
[EDRM Workshop Transcript] Managing Data Overload and Complexity in Catastrophic Events

Editor’s Note: Managing data effectively can make the difference between success and failure in high-pressure situations, such as natural disasters and international investigations. A recent EDRM workshop provided a rare glimpse into the realities faced by investigators working under extreme conditions, where every decision counts. From securing evidence in war zones to imaging decades-old data in Arctic conditions, the panelists shared real-world insights into overcoming logistical and technical challenges. Their experiences illustrate the importance of meticulous planning, operational resilience, and adaptability in handling catastrophic events. In today’s complex world, preparation is not just an advantage—it’s a necessity.
Expert Panelists
Paul Easton, Assistant United States Attorney, United States Attorneys’ Offices, Eastern District of Wisconsin
Mary Mack, CEO, Chief Legal Technologist, EDRM
John Wilson, ACE, AME, CBE, Chief Information Security Officer and President of Forensics, HaystackID
Mary Bennett [Moderator], Director, Content Marketing, HaystackID; Senior Director, Content and Community Initiatives, EDRM
By HaystackID Staff
The recent LA wildfires reminded us just how fast a crisis can unfold and how critical it is to be prepared. In the EDRM workshop, Managing Data Overload and Complexity in Catastrophic Events, sponsored by HaystackID®, industry leaders shared what it really takes to manage data during these high-pressure situations. Panelists Mary Mack, Paul Easton, and John Wilson offered a behind-the-scenes look at navigating extreme conditions—from wildfires to war zones—bringing practical advice for building operational resilience and managing investigative chaos.
Mack painted a vivid picture of the changing data landscape, where investigators must contend with everything from drone footage and encrypted messaging apps to IoT devices and even disguised storage units that look like key fobs. She emphasized that in disasters like hurricanes or wildfires, quickly collecting, preserving, and analyzing such diverse data is critical for effective response. Easton, who was involved with data collection efforts in Iraq for UNITAD, shared his experiences working in dangerous regions with limited infrastructure. His team faced everything from damaged evidence to complex jurisdictional challenges, illustrating the importance of training and standardized protocols to ensure a defensible chain of custody.
Wilson added a dose of high-stakes reality with gripping stories from his investigative fieldwork. He recounted Senate investigations in Jordan, where power outages forced his team to rely on battery packs and makeshift Faraday cages to protect equipment from sandstorms. In another case, data collection in the Laplands turned into a 24/7 operation, imaging decades of evidence while battling deep snow and subzero temperatures. His stories emphasized the importance of resourcefulness, power stability, and creative problem-solving when disaster strikes.
The panel closed with practical advice on building resilience. Easton stressed that operational resilience isn’t just theory—it’s about testing your plans under real-world conditions. From live evacuation drills to pre-positioning evidence for quick access, small steps can make a huge difference. Read the full webcast transcript below to learn how preparation, adaptability, and collaboration can make all the difference when facing data challenges during a crisis.
Transcript
Mary Mack
Hello, and a warm welcome to our first quarter EDRM workshop. I’m Mary Mack, EDRM’s CEO and Chief Technology Officer. Today’s workshop is a collaboration with our wonderful, trusted partner, HaystackID®, called “Managing Data Overload and Complexity in Catastrophic Events.” Our workshop experts include John Wilson and Paul Easton, and our moderator and organizer is none other than Mary Bennett. Holley Robinson, EDRM’s Marketing Operations Manager is here with resources for you. Holley?
Holley Robinson
Thanks, Mary. We are loving On24. There are so many great ways for you to engage with the platform. If you check out the console to the right of your screen, you’ll see several icons. If you click the question mark icon, you can submit your questions for today’s faculty, and we highly encourage you to do so. If you click the paper clip icon, you can find today’s resources, including a link to On24’s engagement tools description so you can better interact with the platform. There’s also a link to learn more about HaystackID’s exceptional services. And be sure to take two minutes to share your insights in the Winter 2025 eDiscovery Pricing Survey. Schedule a meeting with the experts at HaystackID to learn more about how they can assist you. Coming up next on the EDRM Global Webinar Channel this Friday, February 7th, don’t miss the fifth annual eDiscovery State of the Industry report Survey results with Doug Austin. Register now. Speaker bios can be clicked on and popped open to learn more about today’s faculty. Just like on Zoom, you can use the smiley face emoji and other reactions to engage with the webinar. We are having a lot of fun with these, so feel free to join in. Lastly, stay connected with EDRM and HaystackID on LinkedIn by clicking the Twitter bird icon. Back to you, Mary.
Mary Mack
Thanks, Holley. Our moderator, Mary Bennett, wears two hats today. She was recently promoted to Senior Director of Content Marketing for HaystackID and is also the Senior Director of Content and Community Initiatives for EDRM. For five years, Mary was a Brand Producer at another one of our great trusted partners, Relativity, where, among other things, she created and championed the renowned Stellar Women Program. Her bachelor’s is from the University of Iowa. She is a storyteller, community builder, content strategist, and eDiscovery marketer, and we are absolutely thrilled to kick off a new year with her. Mary, take it away.
