just “We’ve got ISO”. It goes way beyond that. You really need to ask questions. Especially when you're looking at data privacy and how that's changing, people look at sensitive information differently across various organizations. Some think, “Oh it's just my social security and credit card”, or it's just you want to make sure you're preserving information about this particular employee or medical or HIPAA. It goes way beyond that. We’re looking at IP addresses now. There’s biometrics. There's so much involved in sensitive information that people don't look past the standard of what they know. You have to really look outside of the box.
How Vendors Can Help Corporations with Changes in Privacy Requirements
With the constant changes in the privacy rules, regulations, laws, with the expansion into things like biometrics and the like, what can vendors do to support corporations with all of these privacy changes?
Well again, I think looking and being strategic. Paying attention to what the evolution of the laws are. Having someone in place.
I think it's really important with these vendors, and what I've had some challenges with, is that they have customer advisory boards. Because those customers can give you the information that you need to be successful to support them. I think that's really important in this space to really move forward and be on the same level with your organization and know what they're dealing with - what is your customer dealing with on a day to day. Having insight on that so that they're improving their technology and making advances.
In the vendor space, if they're hosting information I think it's really important that they have their eye in the game and they know what their needs are.
Analytics and Key Performance Indicators
And then analytics again, I pointed that out a minute ago. There's so much that we can gain from having insight on what we're doing with getting some KPIs and dashboarding. That visualization is something I'm seeing a trend to. All teams, whether it's legal, IT, the business, everyone wants analytics. Everyone wants to say, we've got the data, what can we do with the data? What can we learn more? We can be looking at trends and be more strategic for cost optimization.
Are there any KPIs that you find especially useful?
Specifically in eDiscovery and if you're looking at litigation, I would find that's really important to make sure you're looking at case by case, how much data obviously, how many custodians you have, standard amount of custodians, the amount of data that you're collecting, how much you're processing from, what’s at the end, how much you're actually producing, what type of case it is, the jurisdiction of that case, area of law is truly important, I think.
Then you can look at that information and look at trends. Then also, what was your cost with your vendors in defending a litigation, potentially. And then you can look at a trend to say, you know what, we've seen over time this has been more costly for us or we should go down this path. It helps you make some decisions in early cases assessment.
A New and Broader Audience
We’ll shift gears a little bit here. Are there trends you see from corporate leadership when it comes to eDiscovery?
Trends in just adopting eDiscovery, beyond eDiscovery. When I was on-boarded at my current position, I was bringing in a program to help us with having repeatable defensible processes in place, ensuring we're bringing in some true technology to help with that, and finding that that technology could go beyond just helping the legal team. We are able to use the skill set, and legal teams are now aware of that, they're able to see what we can do and how we can bring value with those tools across the organization.
As I mentioned with data minimization, we're out there are already collecting and finding data. Why are we not going beyond just a particular case? Why are we not looking beyond and actually taking those tools to reach out and learn more about your environment and then have the ability to leverage that for productivity, for operational efficiency, for compliance controls, for enforcement. I really do see a change in the audience; it's not just the litigators who are interested to know what the eDiscovery team is doing.
The Many Different Directions of eDiscovery Careers
You've touched on this point a few times, but I'd like to come back to it. The many different directions you've seen people take their eDiscovery careers or eDiscovery people rather, take their careers, since you got involved in all of this. We haven’t just been on a straight-and-narrow, we've done a lot of different things.
Right. So the question is specifically, like what have I seen, what other people have done within their career paths?
Yeah, or put it another way, what sort of opportunities are there for people?
It's so vast. I mean if you really think about it, look at Legalweek and where that's gone when we go to New York. Hopefully we’ll be going again very soon. I miss seeing my peers. There’s so much in those relationships that we're building. We learn so much from each other.
I never thought, when I started off working in a law firm and I had this itch for technology and I was interested and I started building relationships within that technology space, and it gave me opportunity to level up into litigation support, which was an easy transition from being a paralegal, I thought. And then I was interested in finding more about well, what are these IT guys doing when I asked them to go do something? So then I wanted to know about IT, I wanted to do it.
The opportunity is there, if you engage yourself. You can actually make those things happen for you, especially if you're working with your community, your ACEDS community, there's so many different people within the ACEDS space that we all have different backgrounds and can offer opportunities if you're taking the time to build those relationships with your peers. They give you ideas that can really bring value to your career and level you up.
An Abiding Curiosity
Listening to what you're saying, for you one of the abiding things has been a persistent curiosity: what's happening, what's making this function work, where can I take this from here, what are people doing?
I think a lot of us in this profession are like that. I haven't met a lot of people in the eDiscovery space who aren't seeking more knowledge, that aren't looking to do something different. There may be those professionals out there where they that they prefer to be in an environment where they're hosting and they're ingesting information and bringing value to their customer and we need that.
There are those who are out there who are looking to learn more and grow. I think that the eDiscovery space, there's so much opportunity there, especially if there are people that are in legal and litigation support role and are looking to do more because they enjoy technology and getting into that eDiscovery space. As a paralegal, I remember working in that space and if you're someone who wants to do more outside of reviewing depositions and doing depositions summaries, again, you learn so much.
I think we're professional research. When I was growing up, things never came very easy. I worked really hard and I think that those disciplines of working hard in my career, I always told myself, I may not know the answer right when you come to me, but I know how to find it because I'm willing to go out there and do the work and research. It’s all at my fingertips. It's either going out, and I know this person is going to be able to give me some information I might need. As long as you have that mindset that you don't have to know everything, you know you're not responsible for, like the book is just sitting in here (motions to head), I have a file cabinet and I'm going to look for that resource, Knowing that you don't have to have all the answers right away, I just think that's part of this background.
You might not have all the answers right away, but you've had a lot of answers for us today.
Toni, thank very much. Toni Millican is Senior Director of Information Governance and Data Privacy at Trinity Industries. I am George Socha, this has been eDiscovery Leaders Live, hosted by ACEDS and sponsored by Reveal. Thank you all for joining us today, please join us again next Friday, April 16th, when we will be joined by Julia Hasenzahl, who is co-founder of ProSearch. Toni, thanks again.
Thank you so much, I really enjoyed it.