Consider the average-knowledge worker at a midsize company. When he is hired, he gets a computer with a set of applications and a big, empty hard drive. Then he starts creating data, exchanging data, downloading data and transferring data. Maybe he works on a project and completes it, but the data from that project stays on the computer. Or, maybe he transfers departments and takes his computer with him. He also will probably use DVDs, thumb drives, cloud services and social media websites to store information.
Now multiply this example by the thousands of people working in that organization and you can get a sense of just how hard it is to find all of the responsive data you need to respond to a lawsuit. The explosion in electronically stored information (ESI) has introduced exponential risk around the security of data, an organization’s ability to protect and produce that data, and that organization’s ability to prepare in advance of litigation to comply with court requirements.
When a company hands an employee a laptop, the company knows exactly what is on it, but this is probably the last time the company will know with certainty what the laptop contains. Without immediate, verifiable visibility into what exists on a user’s computer at a given point in time, organizations face a daunting task of complying with their legal obligations to regulators, opposing litigants or even internal policies when there are petabytes of data storage in thousands of hard drives throughout the environment.
This lack of visibility can cause problems in a variety of instances:
• The company is sued and needs to gather data for electronic discovery
• The organization needs to conduct an internal investigation for HR, compliance audits or other purposes
• There are sensitive data or unapproved applications that increase risk exposure
• There is a successful data breach that leads to loss of sensitive information
A working knowledge of your corporate IT infrastructure is a key component to a repeatable and defensible e-discovery process. Knowing what storage devices exist, and what type of information is stored and where it is stored will increase the effectiveness and efficiency of your e-discovery process. It also is a requirement under Rule 26 of the Federal Rules of Civil Procedure, which states that litigating parties are to disclose either a copy or a “description by category and location” of responsive ESI.
A data map is a record that assists with this information and is an integral part of any litigation-readiness plan. It serves to identify all the locations within the corporation where potentially relevant data may be stored. Further information, such as details about what information is stored where, also should be incorporated into the data map. For example, if data related to your company’s accounting practices is located on a specific server, that should be noted within the data map. In-house counsel can reference this map when a matter arises to target collection.
With this critical information in hand, organizations are in a position to better evaluate and understand their risk profile. They are empowered to anticipate potential issues and take proactive steps to set or refine policies and procedures to ensure their ESI is being managed in keeping with their risk. They also are well-positioned to prepare for litigation in advance, evaluate costs and anticipate a strategy for responding to litigation events.
A data map also can help an organization understand its risk profile, which will allow it to:
• Validate or revise the current understanding of its data universe
• Identify sensitive data in previously unknown areas of the network and take necessary action
• Prevent data loss and gain visibility into risky data usage patterns—all allowing your private information to stay secure
There are several other key benefits to incentivize an organization to create a data map. It can help an organization establish a critical, foundational element in its e-discovery and litigation preparedness. Specifically, it can help an organization:
- Minimize time required to locate relevant ESI when litigation arises
- Gain peace of mind and assist in FRCP Rule 26 (f) preparation in advance of litigation
- Show regulators, adversaries and judges at an early stage that an organization understands where responsive data resides
- Empower lawyers to demonstrate the relative merits of alternative approaches to ESI preservation and production
Creating a data map is no easy task for an IT organization. In fact, mapping your personal data is a breeze compared to mapping data on an enterprise-wide level. For one, a company is likely to have tremendously more storage devices. Not only are there computers, laptops and smartphones to consider, but also there are servers, flash drives, legacy systems, a variety of backup devices and, increasingly, cloud storage services. In addition, a company’s IT infrastructure is often in a state of flux. Users create, delete and move information regularly, while IT personnel may add or alter storage devices.
In order to effectively map your enterprise’s data, you will need to invest in e-discovery technology that is equipped with the functionality to facilitate effective data mapping . The right technology will have pre-collection analytical capabilities that are powerful enough to enable counsel and IT to collaborate and get critical insight into the company’s diverse data stores early in the e-discovery process. Pre-collection analytics remain a robust and effective tool even as the IT infrastructure evolves. It is important to find a solution that does not rely on stale indexes of your environment or migrating all of your data to an enterprise content repository (for more on the challenges of using indexes, see my earlier column).
Data is the lifeblood of any organization. Its exponential growth is only going to continue in the years to come, and with that, there will be an exponential growth of risks for organizations. It will be critical for organizations to be proactive in taking steps to handle the data overload, and avoid the legal and financial pitfalls associated with its mishandling. Having the right software in place to help create a proactive data map is the first step an organization can take in accomplishing this goal.