Mary Bennett
Thank you, Mary. We’re so, so excited to have you all here. For those who were with us last year through our workshops, welcome back. If you’re new, we’re really excited to have you. Just to note, for today, we want this to be interactive, so if you have stories or questions, please feel free to put them in the Q&A. I will do my darndest to make sure I’m keeping track of them throughout. And as Holley noted, we all love a good emoji, so feel free to like or give a thumbs up. We definitely appreciate that. We have a lot to discuss in such a wonderful panel. So I’m just going to introduce each of our wonderful speakers, starting, of course, with Mary Mack, the CEO and Chief Legal Technologist at the EDRM. Mary leads the EDRM, which is a project-based organization. She was formerly the executive director at a certification organization. As many of us know, she is super well known for her skills in relationship and community building and her depth of eDiscovery knowledge. Good job with a thumbs-up emoji for whoever put that. Nice work. She is frequently sought out by the media for comments on industry issues and to participate in panels, lead workshops, and deliver a keynote. She is also the author of “A Process of Illumination: The Practical Guide to Electronic Discovery,” which many of us in our industry consider to be the first popular book on eDiscovery. So, Mary, I am very, very thrilled to have you.
Mary Mack
Thanks, Mary.
Mary Bennett
Then we have Paul. I’m very excited to have Paul here. He has more than 20 years of experience in eDiscovery. He has worked across the private and public sectors in the United States, Taiwan, India, Europe, and Iraq. He is now seated in Wisconsin. So, a fellow Midwesterner like Kaylee and me here, not John, as you likely all can tell from his outside decor. He is not in the Midwest. Paul is the Assistant United States Attorney, United States Attorneys’ Offices, Eastern District of Wisconsin. As Paul will probably share today through different stories, he spent five years in Baghdad as the head of the Information and Evidence Management Unit for the United Nations Investigative Team to Promote Accountability for Crimes Committed by Daesh/ISIL, otherwise known as UNITAD. Paul, thank you so much for joining us all.
Paul Easton
Glad to be here.
Mary Bennett
And we have Mr. John Wilson. John, nice to see you. He works with me at HaystackID, where he is the Chief Information Security Officer and President of Forensics. If you were curious, he is in Florida. He provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations and cryptocurrency investigations and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from financial institutions and pardons to government departments, including Fortune 500 companies and AmLaw 100 firms. I am so excited. Paul, Mary, and John, I am excited to have all of you here today.
John Wilson
Thanks for having me. I’m excited to be here.
Mary Bennett
Great. And I don’t think we need to dive too much into me, but for those who just joined, hello. I am Mary Bennett. As noted earlier, I am wearing two hats—it’s a figure of speech—but I’m going hatless right now. I am at HaystackID, where I’m the Senior Director of Content Marketing. I am also the Senior Director of Content and Community Initiatives at the EDRM. I’ll serve as the moderator of today’s discussion. As I noted, if you have questions or comments, I’ll be flagging the Q&A box. So please feel free to voice anything that you would like as it pertains to the conversation. We just love good dialogue. All right. I will go to the first screen because much of today, if not all, will be conversation-based. So we’re talking about the plethora of different data types and volumes that come with different catastrophic events, whether that’s the recent wildfires or different situations in other countries. We’re going to cover a lot of different topics today, but to set the stage, Mary Mack, I’m going to turn it over to you. When you’re looking at disaster scenarios, what types of data are we looking at, and what are some of the most challenging types of data that investigators are dealing with?
Mary Mack
Well, we’ve been talking for a while about the volume, velocity, and variety of data, and certainly, in a disaster situation, you’ve got it all or some sort of catastrophic event. And if we look at the wildfires, the hurricanes, and situations happening in conflict areas, we have all kinds of new types of data like drone footage, dispatch recordings and logs, internet of things, sensors, ring cameras in neighborhoods, vehicles, all the things that are tracked and the video in cars. It’s put up on social media and all sorts of different platforms. It’s sent in texts and all kinds of messaging apps, encrypted and unencrypted. We’ve got thumb drives that look like key fobs or might look like a child’s toy on a backpack. We’ve got home automation that gets tracked, security systems, body cams of the first responders, dashcams, and of course, in our wildfire and in the hurricane, we’ve got the electrical grid and all the sensors on it. I’ll stop there because the guys probably have some other interesting data types to throw in the mix here.
John Wilson
Yeah. I mean, a big one that we’re starting to see a lot of is body cams and the virtual glasses and the things that people walk around with every day and all of the data, not just the video, but the data, the telemetry items of, hey, I walked here, I walked there, I looked at this, I looked at that, and all of the various elements related to that. It presents amazing data resources on the one hand and scary amounts of data resources and information on the other. So there is a trick and a balance to it.
Mary Bennett
Thank you. Paul?
Paul Easton
Yeah. I would just add that in addition to all the different types of devices that John and Mary mentioned, an additional key challenge is data fragmentation. So, if you’re in a disaster, you’re going to be dealing with different stakeholders, systems, standards, and formats, and you’re going to have to prioritize what you’re going to collect. If you’re dealing with police body cam footage, that’s getting backed up, and you’ll be able to get that later. Let’s say security cameras in a business or home could get overwritten if that’s not collected in time. You have to think through what the most critical data is going to be. What’s the most important thing to prioritize in preserving first? And that’s a big challenge when you’re in a high-pressure disaster scenario.
