ACEDS Info Gov Panel

Key Takeaways from ACEDS DC September Meeting: Learning Information Governance

The ACEDS DC Chapter, in conjunction with the DC BAR and Drinker Biddle & Reath LLP, hosted the first in a series of Fall events last night. The Fall educational series highlights the topics that a recent poll of the ACEDS DC membership identified as most important to the community. Last night’s event was an excellent panel discussion on Information Governance, which was at the top of the list for local professionals. It was a great discussion featuring four leaders of the DC legal landscape, including ACEDS DC Chapter President Monica Harris.

While Information Governance is a very broad topic, Ms. Harris did a great job of moderating and keeping the discussion moving and focused. The speakers fielded questions from Ms. Harris, the crowd, and each other and kept the audience engaged through the entire discussion, ultimately having to be cut short by the moderator due to time.

Speakers covered topics such as Info Gov education and certification, valuable resources and advice on how to improve one’s own knowledge of Info Gov topics. They covered regulation and focused heavily on cyber security and privacy including spelling out the differences between GDPR and CCPA. The speakers offered valuable insights for folks working directly in Info Gov/Cyber/Privacy but also for folks helping clients establish their own Info Gov programs.

While the entire discussion was engaging and informative, I found the speakers’ unique and complementary definitions of Information Governance to be the key takeaways of this discussion and great starting points for anyone to have further discussions on the topic, regardless of role or experience level.

Monica Harris
President, ACEDS DC Chapter

Question—How do you define Information Governance?

Veronica Nelson
Associate, Morgan, Lewis & Bockius LLP

Knowledge, power and accuracy. Knowledge of where my data is. Power that comes from leveraging my data to achieve business goals. Accuracy is important to mitigate risk, safeguard privacy and comply with regulations.

Yodi Hailemariam
Senior Associate, Drinker Biddle & Reath LLP

Information Governance is the custom-tailored who, what, when, where and how an organization gets, keeps, creates, manages and ultimately disposes of information.

Hala Furst
Director, Cybersecurity and Innovation, US Department of Homeland Security, Private Sector Office

When I think of Information Governance, I think of reputation. How do we protect a business and its systems from risk and harm? How do we protect the reputation of a business from breach, disaster, litigation and loss of revenue?

GDPR and eDiscovery: More Benefit Than Burden?

The General Data Protection Regulation (GDPR) is more benefit than burden. At least that was the argument put forward by the panelists of Relativity Fest’s International eDiscovery session. While they focused primarily on regulatory compliance, several of their points apply to eDiscovery as well.

This is the glass half full view of the GDPR and eDiscovery:

Confusion gives way to uniformity and predictability

Creating a uniform legal standard for data privacy in the EU is a primary purpose of the GDPR. It replaces a patchwork of sometimes conflicting laws and regulations administered by various national agencies. The panel argued persuasively that the benefits of operating under a single regulation with centralized, predictable enforcement outweigh the heightened compliance burden. The argument applies equally to the collection and transfer of documents and ESI from the EU for discovery.

Cybersecurity investments pay dividends

The regulation takes a hard line on data security. Particularly notable are the 72-hour breach notice obligation and stiff fines. Stronger cybersecurity in business and legal is better for everyone except the hackers. More specifically, cybersecurity was already top of mind for eDiscovery professionals and has been for some time. The law firms and service providers that have made significant investments in infrastructure and training are best prepared for the GDPR. This gives them a competitive advantage in cases involving EU discovery.

Technological innovators have the advantage

Regulatory compliance – both in general and specifically for eDiscovery – requires technological solutions. The GDPR immediately created a large market for the design, sale and support of new products. The panelists further recommended repurposing and expanding existing eDiscovery tools, such as redaction solutions for PHI. Also needed are improved workflows to track and manage data originating in the EU. Service providers and software developers in particular are poised to benefit from the opportunity for innovation presented by the GDPR’s burdens.

Information governance is good for eDiscovery

Finally, the GDPR is a huge impetus to information governance. It governs the use, handling and storage of personal data of EU residents. The first step in compliance is to identify and map covered data. Evaluating the business value of collecting and keeping that data is essential to risk management. These issues and more fall under the umbrella of information governance. And as all eDiscovery practitioners know, strong infogov leads to more efficient and cost-effective eDiscovery.

The GDPR is voluminous, onerous and at points unclear. It also caught many US companies unprepared. It’s no surprise that the commentary so far has mostly focused on the regulation’s broad scope, compliance burdens, potential fines and other negatives.

The panel offered a thought-provoking counterpoint by focusing on the GDPR’s positive aspects instead. For litigators and eDiscovery companies, the most significant benefit may be the opportunity to get ahead of the competition by providing superior GDPR-compliant services.

This article was inspired by the “International eDiscovery and Data Protection” session at Relativity Fest 2018. The panelists were Karyn Harty of McCann Fitzgerald, Karl Hennessee of Airbus, Johnny Lee of Grant Thornton US and Heidi Stenberg of EY. Chris Dale of the eDisclosure Information Project moderated.

Do CIGO’s Really Exist?

Image by Eric P. Mandel, “View from DBR Skyview Conference Center, Chicago IL”

I flew to Chicago recently on a grand quest: to come face to face with the mythological creature known as the CIGO. I first heard of the CIGO in 2014, or maybe it was 2015. Having been fascinated with turning the idea of information governance into reality a few years earlier, I have long desired the opportunity to meet an actual CIGO in the wild. I figured my time had finally come, having secured an invitation to the 2018 CIGO Summit from my friends at the Information Governance Initiative (www.iginitiative.com).

This was the fourth annual event for the IGI, but it was the first I was able to attend. The attendees included corporate representatives covering various areas of the information governance spectrum, as well as several thought-leaders and a few generous sponsors.

The event started off with a low-stress late afternoon plenary session, framed by plenty of time for networking – which I’m sure came as a relief to those who had been going nonstop for nearly three days at the preceding annual MER Conference. The afternoon session included a group exercise exploring the generic opportunities and threats (the second half of a SWOT analysis) for implementing or expanding a successful IG program over the next year. Of the several key threats identified by the group, the lack of authority / executive sponsorship appeared to be functionally endemic — and was the subject of further discussion on Day 2 (as addressed below). On the other side of the coin, the opportunities for IG identified by the group were seemingly more plentiful and diverse, covering the spectrum of the overall benefits of information governance that we have discussed for years now, such as promoting collaboration and knowledge management throughout the enterprise. Additionally, many noted that the imminent roll-out of the European Union General Data Protection Regulation (EU GDPR) was bringing long-wanted attention to information governance in general, and to an updated records and information management program in particular.

Day 2 kicked off with a decidedly different pace, moving quickly through the day with rapid-fire 10 to 30 minute sessions covering a variety of topics touching on key elements of information governance. The morning sessions focused on leadership and innovation in a multi-disciplinary environment, with several excellent presentations. Of particular note were the presentations of two military officers: Russ Stalters, who was one of the leaders of the BP oil spill litigation response program and a former Naval aviator, and Chris Graves, who is the COO of Tritura and an active reserve Marine Colonel who has repeatedly been deployed into active war zones over the last 17 years.

My takeaway from the morning sessions was that for information governance to gain a foothold in today’s enterprise, we need leaders who can actively listen to understand the diverse interests of varying stakeholders, who can bring together and harmonize teams from different disciplines, and most importantly, those who can manage change.

The afternoon continued with the rapid-fire program, with a focus on specific challenges and practical solutions for those faced with attempting to implement IG in larger enterprises. For me, one of the best presentations of the day was from Morgan King, Head of Records & Information Management at Shire. In addition to her official role in the company, Morgan serves as chair of the company’s Governance Council, which includes representatives from all major facets of IG that exist across the enterprise. I was drawn to the story of how Shire has established and is growing a functioning IG program and leadership team that addresses the core purpose of having a CIGO, without actually having hired a CIGO. As Morgan explained, Shire’s Governance Council includes a Chair and Vice-Chair from leading stakeholders, as well as a steering committee that includes the other C-Level or functional leads. There are defined management boundaries and objectives, an established meeting cadence for the steering committee and council, along with standard defined deliverables to be submitted to the executive corporate leadership. While one could argue that a CIGO role would be the proverbial cherry on top of this program, Shire’s IG program can serve as a functioning model of IG maturity.

One common theme heard throughout the day was the oft-repeated notion that legal, compliance and records tend to be considered the departments of “NO!” It seems to me that for information governance to grow and develop within an enterprise, we must find a pathway to “Yes” that addresses the enterprise’s needs for processing information while still achieving acceptable governance. While one speaker suggested that we need to “break down silos that divide us,” it seems to me that we should instead reframe the point as looking to bridge the gaps between existing silos and establish integrated IG approaches that address the many facets of the enterprise that impact information governance.

While I did not succeed in finding an actual CIGO at the CIGO Summit, I walked away from the event better informed, and filled with new ideas (plus a 3rd place prize for their annual Play-Doh sculpture competition).

Growing Business Use of “Chat Apps” Poses Information Risk for Corporate Legal Departments

A 2017 survey of business professionals worldwide found that the average business professional uses 9.4 software apps for work purposes. Nearly half of the respondents said they use apps that are not sanctioned by their company’s IT department, ranging from cloud storage and project-tracking apps to the increasingly ubiquitous chat apps that facilitate instant communication.

Chat apps are useful tools that enable workers to communicate in real time, which increases workplace efficiency. This is especially valuable in companies with a global presence as colleagues spread across multiple time zones can connect with much greater ease and at much less expense.

However, as the use of chat apps by employees for business purposes has proliferated, we have begun to see the dangers that come along with these benefits. Within the last few years, a series of high-profile litigation disputes and government investigations has been fueled by the disclosure of key information via chat apps. In 2015, the EU was rocked by a sweeping investigation into the alleged manipulation of interest rates by banks, with key evidence uncovered from instant messaging conversations harvested off enterprise chat platforms. In November 2017, litigation between Uber and Waymo was suddenly upended when evidence emerged that top executives at Uber used an encrypted chat app to hold secret conversations, set for automatic deletion after as little as a few seconds.

In fact, the mere use of chat apps that are known to auto-delete has raised concerns, carrying the unintended implication that the company knew the information being exchanged was in question. So, whether or not company employees have ever discussed the auto-delete functionality of these apps, their use could create a cloud of suspicion in the event of a litigation dispute or government investigation.

Whether it’s Wickr® (the app used in the Waymo-Uber dispute), Slack®, Google Hangout™, Signal, WhatsApp®, Skype®—or any one of the dozens of new apps available— the growing business use of desktop-based chat apps poses a serious legal and information risk to corporations, as evidenced by the rising number of digital forensics investigations and e-discovery projects we’re now seeing involving data from chat apps.

Moreover, although our thoughts in this article are focused on desktop versions of chat apps, the problem is exacerbated by the use of mobile versions of those apps that are installed on employees’ phones. There is simply no way for companies to monitor employee use of chat apps on their personal devices.

If you know or have reason to believe your employees are using chat apps, here are five information risks associated with their use for business purposes, which corporate legal departments and their business colleagues ought to be monitoring:

1. Preservation

In the example of Waymo v. Uber, Judge Alsup admonished attorneys that counsel in future cases can be “found in malpractice” if they do not turn over evidence from such specialized tools, potentially setting legal precedent for the future expectation of preservation from these new communication platforms. Furthermore, Rule 37(e)(2)(B) of the Federal Rules of Civil Procedure states that “If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, a judge can instruct the jury that it may or must presume the information was unfavorable to the party.” Many chat apps offer a wide array of options for ephemeral message history, with some giving the user an option to set up auto-deletion of messages in as little as five seconds. If these settings are not configured to comply with data retention standards and a litigation hold has been issued on communications related to a relevant matter, your organization will be unable to produce this data and will be facing a serious problem in e-discovery.

2. Access

In some companies, the data security protocols that govern chat apps are so lax that we have been startled to discover the trove of company information exposed through these apps. In other cases, the protocols are so stringent that it’s difficult to actually extract any data from the apps. It’s important to be able to access relevant data without making the organization vulnerable to easy data theft.

3. Encryption

The encryption built into certain chat apps can be very complex to decipher, requiring intensive and potentially costly digital forensics investigation to access the content. This can also create a legal problem for the company if the app data cannot be decrypted at all, leaving a litigant out of compliance with its discovery obligation to produce potentially relevant data.

4. Vulnerability

Some chat apps have been criticized for possibly creating a back door security hole to bad actors, opening up vulnerabilities in the company’s IT systems. Hackers may see the use of chat apps for business purposes as a vehicle for trying to access the company’s networks or other devices so they can steal valuable corporate data. Or worse, they may seek to use the apps as a command & control (C&C) center to host malware on the victim’s system. In this case, according to research conducted by Trend Micro, hackers simply sign up to these apps like a normal user and start commanding the malware to perform all sorts of vicious attacks once it has infected the system. Essentially, they’re able to turn the entire app into a C&C system without being detected by any anti-malware or security.

5. BYOD

The emergence of Bring Your Own Device (BYOD) policies has ushered in a wave of IT challenges for corporations, including the risks created by employee use of chat apps on personal devices or personal email accounts. This is even more difficult for corporate legal departments to monitor as the risk lies outside of the company’s official IT infrastructure.

The good news for companies that wish to rein in these risks is that new software tools are available that can help you proactively monitor for the use of unauthorized apps for business purposes. The best of these tools will locate potential information risks—such as unauthorized apps or data residing in unauthorized locations—so organizations can take inventory of software on connected computers and data repositories across the enterprise.

Those findings can then be shared across InfoSec, legal, compliance and audit teams to determine the appropriate next steps. This may involve confronting the employee on the use of the apps or the execution of targeted, automated deletion of any non-compliant apps in use, which allows you to get ahead of any issues before they arise and address them quickly. Of course, if a mobile phone needs to be collected and data from an employee’s mobile app use brought into an investigation, you will need access to specialized forensics software tools that can locate and analyze that type of data.
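As an added example (not from this article or any product it mentions), here is a small Python check in the spirit of the inventory tools described above: it evaluates a constructed per-host application inventory against an approved-tools policy and flags the unauthorized-app, unauthorized-location and preservation risks listed in this article. The app names, hostnames, auto-delete settings and policy values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy values (assumed, not from any real IG policy).
APPROVED_CHAT_APPS = {"Slack", "Microsoft Teams"}
APPROVED_DATA_LOCATIONS = {"corp-sharepoint", "corp-fileserver"}
# Hosts whose custodians are under an active litigation hold (assumed).
HOSTS_ON_LITIGATION_HOLD = {"ws-finance-07"}

@dataclass
class InstalledApp:
    name: str
    is_chat_app: bool
    auto_delete_seconds: Optional[int] = None  # None = ephemeral messaging off

@dataclass
class HostInventory:
    hostname: str
    apps: List[InstalledApp]
    data_locations: List[str]

def evaluate_host(inv: HostInventory) -> List[Tuple[str, str]]:
    """Return (risk_category, detail) findings for one host, in inventory order."""
    findings: List[Tuple[str, str]] = []
    on_hold = inv.hostname in HOSTS_ON_LITIGATION_HOLD
    for app in inv.apps:
        if not app.is_chat_app:
            continue
        if app.name not in APPROVED_CHAT_APPS:
            findings.append(("unauthorized_app",
                             f"{app.name} is not an approved communication tool"))
        if app.auto_delete_seconds is not None:
            # Ephemeral messaging is a retention problem anywhere, and a
            # spoliation risk on a host covered by a litigation hold.
            cat = "preservation_hold_conflict" if on_hold else "retention_setting"
            findings.append((cat,
                             f"{app.name} auto-deletes messages after {app.auto_delete_seconds}s"))
    for loc in inv.data_locations:
        if loc not in APPROVED_DATA_LOCATIONS:
            findings.append(("unauthorized_location", f"company data found in {loc}"))
    return findings

def evaluate_fleet(hosts: List[HostInventory]) -> Dict[str, List[Tuple[str, str]]]:
    return {h.hostname: evaluate_host(h) for h in hosts}

# Constructed sample inventory of two hosts.
SAMPLE_HOSTS = [
    HostInventory("ws-finance-07",
                  [InstalledApp("Slack", True),
                   InstalledApp("Wickr", True, auto_delete_seconds=5)],
                  ["corp-sharepoint", "personal-dropbox"]),
    HostInventory("ws-eng-12",
                  [InstalledApp("Microsoft Teams", True), InstalledApp("Excel", False)],
                  ["corp-fileserver"]),
]

if __name__ == "__main__":
    for host, findings in evaluate_fleet(SAMPLE_HOSTS).items():
        for cat, detail in findings:
            print(f"{host}: [{cat}] {detail}")
```

The findings dictionary is what would be handed to InfoSec, legal, compliance and audit for the next-step decision the paragraph above describes.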

Meanwhile, if you choose to allow the use of chat apps for business purposes, make sure that your information governance policies are updated frequently in response to emerging technologies and carefully outline approved communication tools. Also make sure to instruct employees on the required settings they must use and privacy protections they must have in place.

Regardless of how you choose to proceed, it’s always a good idea to consult the experts in the field before you actually have to deal with a legal or investigatory problem related to the use of chat apps for business purposes.
