Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Shadow information technology, sometimes known as rogue IT or consumer IT, represents pockets of information technology lurking within a company that operate outside the organization’s IT department. Ranging from ad hoc databases and backups to portable media that leave the workplace, shadow IT is a phenomenon whose importance should be clear to litigators. Companies and their employees are using technology and storing data that will not likely be uncovered or preserved when the need arises, absent a specific and diligent effort to identify and interview those most knowledgeable. By any name, the phenomenon involves technologies, applications and data that are created or used by employees, but that run under the radar of the corporate information technology group. Rogue IT usually refers to projects that were started by business units with needs that were not being met by corporate IT. These projects may have addressed legitimate requirements for the business, but the technologies were not developed by the corporate side because of budgetary and resource restrictions. Shadow IT and consumer IT increasingly reflects consumer-based technology that makes its way into the workplace, often in increments too small to notice. A thumb drive here, an instant messaging account there, and suddenly the inmates are running the asylum. Recent studies have found that 20% of IT spending occurs in shadow mode. Additionally, 60% of information technology users had “consumer grade” software, and people outside IT who are performing IT functions represent as much as 78% of the total IT “staff.” See “ Shining the Light on Shadow Staff,” Cindy McNeese et al. Drivers of this phenomenon include cost, availability and quality of services from structured IT, and a lack of policies or effective controls to manage user behavior. Gartner Inc. research predicts that between 2007 and 2012, the majority of new information technologies adopted by the enterprise will have their roots in the consumer marketplace. Patton, supra. Lest one think that engaging structured IT workers ensures compliance, it’s important to note that sometimes even they can’t find their own data. There is a story that a network server at the University of North Carolina had been missing (yet running) for four years. IT personnel were unable to locate it until they followed the cable to a wall, where the server had been sealed behind drywall by maintenance workers. Urban legend or not, one can imagine that the complex and shifting landscape of today’s corporate IT systems challenges even the most conscientious IT manager. Both the recent updates to the Federal Rules of Civil Procedure and evolving case law underscore the point that lawyers and their clients must be diligent in identifying and preserving all potential sources of responsive data in litigation. An hour-long interview with the IT executive is not adequate. Instead, in-house and outside counsel must work to identify the several individuals who can collectively articulate the most accurate picture of the formal IT landscape, keeping in mind that there will be added value in business area interviews to uncover shadow repositories. Further, it is no longer enough simply to lob a preservation notice over the figurative fence and hope for the best. Careful assessment of potentially responsive sources of data, custodians and data types is needed. As the court said in Zubulake v. UBS Warburg, 229 F.R.D. 422, 432, 434 (S.D.N.Y. 2004), “[c]ounsel must take affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched,” and “[o]ne of the primary reasons that electronic data is lost is ineffective communication with information technology personnel.” Follow-up is, therefore, essential to ensure that individual custodians are made aware of their obligations, and also to assess the completeness of the notice, both as to custodians and data sources. Rogue categories The technologies most commonly found in rogue and shadow IT may be divided into three categories: storage of convenience, tools of convenience and applications of convenience � things employees create and use to make their jobs easier and more convenient, and themselves more productive. High on the storage list are thumb drives, jump drives and other portable devices. With thumb drives now available in sizes up to 16 gigabytes, at prices as low as $19.95 (and often free at trade shows), these miniature drives are available as wristbands, watches and necklaces, so they may constantly be available to the wearer at work and at home. It makes sense, then, that the data deemed most important, current or valuable by the wearer � and, perhaps, to the lawyer � may be found on these drives. Less common but rising fast is the use of Internet-based storage. Hosted sites such as iBackup, Xdrive (a service of America Online) and GlobalDrive offer online storage for all types of data. Five gigabytes of storage (i.e., 375,000 pages of documents) is available for free on some sites, or for up to only $99 per year on others. Their advertising reads like a lawyer’s nightmare: “Applications that you currently use will be able to access your GlobalDrive-stored data as if it were stored on your PC.” Tools of convenience include communication platforms, utilities, hardware and software applications that are “consumer grade,” originally targeted at the individual or small business rather than the enterprise. Perhaps the most visible of these are communication tools: instant messaging and Internet service provider (ISP) mail (such as Yahoo! and AOL). No longer the exclusive realm of the under-18 set, Internet-based communication technologies are used extensively by corporate employees who were well out of college before the advent of the personal computer. The potential dangers of these are many. For example: Journalist Ben Worthen of CIO magazine, writing about the growth of shadow IT, admitted that he forwarded all his work e-mail to his Gmail account, because, he said, “Our work e-mail system is Lotus Notes, and while it has a web-based interface, the design is clunky and the URL is hard to remember.” He goes on to say that e-mail has become his de facto document repository, and that through his personal Gmail account he can circumvent the