All posts in Information Management

Inspiration & Innovation from ING3NIOUS: 3 Takeaways from NorCal 2017

Last week, I enjoyed the privilege of speaking on a panel with distinguished colleagues at the ING3NIOUS 2017 NorCal Information Governance Retreat in Carmel Valley, Calif. Our panel was appointed to discuss TAR and what we, as an industry, have learned about using it in legal matters. This session was one among a series of insightful discussions about the needs, direction, impact and practicality of technology in information governance, data security and electronic discovery. Overall, this retreat inspired, challenged and informed everyone in attendance. The scale and setting is more intimate than some other events, which resulted in a healthy exchange of ideas and challenges from experts and innovators in technology and law. Amongst the many great stories and lessons learned, I walked away from the retreat with three major observations.

#1 There’s more work to do with Technology Assisted Review.

As mentioned in my prior blog post, predictive coding and Technology Assisted Review are commonly accepted at this point. Nevertheless, stakeholders continue to evaluate, and have a healthy debate about, the conflicts and merits of related topics such as the appropriate level of disclosure and incorporation of traditional keyword search. Meanwhile, most of the technology itself has had only one major revolution in its 10 years of use. Namely, the ascent from Simple Active Learning (i.e., the first generation of predictive coding) to Continuous Active Learning. Of course, I am honored to be part of a respected and select field of leaders and innovators in predictive coding solutions to deliver these types of enhancements and much more. After synthesizing the discussion from a few of the panels at the NorCal Retreat, it is apparent that while the sufficiency of productions resulting from predictive coding endeavors remain largely unchallenged, there are a number of opportunities for on-going development and enhancement of predictive analytics, which will require a critical focus on both operability and underlying technology to maintain defensibility and enable counsel to focus on the most important content.

#2 Business processes conflict with situational nuances.

Corporate data has tremendous value to be protected and yet to be derived. In fact, there might even be an opportunity cost to not measuring and assigning an intrinsic value to the data itself. For example, consider valuation of data protected from or subject to a breach. Imagine the insurability of data itself under a commonly accepted valuation model. Meanwhile, a practical path to this idea seems as elusive as substantial application of retention policies to electronically stored information. In fact, trends and sentiments continue to suggest that information retrieval and classification are superseding data destruction priorities as search and analytics technology becomes more precise and computing capacity continues to expand. Many reasonably contend that there is risk in letting old data pile up and rightfully cite the fact that 85 percent of corporate data could be redundant, obsolete or trivial. Others contend volume should not dictate value because losing one good item amongst 20 records matters to some. All of these points demonstrate the natural and on-going tension between the demands of disputes and investigations amidst corporate governance in the information age. While information governance professionals, corporate electronic discovery managers, in-house legal operations and technology companies increasingly strive to manage legal matters and electronic discovery in a manner similar to other business processes, outside counsel cautiously, and almost unilaterally, operate around the variables and nuances of different cases and situations, strongly advocating for approaches that are tuned to the situation.

#3 We all hope and need to unify and streamline.

Despite the complications mentioned above, everyone’s strong conviction is that a more effective and consistent set of solutions can be realized. The give-and-take between customized solutions, new technology, preferred providers and pre-defined solutions means there is still a lot of opportunity along with the challenges. Each organization is aiming to adopt and provide unified processes and innovative technology with practical capabilities across the spectrum of information management, data security, case administration, project management and electronic discovery. For every firm or corporation that selects a solution, there are still others with strong preferences and compelling features and value propositions. There is a lot of room, and perhaps even an acute need, to coalesce around a more concise, stable and sustainable portfolio of technology-enabled solutions. This need will continue to ignite outstanding conferences and working groups like Ing3nious (and Sedona, ILTA, EDI, ERDM, ACEDS, IGI, WiE, etc.), where legal and technology professionals can propel the conversations and initiatives associated with these opportunities in our industry.

Manage Unstructured Data with Unified Archiving: A Case Study

As data volumes grow in today’s digital workplace, so do costs and risks associated with storing large amounts of data for litigation, investigations, regulatory requests, compliance and other requirements. To address these costs and risks, organizations need one technology system to seamlessly address information management, bringing together data from disparate systems while eliminating duplicate data sets. The compliance and ediscovery challenges of one organization are documented in a recent case study, developed by ZL Technologies and KrolLDiscovery.

