Connect with us

Latest

Leveraging Technology to Manage Big Data in Antitrust | JD Supra

Mish Boyka

Published

on

Leveraging Technology to Manage Big Data in Antitrust |  JD Supra

 

On 27 January, 2021, TransPerfect Legal Solutions (TLS) held the second day of the inaugural EU / UK Competition Regulation Virtual Conference. Day one focused on the changing regulatory landscape. Day two turned to the advent of big data and how technology is a vital tool in the arsenal of the modern competition practitioner.

Sasha Toussaint, Director in TLS’s London office, was joined by Guillaume Aubron, Counsel at Darrois Villey Maillot Brochier; Greg Bonné, Senior Associate at Latham & Watkins; Bryant Isbell, the Managing Director of Global eDiscovery and Data Advisory at Baker McKenzie and TransPerfect’s very own Katie Perekslis, Vice President of E-Discovery Project Management.

Whether it’s for merger control, dawn raids or cartel investigations, competition proceedings require the interrogation of significant amounts of documentation production in short timelines. In the big data era, budgetary concerns as well as compliance itself often turn on the scope of the information available and timelines imposed on its production.

Clients, lawyers and regulators must fight fire with fire.

Across the board, we are seeing both clients and regulators demand the use of technology. For clients, applying technology drives down the cost associated with these proceedings and limits the amount of information required for production. For regulators, it allows them to see key material faster and using fewer resources. Furthermore, there is empiric evidence (in mainstream litigation versus competition work) that technology can be more consistent and accurate than human review.1

In France, legal technology is not used as widely as in the US or UK. However, French lawyers see clear benefits to using technology in merger control and dawn raids. In the latter, technology needs to be deployed early, as the FCA seizes entire mail boxes before extending a fairly short time frame for lawyers to complete a privilege review ahead of their own review. Speed, therefore, is really of the essence. Unlike many other jurisdictions, there are no requirements for internal document production on the filing form itself and that really only comes into play later on in proceedings. However, it is accepted that as data volumes continue to grow, technology will be a necessity to ascertain risk for these matters, regardless of the regulatory burden.

In the UK, the technology-agnostic CMA is increasingly making use of its formal information-gathering powers. Those powers are also being used at varying stages during the process – including working to establish evidence for an alternative counterfactual or a theory of harm claim. Parties similarly use technology at the “back end” regularly to formulate their strategy in response to these growing requests.

The constant across both jurisdictions (and likely others) is the use of technology to speed up the privilege review. Automating the workflow in its entirety is risky, but the technology can significantly accelerate human review.

What is considered responsive plays a large role in the documents produced in these proceedings. These decisions will have an effect on how and what data is collected and shared. Whilst the CMA retains significant control on the determination of responsiveness (described in more detail below), the European Commission takes a more balanced, collaborative approach, often engaging with lawyers and technologists.

TLS has assisted on these negotiations first hand and rather than simply paying lip service, we (together with outside counsel) have materially impacted search and responsiveness parameters. In a recent RFI, we analyzed the resulting set of responsive documents based on the Commission’s proposed search terms and determined the terms were overly board. When we presented these metrics to the Commission, together with the methodology used, they were amenable to refining the search terms and data pool.

Ultimately, the regulators are amenable to changing the scope of their requests as long as the law firm and vendor work with the regulators to provide transparency and prove their methodology is logical and defensible.

If law firms can continue, as above, to guide regulators with quantitative data and defensible methodology, there will be a shift in the way data is gathered, culled and reviewed. Deploying technology and analytics is beneficial to all parties involved, particularly given its ability to better manage the never-ending increase in data volumes and sources as well as time constraints in competition proceedings.

The CMA, as compared to the DOJ, FTC or the Commission, can and is asking for more extensive information earlier in the process.

As law firms and their clients lean on the benefits of legal technology, so too do the regulators. They are becoming increasingly more engaged in the process, which has procedural and legal implications.

In English proceedings, e-discovery technology has been a common feature for many years but only recently in merger control. The main question focuses less on the “if” and more the “when.” The CMA is increasingly looking to gather evidence, which encourages parties to lean on the guidance and the CMA as they gather the information required. This can include internal documents and even emails and instant messaging chats. Similar to train of inquiry investigations, once they have a handle on the data they are able to issue further requests. These can be topic and custodian specific, or wider using search terms. Unsurprisingly, the CMA is actively recruiting legal technology professionals to help analyze the data that comes in to better inform its requests for information.