IT department’s storage limit. So, at the end of the day, some amount of CIOmagazine’s intellectual property (and who knows what else) is stored on Google’s servers � forever. Other tools of convenience include Voice over Internet Protocol (VoIP), such as Skype, and social networking software, such as MySpace, Facebook and LinkedIn. Skype can be downloaded for free and easily installed by employees, and claims more than 100 million registered users. The issue for businesses is employees’ use of Skype’s instant messaging capability � which can store the contents of chats � and of its original VoIP telephony service. Without corporate-level controls, firewalls and security protocols, data and voice are exposed over the Internet. Further, Skype natively cannot log or monitor calls, which can pose a real problem for companies that must adhere to strict monitoring standards. Skype reports that business users account for 30% of its downloads. On the desktop side, Google Desktop, released for free to consumers in 2004, has allowed corporate users to index the entire contents of their hard drives for searching in the same way that Google indexes the Web. Because of the option also to search across computers, copies of files such as Word and PDF documents may be copied to Google’s servers. This creates obvious risks regarding privacy, security and document retention. Personal digital assistants, iPods and BlackBerrys are only a few of the many handheld devices frequently purchased by the employee-consumer for business and personal use. They are used for communication and data storage, and their data are not generally protected should the device be stolen. These devices often are overlooked in a litigation hold and collection process and, if owned by the employee rather than the organization, may become “less available” when the need for data preservation and collection arises. One of the scarier developments is the rapid rise of consumer “privacy” tools, including at least two dozen snoop-proof e-mail services, such as Stealth Message; anonymous remailers like Anonymize.-net; more than 30 anonymous surfing services, such as The Cloak; HTML filters that can clean Internet histories and route Web pages around firewalls; voice communication, e-mail, computer file and instant messaging encryption; and disc or file erasing, the most infamous being Evidence Eliminator. Although usually legitimate when used for personal data and communication, these tools in a business setting may be cause for concern. For example, attempts at drive wiping are fairly common among employees who leave a company under less-than-desirable circumstances. Applications of convenience An application of convenience is one that is based on a corporate standard (such as Microsoft Excel or Access), but that is used in an unconventional way or in lieu of existing enterprise programs. One example of this is the creation of ad hoc databases in Microsoft Access. Available as part of the Office Suite, Access is relatively simple to use, and the novice can get started building an application through wizards. The ease with which these databases may be built means that they sprout up overnight to serve a particular need, and are as quickly forgotten. However, the database files usually live on � on hard drives, on network shares, on backups � but are not cataloged or otherwise documented. At the other end of the spectrum are departmental or enterprise applications built outside the IT enterprise. Driven by needs not met by IT, employees (whom Gartner calls “digital natives”) launch their own initiatives and develop software, databases and other high-end tools for their businesses. Although the innovation is commendable, the risks may also be high. Leaving aside such considerations as a lack of documentation, testing, security and maintenance procedures, a focus simply on the lack of data retention, data backup and cataloging should be enough to give litigators palpitations. As one blogger put it, “Every department has little custom apps that they’ve developed in Excel, Access, or something else.” “Frankly, most people I know try not to talk to their IT departments.” This anonymous comment, which was posted on the CIO.com blog, says it all. There are a number of things lawyers may do to help ensure that potentially relevant sources of data are located, beyond talking with corporate IT: • Data and practice mapping. This is the process of identifying an organization’s current practices for data management. Through a series of interviews, one can address such topics as data storage locations, volumes and system architecture; specialized applications; backup procedures and backup inventory; e-mail and other communication software; and policies and practices regarding hardware and data-storage management. • Interviews. For any particular matter, it is critical that key players be interviewed not only for topical input, but also regarding their data-management practices. The greatest appeal of many shadow IT tools is that they are free. The ultimate cost, however, is anything but “free,” when measured in terms of risk and exposure to the organization. • Rule 30(b)(6). Lawyers should consider working through a mock 30(b)(6) deposition with the “person most knowledgeable” in the organization’s IT group. They will either come away (a) confident that shadow IT is well in-hand, or (b) convinced that the inmates have, indeed, taken over, and that they’d best get a handle on shadow IT well before the next litigation arises. The bottom line is that most of these data sources and technologies will not be identified simply through an hour interview with the IT designee. They will be found only through careful and methodical inquiry. Going through such an exercise, however, will both help the organization weather the storms of discovery and shed some needed light on the reality of real-life technology use. Deborah H. Juhnke is director of electronic discovery services at Kansas City, Mo.-based Blackwell Sanders Peper Martin. She assists clients with the development of electronic discovery plans, provides e-discovery consulting services, project management and training, as well as litigation readiness planning, data and practice mapping.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.