Mary Bennett
We’ll talk a lot more about the implications of privacy and ethical considerations later throughout the panel. I just want to know: We’ll also be talking about operational resilience and what you can do proactively to the best of your ability when things like this strike, so it’s not starting from scratch. Thank you, Paul. Paul and John, you both have very interesting backgrounds. Mary and I love to hear your stories. And I’m sure our audience would, too. So Paul, you’ve talked about, or with me at least, and Mary, how you’ve worked in different, let’s say, physically dangerous locations. What was that like in terms of collecting in those environments? Did you experience difficulties, and what did you learn from working there?
Paul Easton
Right. So at UNITAD, we’re conducting an investigation of a crime scene that spanned over 21,000 square miles of Iraqi territory and over 200 mass graves. We often have to collect data in hostile or unstable areas, requiring coordination with Iraqi-encouraged authorities and UN security teams. It meant collecting data in environments with unreliable power and limited internet access. It required constant contingency planning for backup power solutions and mobile forensic and scanning equipment that could function without stable infrastructure. In addition, time constraints were often very tight. Every movement had to be cleared, so forensic teams had a very limited window of time to collect and preserve evidence before needing to leave the area. On top of that, one thing that might not be, or at least to me, was not immediately obvious, but often, you’re dealing with unforgiving road conditions. So, dust, heat, and vibration were real risks to the original storage devices. You had to ensure proper packaging to protect the devices from dust and vibration. We’re dealing with a large volume and diverse types of data sets. Everything from battlefield evidence, which can include phones, drones, laptops, paper records, often a lot of it in damaged condition, court documents and intelligence reports requiring translation, standardization, authentication, and civil society witness data, which is high-risk information, requires strict confidentiality and trauma-informed investigation measures. Finally, open-source intelligence leads to large volumes of data and issues related to verifying its authenticity. I think we can discuss some of the legal issues with the chain of custody later, but I’m more interested in hearing John’s stories.
Mary Bennett
Thank you, Paul. That was wonderful. John, what about you?
John Wilson
Yeah. In that similar arena, I was working on some Senate investigations. I spent extensive time in the area, and Paul was talking about being out in battle environments and things like that. But in my investigations, we just had to go into the different circles of Amman, Jordan, for instance. The circles are like wards or townships, and we had to go out to the ninth circle to collect a bunch of the required evidence for our matter. We arrived on site, and there were a bunch of computers in storage units with no power. There was no power in the entire block, so there was no power to get, so you had to have power resources planned out. You had to have all these things to effectuate the collection. We were like, “Hey, here are all the computers; let’s collect them.” It’s like, well, power is a critical element here. We have the power to collect electronic data because it is electronic. And so we had to work through that and solve that. That was a key element. On that same trip, I had to go out into Bedouin villages in Wadi Rum and collect things there. And then suddenly, you had to deal with, “Hey, there’s a sandstorm coming. It’s going to hit in about 20 minutes. You’ve got to be finished, and all your gear has to be protected because the sandstorm is going to hit pretty hard.” Again, we’re using power banks and all of these things to collect this data out in the middle of nowhere in the middle of the desert, and then sand and electronics aren’t great friends. Silicon is made from sand, but introducing sand in a sandstorm is very interesting to the equipment and the data items themselves. You have to prepare for that. The first time it happened, we weren’t prepared for it. It was like, “Well, what are we going to do?” We took nylon parachutes and wrapped everything in the nylon parachutes and taped them sealed shut, and then we started bringing environments for that. You can think of Faraday cages, which are not to protect from signals but from the sand. 
They serve a dual purpose for us because they are contained environments. But you’ve got to think through all those things when facing those challenges. It’s not your standard application or preservation. The means and abilities you have will be vastly different, and the tool sets you can use will be vastly different because there is no internet, no power grid, and no stable environment for what you’re doing. Sometimes, we had to collect systems by putting them in the front seat of a car with the battery pack in the back seat, doing the collection while driving around to avoid being in the problematic areas we wouldn’t be sitting in. So you’re sitting there trying to keep the computer imaging in the chair and the cell phone imaging in the passenger seat while driving around to avoid bad things from happening. So it keeps life exciting.
Mary Bennett
It is not your typical Tuesday. It is a little bit different. Yeah, I guess it’s Wednesday, tomato, tomato. But expanding on that, John, Paul, and Mary are also open to you. You mentioned some of what you did, especially as you learned in your second sandstorm, what you might need to protect the data and the systems. What tools or techniques did you find helpful with data collection, making it as reliable as possible when some traditional methods aren’t available?
Mary Mack
Yeah. I’m interested in how you dealt with the power situation and whether or not the forensics tools are as forgiving as you’re collecting. I haven’t been hands-on for 20 years, but if anything happened, like a little brownout, you could blow your forensic image back then. So, I can’t even imagine running one in a car in a war zone. So, how did you guys do it?
