All posts in Information Management

An Ediscovery Attorney and a Healthcare Security Manager Walk into a Webinar


What do an ediscovery attorney, a forensics investigator and a healthcare security manager have in common? In today’s digital age – everything. 


Kroll Ontrack’s most recent webinar, How To Develop a Data Preservation & Collection Plan in Preparation for Litigation, hosted by Healthcare Informatics, gave attendees a hard look into the challenges healthcare organizations face when a government investigation or civil litigation arises.

Kroll Ontrack SVP of consulting Cathleen Peterson and healthcare security manager Brian Abel put their own professional experiences on display as they navigated this challenging intersection between healthcare, law and technology.


Truth is, an ediscovery attorney, a forensics investigator and a healthcare security manager have a lot in common. Today’s healthcare organizations are traversing a new information technology terrain. Growing data volumes, increased information security threats, vast data collection efforts and computer forensics investigations require a higher level of comprehension from all experts.

As Brian and Cathleen discussed via a real-world case study, legal, regulatory and compliance requirements oblige hospitals and healthcare organizations to properly handle electronically stored information (ESI), or face severe consequences. At the end of the day, this new territory is where technologists meet attorneys and data managers meet security professionals. If your job involves any of these important roles, you will benefit from spending 60 minutes with this new webinar recording.

ILTACon 2016: The Sticky Truth about Tape

Known for profound peer-to-peer panels and the newest legal technologies, this year’s ILTACon did not disappoint. From artificial intelligence (AI) and the cloud to data protection and mobile device forensics, ILTACon attendees heard innovative presentations on emerging trends in legal technology.

Taking center stage at the Kroll Ontrack booth was not the multitude of drinks and tech giveaways, but rather our new product Ontrack DataAdvisor. Whether it’s damaged tapes or multiple generations of legacy tape, Ontrack DataAdvisor will retrieve and catalog the data so you can view your catalogs online and make decisions about your data, as highlighted in our recent case studies.

Bogged Down in Tape; Masking the Real Problem

Many companies satisfy their legal and compliance duties by storing old data on backup tapes, creating a massive amount of legacy data. For a large organization, this can mean holding hundreds or even thousands of tapes in storage – most dating back years and from a variety of outdated software formats.

And then litigation pops up. Suddenly, dark, legacy data must be retrieved and examined. Finding relevant data turns into a herculean task. Going through reams of tape sends litigation costs skyrocketing, and deadlines flash by too quickly. Moreover, even with new proportionality guidelines in the amended Federal Rules of Civil Procedure, courts may be unsympathetic to the expense and time that this situation creates, as a party cannot evade discovery because they chose an inconvenient storage method.

Ontrack DataAdvisor Unsticks Your Tape Troubles

Scotch, duct, packaging, masking, electrical, double-sided – you need the right tool for the right job. When it comes to volumes of legacy backup tapes, Ontrack DataAdvisor unsticks your tape troubles. Here’s how it works:

  • Your catalogs are created by Kroll Ontrack or supplied to Kroll Ontrack;
  • They are ingested into Ontrack DataAdvisor;
  • You can easily view the folder hierarchy of catalogs (media, session, directory, date, file name), search and browse folders.

With this information in hand, you can identify, retrieve and migrate key items on individual tapes – without restoring all data in your tape library. For many #ILTACon2016 attendees who saw demos of Ontrack DataAdvisor, wheels started turning. They commented on how this solution could more easily help them solve the mystery of what is on that box of tapes in the closet.

Top Considerations When Building BYOD Policies


In a recent article, my Kroll Ontrack colleague Vikas Pall wrote about the growing concerns over bring your own device (BYOD) policies. Today’s employees integrate their personal and professional lives, and the use of personal devices for day-to-day employment duties has become ubiquitous. The days of doubling up on devices—one personal, one professional—are over, with BYOD policies emerging as the most enticing option for employees and companies.


While there are many advantages to BYOD, taking on the ambiguities and complications that can come with having employees bring their own devices to work can be a risky move if an organization fails to put a well-planned policy in place.  In his article in ILTA’s Peer to Peer magazine, Vikas outlines the top things to consider when building a BYOD policy.

