In the second of three AccessData® webinars on Navigating Information Risk, Investigations and Privacy hosted by Matt Kelly, CEO of Radical Compliance, Kelly speaks with Mark Antalik, managing director of BDO Forensic Technology Services practice.
In their conversation about “Internal Investigations Swamped with Data,” Kelly queries Antalik about his views on information governance, being aware of critical assets and creating audit trails to expedite matters. Read on for the recap of the discussion.
E-Discovery and Data Forensics—Similar, but Not the Same
While these terms are frequently used together and related, the two concepts differ by tools and output. E-discovery is for litigation and regulatory inquiries. It also includes review of electronic data, collection, search analysis and review, document assembly for opposing counsel or government regulator consumption.
Data forensics or digital forensics is a specialty that includes:
- Collections and analysis with creation of a bit-by-bit copy as it resides on the source system.
- An analysis phase that becomes the nuts and bolts of data forensics.
- Recovery of deleted items, web-mail artifacts, identifying what devices were connected to a computer, what files were copied, and the timeline with sequence of events.
The short of it is that e-discovery is an overlapping process of responding to the discovery of information. Data forensics is part of the continuum but also is a stand-alone process and specialized discipline. It comes into play in collections and analysis. Even if you have a robust e-discovery process, it doesn’t mean you’re doing the other better.
Essentially, you don’t find everything, but you find enough.
Information Governance Is King
Information governance is quite possibly the biggest insider threat to an organization. When a corporation lacks sound information governance, there is a good deal of confusion. Many small-to-medium businesses ignore it completely as it can be a challenge. Mark Antalik likes to think of information governance as “people, process and technology.”
Questions to ask yourself:
- Litigation readiness. Are you ready for e-discovery? Do you have the data needed to respond? What is your legal hold policy?
- Records and information management. Who owns devices in the company? Are employees using their own devices? Where are your assets? What are the usage patterns?
- Compliance. Do you understand data and its related risks and regulations?
- Data intelligence. Are you using information as an asset to increase efficiency and optimize processes?
How the Rise of Mobile/BYOD Contributes to Process Complexity
BYOD is a function of policy and technology. If your company allows employees’ use of personal phones with overlap to company information, then there needs to be sound policy in place.
Mature software helps employers wipe devices, extract company data when devices are lost or stolen, and help with information migration. Data can be parsed by employers pretty easily as necessary.
IT Drives Process—Key Stakeholders Must Contribute to Ensure Success
There isn’t a one size fits all when it comes to information governance. Ultimately, there should be clear responsibility and ownership, and IT often drives process. Input comes from other departments like legal, compliance and business units, too.
Company leadership should look at information governance holistically and assign someone to be in charge. When everyone within the organization works together, the outcome is simpler.
Research Shows Companies Still Struggle with Data Preservation
A BDO study showed that 42 percent of people say they under- or over-preserve data to accommodate legal risk. Their challenge centers on corporate policy and what should be preserved.
Mark Antalik agrees that everyone really is struggling. E-discovery costs inhibit many companies. There is a definite disconnect with data volume, preservation and what’s needed. Most importantly, data collection requires a surgical approach to save money downstream.
Defining, Maintaining and Tracking Assets Is Critical and Tricky
Across the board, there is wide variation about how well businesses define, locate and maintain assets. It’s definitely an immature arena; some people have an “aha or oh-no” moment due to external drivers like litigation, cloud migration or the EU’s approaching General Data Protection Regulation.
Defining “critical assets” puts organizations into a conundrum because they mostly define assets as regulated data most critical for compliance. From an operations perspective, “critical” data may mean something else entirely. Antalik shares an eye-opening statistic—50 percent to 70 percent of data within corporations is redundant, outdated or trivial.
Much of the redundancy is in the cloud. Data breach monitoring is part of standard operating procedure in the cloud. There are benefits of cloud storage, and migration presents opportunities. You can lower costs by cleaning data before migrating it to the cloud. Data mapping and classification are good first steps prior to migration.
It’s a good idea to first identify data to migrate and then evaluate cloud providers’ security and records retention. Bring IT procurement and other internal constituents together so they are on the same page.
A big component is internal communication and how directives flow to the cloud provider. To avoid unforeseen conflict in cloud migration, consider data retention and legal hold; the technology itself; data privacy concerns; change management; and, contract considerations.
Considering a Chief Data Officer—To Hire or Not
Sometimes internal squabbles preclude adding a C-level data officer, and it depends on the organization. There is benefit to having an executive drive compliance and ensure everyone is playing nice. Organizations without a mature information governance function may report to the CIO or CISO.
Information governance is frequently reactive to regulations and often lags behind. When you’re dealing with data protection and staying current, it’s a good idea to consult with local counsel in each jurisdiction. Your data protection efforts should match regulations with standards, best practices as a baseline and up-to-date policies. That’s why having a data privacy officer is a good idea to manage everything.
Essentially, the efficacy of the analysis is only as good as the data fed in. You can have all the tech in the world and still feed the wrong data. If that happens, then your information governance program doesn’t matter. Information governance covers a lot but when you understand your data, the apps, and who’s in charge, you will see reductions in cost and risk across data forensics.
Should You Create an Audit Trail?
Matt Kelly concludes the session by asking Mark Antalik about audit trails—what are they and are they a good idea.
There are different kinds of database apps that track user activity and the flow of data through the life cycle.
The important thing is to be able to demonstrate what you did, why you did it, and how you maintained integrity throughout. There is a solid benefit to sound and holistic programs for future business opportunities.
Look at some reasonable steps to handle data and the steps you should take when handing it off to someone else. Antalik’s team likes graphical reports showing how data flowed from e-discovery through its life cycle until it arrives to them. There are a variety of factors including production, analysis, where the funnel of information narrows, and also the various files, types and processes.
It’s important to track the legal hold process as well as audit data collections. We look at a variety of things like who disseminated, affirmed and acknowledged; who and where ongoing reminders were added; how collections capture was requested and by which operator; type of data and number of files; and notes of activities.
You can listen to the full recording of the conversation with Matt Kelly and Mark Antalik, here.