John Wilson
I mean, I can start. So we had power cases. They were basically like APS units, APC units, or battery backup units built into cases, but then we had special plugs on them so that rather than… When you go to a computer, and it’s plugged into the wall, you would take our special cable and just clamp it onto the cable right in front of where it is plugged into the wall, and that would provide that stabilized power. Now, we would leave it plugged in if we had power, even if it was brownouting or something to provide that stability. Our systems had surge protection and dropout protection, so they would monitor and apply power as necessary, but it was very specialized equipment. It took lots of testing to find a provider and the clamps that we could clamp onto a power cable plugged into the wall to ensure that we could sustain viable power during the collection process.
Paul Easton
Yeah. I mean, contingency planning is definitely important. Those portable backup solutions and surge protection were actually less of a challenge in the sense that the UN already does many of its missions. So it wasn’t too difficult to get that equipment. What was more of a challenge for us was the type of protective packaging in cases. The cases and the different hard drive enclosures and Faraday bags. And a lot of the digital forensic device packaging that I could buy online and ship the next day to the U.S. I mean, it was really, really hard for us to get in Iraq, and we actually had people from our forensic unit and our information systems unit, and they’d go R&R, they would buy and bring a bunch of stuff back in their suitcases because it just took forever to get the proper packaging material because that just wasn’t something other UN organizations in Iraq had, and it just took so long to go through the procurement process, but it was at the same time, incredibly important for all the reasons that we mentioned above and that John was talking about. I mean, dust—those dust storms that really find us—it gets into everything. It’s not like I’m just going to close the door. You can be inside, but it just gets into everything—so the dust, the vibrations, driving on poor roads. That was for me, one of the bigger challenges is just having that proper protective packaging and really spending time working with the teams to pre-stage the equipment, training teams for [those] environments, having workflows for rapid infrastructure, independent data extraction, and preservation. The equipment is just part of it. Having people ready to adapt and to be able to respond to changing situations is as important.
Mary Bennett
Thank you.
John Wilson
Oh, sorry, Mary. I was just going to add that Paul brings up a great point about the logistics and equipment. In my experience in that Senate investigation, as I went into the country, they stopped me at the security checkpoint at the airport and actually wrote the serial numbers to every single piece of equipment, all the way down to watches and stuff in my passport. They used up multiple pages in my passport, wrote all the serial numbers, and then, with machine guns in hand, said, “You will leave with every one of these serial numbers.” That required me to change the whole plan as we entered the country. I had to find new hard drives because we needed to ship. We didn’t know how much they would let me through with security when trying to leave the country. We certainly met the privacy regulations and requirements at the time, but having the country, because it was a Senate investigation, we were averse to the crown in the country I was in. We had to make sure that we would be able to get that data out. And so I had to go out to gamer garages and buy hard drives for $500 a piece with cash. It was the only way to get hard drives I could put evidence on. We had to solve that challenge and go find out, “Hey, where can we get hard drives here that I can acquire locally so that they can be DHL out of the country and make sure that we have a secure copy of our evidence?” And those are some interesting challenges when you need a hundred hard drives in 24 hours.
Mary Bennett
It takes up quite a bit of passport space.
John Wilson
That it does.
Mary Bennett
Yeah, as we know, going to the DMV is not fun, but that is not the most pressing challenge there. Paul and John, a question came in. What has been your most challenging situation to collect from and regarding the most unusual source of data? Is there anything new from what you’ve shared already?
John Wilson
I mean, for me, I can say my most challenging or unusual data to collect was when I was working on investigations into crimes against children. We went on-site and seized the property, and I was coming in to do the imaging. They couldn’t find anything, but we found a little wire, and we followed the wire. The individual suspect in this particular matter had wired storage within his microwave. We had to collect not only the hard drives that he had wired into the back of the microwave but also its memory because that was where certain key portions of the data were being stored. He had overwritten the memory of the microwave. So that was extremely unusual and a very interesting experience.
Mary Bennett
Paul, do you have any stories to add on that one? Are there any unusual spots?
Paul Easton
Well, yeah, the most unusual is not always the most challenging. In terms of atypical collection scenarios, I mean, we did a lot of mass grave work, and you wouldn’t think of eDiscovery as being particularly involved in that, but you often would find devices or SIM cards, et cetera, on the bodies, and we needed to have processes for properly collecting those, documenting that, and documenting exactly which body is associated with it. There was also a lot of battlefield evidence. It’s in damaged conditions, and the forensic team would have to use special techniques to try to recover the data from these damaged devices and often prove the provenance. If we talk a little later about the chain of custody, the challenges with proving the provenance of a lot of the battlefield evidence when a lot of it would be forces would go in and just grab a bunch of stuff and take it back. They weren’t doing a crime scene investigation. That was challenging, but actually, one of the most challenging was that we would go and get documentation from Iraqi courts and agencies with records and evidence investigating ISIL. You’re just talking about old-fashioned paper discovery. I never knew that my experiences from 25 years ago would be relevant again. But that was just very challenging to be able to go in at short periods, set up mobile scanning stations, and find ways to do best practices in a way that you can get in and out quickly. And so, that was an interesting challenge.
Mary Bennett
Definitely. Thank you both for sharing. As we discussed earlier, Paul, I want to dive into the chain of custody regarding these scenarios. Can you walk us through some of the challenges with preserving the chain of custody and anything organizations can do to ensure that they’re doing, have the proper documentation, and defensibility of traditional forensic processes aren’t possible? What can they do to maintain that as best as possible?