This is likely to cause significant delays at pre-notification resulting in a knock-on effect for the entire timetable, as was the case in Amazon’s acquisition of 16% in Deliveroo.

Regulators, particularly the CMA, are throwing their weight around when it comes to the issue of “responsiveness.” They believe they have the power determine what is and is not responsive through various search strategies. However, this poses an issue around personally identifiable information, documents being produced that fall out of the scope of the investigation and the general feeling that this type of information-gathering request is a regulator-sponsored fishing expedition.

In general, document production in competition proceedings has become more of an iterative process and the CMA expects to be involved. As a lawyer or e-discovery professional, you can anticipate engaging with your e-discovery and forensic counterparts at the CMA every step of the way.

Whether leveraging basic technology like search terms and email threading or more complex technology like TAR 1.0 and Continuous Active Learning (CAL), legal teams and technologists must ensure proper processes are followed.

As technology advances, it is easy to see the benefits of using advanced analytics, TAR 1.0 or TAR 2.0 (Continuous Active Learning) in data-heavy matters. Regulators do not dictate what type of technology is used, but they are leaning on technologists and law firms to understand the what, how and why.

TAR 1.0 (Technology-Assisted Review) was one of the first AI-based workflows. It is an iterative process where technologists develop an initial training set of documents and a subject matter expert reviews that data before stopping review to run the algorithm that will predict the relevance of the remainder of the documents. Additional documents may be added to the training set based on the richness of the data set, and a separate control set that is statistically representative of the data set is then reviewed by the same subject matter expert and used to validate the results, producing metrics such as precision, recall, depth of recall and F1 score – very much a start-stop-start-stop process.

CAL is a newer iteration of TAR and prioritizes the data in real time based on the coding decisions of reviewers. As with linear review, a lawyer begins tagging documents for responsiveness. The difference is the technology is working in the background, in real time, to pull other documents that are likely similar to the previously tagged “responsive” documents until the reviewers reach a point of diminishing returns.

In TLS’s experience with merger control projects where the goal is compliance to produce a large quantity of relevant documents in a short period, there is a tendency to stick with TAR 1.0 because it is not cost or time effective to put human eyes on as many documents as you would with CAL. The key in this process, however, is to make sure the subject matter expert is available to review the training and control sets to ensure consistent and accurate results because we apply their review decisions for a smaller population to the larger document set. Unlike in a linear or CAL review, a few miscoded or inconsistently coded documents can have detrimental effects on both the quality of the review and the time it takes to reach stabilization. Due to that limitation and a need to put human eyes on all relevant documents for fact finding, TAR 2.0 still tends to be the more widely used workflow in general litigations and arbitrations given its accessibility. With either of these workflows, law firms must produce a clear methodology on actions taken, including validation process. Some of these methods include:

  • Precision test – captures what percentage of documents pulled are actually relevant
  • Recall test – determines if any documents were missed in the data set
  • Elusion test – similar to recall and looks to see if any documents eluded the system

In TLS experience, regulators tend to focus on achieving high recall and are less concerned with low precision (AKA overly producing documents). But precision is very important to clients, as they do not want more data to go to the regulators than necessary, particularly if data is sensitive in nature.

All panellists agree that it is critical to produce very clear, step-by-step methodology before work has begun, both in privilege and responsiveness reviews. If the work is completed but the method is not approved, the law firm will be required to start over, which can be problematic given the tight deadlines associated with competition work.

Transparency is key in assuring the regulators that law firms have met their requirements and provided the documents required to make their decisions. As long as law firms and technologists are being defensible and reasonable about the methods, the regulators will typically approve the use of technology to work with them and with their clients.

What does the future hold?

There is a clear appetite from clients and regulators to adopt the use of legal technology in competition proceedings. Law firms and litigation support providers will continue to spearhead this movement and are constantly looking at new tools and workflows to manage big data in a defensible and efficient manner.

