According to a recent report by Gartner, enterprise data will continue to grow by more than 40 percent annually over the next five years. International Data Corporation has also weighed in on the data deluge problem, estimating that the volume of digital information may balloon from 2.7 zettabytes this year (the storage equivalent of 2.7 billion Apple iMacs) to 8 zettabytes by 2015. This problem is compounded by the diversification of platforms and devices on which this data is created and stored. Even as storage technologies improve, processing, storing and securing that data will present a significant challenge to enterprise IT.
However, IT is not the only department struggling to manage this information tidal wave; legal departments also feel the pain. They too must effectively manage electronically stored information (ESI) in order to comply with stringent requirements from regulators and courts regarding document preservation and production for investigations, inquiries and litigations. The pressures faced by legal tend to trickle down to IT, the gatekeepers responsible for all ESI in the enterprise. Tensions can rise as the demands of complex litigations and regulatory filings square off against the limited time and resources of IT departments that are responsible for the digital welfare of the entire enterprise, not just the legal department.
Many consider the head-butting between legal and IT almost inevitable, but the demands of e-discovery and the enterprise share more in common than initially meets the eye. This is especially true when it comes to security and storage concerns.
For example, as more organizations store data outside the firewall in the cloud, there is increased sensitivity about the lack of transparency around security protocols and data protection, not to mention the uncertainty surrounding confidentiality, issues of ownership and control, as well as data privacy engendered by a globally redundant cloud infrastructure. These same concerns should hold true in the e-discovery context, particularly when data is moved outside the firewall or stored by a third-party provider, cloud or otherwise. Awareness is growing as businesses see the real risk that can result from misappropriation of data, especially in regard to regulatory and discovery obligations.
Contrary to what many people believe, the information security risk arises not solely from content residing outside the firewall, but also during the transfer of data from one location, or service bureau, to the next. When it comes to data management, and the e-discovery processes within it, there needs to be a heightened focus on protecting data during and after transfers. Failure to protect data at these transfer stages can result in inadvertent disclosures that can impact litigation, lead to breaches of confidential corporate information, or complicate data retention and disposition practices.
IT and legal departments also share concerns related to the volume of data being produced, particularly when it involves excess copies of that data. While IT may view large numbers of copies primarily as a storage problem, legal shares the burden not only of where and how to store relevant data, but also of how to control the legal costs associated with having to review and categorize multiple copies of the same document. While e-discovery software has come a long way in terms of weeding out redundancies, those copies must still be processed through at least a portion of the e-discovery lifecycle to be eliminated before the final document review, adding costs at the front end of the Electronic Discovery Reference Model (EDRM).
There is also a security concern for both legal and IT associated with uncontrolled copies of enterprise data. The more copies of sensitive information produced and distributed, the greater the risk of an information security breach during the data transfer or storage process.
Controlling costs and ensuring the security of corporate data in the e-discovery lifecycle (or otherwise) is the job of both IT and legal. More often than not, these two departments can effectively work together to create policies that will result in long-term success.
The first step is to create a plan for carefully evaluating all new systems before they are deployed in the enterprise. Legal and IT must work together to carefully consider the potential e-discovery challenges associated with these data sources, from preservation to collection and retention, as well as the larger data management and information security concerns that arise when a new system is deployed.
Second, but still crucial, data should be encrypted as it is exchanged externally with partners, vendors, or storage providers, as well as internally between departments within an organization. As a component of their long-term data security due diligence process, organizations must also thoroughly vet the encryption policies and procedures of their provider organizations, particularly those that store data outside the corporate firewall.
Third, stakeholders must know what information is being produced and who has access to it. A major challenge, and subsequent risk, occurs when an organization’s information security practices have no procedures to limit the number of copies of data or information. Most companies do not adequately track where data is copied or limit the number of copies being made. As a result, the risk of uncontrolled copies increases rapidly, making it nearly impossible to monitor the data. By implementing a policy designed to control and limit the number of copies made, as well as procedures to control who has access to data and how that data is disseminated, organizations can curtail the uncontrolled copying and distribution of corporate data, limit storage costs and help ensure data security during transfer and storage.
Finally, legal and IT should work together to implement a long-term strategy for data disposition. Storing data indefinitely is a very expensive and risky model. Thus, both departments must create a map of the ESI data landscape, as well as a process for lifting litigation holds. The method of destruction should also be determined in advance, which will lower data risks and costs.
Many of these goals can be accomplished with a strong, collaborative information governance strategy. The Information Governance Reference Model offers a broadly applicable reference framework for enterprises looking to streamline their information governance and risk management strategy across all departments, including IT and legal. Through process transparency and policy integration between the business side of the enterprise, IT, legal and records management, a workable strategy can be achieved.