Partly Cloudy or Clear Skies Ahead? Information Governance Amid Digital Transformation

Partly Cloudy or Clear Skies Ahead?
Author: Tim Anderson, Ted Barassi and Tracy Bordignon
Date Published: 28 July 2021
Related: COBIT 2019 Design Guide | Digital | Spanish

The category of data that has long been referred to as “emerging” has now emerged. In a recent survey of general counsel at large enterprises, titled The General Counsel Report 2021: Rising to Today’s Challenges and Building Resilience for the Future, the majority of respondents indicated that the risk they feel their organizations are most notably ill prepared to navigate is the impact of “emerging” data sources on ediscovery—the process of collecting, analyzing and reviewing electronic evidence—for legal matters, investigations and regulatory compliance. Moreover, 65 percent of respondents are concerned about the legal implications surrounding data privacy, data protection, security and other data issues.1

These are valid concerns. Much of the “emerging” technology has been around for more than a decade, but until recently it was not widespread and, therefore, regarded as tomorrow’s problem. Now, with 2020’s rapid shift in workplace practices and technology infrastructure, it is top of mind. IT, legal, compliance and security teams are scrambling to understand and respond to a vast landscape of new risk and vulnerabilities. 

To further understand how this impacts organizations, it is helpful to explore implications of the sudden spike in cloud-based enterprise data, how to apply information governance best practices to emerging applications and the broader ediscovery risk that will arise if organizations do not adequately address governance. 

Emerging or Emerged

Cloud-based systems started picking up steam in 2011, when roughly half of enterprises had implemented at least one application (app) (e.g., email, file shares) or a portion of computing infrastructure in the cloud.2 Within two years, the “social enterprise” was gaining momentum, with significant growth in the use of cloud software for enabling user profiles, groups, content sharing, discussions, Wikis, browser-based productivity suites, social tagging and analytics. Applications including Salesforce, Microsoft 365 (formerly Office 365), Box and Asana became staples in enterprise processes and productivity. By 2018, enterprises were spending an estimated US$3.5 million on cloud apps, platforms and services.3 In 2020, the pandemic-prompted exodus to remote work spurred 1,000 percent growth in video calls.4 Other leading collaboration and cloud-based business continuity providers saw more than 70 percent growth5 overall and billions of cumulative active minutes during weekday usage.6 

Gaps in Governance

At many organizations, information governance policies and procedures have still not caught up to these realities. In fact, the previously mentioned survey revealed that overall confidence in navigating the risk associated with social media, Microsoft 365, Google Workspace and other cloud based collaboration apps declined in 2020 compared to 2019.7 This is due in part to the fact that many information governance professionals and IT departments are still working to get their arms around regulatory retention requirements, legal holds and records management for their core systems, such as email archives and file shares. These efforts typically center around managing risk through robust retention policies and procedures and remediating legacy data that are no longer needed for legal, regulatory or business purposes.

Now, the focus must shift to include adding governance for cloud-based messaging and other forms of communications beyond email, which may include private cloud, hybrid cloud, public cloud, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) offerings, each introducing unique issues for user access, governance and ediscovery. Many of the respondents in the 2021 report said that while they were highly aware of and felt moderately prepared for data privacy and data protection issues, the increasing use of unsanctioned tools or cloud based collaboration applications is a serious compliance concern. One respondent said, “The entire data privacy side of these tools is highly underrated as most companies are not really aware of the legal and privacy implications they create and how to comply with them.” Another said, “Companies are ill-prepared to deal with emerging data sources. Simple tools like Slack and Teams present challenges for legal holds in litigation. There are new compliance and data privacy challenges concerning emerging data sources. Also, employees are not as careful with communications and video in messaging platforms as they are in email.”

Policies need a refresh to account for new data sources. Updated processes, technology and enforcement controls will need to be implemented to support compliance with the updated policies. IT should work closely with legal to manage the risk of onboarding new applications and ensuring regulatory requirements are addressed before an implementation, as opposed to being an afterthought.

GIVEN THE COMPLEXITY OF TODAY’S REGULATORY BACKDROP, MOST TOOLS’ NATIVE GOVERNANCE FEATURES ARE OFTEN NOT SOPHISTICATED ENOUGH TO MEET THE NEEDS OF LARGE, MULTINATIONAL ENTERPRISES.

In one example, an organization rolled out Teams to more than 50,000 employees without a governance policy. While customizing the capabilities and applications its employees can access in Teams (and Microsoft Office 365 more broadly), the organization is also aiming to layer its legal, privacy and regulatory rules over these new tools. Doing so will ultimately become part of a broader information governance initiative to fully understand and adequately govern its entire Microsoft 365 ecosystem.

The Intersection of Information Governance and Ediscovery

Many well-established cloud systems such as Microsoft 365, Google Workspace and Slack’s Enterprise offering provide built-in governance capabilities that can help meet baseline needs. However, functionality is varied across these tools, and, given the complexity of today’s regulatory backdrop, most tools’ native governance features are often not sophisticated enough to meet the needs of large, multinational enterprises.