#1: Assess

Crafting a well thought out BYOD policy is the key to fully utilizing its benefits, but a perfectly planned policy does not appear overnight. A policy must be effective, relatively simple and easy to follow for end users and the IT department. Communication across departments is the best way to make sure all bases are covered.

#2: Plan

Once the broad framework is in place, it is time to finalize the details of the policy. From Android to Apple phones to tablets and wearables, defining exactly what is meant by “bring your own device” is critical. Companies should be device-specific, or limit the devices, and establish a clear service policy for the list of approved BYOD devices. In the midst of planning the functional aspects of a policy, it is equally important to address employee exit strategies. BYOD policies should reference the company’s separated employee process and vice versa.

#3: Implement

To prevent data breaches or corporate hacks, specify what kinds of corporate data may be accessed on which devices and implement mobile device, data and app security measures in your BYOD policy to protect company data and confidentiality. BYOD policies should also touch on preservation and discovery in litigation. Companies can get ahead of failed preservation efforts by adding BYOD data to their ESI data maps and issuing legal hold notices to address what content must be preserved.

#4: Iterate

Companies should regularly audit the effectiveness of their BYOD policy. Look at what new technologies are available and whether they should be supported. Review the current policy points to see if anything wasn’t adopted or could be improved. BYOD policies will continue to evolve with technology and the workforce.

Be sure to read the full article, From Blurred to Secured: Four Steps to a Better BYOD Policy, for a more in-depth analysis of best practices for bring your own device policies.

Guest Blog: Turning on the Lights in a Dark (Data) Room

This is a guest blog written by Tom Barce.

Tom Barce is the Director of Consulting Services for Kroll Ontrack. Mr. Barce brings over 18 years of experience in directing information management, electronic discovery and litigation support initiatives. He is accustomed to delivering strategic vision, consultative services and project management expertise. He has extensive experience in responding to complex electronic discovery demands in numerous litigation and regulatory matters. Through his experience and vision, he strives to continually elevate our community to a higher state of “information intelligence.”

Tom recently spoke on the topic of dark data at the monthly meeting of the ARMA Metro NYC Chapter.

Turning on the Lights in a Dark (Data) Room

At breakneck speed, businesses and individuals are amassing huge volumes of disparate and obsolete data—data that has long gone “dark” within an organization.

Dark data is the neglected data accumulated by an organization during regular business activities—the aging information, untouched archives, ancient web log files, old records of email correspondence. This data is intermingled with highly valuable and sometimes sensitive business information, too. It usually holds little value on its own, and for many organizations it is too costly to access, compile, analyze and manage the data’s retention. For many organizations, it seems easiest to allow the data to amass in the shadowy corner of their IT infrastructure. However, when corporations shine a light on the dark data abyss, unused data can be very illuminating.

Double Check and Utilize Dark Data to Your Advantage

At its core, dark data can present significant risk. Most legal professionals who have responded to a legal or regulatory action have succumbed to the costly pains of trudging through small percentages of antiquated data amongst huge data stores. Notwithstanding such significant risks, dark data presents noteworthy opportunity costs for organizations. For example, reports run from accounting systems about company transactions alone may seem like benign business activity. But what if those reports were emailed to a Gmail account, downloaded to a USB drive or uploaded to a website?  When sources of transactional data like file names, network activity, local computer access, or web history are cross referenced, powerful corollaries can be derived to protect your organization.  While this type of intelligence might not lead to an earth shattering money laundering investigation, it does not hurt to double check activity that might seem questionable. Recognizing how to utilize dark data can allow an organization to prevent, detect and defend against internal and external threats, from spotting internal fraud to harnessing information and gaining an advantage in the market.

Growing contingents of businesses are leveraging great information for marketing and sales. But how many are using data to mitigate or detect risk? While some organizations are letting their data gather dust in the dark, others have focused an information governance spotlight on their once-dark data to extrapolate value from overlooked data and uncover substantial intelligence. For example, by monitoring file downloads to USB connected devices, an organization can prevent losing sensitive data. Conversely, corporations that forgo tapping into unused data may be sacrificing value and risk becoming less efficient and relevant than their competitors.

