Gartner Research’s Magic Quadrants are well known for categorizing innovations and defining the prevailing characteristics of tools and services in a specific marketplace. This year’s E-Discovery Software Magic Quadrant has identified the trends in the space, including predictions on the market size of e-discovery software as well as an assessment of how the key players in the industry are performing.
Those in the market for a new tool can use the report to quickly determine what vendors do best, and find the right fit for their practice. Twenty of the most popular e-discovery software suites were ranked for their ability to execute and for the completeness of their vision, dividing the group into four categories: challengers, leaders, visionaries and niche players of the e-discovery space.
Leaders: kCura Corp., FTI Consulting Inc.’s FTI Technology, Recommind Inc., ZyLAB, HP, Nuix Pty Ltd. and Exterro Inc.
Challengers: Epiq Systems Inc., Kroll Ontrack Inc., AccessData Group Inc. and Symantec Corp.
Visionaries: Guidance Software, IBM Corp., Catalyst Repository Systems and Microsoft Corp.
Niche Players: CommVault Systems Inc., Driven Inc., Ubic Inc., Xerox Corp. and LexisNexis
While 2014’s rankings were considered stagnant for including the same 20 names from 2013 (with only minor movement between categories), this year’s rankings showed the addition of several names as well as the exit of others, including KPMG, Stroz Friedberg and Integreon.
In addition to rating the 20 top performers within those quadrants, the research analyzed the strengths and weaknesses of the group, providing a baseball card-like quick hit of what they do best and how. Legaltech News will dive deeper into that analysis with profiles and conversations with those vendors in the coming weeks.
Beyond identifying and categorizing leaders in the industry, Gartner’s research also took a holistic look at the industry. According to the research, the growth of the e-discovery marketplace continued unabated in 2014. Gartner estimated that total revenue for the enterprise e-discovery market was approximately $1.8 billion last year, with a compound annual growth rate of 12 percent.
The growth is attributed to several trends, including a diversifying array of data streams that must be controlled within the context of discovery, as well as a continued desire to move e-discovery to more flexible, less expensive options.
One factor driving the evaluation and implementation of new e-discovery software is migration to Microsoft’s Office 365. According to the report, “Organizations are in the process of migrating email and documents into Office 365 and need to take a step back on what that means to their established e-discovery process and technology application.”
Another interesting trend identified in the research was the increasing proclivity of vendors to provide SaaS models of delivery. While the report warned that many of these are actually misidentified hosted solutions (which connect to a virtual environment via software installed locally rather than being accessible via the Web as true SaaS platforms), it suggested that the method makes sense for those who have a variety of cloud-based information streams to consider in their discovery efforts.
According to the report, “This is a new area for e-discovery practitioners. The legal guidance and requirements on how to treat cloud data (social, website, Web email and Internet-of-things content) within the e-discovery context is lacking. At the moment, organizations are dealing with the cloud data on an ad hoc basis.”
Last night was David Letterman’s farewell to late-night TV. For over 30 years, he has entertained us with his interviews and antics, showing that the mundane can be funny and made unfamiliar. The guy was a class act, and he will be missed.
As a tribute to Dave, we’ve created a Top 10 list focused on the basic structure of a compliance program—tone at the top, policies, risk assessments, training, communication, monitoring and response. Do your best to imagine Rupert Jee of Hello Deli reading aloud: “Top 10 Signs Your Compliance Program Is In Trouble”
10. The company is using a straw poll to monitor the compliance program.
Monitoring a compliance program is a key ingredient to its success. Unless they know the compliance initiatives are working, compliance professionals cannot gauge whether the program is effective and make potential adjustments. Options for monitoring range from using technology tools to evaluate controls to using compliance resources to test how well the program is working.
9. The CCO’s license plate reads “LAWRUP.”
When a compliance professional identifies a compliance failure, the program must respond accordingly. If the failure implicates criminal consequences or a large fine, outside counsel may be appropriate. The compliance team, which has a greater understanding of the business and comes without the increased cost, may handle less-complex issues. There is no one-size-fits-all solution.
8. Company policies are an oral tradition that is categorized only as “Before and after the war.”
If you don’t tell employees what a good job looks like, you cannot expect them to perform. The best policies are clear, concise and contain usable teaching aids. Try using universal imagery. Think of icons that speak to your organization and the risks faced. Give employees the tools they need to succeed and make following the policies simple.
7. The CEO’s favorite episode of “Mad Men” is the one in which Joan secures the Jaguar account to become a partner.
Leadership is the best advocate for compliance. When the CEO speaks, people listen. Smart compliance professionals use business leaders to advocate for their program. Teach the CEO what to focus on—create messages and tools to incorporate compliance into presentations and meetings. When the CEO and CCO work together, they can impact the culture of compliance.
6. The company’s online training consists primarily of YouTube excerpts from “The Wire,” with the CCO talking about how all employees need to “re-up.”