An Archiving Case Study

A large, international bank, based in Switzerland, operated two instances of a compliance technology solution. These compliance tools were incompatible and incapable of merging, thereby creating an unnecessarily complex compliance process. Also, the bank sought a platform that would facilitate searching for documents across the enterprise to aid in collecting and producing documents in legal discovery matters.

The bank understood that while compliance and ediscovery are often treated as separate functions, the two are closely interrelated and use much of the same data. This relationship led the bank to look for a solution that could offer a single repository for both systems in order to streamline compliance and ediscovery processes. The bank turned to KrolLDiscovery and its partner ZL Technologies to assist in implementing such a solution. Combining KrolLDiscovery’s experts in data management with ZL Technologies’ dynamic information governance platform, enables enterprises to better understand what data they have and where it resides.

The ZL solution was initially deployed in the bank’s Americas region, specifically in the United States and Canada. Once proven successful in these locales, the bank decided to launch the solution in other international locations, deploying it in its Bahamas, Europe and Asia offices. Beyond standardizing on a unified, global compliance and ediscovery technology platform, the bank also established its governance and data management principles as well as compliance and ediscovery workflows, critical goals for the global enterprise.

ZL and KrolLDiscovery: A 10+ Year Partnership

With the ZL Unified Archive platform, KrolLDiscovery helps to eliminate common business problems that go along with the unrelenting growth of data. Recently, KrolLDiscovery and ZL celebrated more than 10 years of partnership helping organizations manage unstructured data for ediscovery, compliance, records management and knowledge management.

An Ediscovery Attorney and a Healthcare Security Manager Walk into a Webinar

Healthcare

What do an ediscovery attorney, a forensics investigator and a healthcare security manager have in common? In today’s digital age – everything. 

HIGH-TECHNOLOGY HEALTHCARE

Kroll Ontrack’s most recent webinar, How To Develop a Data Preservation & Collection Plan in Preparation for Litigation, hosted by Healthcare Informatics, gave attendees a hard look into the challenges healthcare organizations face when a government investigation or civil litigation arises.

Kroll Ontrack SVP of consulting Cathleen Peterson and healthcare security manager Brian Abel put their own professional experiences on display as they navigated this challenging intersection between healthcare, law and technology.

CASE STUDY: EDISCOVERY HEALTH CHECK

Truth is, an ediscovery attorney, a forensics investigator and a healthcare security manager have a lot in common. Today’s healthcare organizations are traversing a new information technology terrain. Growing data volumes, increased information security threats, vast data collection efforts and computer forensics investigations require a higher level of comprehension from all experts.

As Brian and Cathleen discussed via a real-world case study, legal, regulatory and compliance requirements are requiring hospitals and healthcare organizations to properly handle electronically stored information (ESI), or face severe consequences. At the end of the day, this new territory is where technologists meet attorneys and data managers meet security professionals.  If your job involves any of these important roles, you will benefit from spending 60 minutes with this new webinar recording.

Top Considerations When Building BYOD Policies

ediscovery

Vikas_PallIn a recent article, my Kroll Ontrack colleague Vikas Pall wrote about the growing concerns over bring your own device (BYOD) policies. Today’s employees integrate their personal and professional lives, and the use of personal devices for day-to-day employment duties has become ubiquitous. The days of doubling up on devices—one personal, one professional—are over, with BYOD policies emerging as the most enticing option for employees and companies.

 

While there are many advantages to BYOD, taking on the ambiguities and complications that can come with having employees bring their own devices to work can be a risky move if an organization fails to put a well-planned policy in place. In his article in ILTA’s Peer to Peer magazine, Vikas outlines the top things to consider when building a BYOD policy.

#1: Assess

Crafting a well thought out BYOD policy is the key to fully utilizing its benefits, but a perfectly planned policy does not appear overnight. A policy must be effective, relatively simple and easy to follow for end users and the IT department. Communication across departments is the best way to make sure all bases are covered.