First Steps to Shining the Light on Dark Data

Unfortunately, shining the light on dark data is not as simple as flipping a switch. A few steps are essential to capitalizing on dark data. First, begin by prioritizing business concerns and risks to establish a starting point for the projects to follow. Next, aim for one project per period (quarterly, semi-annually or yearly) to focus on your concerns and the data you can use to manage them. Leverage people, processes and technology, and understand how to profile the data that is usable to create actionable business and legal intelligence.  Identify easy wins when possible, especially if low cost solutions can securely advance high risk objectives.  Of course, document the process should litigation ever loom on the horizon.

There isn’t a single existing technology solution today that can thoroughly illuminate all the dark data and automatically harvest its value.  That said, with careful forethought and perseverance, corporations can make unwieldy dark data far more comprehendible, less risky and just a little brighter.

Information Governance – It’s a Jungle Out There!

Building information governance (IG) protocols from scratch can feel like getting lost in a jungle. Often it is difficult to know which direction to go to get started on your journey, especially with a thick forest of documents standing in your way. But orienting yourself in the IG jungle is essential to avoid the possibility of leopards attacking you, birds swooping down on you, or those sneaky critters that might come back to bite you. Luckily, we’ve created a handy IG Guide to help you navigate through the underbrush and into the clear!

The guide includes critical information on IG, such as how to amplify the value of enterprise information, manage data and control ediscovery, as well as how to reduce data governance risks and costs. Also included is a look into how a hypothetical company, Healthy Nuts, found their way through the IG jungle. Find out more about their story and information governance here.

Choose Your Own Adventure: Mastering Information Governance in the Workplace

Choice A or Choice B? Choice C or Choice D? There’s nothing quite like the mystery and thrill of the Choose Your Own Adventure (CYOA) novel, where the reader gets to direct and navigate the story of their choice.

Similarly, when it comes to Information Governance (IG) programs, corporate counsel and the IG team get to create their own old school CYOA storyline by defining the processes and implementation of the multi-disciplinary structures, policies and programs necessary to control and organize data. Kroll Ontrack’s Tom Barce recently wrote an article, Information Governance: Be Prepared for a Data Disaster, discussing the importance of IG programs and what corporations should be aware of in regards to what an IG program can do.

To showcase the advantages of IG programs, let’s consider the following scenario for Health Nuts (HN), a large (fictional) multi-national company in the nutritional supplements industry:

The company has hundreds of employees and millions of records containing private and personal data. Over the past decade, the company has grown rapidly through acquisition. HN recently expanded into Brazil, however, very little has been done to integrate the various data management policies and procedures from the newly acquired companies. Some divisions of HN are highly technical, with employees leveraging modern communication devices and forums, as well as using personal devices for work communications.

Do you:

Choice A: continue as is and allow various data management policies to continue


Choice B: re-evaluate the complexities and dangers of rapid growth and insufficient data policies and consider incorporating an IG program

For inside counsel and IG teams, the above hypothetical should raise blaring issues of security, management and data protection. Unfortunately, with corporations now fully entrenched in the digital age, counsel are playing a catch-up game with how fast data is created and where the data goes, and many do not recognize the need for a robust IG program. When utilized properly, IG programs can control a corporation’s data and maximize its value, but only if the information at hand is under control. So what happens if the information is not under control and a corporation chooses Choice A? Let’s return to the aforementioned Health Nuts Corporation:

The nature of the organization’s data management and decentralized IT systems left it ripe for attack. Three months ago, the company suffered a data breach and is still trying to determine the scope of the attack across its divisions. Due to this, customers have experienced identity theft and fraud. Compounded with the fact that state and federal agencies are investigating the nature of the breach, a lawsuit is clearly imminent.