At conferences, we hear that live training is always superior to online training. But what about the employee who has been with the company for 20 years and listened to the training program numerous times? Isn’t it better to provide that employee with the changes to the compliance requirements through online training or some other module that does not detract from his day-to-day job? Does that employee need the same training as someone who is new to the company? As with the compliance program itself, training is not a one-size-fits-all proposition.
5. The CCO insists that any bad news be delivered only via texts to his personal cellphone.
It is easy to overlook communication. We all think we communicate well. Emails and texts may be useful, but implementing formal communication in a compliance program takes some work. Effective communication depends on defining the right channels and a thoughtful escalation process.
4. The business folks sing the tune “Bad Boys” from “Cops” every time anyone from compliance walks into a meeting.
The first job in compliance is to understand the business. Compliance does not work without buy-in from the business. What makes the business operate? What are the pressures from different operations and markets? What keeps the COO up at night? Effective programs have strong coordination between compliance and operations, where the operations team sees compliance as a business enabler—not just a cost center.
3. The CCO frequently invokes scenes from the movie “Jumanji” when discussing the company’s risk assessment results.
A proper risk assessment looks forward and evaluates risks that may impact the compliance program according to subject matter. What could go wrong? When could it happen? What are the potential consequences? How do you rate these things? What factors should you use? A risk assessment is not an internal investigation that provides you with historical information about your program. It’s an exercise in predicting and forecasting.
2. Employees in international markets cannot pick the CCO out of a line-up.
CCO visits to an organization’s international markets have a profound impact. These visits increase compliance visibility and leadership awareness of market activities. Different regions have different issues, and to adequately understand and develop a compliance program that mitigates international risk, the CCO has to mingle with employees and collect information on how the program is working.
1. The U.S. Attorney General refers to your company as “a cartel.”
Public perception of a compliance program is important—and that goes double for your regulators. Speaking at compliance conferences and other events not only provides an opportunity to pick up on the best practices of other organizations, but it also allows a CCO to publicly promote the program. Sometimes perception becomes reality in the mind of regulators.
Ryan McConnell and Meagan Baker are lawyers at McConnell Sovany—a compliance and litigation boutique. McConnell is a former assistant United States attorney who, in addition to writing this column, has taught compliance and criminal procedure at the University of Houston Law Center. Baker’s practice focuses on international compliance issues ranging from risk assessments to developing compliance programs. Send your favorite stupid pet trick to firstname.lastname@example.org.
IT service providers, particularly cloud service providers, increasingly are resisting unlimited liability for breaches of privacy and data security obligations in their customer agreements. Instead, they offer unlimited liability for breaches of confidentiality, asserting the customer’s risk of a data breach would be covered as a breach of confidentiality, and arguing that unlimited liability for breaches of data protection obligations is simply double dipping.
A Data Breach Is Not Needed to Create Liability
When an IT service provider takes this position, one of the first questions a customer asks is: Assuming that the service provider has access to data that would be covered by privacy and data security laws, what is the risk if the provider breaches the privacy and data security obligations without an actual data breach?
In other words, does there need to be a data breach for the customer to incur liability? Unfortunately, the answer is no.
To fully understand the risk of accepting the IT service provider’s position, a customer should identify:
The privacy and data protection requirements the customer must satisfy.
The likelihood the IT service provider may cause the customer to fail to comply with those requirements.
The potential for damages, fines, penalties or other enforcement activity if the customer fails to comply with those requirements—even absent a data breach.
Privacy and Data Protection Requirements
In terms of the privacy and data protection requirements the customer may need to satisfy, the customer should consider legal and regulatory requirements (including regulatory guidance) and industry standards. For example, if a customer collects or processes credit card information, the customer must comply with the Payment Card Industry Data Security Standard (PCI DSS) as well as Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection program (SDP) and Discover Network's Information Security and Compliance program (DISC). In addition, Massachusetts 201 CMR 17.00 requires a company that owns or licenses personal information of Massachusetts residents to implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards.
Even if there is no data breach, failing to comply with these standards may subject the customer to enforcement actions by the relevant regulatory authority and/or significant fines.
Once a customer identifies the relevant requirements, the customer should ensure that these requirements are expressly passed through to the IT service provider through well-tailored “flow-through” terms. Not only is the customer at risk for liability if the IT service provider causes it to fail to comply with the requirements; simply failing to flow through the requirements may subject the customer to liability for noncompliance.
This is true even if the service agreement includes a confidentiality clause, which generally requires the receiving party to exercise a duty of care to protect confidential information of the disclosing party in a way that is consistent with the measures the receiving party takes to protect its own confidential information. It is often unclear, however, exactly what measures an IT service provider takes. For example, Massachusetts 201 CMR 17.00 specifically requires companies to oversee their service providers, including requiring those service providers by contract to implement and maintain appropriate security measures.
