Preparing for Disasters of the Legal Kind
As businesses begin to realize the benefits of cloud computing and business data mobility, they may be overlooking one of the most important issues any enterprise can face: information management in the event of litigation. While the IT department probably has a disaster recovery plan for handling various computer system failures, is there also a plan for managing system data and electronic information in the event of a “legal disaster”? In the spotlight is e-discovery, the requirement that a business respond to legal requests for electronically stored information, along with the issues CIOs and business owners should be paying attention to as computing solutions and technology models continue to change at a rapid pace.
The popularity of BYOD (Bring Your Own Device), data sync solutions, and online collaboration tools has created an environment where business data may exist in various states (meaning conditions or status, not a State like California) and on a variety of devices and systems, some of which may not be under the direct control of internal IT. Regardless of where or how the information was delivered to these devices and systems, CIOs and business owners should recognize that the information on those devices is included in discovery requests, and should be prepared with a plan for dealing with the response.
This “e-discovery plan” is the most important thing, and it means not only working through the various aspects of managing the information, but also giving consideration to keeping the plan updated. As technology changes, and as user behavior changes along with it, businesses must adjust their IT management approaches in kind. Consider that a user couldn’t store business data on their phone until the phone was able to handle that function. Now that smartphones are the norm and tablet computers are gaining in popularity, business data is roaming on personal and business devices. These advancements may introduce productivity and process gains which provide an advantage to businesses, but they also introduce potential risk and certain complexity when it comes to e-discovery.
Litigation is always expensive, but sanctions for slow response or other costs can be avoided if the plan helps the business respond in a timely manner. For this reason, the plan should identify all sources of information (every location where business information and data are stored), as well as the steps to be taken to preserve this data in its current state. If the business has systems which regularly purge information (like accounting systems which purge prior period details, email systems which automatically purge old emails, or backup systems which delete old backup files as new ones are made), all of these activities must be halted. If the company doesn’t have the access needed to control the various devices and systems and prevent these activities (or doesn’t know that they are happening), significant risk is introduced. In the case of a legal “hold”, all data and metadata, along with the audit controls and files, must be preserved.
The final steps in the plan are the steps to be taken after the litigation is over. An often forgotten part of the plan is the final destruction of the information gathered for discovery. Not that the original data must be destroyed (consider ALL dependencies), but the “database” of collected information related to the litigation probably should be. With this data pooled in a single place, it becomes a potentially valuable target for a data breach. At minimum, the collected information could too easily be pulled into an entirely new legal case.
IT managers, CIOs and business owners must be realistic about the information their enterprises generate and store, including being realistic about the risk potential that duplicated and mobile data represent. It is not that the enterprise should be afraid of allowing mobility and providing remote access solutions, but it is essential that the enterprise control the use of these solutions and how they use or interact with business data. Without a strictly enforced policy of usage and control for all devices, services and solutions “touching” business data, any legal disaster planning falls short.