Paul Easton
Yeah. It is interesting to discuss the chain of custody and ensure that you have defensible processes when talking about the work at UNITAD because UNITAD’s mandate specifically directed that we adopt procedures for collecting, preserving, and storing evidence based on, quote, “The highest possible standards” to ensure the broadest possible usability and admissibility of such evidence and materials before national courts and by national investigative and prosecutorial authorities. The challenge is that we’re dealing with many nations in multiple legal jurisdictions, so the legal standards can vary greatly. Common law and civil law jurisdictions can differ when it comes to the requirements for chain of custody, hearsay evidence, and expert testimony. Sharia law puts witness testimony at significant weight. So this made it very important that we had meticulous documentation on the provenance, the chain of custody of the evidence, linking and corroborating diverse sources, and coordinating with member state prosecutors to support gathering additional witness testimony and conducting additional evidence collection as needed. We developed our evidence life cycle management system, including a mobile app component to assist with remote collections. However, we ended up never using the mobile app portion because, again, internet and even cell phone service can be spotty. So, for a lot of it, we still had to rely on old-fashioned paper intake and chain of custody forms. They would bring that back, scan it in, and key in the information when they got back to the office. The last thing I’ll say about this is the importance of consistent training because we had people from different law enforcement agencies, intelligence agencies, and lawyers from many different countries. They’re trained in their best practices, and they can be. A lot of them are very experienced, and a lot of them are experts. 
However, you still have to ensure that they’re trained in your specific protocols to ensure uniformity and that you have these pre-established standardized procedures to allow teams to work together effectively. So that is my last advice.
Mary Bennett
That’s awesome. Thank you.
John Wilson
Going into the previous question about challenging and then tying into chain of custody and the challenges around all of that is another one of my cases where I was up in the Laplands doing collections from an individual. I got the call, “Hey, we need to be there tomorrow.” It’s halfway across the world, so I’m like, “Yeah. I’ll see what I can arrange.” When I get there, I am supposed to be collecting a laptop and two external hard drives for this individual. It’s important because the individual is terminally ill and expected to pass within the next week or so. In that particular country, that evidence wouldn’t be allowed to be used once it goes to his estate without a long and protracted process to make that evidence usable. So, we needed to get it collected and have testimony documented. We did a video deposition of the individual. I showed up, and here’s the computer, and I started interviewing the custodian to make sure I understood everything I needed. We’re doing the video documentation to make this evidence legal and usable. And he says, “Oh, well, yeah, that one’s just for this part I just did. I have a laptop and multiple hard drives for each part I did across the last 25 years at the company.” And so he had just bookshelves of laptops and hard drives, one laptop and two hard drives typically for every project he worked on over 25 years at the company as a founder. And that was an exciting challenge. We had to have imaging running and multiple systems running at the same time and 24/7. So we were doing all of this collection at the individual’s house. I’d have to go there every four hours, 24/7. I had six days, but it took six days to complete it. Fortunately, we were able to get it done. We got all the testimony necessary to make that evidence viable because it was a $500 million product defect lawsuit and a very challenging environment because you’re also in the Lapland. So you’re getting multiple feet of snow every day. 
When I say multiple feet, I landed. I got in the taxi to my custodian’s property, and the taxi driver said, “Hey, yeah, the weather’s going to be good today. We’re only going to have eight feet of snow.” That’s not generally what I call good weather, but it’s okay.
Mary Bennett
So from desert to snow, John.
John Wilson
It was quite challenging just to manage the time, the operation, and this critical pressure because, unfortunately, the custodian was terminally ill.
Mary Bennett
We have a follow-up question for you here, John. How are you planning the case? I guess it’s open for everybody here. How are you planning the case team review and analysis workflows for these unique data types? Are subject matter experts relied on to make sense of what’s been collected to assist in translating the more complex data sources into comprehensible pieces of evidence?
John Wilson
So yes, we very frequently leverage SMEs or subject matter experts. That is a very common practice for us. Sometimes, they’re just not available when you’re in extreme situations or catastrophic events, and you’ve just got to interpret and figure it out. I think that comes from the fact that we have a great team here at Haystack that has many years of experience, including myself. I’ve collected and operated in 49 countries I’m allowed to say I went to. There are a handful of others that I have never been to, but it’s that 20, 25 years’ worth of experience seeing different things and being able to interpret them. We certainly will leverage SMEs when possible, but they’re not always available. I mean, sometimes we had to collect mainframe stuff for a project and there was nobody left at the company that even understood the mainframe data. It’s just there. It just continues to operate and the company still continues to operate on, but the knowledge base, all of those people have retired and totally just disappeared. There were no SMEs to go to, so you’ve just got to find the best resources and find the SMEs that can leverage your team’s intuition, skills, and experience.
Mary Bennett
Thank you, John. I’m shifting gears just a little bit still in the context of this conversation. I want to talk briefly about Enron and how that changed how organizations think about data governance, defensibility, and records management. While it’s not necessarily a natural disaster, it did expose weaknesses in data preservation and compliance. Mary Mack, I’m going to hit it over to you. What lessons still apply here that can be applied to high-stakes or disaster scenarios from Enron?