Law firms will leverage analytics and investigations tools where time is of the essence – the first to apply for leniency or immunity or to assess risk. Getting a handle on what their clients have early will be key.

In time, the FCA, CMA and Commission may collaborate and follow certain DOJ practices given its experience with larger data sets, deal flow and technology. And it will be in parties’ best interests to work alongside them to design a process that works for everyone.

Data is inescapable. Clients, lawyers and regulators continue to play an ever-changing game of catch-up to leverage technology. The procedural and legal considerations grow and change as data volumes increase and data sources diversify, and it is imperative to lean on these tools to provide the best outcome for all parties involved.

You can watch the full recording of this panel here.

1 Pyrrho Investments Ltd v MWB Property Ltd: [1] [2016] EWHC 25. Paragraph 31

Latest

Vermont Health Connect had 10 data breaches last winter

Avatar

Published

on

By

Vermont Health Connect had 10 data breaches last winter
Vermont Health Connect has set up a special enrollment period in response to the coronavirus outbreak. VHC photo

In mid-December, a Vermont Health Connect user was logging in when the names of two strangers popped up in the newly created account.

The individual, who was trying to sign up for health insurance, deleted the information that had suddenly appeared.

“It was super unsettling to think that someone is filing in my account with my information,” the person, whose name is redacted in records, wrote in a complaint to the Department of Vermont Health Access. “Just seems like the whole thing needs a big overhaul.”

It was one of 10 instances between November and February when Vermont Health Connect users reported logging to find someone else’s information on their account.

The data breaches included names of other applicants and, in some cases, their children’s names, birth dates, citizenship information, annual income, health care plans, and once, the last four digits of a Social Security number, according to nearly 900 pages of public records obtained by VTDigger. On Dec. 22, the department’s staff shut down the site to try to diagnose the problem.

While officials say the glitches have been resolved, it’s the most recent mishap for a system that has historically been plagued by security and technical issues. The breaches could be even more widespread: Administrators of Vermont Health Connect can’t tell if other, similar breaches went unreported.

“We don’t know what we don’t know,” said Jon Rajewski, a managing director at the cybersecurity response company Stroz Friedberg. Regardless of whether there are legal ramifications for the incidents, they should be taken “very seriously,” he said.

“If my data was being stored on a website that was personal, — maybe it contains names or my Social Security number, like my status of insurance… — I would expect that website to secure it and keep it safe,” he said.

“I wouldn’t want someone else to access my personal information.”

Andrea De La Bruere, executive director of the Agency of Human Services, called the data breaches “unfortunate.” But she downplayed the severity of the issues. Between November and December, 75,000 people visited the Vermont Health Connect website for a total of 330,000 page views, she said. The 10 incidents? “It’s a very uncommon thing to have happen,” she said.

De La Bruere said the issue was fixed on Feb. 17, and users had reported no similar problems since. The information that was shared was not protected health information, she added, and the breaches didn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

“No matter what the law says technically, whether it’s HIPAA-related or just one’s personal information, it’s really concerning,” said Health Care Advocate Mike Fisher.

The timing of the issue is less than ideal, he added. Thousands of Vermonters will be logging into Vermont Health Connect in the coming weeks to take advantage of discounts granted by the American Rescue Plan. “It’s super important that people can access the system, and that it’s safe and secure,” Fisher said.

A ‘major issue

The issues first arose on Nov, 12, when at least two Vermonters logged in and found information about another user, according to records obtained by VTDigger.

Department of Vermont Health Access workers flagged it as a “major issue” for their boss, Kristine Fortier, a business application support specialist for the department.

Similar incidents also occurred on Nov. 17 and 18, and later on multiple days in December.

Department of Vermont Health Access staff members appeared alarmed at the issues, and IT staff escalated the tickets to “URGENT.”

“YIKES,” wrote a staff member Brittney Richardson. While the people affected were notified, the data breaches were never made public.

State workers pressed OptumInsights, a national health care tech company that hosts and manages Vermont Health Connect, for answers. The state has contracted with the company since 2014. It has paid about $11 million a year for the past four years for maintenance and operations, with more added in “discretionary funds.”

Optum appeared unable to figure out the glitch. “It is hard to find root cause of issue,” wrote Yogi Singh, service delivery manager for Optum on Dec. 10. Optum representatives referred comments on the issues to the state.

