One of my recurring themes in my occasional interviews with Matthew Geaghan of Nuix is the ever-wider application of eDiscovery skills and tools to tasks and functions beyond eDiscovery. As he says in this interview, it is “all about the data” and about the skills used for identifying, assessing and categorising data. Waymo v Uber has settled, but it has lessons for the recipient, as well as the owner, of wrongfully-removed data.
Information governance is a term which, useful though it seemed to me, did not attract as much attention as it should have done when it came up as a subject three or four years ago. It did not then have behind it the compelling reasons which have appeared since then, including awareness promoted by the imminent General Data Protection Regulation and realistic concerns about cyber security risks. It has become more evident that bad things happen when you do not secure data, quite apart from increasing duties to preserve the privacy of data subjects.
The GDPR has generated a new sense of responsibility in many organisations, not just because of the fear of fines, but because of the risk of losing business. It is certainly easier now to make a case for spending money for information governance when faced with the real risk of customer dissatisfaction, regulatory intervention, consequential litigation, shareholder questions and the potential for financial and other penalties (the fines are important but perhaps less so than some of the other foreseeable business risks).
At the time of our interview, Waymo v Uber was still heading towards trial (it subsequently settled) and Matthew Geaghan talks about it here in the context of wider responsibilities about data. As he explains, 14,000 documents were exfiltrated from Waymo and came into Uber’s hands via an ex-employee of Waymo called Levandowski. Several interesting points arise here about care and control of data; one of them, as Matthew Geaghan says, is that Waymo apparently had no means of detecting the removal of the data. The skills and the technology available for that purpose are much the same as those used to protect private information, and those looking for an ROI can easily find several reasons why organisations can find more to be worried about than potential fines. Nuix has for many years been warning that an organisation’s own employees are the biggest potential source of leaks like this.
It is not just the organisation who owns the data which needs to be concerned; any recipient has its own risks and responsibilities to think about. An article called Who blinked first in Waymo v Uber? by Sarah Jeong on The Verge, suggests that Uber as the recipient of the data ought to have had a means of noticing its arrival. A big player in a potentially valuable new market needs to know (as the article puts it), “that Uber technology wasn’t tainted by actual misappropriation”.
And how about this paragraph:
In trial, Uber did not try to dispute that Anthony Levandowski downloaded 14,000 documents onto his work laptop, moved them onto his personal laptop, and then moved them onto other disks. Uber also did not try to dispute that Levandowski was getting cozy with Travis Kalanick before he left Google and that the two of them were unbearable bros who sent each other the most idiotic text messages you could possibly imagine.
The problem with being the admitted recipient of documents in these circumstances is that it becomes hard to shake off the idea that there was some kind of conspiracy. The exchange of “the most idiotic text messages you could possibly imagine” generated suspicions which it was hard to shake off, especially when added to “second- and third-hand information about a suspicious meeting at Uber”. It seems that Uber’s CEO “didn’t know about the documents until late in the game, that he never saw them, and that he told Levandowski to get rid of them as soon as he found out that they existed”. You would think that somebody would notice their arrival; much expensive litigation might have been prevented if they had.
My earlier interview with Matt Geaghan was about collecting data from mobile devices. One of Nuix’s strengths is the aggregation of data from multiple sources, including texts and other sources on mobile devices. Although originally designed for (inevitably retrospective) discovery, the same Nuix tools find new and increasingly relevant purposes finding and managing data as it arises, including suspicious activity by employees. That may be 14,000 key design documents; it may be a single list of sales prospects taken out of one company and sent to another. Both organisations need to know about such activity and need skills and systems to detect it.