#2: Plan

Once the broad framework is in place, it is time to finalize the details of the policy. From Android to Apple phones to tablets and wearables, defining exactly what is meant by “bring your own device” is critical. Companies should be device-specific, or limit the devices, and establish a clear service policy for the list of approved BYOD devices. In the midst of planning the functional aspects of a policy, it is equally important to address employee exit strategies. BYOD policies should reference the company’s separated employee process and vice versa.

#3: Implement

To prevent data breaches or corporate hacks, specify what kinds of corporate data may be accessed on which devices and implement mobile device, data and app security measures in your BYOD policy to protect company data and confidentiality. BYOD policies should also touch on preservation and discovery in litigation. Companies can get ahead of failed preservation efforts by adding BYOD data to their ESI data maps and issuing legal hold notices to address what content must be preserved.

#4: Iterate

Companies should regularly audit the effectiveness of their BYOD policy. Look at what new technologies are available and whether they should be supported. Review the current policy points to see if anything wasn’t adopted or could be improved. BYOD polices will continue to evolve with technology and the workforce.

Be sure to read the full article, From Blurred to Secured: Four Steps to a Better BYOD Policy, for a more in-depth analysis of best practices for bring your own device policies.

Guest Blog: Turning on the Lights in a Dark (Data) Room

This is a guest blog written by Tom Barce.

t_barce2015Tom Barce (thomas.barce@krolldiscovery.com) is the VP of Thought Leadership at KrolLDiscovery. Mr. Barce brings over 18 years of experience in directing information management, electronic discovery and litigation support initiatives. He is accustomed to delivering strategic vision, consultative services and project management expertise. He has extensive experience in responding to complex electronic discovery demands in numerous litigation and regulatory matters. Through his experience and vision, he strives to continually elevate our community to higher state of “information intelligence.”

Tom recently spoke on the topic of dark data at the monthly meeting of the ARMA Metro NYC Chapter.

Turning on the Lights in a Dark (Data) Room

At breakneck speed, businesses and individuals are amassing huge volumes of disparate and obsolete data—data that has long gone “dark” within an organization.

Dark data is the neglected data accumulated by an organization during regular business activities—the aging information, untouched archives, ancient web log files, old records of email correspondence. This data is intermingled with highly valuable and sometimes sensitive business information, too.  It usually holds little value on its own and for many organizations it is too costly for an organization to access, compile, analyze and manage the data’s retention. For many organizations, it seems easiest to allow the data to amass in the shadowy corner of their IT infrastructure. However, when corporations shine a light on the dark data abyss, unused data can be very illuminating.

Double Check and Utilize Dark Data to Your Advantage

At its core, dark data can present significant risk. Most legal professionals who have responded to a legal or regulatory action have succumbed to the costly pains of trudging through small percentages of antiquated data amongst huge data stores. Notwithstanding such significant risks, dark data presents noteworthy opportunity costs for organizations. For example, reports run from accounting systems about company transactions alone may seem like benign business activity. But what if those reports were emailed to a Gmail account, downloaded to a USB drive or uploaded to a website?  When sources of transactional data like file names, network activity, local computer access, or web history are cross referenced, powerful corollaries can be derived to protect your organization.  While this type of intelligence might not lead to an earth shattering money laundering investigation, it does not hurt to double check activity that might seem questionable. Recognizing how to utilize dark data can allow an organization to prevent, detect and defend against internal and external threats, from spotting internal fraud to harnessing information and gaining an advantage in the market.

Growing contingents of businesses are leveraging great information for marketing and sales. But how many are using data to mitigate or detect risk?  While some organizations are letting their data gather dust in the dark, others have focused an information governance spotlight on their once-dark data to extrapolate value from overlooked data and uncovering substantial intelligence. For example, by monitoring file downloads to USB connected devices, an organization can prevent losing sensitive data. Conversely, corporations that forgo tapping into unused data may be sacrificing value and risk becoming less efficient and relevant than their competitors.