Do you:

Choice C: Await litigation


Choice D: Go back to the initial set-up and implement an IG program

For Health Nuts and for most corporations, the above situation is not too far from the norm if corporations choose Choice A over Choice B. Fortunately, steps can be taken to mitigate this hair-raising data disaster by choosing Choice D and following these initial steps:

Be Aware of Your Data and Know How to Leverage People, Processes and Technology

Before making any decisions about a company’s data, counsel needs to understand what, and where, data is stored and what the current policies regarding data retention and destruction are. Counsel needs to be especially concerned with the nature, location, security and maintenance of personally identifiable information (PII) as well as “dark data,” or data that is created, processed, and stored in the regular course of business and is not currently in use. Once a corporation’s data is located and secured, the next step would be to leverage current employees in the IT and Information Security departments to ensure the appropriate emphasis is placed on training them and the organization-at-large about the policies and definitions of the IG program. In addition, data categorization, auto-classification, and predictive coding solutions may be utilized as part of your IG strategy to reduce costs while organizing data for future use. Furthermore, counsel must consider data that has been placed on legal hold and held in a legal hold repository. This data and the associated obligations are the burdensome, but necessary, exceptions to effective IG that can lead so many corporations to complacency.

De-Cluttering Company Data…

The success of IG programs depends on a number of factors, including the increased business utility of the data under management, storage savings, impact on ediscovery and company productivity. In today’s modern age, data tends to accumulate exponentially. To prevent the hoarding of extraneous data, corporations must learn to dispose of unnecessary information and learn to sift through the types of data that will have a great effect on protecting company, employee and consumer data while streamlining ediscovery responses by eliminating irrelevant documents. In addition, de-cluttering company data can increase the value and efficiency of an IG program, thus allowing for more effective analytics.

…But Keeping the Necessary Documentation

Through the process of streamlining the IG program, organizations must ensure that they effectively document their processes. This includes clarifying IG program goals, definitions, policies and procedures, as well as employee training, enforcement actions, audit practices and program evaluations. Corporations should document these processes in anticipation of dealing with legal or regulatory actions, as well as help in the overall evaluation of the IG program. Successful documentation can lead to increased visibility and better opportunities for corporations to address and fix problems.

If corporations wish to avoid a data disaster, the choice is clear. By utilizing an effective IG program to locate, secure, and document their information retention and destruction processes, corporations may avoid or, at a minimum, mitigate the risks and damages that result from data breaches and/or regulatory and litigation events.  For more information, check out Information Governance: Be Prepared for a Data Disaster today!

Information Governance: Points from the Professionals

Information governance (IG) is becoming more and more critical to any organization’s success in controlling the sheer mass of data generated in the ordinary course of business.  However, determining the best ways to get information under control has many organizations at a standstill, with too many organizations only enacting IG practices after disaster strikes.

To highlight the importance of developing effective IG programs, the Information Governance Initiative (IGI) interviewed a number of IG practitioners in differing industries and recently published two reports. Stories in Information Governance: The IGI 2015 Benchmarking Report and the accompanying document, Information Governance: Tips from the Trenches, compile valuable expert insight and practitioner tips to help any organization evaluate and cultivate an IG program. Across both resources, a couple of central themes emerged:

Secure Support for Information Governance

Selling a program meant to protect against a vague, future threat is undoubtedly a challenge, but securing executive support and funding is essential for success. Using mock scenarios to test your program’s strengths and weaknesses, calculating the costs of inaction and consulting an outside expert can help win over a tough crowd and jumpstart an IG program or revive an old one.

Integrate Information Governance into the Entire Organization, not just a Single Department

By coordinating IG throughout the whole organization, end users will learn to think of information as belonging to the organization as a whole, not just as one department’s problem. For example, creating a senior IG role and developing an IG council of interdepartmental players can optimize the effectiveness of a program. Further, exploring technology options that can automate as many processes as possible and eliminate end-user variability can make for a streamlined, cost-effective integration of IG policies and procedures into your organization.

Look for Smart Solutions to Challenging Information Governance Problems

Encountering roadblocks while starting and running an IG program is par for the course; don’t shy away from creative solutions. Proactive and creative planning gives you the chance to highlight the value of a strong IG program and garner support from key stakeholders. For example, leveraging versatile technology used to address one problem for other purposes can help stretch a limited budget. Rather than fixating on short-term hang ups, utilizing resources and finding a balance between completing current projects and achieving long-term goals will create a strong IG core at the heart of every project.

Make sure you take time to read these two valuable resources from IGI today: Stories in Information Governance: The IGI 2015 Benchmarking Report and Information Governance: Tips from the Trenches.

Webinar On-Demand: Applying Technology to Information Governance


Within an enterprise, the importance of information governance (IG) is greater than ever as we soar towards a global economy equipped with rapidly evolving technology. Understanding how modern technologies and ediscovery practices apply to IG is integral.