Mary Mack
Enron was an economic and financial disaster, and the people who ran the systems were no longer available. At the time, it was also so large that it was parceled out to various government agencies to investigate, as well as the law firms that were defending. The evidence was in many places, multiple companies, and things like that. I’ll do two things that stuck out to me. One was the boxes of paper, and Paul and John, you can resonate with this. The boxes of paper oftentimes contained ESI, like disks at the time back in the Enron days. And what we found in one of the boxes was tape, like a cassette tape, and we had to duplicate the cassette tape. We didn’t have any forensic equipment to duplicate for cassette tape. So I went across the street and got one of those cassette duplicator things that you plug into your stereo system to make a copy of the tape and document the process. The other thing is that the data that we received for some of the critical custodians all had the same modified date because it was collected incorrectly. So, they tripped the modified date, which made it less than useful for data reduction or things of that nature. That’s a bit of a blast from the past. I want to hear these guys’ lessons as well.
Paul Easton
In terms of Enron, I think the main lesson was that pre-established data governance frameworks matter. Organizations need to be prepared. And I think organizations today, at least larger organizations, are more prepared, sophisticated, and savvy with their information governance. Hopefully, we’ve learned some of the lessons at Enron.
John Wilson
Yeah. I mean, for me, it’s exactly that. It’s that compliance and having the InfoGov programs in place. I talk about cases like Enron, where you had boxes of floppy disks and five-and-a-half-inch floppy disks. The really old school media, cassettes with data on it. It really comes down to corporate data planning, having that data map, and understanding where your data is, especially things that have regulatory compliance or preservation requirements for the organization. Understanding where that data is and how that data is housed is really critical. I mean, we had a case three years ago for a large utilities organization and we showed up on site. They had a major catastrophic event. We start collecting data and find boxes of Jaz tapes or Jaz disks. I don’t know how many people remember Jaz disks, but they were basically a hundred-megabyte or 250-megabyte cartridges. You could think of them as a mix between a hard drive and a backup tape, and they would store this info. Well, it took us six weeks just to source the Jaz drives necessary to actually use that media because they’re not made—they haven’t been made in a long time. We had to source a whole bunch of them, and then we had to put them into our R&D lab and work on rebuilding four viable units out of them because most of them came with some problem or another. They’ve been sitting in dust in a box, and people still have them, but they haven’t operated them in 20 years. They’re not terribly useful in that state. So thinking about where the organization’s data is, is really critical to have that catastrophic event preparedness. Thinking about where your key data is going to be stored, and what your preservation requirements are, make sure that you have a DR plan or preservation plan to meet those requirements for data sources as data evolves. Spinning platter hard drives are almost archaic in today’s world.
They still use them quite a bit in server farms and stuff, but most storage media is moving towards the SSD world now. So you really have to think about how familiar people are going to be with a spinning platter hard drive versus an SSD hard drive in another 10 years. The world continues to evolve.
Mary Bennett
It does. It does. A question came in, and before I ask it, for those who joined a little bit later, I just want to let you know you can ask questions on the On24 platform. I’ve been monitoring those throughout. So, if you have questions, please put those there. When considering catastrophic events, such as the LA wildfires or hurricanes, what about people who have lost it all or almost everything? What challenges come when there’s data collection and preservation, when there’s just not much left? Is that just what it is, or what would the following steps be?
Paul Easton
Well, I think that’s why it’s essential. We are talking a lot about securing data, maintaining infrastructure, and ensuring continuity. But you can’t put your people in the cloud. Your data may be safe, and you may have your redundancy plans, but if your staff is facing personal crises, losing their homes, or evacuating loved ones, the last thing they’ll care about is getting the production out by its deadline. Organizations, especially small and mid-sized ones, need to prepare for short-term disruptions and support their people through and beyond a disaster. What are some ways you might want to do that? Well, workforce redundancy is building that in advance. That could mean geographically distributed teams and remote work options, but you could also think of things like pre-arranged mutual aid agreements. Have a network of trusted contractors and firms that you can partner with who can step in. Cross-training your employees, providing staff disaster preparedness resources, running some response workshops, covering personal safety, encouraging employees to create personal contingency plans, supporting employees during and after the crisis, flexible leave policies, maybe emergency stipends, if that’s something that your business can afford, temporary workspace support, mental health counseling, encouraging mutual aid, helping teams organize local support efforts, establishing emergency check-ins. I think it’s also essential for leadership to be prepared to set clear expectations. They need to acknowledge the crisis, set realistic workload adjustments, and basically be ready to support their staff. It’s not just about mitigating and dealing with the short-term disruption to businesses; for your long-term business health, you need to make sure that your employees are supported.
Mary Bennett
Paul, when we were talking about this workshop, a big thing we wanted to discuss was operational resilience, and you said, and I quote, “It’s not just a checkbox exercise; it requires real tested plans.” It seems like you hit on it in your previous answer, but I would love for you to expand on what precisely you mean by operational resilience in this context and what some of these tested plans organizations should consider deploying so that they’re ready should a disaster hit.