First Steps to Shining the Light on Dark Data

Unfortunately, shining the light on dark data is not as simple as flipping a switch. A few steps are essential to capitalizing on dark data. First, begin by prioritizing business concerns and risks to establish a starting point for the projects to follow. Next, aim for one project per period (quarterly, semi-annually or yearly) to focus on your concerns and the data you can use to manage them. Leverage people, processes and technology, and understand how to profile the data that is usable to create actionable business and legal intelligence.  Identify easy wins when possible, especially if low cost solutions can securely advance high risk objectives.  Of course, document the process should litigation ever loom on the horizon.

There isn’t a single existing technology solution today that can thoroughly illuminate all the dark data and automatically harvest its value.  That said, with careful forethought and perseverance, corporations can make unwieldy dark data far more comprehendible, less risky and just a little brighter.

Information Governance – It’s a Jungle Out There!

Building information governance (IG) protocols from scratch can feel like getting lost in a jungle. Often it is difficult to know which direction to go to get started on your journey, especially with a thick forest of documents standing in your way. But orienting yourself in the IG jungle is essential to avoid the possibility of leopards attacking you, birds swooping down on you, or those sneaky critters that might come back to bite you. Luckily, we’ve created a handy IG Guide to help you navigate through the underbrush and into the clear!

The guide includes critical information on IG, such as how to amplify the value of enterprise information, manage data and control ediscovery, as well as how to reduce data governance risks and costs. Also included is a look into how a hypothetical company, Healthy Nuts, found their way through the IG jungle. Find out more about their story and information governance here.

Choose Your Own Adventure: Mastering Information Governance in the Workplace

Choice A or Choice B? Choice C or Choice D? There’s nothing quite like the mystery and thrill of the Choose Your Own Adventure (CYOA) novel, where the reader gets to direct and navigate the story of their choice.

Similarly, when it comes to Information Governance (IG) programs, corporate counsel and the IG team get to create their own old school CYOA storyline by defining the processes and implementation of the multi-disciplinary structures, policies and programs necessary to control and organize data. Kroll Ontrack’s Tom Barce recently wrote an article, Information Governance: Be Prepared for a Data Disaster, discussing the importance of IG programs and what corporations should be aware of in regards to what an IG program can do.

To showcase the advantages of IG programs, let’s consider the following scenario for Health Nuts (HN), a large (fictional) multi-national company in the nutritional supplements industry:

The company has hundreds of employees and millions of records containing private and personal data. Over the past decade, the company has grown rapidly through acquisition. HN recently expanded into Brazil, however, very little has been done to integrate the various data management policies and procedures from the newly acquired companies. Some divisions of HN are highly technical, with employees leveraging modern communication devices and forums, as well as using personal devices for work communications.

Do you:

Choice A: continue as is and allow various data management policies to continue

OR

Choice B: re-evaluate the complexities and dangers of rapid growth and insufficient data policies and consider incorporating an IG program

For inside counsel and IG teams, the above hypothetical should raise blaring issues of security, management and data protection. Unfortunately, with corporations now fully entrenched in the digital age, counsel are playing a catch-up game with how fast data is created and where the data goes, and many do not recognize the need for a robust IG program. When utilized properly, IG programs can control a corporation’s data and maximize its value, but only if the information at hand is under control. So what happens if the information is not under control and a corporation chooses Choice A? Let’s return to aforementioned Heath Nuts Corporation:

The nature of the organization’s data management and decentralized IT systems left it ripe for attack. Three months ago, the company suffered a data breach and is still trying to determine the scope of the attack across its divisions. Due to this, customers have experienced identity theft and fraud. Compounded with the fact that state and federal agencies are investigating the nature of the breach, a lawsuit is clearly imminent.