Legal requirements and industry standards are not the only potential risk. The customer also may have contracts in place with its end-user customers and other third parties that would expose it to unlimited liability for breaches of privacy and data security obligations. If the IT service provider only offers unlimited liability for breaches of confidentiality and the IT service provider’s obligation is to comply with its own duty of care standard and not the customer’s standards, the customer may not be able to look to the IT service provider for full recourse if the IT service provider causes the customer to breach these contractual obligations.
A Data Breach Does Not Always Mean a Breach of Confidentiality
Even if there is a data breach, customers may be at risk that the confidentiality provision does not cover the data subject to the breach. Confidentiality provisions often define “confidential information” in a manner that may not encompass all of the data subject to privacy and data security laws. For example, the definition may include only information that is labeled as confidential or that a “reasonable person” would consider to be confidential. In this case, certain types of data, such as IP addresses or geolocation data, are unlikely to be labeled as confidential when disclosed to the IT service provider and may not be something a “reasonable person” would consider to be confidential.
“Confidential information” often is defined to include end-user customer data but not employee data. The IT service provider’s services, however, may include storing or processing employee data. Particularly for services such as cloud-based HR solutions, this may be as simple as receiving employee names, phone numbers, addresses and emails in order to provide technical support.
If the customer discloses personally identifiable information to the IT service provider that is not covered by the definition of confidential information, then a breach of that data would not be a breach of confidentiality for which the IT service provider would have unlimited liability under the service agreement.
The risk of liability for a breach of privacy and data security obligations without a data breach is only increasing. Audit and enforcement activities have continued to increase, an example being the U.S. Department of Health and Human Services Office for Civil Rights’ focus on HIPAA privacy rule violations—with some resulting in civil penalties in the millions. This risk is likely to continue to grow as regulators and states become even more active in setting data protection requirements and enforcing them, including increasing scrutiny of how companies are flowing down protections to third parties.
Customers will want to minimize their risk in deals with IT service providers by (1) including privacy and data security obligations sufficient to satisfy their privacy and data protection requirements; and (2) insisting on uncapped liability for the IT service provider’s breach of those obligations. If the IT service provider simply refuses to accept such unlimited liability and only offers uncapped liability for breaches of confidentiality, the customer may try to reduce its risk by:
Including privacy and data security obligations sufficient to satisfy the customer’s privacy and data protection requirements, even if those obligations are subject to a general limitation on liability.
Ensuring damages the customer may incur for breach of privacy and data protection obligations, such as regulatory fines, penalties and the like, are not excluded by a sweeping exclusion of liability for consequential damages, even if they are subject to a general limitation on liability.
Seeking a heightened liability cap for breaches of privacy and data security obligations in addition to uncapped liability for breaches of confidentiality.
Defining “confidential information” to ensure it encompasses all personal data the customer may disclose to the IT service provider.
Including the right to terminate for convenience without the payment of any early termination charge.
Glynna Christian is a partner in the corporate department of Kaye Scholer’s New York office. She has over 20 years of experience advising Fortune 100, FTSE 100, and a variety of other public and private companies on complex transactions, including mergers and acquisitions, joint ventures, and other forms of strategic investments and partnerships. She also advises on outsourcing and commercial transactions with an emphasis on technology, media and financial services. Nikki Mondschein is an associate in the corporate department of the firm’s New York office and a member of the IP and technology transactions group. She provides strategic advice to clients on corporate and commercial transactions with an emphasis on the technology, software, media, arts and entertainment sectors. She previously worked as corporate counsel at Apple and Nokia.
When overseeing sales performance management, managers often focus on their employees' quotas. While these quotas suggest what employees are capable of, they do not give a comprehensive picture of workers' potential.
Rather than simply use quotas to quantify employee performance, employers should implement a performance management approach that seeks to unlock the full potential of all their salespeople. A recent Gallup poll revealed companies maximize only 5 percent of their employees. These workers who are the top performers exhibit three significant characteristics that allow them to work at their best: having an employment history of 10 years or more at the same company, being engaged on the job and working at a position that lets them use their natural abilities.
With these characteristics in mind, employers could follow these tips to optimize employee performance:
Match employees' positions to skills and experience
When employees know they are working a job that is a great fit for their past history and skills, they are more likely to be engaged with the job. Employers should match their employees to jobs that they feel comfortable doing and excel at the most, according to Gallup.
"Gallup's research shows that employees are most likely to be engaged – and stay with their companies – when they report that their managers understand them and give them the chance to do what they do best every day," Gallup said in the report. "Managers can help employees find ways to do more of what they're good at."
Train and educate employees for career success
Employees expect more out of their employers, especially when it comes to training and skill development opportunities. People who are good at their jobs frequently want to build on their existing abilities, according to Business 2 Community. They want to learn more sales techniques, technology and software and other innovative tools in the industry.
"Naturally curious, persistent types not only see learning as a way to reach their goals more quickly, but see self-development as a way of life," Business 2 Community stated. "For them, learning and continual growth do not end at a certain age or stage of life but are the essence of life itself, and therefore never ending."
Employers should ask employees what skills or sales techniques they want to enhance and provide them with corporate resources that will achieve this to increase employee engagement.