By Dec. 14, Grant Steffens, IT manager for the department, raised the alarm. “I’m concerned on the growing number of these reports,” he wrote in an email to Optum.

The company halted the creation of new accounts on Dec, 14, and shut down the site entirely on Dec, 22 to install a temporary fix. “It’s a very complex interplay of many many pieces of software on the back end,” said Darin Prail, agency director of digital services. The complexity made it challenging to identify the problem, and to fix it without introducing any new issues, he said.

In spite of the fixes, a caller reported a similar incident on Jan. 13.

On Feb. 8, a mother logged in to find that she could see her daughter’s information. When she logged into her daughter’s account, the insurance information had been replaced by her own.

“Very weird,” the mother wrote in an emailed complaint.

Optum completed a permanent fix on Feb. 17, according to Prail. Vermont Health Connect has not had a problem since, he said.

Prail said the state had reported the issues to the Centers for Medicaid and Medicare Services as required, and had undergone a regular audit in February that had no findings. The state “persistently pressured Optum to determine the root cause and correct the issue expeditiously but at the same time, cautiously, so as to not introduce additional issues/problems,” he wrote in an email to VTDigger.

“We take reported issues like this very seriously,” he said.

A history of glitches

The state’s health exchange has been replete with problems, including significant security issues and privacy violations, since it was built in 2012 at a cost of $200 million.

The state fired its first contractor, CGI Technology Systems, in 2014. A subcontractor, Exeter, went out of business in 2015. Optum took over for CGI, and continued to provide maintenance and tech support for the system.

Don Turner
Don Turner, right, then the House minority leader, speaks in 2016 about the need to fix the state’s glitch-ridden Vermont Health Connect website. With him are Phil Scott, left, then the lieutenant governor, and Sen. Joe Benning. Photo by Erin Mansfield/VTDigger

In 2018, when Vermont Health Connect was less than 6 years old, a report dubbed the exchange outdated and “obsolete.”

Officials reported similar privacy breaches in 2013, when Vermonters saw other people’s information.

An auditor’s report in 2016 found a slew of cybersecurity flaws, and officials raised concerns again during a  2018 email breach.

It wasn’t the first time that Vermont Health Connect users had been able to view other people’s personal information. Three times since October 2019, individuals had logged in to see another individual’s insurance documents. Prail attributed those incidents to human error, not to system glitch; a staff member uploaded documents to the wrong site, he said.

In spite of the issues, Prail said he and other state officials have been happy with Optum. After years of technical challenges with Vermont Health Connect, “Optum has really picked up the ball and improved it and been running it pretty well,” he said.

Glitches are inevitable, he added, and Optum has addressed them quickly. “They took a really difficult-to-manage site and made it work pretty well,” he said. “Optum is generally quite responsive to any issues we have.”

“I find any privacy breach to be concerning,” said Scott Carbee, chief information security officer for the state. He noted that the state uses “hundreds of software systems.” “While the scope of the breaches can be mitigated, true prevention is a difficult task,” he wrote in an email to VTDigger.

Optum spokesperson Gwen Moore Holliday referred comments to the state, but said the company was “honored” to work with Vermont Health Connect “to support the health care needs of Vermont residents.”

Prail said the Agency of Human Services had no plans to halt its contract with the company. “I don’t have a complaint about Optum,” he said. “They took a really difficult-to-manage site and made it work pretty well.”

Don’t miss a thing. Sign up here to get VTDigger’s weekly email on Vermont hospitals, health care trends, insurance and state health care policy.

Help us get halfway to our Spring Drive goal. When we reach 1,5000 members, we will unlock a $10,000 match, plus 1,500 Vermont kids get a new book!

Filed under:

Health Care

Tags: data breaches, Optum, Vermont Health Connect

Katie Jickling

About Katie

Katie Jickling covers health care for VTDigger. She previously reported on Burlington city politics for Seven Days. She has freelanced and interned for half a dozen news organizations, including Vermont Public Radio, the Valley News, Northern Woodlands, Eating Well magazine and the Herald of Randolph. She is a graduate of Hamilton College and a native of Brookfield.