Do you:

Choice C: Await litigation

OR

Choice D: Go back to the initial set-up and implement an IG program

For Health Nuts and for most corporations, the above situation is not too far from the norm if corporations choose Choice A over Choice B. Fortunately, steps can be taken to mitigate this hair-raising data disaster by choosing Choice D and following these initial steps:

Be Aware of Your Data and Know How to Leverage People, Processes and Technology

Before making any decisions about a company’s data, counsel needs to understand what, and where, data is stored and what the current policies regarding data retention and destruction are. Counsel needs to be especially concerned with the nature, location, security and maintenance of personally identifiable information (PII) as well as “dark data,” or data that is created, processed, and stored in the regular course of business and is not currently in use. Once a corporation’s data is located and secured, the next step would be to leverage current employees in the IT and Information Security departments to ensure the appropriate emphasis is placed on training them and the organization-at-large about the policies and definitions of the IG program. In addition, data categorization, auto-classification, and predictive coding solutions may be utilized as part of your IG strategy to reduce costs while organizing data for future use. Furthermore, counsel must consider data that has been placed on legal hold and held in a legal hold repository. This data and the associated obligations are the burdensome, but necessary, exceptions to effective IG that can lead so many corporations to complacency.

De-Cluttering Company Data…

The success of IG programs depends on a number of factors, including the increased business utility of the data under management, storage savings, impact on ediscovery and company productivity. In today’s modern age, data tends to accumulate exponentially. To prevent the hoarding of extraneous data, corporations must learn to dispose of unnecessary information and learn to sift through the types of data that will have a great effect on protecting company, employee and consumer data while streamlining ediscovery responses by eliminating irrelevant documents. In addition, de-cluttering company data can increase the value and efficiency of an IG program, thus allowing for more effective analytics.

…But Keeping the Necessary Documentation

Through the process of streamlining the IG program, organizations must ensure that they effectively document their processes. This includes clarifying IG program goals, definitions, policies and procedures, as well as employee training, enforcement actions, audit practices and program evaluations. Corporations should document these processes in anticipation of dealing with legal or regulatory actions, as well as help in the overall evaluation of the IG program. Successful documentation can lead to increased visibility and better opportunities for corporations to address and fix problems.

If corporations wish to avoid a data disaster, the choice is clear. By utilizing an effective IG program to locate, secure, and document their information retention and destruction processes, corporations may avoid or, at a minimum, mitigate the risks and damages that result from data breaches and/or regulatory and litigation events. For more information, check out Information Governance: Be Prepared for a Data Disaster today!

Information Governance: Points from the Professionals

Information governance (IG) is becoming more and more critical to any organization’s success in controlling the sheer mass of data generated in the ordinary course of business.  However, determining the best ways to get information under control has many organizations at a standstill, with too many organizations only enacting IG practices after disaster strikes.

To highlight the importance of developing effective IG programs, the Information Governance Initiative (IGI) interviewed a number of IG practitioners in differing industries and recently published two reports.  Stories in Information Governance: The IGI 2015 Benchmarking Report and the accompanying document, Information Governance: Tips from the Trenches, compile valuable expert insight and practitioner tips to help any organization evaluate and cultivate an IG program. Across both resources, a couple central themes emerged:

Secure Support for Information Governance

Selling a program meant to protect against a vague, future threat is undoubtedly a challenge, but securing executive support and funding is essential for success. Using mock scenarios to test your program’s strengths and weaknesses, calculating the costs of inaction and consulting an outside expert can help win over a tough crowd and jumpstart an IG program or revive an old one.

Integrate Information Governance into the Entire Organization, not just a Single Department

By coordinating IG throughout the whole organization, end users will learn to think of information as belonging to the organization as whole, not just one department’s problem. For example, creating a senior IG role and developing an IG council of interdepartmental players can optimize the effectiveness of a program.  Further, exploring technology options that can automate as many processes as possible and eliminate end-user variability can make for a streamlined, cost-effective integration of IG policies and procedures into your organization.

Look for Smart Solutions to Challenging Information Governance Problems

Encountering roadblocks while starting and running an IG program is par for the course; don’t shy away from creative solutions. Proactive and creative planning gives you the chance to highlight the value of a strong IG program and garner support from key stakeholders. For example, leveraging versatile technology used to address one problem for other purposes can help stretch a limited budget. Rather than fixating on short-term hang ups, utilizing resources and finding a balance between completing current projects and achieving long-term goals will create a strong IG core at the heart of every project.

Webinar On-Demand: Applying Technology to Information Governance

Information Governance

Within an enterprise, the importance of information governance (IG) is greater than ever as we soar towards a global economy equipped with rapidly evolving technology. Understanding how modern technologies and ediscovery practices apply to IG is integral.

