New technology methodologies enable good data privacy practices.
With the Russian hacking of the U.S. Presidential election at the top of the news for the past few weeks, cybersecurity is clearly at the forefront of everyone’s mind. Everyone has a potential hacking problem.
Furthermore, according to CIO magazine’s “U.S. cloud vendors adjust to Snowden effect, Privacy Shield,” the Snowden effect on the European market may have been a bit exaggerated. Amazon, Microsoft and Google simply expanded their strategy, building various European data centers to confront the legitimate privacy concerns in a post-Snowden world, which means that data will exist in cloud networks specific to a geographic location.
Even closer to our industry is a piece in Corporate Counsel magazine discussing a law firm that is being sued for not adequately protecting its client information from hackers. This puts the onus on corporations to ensure that law firm data retention policies are followed.
Data must be actively managed on an ongoing basis, and data disposition must be automated to ensure that non-essential or non-relevant data is kept on the right network. In other words, that data stays inside the corporation and, especially, does not sit outside of the corporate network (e.g., at law firms or service providers).
Good service providers focus on a multi-pronged approach to help clients achieve this and ultimately manage their data. This approach ensures that only potentially relevant data is taken out of the corporate-secured network and that non-relevant data is managed (and removed) from external sources.
Because of the diversity and complexity of this issue, service providers should ideally bring different technology solutions to the challenge, while maintaining cost certainty.
So how does the multi-pronged approach help corporations with privacy and security?
First, there’s a team of experts (including privacy lawyers, data management specialists, information governance experts and eDiscovery project managers) who work with corporations to identify how data is currently being managed, remediated and structured for retention and destruction.
For example, many corporations are currently tasked with moving or integrating existing datasets with Office365, new cloud solutions and multiple outside providers. Right now, much of this data management is being done manually, with spreadsheets that track data locations, discussions with employees/custodians, and transfers from FTP or hard drives without a feedback loop. Service providers should identify these processes and procedures, help the client identify applicable rules, and then put together a strategic plan for automation.
Second, providers’ technology solutions should be reviewed against these rules and requirements to determine which makes the most sense for the solution (notice that I didn’t say that the solution was determined by the technologies – this is a mistake that I think many people make). The technology allows us to build automated project management solutions, which include rules-based data management, data and matter notifications and data remediation – and generally you can recreate these solutions on any technology.
These technologies can either be placed inside of the corporation as an appliance (or virtualized system) or be placed in the cloud, which allows for a broad range of solutions to meet different needs. In a nutshell, these technologies integrate with existing Active Directory or LDAP systems and help maintain active, real-time custodian information (e.g., names, data locations, employee status). They then use this information to help automate litigation holds and data migrations from existing systems to Office365 or other new systems, and to help identify data outside of the network that can be deleted.
An established solution allows corporations to get repeatable, measurable and predictable data management solutions in place. With those solutions in place, corporations can identify data trends, remove data that is outside of data retention and litigation hold policies, and move data, such as PII, HIPAA and PCI data, to more secure locations.
Ultimately it comes down to this: awareness of the Russian hack and the Snowden effect on European data privacy has led to a generally heightened data-awareness within both corporate clients and law firms. Information governance, early information assessment and cost-effective risk management are the best medicine for growing data concerns. And the cherry on the pie? Using automated technologies (particularly within subscription-based, cost-effective pricing agreements), corporations can begin to prevent data challenges before they happen, especially in the areas of privacy and security.