Paul Easton
Yeah. It shouldn’t be like Binderware or PDF that’s on a server somewhere, a checkbox exercise to show an auditor that you’ve done it. It requires real tested plans that are tested under real-world conditions. For example, keeping discovery tidy as part of our organizational resilience planning, disaster recovery, and evacuation planning was necessary, given the environment that we worked in. Part of that was planning for evidence evacuation as part of our disaster response. One thing that we did is timed live exercises with our security teams. The advantage of that is that it will reveal gaps or areas for improvement that some tabletop drills wouldn’t catch. So, putting ourselves through timed stress and more real-world type of testing scenarios led to improvements such as doing more cross-training of staff to ensure continuity, clearer, more visual emergency guides and checklists, and taking lead labeling to prioritize critical evidence under tight time constraints. Even how we would pre-position public cases and ensure that our storage was stored in an easy-to-evacuate manner. If you think of your typical evidence room like a law enforcement agency, it isn’t easy to evacuate that quickly. So we had to try to maintain best practices in terms of evidence room management and storage but in a way that could be easily evacuated. A lot of that comes out when you say, “Okay. Thirty minutes, get this out.” And it’s like, yeah, you start to realize, “Man, let’s put some clear labels on take leads and let’s make sure this is just grab and go and that we’re not having to think about it or having to reap, take things out of one thing and put it into another.”
John Wilson
Yeah. When you’re thinking about those things, we recently had to do this exercise for a law firm client in the wildfires, and they had to evacuate the evidence they maintained at the law firm for their clients. And they’re like, “Oh, it’s in a secured area. There’s access controls to the space.” But they needed our help evacuating that data because we had resources in the area. We went in, and lo and behold, the security pads for the secured area did not work because the power was lost because of the wildfires. You’ve got to plan, “Hey, do I have battery backups on my security system? Do I have a digital evidence vault, or do I have an old-school safe for my evidence vault?” Again, what Paul says is all that logistics, planning, and testing your plan to ensure that you account for as many of the variables as you can. That’s where things usually get missed: trying to figure out what scenarios might apply. Could it be a hurricane? Okay. What happens when a hurricane hits? We lose power, we have flooding, or what happens in a wildfire? Maybe we lose power, maybe we don’t. Things are burning, things are hot. Is that going to melt? Now, all of a sudden, the drawers won’t open because the locks on the drawers have melted. There are lots of possibilities, things, and challenges to think about.
Mary Mack
Yeah. I want to underscore the timed nature of testing the plan and that it should not be tabletop because imagine needing to evacuate that evidence down stairwells and how long that takes in reality as opposed to how long it takes on the plan.
Paul Easton
Yeah.
Mary Mack
Mm-hmm.
Paul Easton
Yeah.
Mary Bennett
Right. It’s longer than you think to do anything like getting out. So yes, scenarios or things are not planned, and there’s chaos. It’s going to be different than what you think. We’ve talked about data privacy a lot here today, but I want to talk about it, too. So John, when we were talking about this call, we wanted to talk about if there’s a disaster scenario, let’s say the wildfires, you’re getting evidence, a ring doorbell might have some good evidence for something, but that could be on a business across the street, and so can you collect that? When you have those snap decisions to make, and you’re making some decisions that could have privacy or ethical implications, how can someone weigh that efficiently but practically?
John Wilson
Yeah. Well, that’s the challenge. You must think through what you’re talking about. So we have a building under surveillance. That building just started burning. It’s under surveillance through cameras at two properties across the street, but what else might be on those cameras? Are those things that can be seen or not seen? Does that cause additional privacy concerns and constraints, or can I access that data, or maybe I can’t even access it because it’s an agency that isn’t allowed to share the data? So all those things are considerations. Unfortunately, those are the things that are very difficult to plan for because they are circumstantial. Okay. Now you have to evaluate, and this is what we do as a very specialized team: we’re very responsive and reactive and not the proactive side. Organizations and businesses have to think through the proactive side of things, but there are certainly situational things that you have to assess. When I get there on site, and we’re trying to assess, where’s our evidence? What evidence is necessary for this particular situation? And then you have to think through. Now, there’s a stoplight camera we can subpoena from the city. And then there’s a ring doorbell on the residential house across the street, and then there’s a ring camera at the business across the street. All of those will have different requirements and restrictions, and you have to work through those. You can’t automatically expect them to be like, “Yeah. Sure. Here’s my video from your building burning down, the people breaking in, or whatever catastrophe occurred.” You’re not always going to be able to get access to it. You’ve got to think through the considerations. What privacy concerns can come up here? Hey, this is a private bank that does high-net-worth individuals. They may not want to release videos of people coming in and out of their building or who happen to have the building across the street. 
You’ve got to think through, just because the camera’s pointing at your building, the video footage at the particular time something happened could have had somebody walking in or somebody coming out. There may be privacy concerns about that individual in the frame, so you can’t use the video, or maybe you can. There are a lot of things that you have to work through. It’s a lot of consideration.
Paul Easton
To continue, add to what you’re saying about privacy, and also, with the increasing volumes and complexity of the data, cognitive services, machine learning, and generative AI are going to be increasingly essential for synthesizing and analyzing that data that’s diverse in a continuously collected scenario. At UNITAD, member states and donors had many concerns about privacy, false identifications, and other ethical AI risks. It’s important to understand your organizational principles and requirements if you’re going to be using these technologies. And I know we’re short on time, so I’ll just say that anyone who’s not familiar with the NIST AI Risk Management Framework should check that out. It’s a great way to help your organization plan for some of these privacy preparations.