Kroll Ontrack recently presented a webinar, Applying Technology to Information Governance, addressing just this. Panelists included:

Together, these two experts discussed the complexities of IG, along with how to develop and implement successful programs.

Defining Information Governance

The best place to start the conversation around information governance is to understand what it is and how it differs from information management.

  • Information Management: HOW information flows through an enterprise. Activities include collection and distribution of information in an organization.
  • Information Governance: WHY an organization has information in the first place. Activities involving information governance run the gamut from ediscovery and privacy to business intelligence and analytics.

Developing Information Governance Programs

There are multitudes of IG programs that a company could develop. What an organization chooses depends on its business needs and available resources. A successful program will leverage these key tenets, starting small and building momentum:

  • Define organizational objectives
  • Determine the information needed
  • Organize the information
  • Ascertain the value
  • Dispose of the information when it is no longer valuable

Common IG projects companies are undertaking today include:

  • Updating policies and procedures
  • Data consolidation and cleanup
  • Defensible data remediation
  • Intelligent migration
  • Legal hold

Information Governance Resources

Looking to learn more about what information governance (IG) is, how to develop IG programs, and what IG projects companies are undertaking today? Download this Kroll Ontrack webinar on-demand.

Further, don’t miss this new IG resource from the Information Governance Institute (IGI): Information Governance in 2020.

Is data security your organization’s greatest worry? If not, it should be…

Data Security - should it be your organization's greatest worry?

This blog post is brought to you by Raul Cuervo, Ediscovery Manager at Kroll Ontrack

I recently had the pleasure of spending time with a partner and client at the largest law firm on the planet. During our conversation, he asked me a question that I have not been able to stop thinking about since. “What do I consider to be my greatest risk/fear as a company?” I began to think of several things, such as competition from behind the firewall solutions, the downward pressure on processing/hosting fees, etc. His response was totally different than I expected. “Your greatest risk/fear should be someone hacking into your servers, stealing my client’s data and putting it up on the Internet!” WOW!

Emphasizing Data Security

We have all, as of late, been hearing news stories about individuals stealing intellectual property and personal information from corporations and even countries! Such stories spur obvious questions, such as “how does this happen?” And, “how do we protect our law firm/corporation from the vulnerabilities that are a reality of today’s world?” After spending an hour with this partner and going through the client safety and data security concerns he wakes up daily worrying about, I was sold. More emphasis needs to be placed on data security.

Fortunately, I was able to answer his question about data security with the utmost confidence. My data center is like Fort Knox. With 20 PB of active data stored across four data centers around the globe, Kroll Ontrack  has a fully redundant infrastructure and monitors customer data 365X24X7 through ingress and egress monitoring, surveillance systems, dual biometric and personnel badge access. Having been in the ediscovery business for about 13 years, I can absolutely say that is not the case for a large majority of providers. It is not uncommon for a “data center” to in essence be a closet with a rack of several servers, which is “protected” by a receptionist at the front desk, whose main responsibility is to answer telephones and greet guests.

8 Key Data Security Questions

As a professional in the industry, I am certainly proud of the efforts, attention and expense Kroll Ontrack places on the security of our customer’s data. The idea of sending client data to a place where security is an afterthought at best should be truly frightening to my clients.  So, if data security has not previously been at the forefront of your concerns for your clients, I hope this message resonates and changes your behaviors and perhaps the questions you ask prospective providers. Here are 8 questions to consider the next time you need to leverage a third party:

  • How is access to physical premises controlled?
  • Have you asked for Security audits? Have you/vendor done Penetration testing(Pen testing)?
  • Where is the data stored/maintained?
  • What is your chain of custody process and how is it managed?
  • Who has access to my data?
  • Can I limit access and permissions?
  • How is access to my data controlled?
  • Any of these are good questions to ask and should be. Also have you toured the facility?

What are your greatest fears or risks as a company?

Raul Cuervo
Ediscovery Manager, Mid Atlantic & S.E. Region
Direct: 202-525-8049

 
css.php