Kroll Ontrack recently presented a webinar, Applying Technology to Information Governance, addressing just this. Panelists included:

  • Bennett Borden, a Partner at Drinker Biddle in Washington DC
  • Cathleen Peterson, Senior Vice President of Consulting, Client Services and Operations, Kroll Ontrack

Together, these two experts discussed the complexities of IG, along with how to develop and implement successful programs.

Defining Information Governance

The best place to start the conversation around information governance is to understand what it is and how it differs from information management.

  • Information Management: HOW information flows through an enterprise. Activities include collection and distribution of information in an organization.
  • Information Governance: WHY an organization has information in the first place. Activities involving information governance run the gamut from ediscovery and privacy to business intelligence and analytics.

Developing Information Governance Programs

There are multitudes of IG programs that a company could develop. What an organization chooses depends on its business needs and available resources. A successful program will leverage these key tenets, starting small and building momentum:

  • Define organizational objectives
  • Determine the information needed
  • Organize the information
  • Ascertain the value
  • Dispose of the information when it is no longer valuable

Common IG projects companies are undertaking today include:

  • Updating policies and procedures
  • Data consolidation and cleanup
  • Defensible data remediation
  • Intelligent migration
  • Legal hold

Information Governance Resources

Looking to learn more about what information governance (IG) is, how to develop IG programs, and what IG projects companies are undertaking today? Download this Kroll Ontrack webinar on-demand.

Further, don’t miss this new IG resource from the Information Governance Institute (IGI): Information Governance in 2020.

Is data security your organization’s greatest worry? If not, it should be…


This blog post is brought to you by Raul Cuervo, Ediscovery Manager at Kroll Ontrack

I recently had the pleasure of spending time with a partner and client at the largest law firm on the planet. During our conversation, he asked me a question that I have not been able to stop thinking about since. “What do I consider to be my greatest risk/fear as a company?” I began to think of several things, such as competition from behind the firewall solutions, the downward pressure on processing/hosting fees, etc. His response was totally different than I expected. “Your greatest risk/fear should be someone hacking into your servers, stealing my client’s data and putting it up on the Internet!” WOW!

Emphasizing Data Security

We have all, as of late, been hearing news stories about individuals stealing intellectual property and personal information from corporations and even countries! Such stories spur obvious questions, such as “how does this happen?” And, “how do we protect our law firm/corporation from the vulnerabilities that are a reality of today’s world?” After spending an hour with this partner and going through the client safety and data security concerns he wakes up daily worrying about, I was sold. More emphasis needs to be placed on data security.

Fortunately, I was able to answer his question about data security with the utmost confidence. My data center is like Fort Knox. With 20 PB of active data stored across four data centers around the globe, Kroll Ontrack  has a fully redundant infrastructure and monitors customer data 365X24X7 through ingress and egress monitoring, surveillance systems, dual biometric and personnel badge access. Having been in the ediscovery business for about 13 years, I can absolutely say that is not the case for a large majority of providers. It is not uncommon for a “data center” to in essence be a closet with a rack of several servers, which is “protected” by a receptionist at the front desk, whose main responsibility is to answer telephones and greet guests.

8 Key Data Security Questions

As a professional in the industry, I am certainly proud of the efforts, attention and expense Kroll Ontrack places on the security of our customer’s data. The idea of sending client data to a place where security is an afterthought at best should be truly frightening to my clients.  So, if data security has not previously been at the forefront of your concerns for your clients, I hope this message resonates and changes your behaviors and perhaps the questions you ask prospective providers. Here are 8 questions to consider the next time you need to leverage a third party:

  • How is access to physical premises controlled?
  • Have you asked for security audits? Have you/vendor done penetration testing (pen testing)?
  • Where is the data stored/maintained?
  • What is your chain of custody process and how is it managed?
  • Who has access to my data?
  • Can I limit access and permissions?
  • How is access to my data controlled?
  • Any of these are good questions to ask and should be. Also have you toured the facility?

What are your greatest fears or risks as a company?

Raul Cuervo
Ediscovery Manager, Mid Atlantic & S.E. Region
Direct: 202-525-8049