Panama Papers and Data Protection at the Nuix User Exchange

NuixThere are people, I know, who can bash out a 1,400 word report about an event in the cab on the way back to the airport, but I am not one of them. I have done four other events since the Nuix User Exchange closed at Huntington Beach a month ago, each with its own preparation and travel, and make no apology for being slow to report on this one. Anyway, it had a value which keeps.

nuix2011At one point during the dinner at the Nuix User Exchange, Nuix CEO Eddie Sheehy asked those who were present at the first User Exchange in Sydney in 2011 to stand up. A handful of us were present at that inaugural event (picture right). Thanks to diary conflicts, I have not been to the Nuix User Exchange since that Sydney event. The bait dangled in front of me this year was too good to refuse, however – moderating an interview with Gerard Ryle, Director of the International Consortium of Investigative Journalists, on the subject of the Panama Papers. Who could turn that down? I will come back to that below.

huntingtonbeachThe Hyatt Regency at Huntington Beach makes a good venue for events like this. With first-rate conference facilities tacked on to an hotel which you would not mind staying in for its own sake, it has beach views, adequate food and half-decent coffee with comfortable spaces to sit and work or chatter. These things matter.

eddiesheehywelcomeEddie Sheehy opened the show in his usual upbeat and welcoming style. Nuix and its staff (there were 60 or 70 of them at the event) have a “passion for data”, he said. Data is vital to drive important subjects like discovery, security and intelligence, investigations, information governance and (a recurring theme always with Nuix) “catching the bad guys”.

Data underlies all these problems, he said, and “Nuix is really good at data problems”.

Using data to tell stories

Data is also good for telling stories, at piecing together what happened from facts derived from disparate sources from which a narrative can be made. This was the theme of a new Nuix paper written by Angela Bunting and called Collaborating in the cloud: eDiscovery risks and opportunities.

Storytelling turned up in a different context as well. Nuix is asking its users to tell their stories about how they use Nuix to benefit their businesses or their clients. This theme was illustrated by a clever little video put together from short statements by Nuix’s own staff – you can find that here along with a link to the data stories competition details (entry closes tomorrow, 20 October, so get moving).

The storytelling level sits on a deep understanding of forensic artefacts. If a device or some software stores information or enables people to communicate, Eddie Sheehy said, it is going to be involved in an investigation at some stage. Nuix, he said, will already have solved many of the problems which arise; if it does not, tell us, he added.

Session: Life after Safe Harbour

The Nuix User Exchange is not all about technology. My first panel was called Life after Safe Harbour. I was the moderator and was accompanied by Amy Taal of Deutsche Bank and Hunter McMahon of Altep. These are the sort of panel members I like, relaxed and knowledgable contributors, confident enough to perch on a table with just enough structure to cover the advertised topic while letting the talking go where I, they or the audience took it.

The invalidation of Safe Harbour and its replacement by the Privacy Shield is but one of the factors which arise when privacy and data protection meet the demands of US discovery. We have the pending General Data Protection Regulation to consider, and the recent appeal in the Microsoft Dublin case has drawn attention to the implications of US state demands for data held in foreign jurisdictions.

Part of our session covered the implications of these developments. Much of it, undoubtedly the more interesting for the audience, came from stories told by Amy Taal and Hunter McMahon based on their experience of actually dealing with the day-to-day implications of managing the collision between the opposing forces of US eDiscovery and EU data protection.

A question from Craig Ball right at the end brought the collision into sharp focus. What do you do if a data subject objected to the use of his or her data from the EU, or withdrew a prior consent, at a point when the collection was already processed and in the indexes? Hunter McMahon and Altep had been there: you stop the processing and try and resolve the conflict.

If that was not the answer Craig or anyone else in the room wanted, it was the right one (I am talking here of what the law requires; pragmatic advice on the day from someone seized of all the circumstances, with disclaimers in place, and good professional indemnity cover, may differ. Good luck).

This emphasises the need for early in-country investigation and for negotiation – that won’t bar a data subject from withdrawing consent, but it reduces the scope for disputes arising at that late stage. There is also a wider information governance point here – if you kept less crap, and had (and followed) policies for managing what you kept, then the problems would diminish.

Keynote session: The Panama Papers

I don’t usually care too much about the setting for my sessions – I have my back to it anyway and care only that the audience is not distracted by moving things or overdone slides. Grant Whitehouse, Director, Branding Campaigns at Nuix, did us proud with his setting for our Panama Papers session. If one was in any doubt about the significance of the work of the International Consortium of Investigative Journalists, the headlines above us would remove it.


The guest speaker was Gerard Ryle, Director of the ICIJ, who took us through one of the most interesting investigations stories of recent years.

The Panama Papers story has everything – a mysterious source, encrypted communications, internationally-known names, the organisation of a multi-jurisdictional, multi-lingual team, and the use of technology, mainly from Nuix, to sift through 11.5 million documents.

While the volumes are not particularly big when compared with some modern investigations, the challenges would defeat many conventional project managers. Panama law firm Mossack Fonseca set up anonymous offshore companies for those with a wide range of motives including sovereign and individual fraud, money laundering, tax evasion and drug trafficking. People may, of course, have legitimate reasons for setting up such structures, and one of the ICIJ’s primary drivers was to focus on those things which were of genuine public interest – this was not a Wikileaks dump of bulk data but a close focus on things which mattered in the countries where the investigation was done.

Mossack Fonseca kept a folder per company and the ICIJ’s first task was to make the text indexable and searchable. They needed to identify and cross-reference Mossack Fonseca clients and, using named entity extraction and other analytical tools, to check the data against lists of interesting names. The end result is that investigators can start with a corporate name, an individual name or a property (London residential property features prominently) and work from there to answer questions about the people, the assets and the flow of money in and out of a network of companies.

It was, I said in closing, the most interesting such discussion I had ever participated in, and one which holds object lessons for anyone engaged in more mundane investigations.

Cyber threats – happening at an organisation near you, now

Later, Nuix CTO Stephen Stewart gave us a closer look at the Nuix technology involved in this and other investigations using Nuix Insight and Nuix Web Review and Analytics. If it is hard enough to investigate historic data, then how much harder is it to deal with real-time investigations into unusual activity taking place now on the network.

Stephen Stewart’s explanations, about the threats and about the tools which Nuix has developed (and is continuing to develop) to counter them, would be interesting in a far more mundane context than the Panama Papers. “Mundane” in this context, means happening now, at an organisation near you. Yours perhaps.

The Nuix website is particularly good in the way it organises its resources and describes its products. Have a look – and perhaps reserve a space in your calendar for next year’s Nuix User Exchange or at the many other events which Nuix organises around the world.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere
This entry was posted in Data privacy, Data Protection, Data Security, Discovery, eDisclosure, eDiscovery, Electronic disclosure, Nuix and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s