Every day, organizations around the world are leaving electronic footprints, creating a trail through email, social media and document storage that, if one fails to pay close attention, could quickly evolve from harmless to catastrophic.

This reality presented by electronically stored information (ESI) has ushered in the era of information governance, the practice of managing organizational information for security and compliance challenges. Yet given the speed of technology adoption, many struggle to ensure their ESI is safe. At kCura’s Relativity Fest, a panel titled “The New IG Playbook for Addressing Threats from Personal Clouds, Cyber Attacks and the IoT” explored some of the major issues that can arise without a proper information governance (IG) protocol, as well as how to overcome them.

For example, moderator Philip Favro, consultant at e-discovery services provider Driven Inc., presented a hypothetical in which a fictional manufacturing company called Omega Inc. developed a lucrative proprietary technology. The company was concerned whether its security measures were effective, so it started working with legal to address “weak points” in the corporate network. While the executive team “gets” how important cybersecurity is, it has in the past allocated few resources to support its efforts.

Judy Selby, technology advisory services leader at BDO USA, said that the company is going in the right direction by recognizing the potential problem, but it’s one that should have been addressed sooner. Furthermore, people need to “understand information security is not just an IT problem,” yet while collaboration is good, it needs to extend beyond legal.

What’s needed is a “broad-based coalition with relevant stakeholders in the enterprise sitting down at the same table, discussing how to handle information through the lifecycle, from creation to collection through its ultimate disposition,” she explained.

Darin Sands, shareholder/partner at Lane Powell, noted that legal often tries to “keep its hands clean” because they’re not used to working in this cybersecurity environment. Yet the worlds of privacy, data security and e-discovery are all becoming one now, and the idea that security should be integrated into solutions from the get-go is spreading.

“That mindset, I think we can call it privacy security by design, means collaboration through the lifecycle,” he said. “And that a lot of companies are still failing to do.”

This approach can become somewhat of a headache for IG professionals when dealing with the popular messaging platform Slack, which as of now doesn’t provide security options up to the standards of most enterprises.

“Slack, as much as it’s a great tool, it’s a very, very difficult tool to lock down and be safe,” said Don Billings, Northern California manager of litigation and practice support at Sidley Austin.

According to Sands, Slack “sucks in a vortex” of information from your organization, which from the perspective of data security, privacy and e-discovery “undoes a lot of the effort you put into your IG product.”

And while email is “annoying,” it’s intertwined with e-discovery now; yet at the same time, it’s important to acknowledge that “we’re going to get to a point where email as we know it today isn’t going to exist,” he said. Rather than “treat it as a problem” that only affects some clients, “we really have to engage it now” because it’s the future of communications.

As to how clients are dealing with email storage in the present, Selby noted that current processes raise security and even sometimes regulatory issues (if, say, an email contains health information). “A lot of people aren’t dealing with it because it’s so big, they’re just not dealing with it,” she said.

Cloud technology seems to be evolving faster than enterprises can manage. Popular methods by which people share information, such as Dropbox and Box, are posing increased security risks for companies. Sands noted that while it’s important to make people understand that they shouldn’t be putting company information in these cloud platforms, “at the end of the day, people are people, and they’re going to do it.”

Billings added that he’s seen an increase in companies “just completely blocking access to these tools” rather than trying to manage them.

Sands noted that breaches such as Ashley Madison and Sony aren’t “just about adulterers and Kim Jong-Un,” but instead about going after companies and embarrassing them. Now, attackers are increasingly targeting enterprises and law firms as well.

“I think there is going to be an Am Law 100 law firm that is going to be the subject of a Sony [type] hit just to embarrass them,” he added.

Among solutions suggested by the panel were data mapping and data categorizing. To shape the mindset for categorization, Billings suggested thinking of all information as “digital clutter.”

Sands emphasized the importance of viewing IG as a litigation issue, not just a security issue, and noted that at the core of all data security policies is data minimization. Selby, meanwhile, recommended assessing your security infrastructure to see where you are and expose vulnerabilities to yourself before they’re exposed to somebody else. If an organization has already been breached, see how that has impacted its current situation. “Train for awareness,” she said. Get a security response plan in place “so you can react, and react in a good way.”
