Security As Core To Information Governance
Discussions around Information Governance (IG) understandably revolve around eDiscovery, records management, litigation risk and cost, FOIA requests and regulatory issues. What is rarely discussed in the IG context is security. Closer consideration, however, shows that this is not only an artificial distinction but one that neglects significant information security risk in commonplace IG practices.
Controls Disappear At The Boundary
Legal practitioners face daunting challenges in meeting the deadlines imposed by legal and regulatory processes. Even worse, they must do so against a current of budget scrutiny and massive increases in data volume. The now ubiquitous EDRM model is the focus of most discussions on IG. In those discussions the focus is often on tools, technologies or services that can reduce cost across one or more of the model's components, but security also needs due consideration.
One of the most pronounced areas of security concern in the IG process is the number of times that data leaves the enterprise in bulk to go to 3rd parties. These include, but are not limited to:
- Identified data that is sent to outsourced providers for processing
- Collected data that is sent to 3rd party providers for analysis
- Documents and data reviewed by 3rd party service providers
In each case the 3rd party may be a single entity or several, and each may be a law firm, a technology firm, or a Legal Process Outsourcer. Additionally, any or all of these 3rd parties may engage further partners to handle either the data volume or the type of analysis required.
An organization may have the latest security and information controls in place, but processes such as eDiscovery and investigation routinely take large volumes of enterprise data outside of those controls, with very little in the way of feedback controls or data disposition. As a former practitioner in the eDiscovery industry, I can attest that it is not uncommon to walk into the litigation support group of a major law firm and literally see hard drives of client data sitting on desks and floors.
How do you assure confidentiality for data that has left your positive control? Do you have proof of destruction when data leaves the enterprise but is no longer needed? Is there data leakage in your IG processes, and how do you monitor for it?
Never Move The Data
The fact is that enterprise tools and technologies have evolved to the point where data never has to be moved. Data inside the enterprise can stay there, under the organization's control and within its security perimeter, while 3rd party tools and expertise are brought to bear on that data in place. These solutions are enabled by the current generation of archiving tools, many of whose capabilities go untapped by the organizations that have licensed them. Through a simple change of perspective and inside-the-firewall integration, there is an alternative architecture and process flow that adheres to all the EDRM premises of IG but keeps organizational data within the control of the organization at all times.
- Never pay to ‘process’ data again.
- Employ state-of-the-art analysis tools in situ.
- Allow legal experts visibility into all the documents they need to review, without data ever leaving your control.