Mary Bennett
Yes. And with two minutes to spare, Paul gave, let’s say, Paul’s one action or resource for those on the call. John or Mary, one action organizations should take today or one resource they should look into to be prepared for things we’ve been discussing.
John Wilson
Yeah. Know where your data is, know what you know, and know what you don’t know. That’s my takeaway with every client. The bottom line is: Know your data, know what you know, and know what you don’t know.
Mary Bennett
Thank you. And Mary?
Mary Mack
I would add that you should know your tiger team and have backups for it. Vacations or catastrophic events can really impact a response team.
Mary Bennett
Great. I want to thank everybody for joining me and the panelists today—really great insights. I value everybody’s time and expertise. HaystackID wants to thank the EDRM and let you know that we have a webcast about data minimization in a few weeks. So, you’ll learn all about the legal requirements and practical techniques, from streamlining your data practices to bolstering your compliance and operational efficiency. If you want to register, go to HaystackID.com. You’ll find all the information there. Mary, Paul, and John, thank you so, so much. And Kaylee and Holly, thank you for your organization and support as well. I hope everyone has a lovely day.
Paul Easton
Thank you. I enjoyed the discussion.
John Wilson
Thank you. It was a great conversation. Appreciate it.
Mary Bennett
It was. Thank you all.
Mary Mack
Yeah. This concludes our workshop for today. Thank you to our trusted partner, HaystackID, for making John Wilson, Paul Easton, and Mary Bennett available for this insightful discussion. Our thanks to Mary Bennett for organizing and moderating in the EDRM community and for your kind attention and participation. We hope to see you on February 7th for the state of the industry with eDiscovery Today founder Doug Austin. Be sure to click your emojis and schedule a meeting with the experts at our trusted partner, HaystackID. Thank you. Thank you, John Wilson.
John Wilson
Absolutely.
Expert Panelists
+ Paul Easton
Assistant United States Attorney, United States Attorneys’ Offices, Eastern District of Wisconsin
Paul Easton has over 20 years of experience in e-discovery, working across the private and public sectors in the United States, Taiwan, India, Europe, and Iraq. He currently serves as the E‑Litigation Assistant U.S. Attorney for the United States Attorney’s Office for the Eastern District of Wisconsin. Previously, he spent five years in Baghdad as the Head of the Information and Evidence Management Unit for the United Nations Investigative Team to Promote Accountability for Crimes Committed by Da’esh/ISIL (UNITAD).
+ Mary Mack
CEO, Chief Legal Technologist, EDRM
Mary Mack leads the EDRM, a project-based organization, and is the former Executive Director of a certification organization. Mack is known for her skills in relationship and community building as well as for the depth of her eDiscovery knowledge. She is frequently sought out by media for comment on industry issues, and by conference organizers to participate, moderate a panel, lead a workshop or deliver a keynote. Mack is the author of A Process of Illumination: The Practical Guide to Electronic Discovery, considered by many to be the first popular book on eDiscovery. She is the co-editor of the Thomson Reuters West Treatise: eDiscovery for Corporate Counsel. Mack was also recently honored to be included in the book 100 Fascinating Females Fighting Cyber Crime, published by Cyber Ventures in May 2019. Mack has been certified in data forensics and telephony. Mack’s security certifications include the CISSP (Certified Information Systems Security Professional) and the CIAM (Certified Identity and Access Manager).
+ John Wilson, ACE, AME, CBE
Chief Information Security Officer and President of Forensics, HaystackID
As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics, including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody. He regularly develops forensic workflows and processes for clients ranging from major financial institutions to governmental departments, including Fortune 500 companies and Am Law 100 law firms.
+ Mary Bennett [Moderator]
Senior Director, Content Marketing, HaystackID; Senior Director, Content and Community Initiatives, EDRM
Mary Bennett, HaystackID’s Director of Content Marketing, focuses on the power of storytelling to educate the legal technology industry on pressing issues impacting practitioners. With nearly 10 years of content marketing experience, Bennett joined HaystackID after working at an agency to help B2B tech startups grow their marketing engines through content that drove audiences through the marketing funnel. Before her agency experience, Bennett worked at Chicago-based Relativity as a Senior Producer on the Brand Programs team. She was a founding member, host, and producer of Relativity’s Stellar Women program and producer of the company’s documentary series, On the Merits. In her role, Bennett crafted and socialized important stories that elevated the eDiscovery community and illustrated technology’s potential to make a substantial impact.
About EDRM
Empowering the global leaders of e-discovery, the Electronic Discovery Reference Model (EDRM) creates practical global resources to improve e-discovery, privacy, security, and information governance. Since 2005, EDRM has delivered leadership, standards, tools, guides, and test datasets to strengthen best practices throughout the world. EDRM has an international presence in 145 countries, spanning 6 continents. EDRM provides an innovative support infrastructure for individuals, law firms, corporations, and government organizations seeking to improve the practice and provision of data and legal discovery with 19 active projects.
About HaystackID®
HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.
Assisted by GAI and LLM technologies.
Source: HaystackID