A more effective approach is to feed all data sources into a single archive that can become the foundational repository for data retention, disposal and discovery. Organizations can first conduct an organizationwide data assessment and gap analysis. This will provide an understanding of the impact new data sources have on existing work and workflows and help the information governance team establish a data map of the current universe. Then, everything—data sources, workflows and unique retention policies for different types of information—can be funneled into a sophisticated archive set up to manage governance, risk and compliance.

It is important for IT and legal teams to acknowledge that new data sources are indeed subject to ediscovery obligations and will only become more obliged as tools such as Microsoft Teams, Slack, Zoom and other cloud apps increasingly replace email. Although most of these providers offer application programming interfaces (APIs) that make it possible to extract data and move it into other platforms, the process of doing so is nuanced and typically requires some level of custom software development. Most organizations simply do not have the in-house time or resources to build unique solutions for each novel system that requires governance. A more straightforward and cost-effective approach is required.

Today’s leading compliance archives have taken care of much of that heavy lifting by integrating APIs from hundreds of cloud applications. This allows for data from a wide range of sources to be easily pulled in and stored within the archive. With a central repository for cloud data, organizations can get out in front of the ediscovery burdens of cloudbased data and establish efficient, standardized processes for retrieving key information when a need (e.g., a legal or regulatory issue) arises. This approach also makes it easier for teams to load cloud data into analytics and ediscovery review platforms to utilize machine learning (ML) and artificial intelligence (AI) for quickly finding key facts and understanding what is in the data. Otherwise, IT and legal teams will be at the mercy of the cloud provider or stuck without an efficient way to extract and analyze data when needed.

In addition to alleviating many ediscovery burdens, a central repository can also support compliance with the EU General Data Protection Regulation (GDPR), the US State of California’s California Consumer Privacy Act (CCPA) and other data protection regulations. With cloud data organized and managed under a robust set of policies and controls, organizations can ensure that their data privacy programs are aligned with ediscovery practices and maintain visibility into data that may require privacy protections.

MOST ORGANIZATIONS SIMPLY DO NOT HAVE THE IN-HOUSE TIME OR RESOURCES TO BUILD UNIQUE SOLUTIONS FOR EACH NOVEL SYSTEM THAT REQUIRES GOVERNANCE.

Conclusion

Most large organizations today are managing dozens of data types, and the volume and diversity of data are on pace to continue growing rapidly. Without strong governance controls, including user access controls, use policies, retention and deletion schedules, and program monitoring and enforcement supported by a central repository for all of this information, organizations have no straightforward way to monitor and mitigate the risk associated with their massive data footprint. Like traditional data types, the implications of inadequate governance over cloud data can extend to significant legal, regulatory, security and financial exposure. Regardless of where an organization sits on the information governance maturity spectrum, it is likely time for a refresh of gap assessments, policies and data mapping that examine new cloud applications and how they implicate ediscovery and other legal and regulatory risk.

Endnotes

1 FTI Technology, Relativity, The General Counsel Report 2021: Rising To Today’s Challenges and Building Resilience for the Future, USA, 2021, http://www.ftitechnology.com/resources/white-papers/the-general-counsel-report-2021
2 IDG, 2018 Cloud Computing Survey, USA, 2018, http://www.idg.com/tools-for-marketers/2018-cloud-computing-survey/
3 Ibid.
4 Spataro, J.; “Remote Work Trend Report: Meetings,” Microsoft, 9 April 2020,
http://www.microsoft.com/en-us/microsoft-365/blog/2020/04/09/remote-work-trend-report-meetings/
5 McKendrick, J.; “Everyone Seems Okay With Remote Digital Collaboration, Except Maybe Managers,” Forbes, 10 May 2020,
http://www.forbes.com/sites/joemckendrick/2020/05/10/everyone-seems-okay-with-remote-digital-collaboration-except-maybe-managers/?sh=23cc6ebf3d84
6 Arbuthnot, T.; “Microsoft 365 Hits 30 Billion Daily Collaboration Minutes (DCM) and Over 115 Million Microsoft Teams Daily Active Users (DAU),” 1 November 2020
7 Op cit FTI Technology and Relativity

Tim Anderson

Is a managing director at FTI Consulting’s technology segment. He has more than 20 years of experience in legal technology and specializes in developing strategies for the preservation, collection, analysis, review and production of information stored in emerging enterprise data sources such as Microsoft 365, Google Workspace, Slack, Box, Salesforce, Confluence, Workplace from Facebook and many other cloud-based systems

Ted Barassi

Is a managing director at FTI Consulting’s technology segment. He has more than 20 years of experience in information law and practice, with specialized knowledge of ediscovery and information risk management as well as information security, authentication, privacy data protection and compliance.

Tracy Bordignon

Is a director at the FTI Consulting technology segment’s information governance, privacy and security practice. She consults with clients regarding information governance and data privacy issues including holistic privacy assessments, data remediation, the US State of California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), merger integration and data subject access requests (DSAR).