The Explosion of Organizational Data is at a Tipping Point: Here’s How to Understand What You Have and Mitigate Risk, Part Two

Editor’s Note: As I noted two weeks ago, the team at Exterro has given me the opportunity to be a guest author on their excellent blog, and my three-part series concluded yesterday. Likewise, Ron Rambo, the Content & Communications Manager for Exterro, has provided a two-part blog series for eDiscovery Today! Last week, we published part one; here is the conclusive part two. Enjoy!

Why Integrating With Data Sources is Important

Connectivity across an organization is imperative because most of the data that companies store is “dark” or rogue data; it doesn’t provide legitimate business value but remains a potential risk nonetheless. Therefore, integration via “connectors” or other APIs will allow data stewards to see all of the data that the enterprise stores, find out where it lives, and find out who is in charge of managing or remediating that data.

Why You Must Reference Regulatory Guidelines

Cross-referencing data remediation with retention schedules is one area where the data pile-up begins. The fear of deleting legacy data that may end up being necessary for litigation can paralyze some data stewards into keeping it longer than they have to. Soon, retention schedules are no longer enforced, and unnecessary, risky data begins to accumulate. New data privacy regulations have made this an even trickier situation to navigate.

For example, one of the key features of new data privacy regulations is the consumer’s right to request that any personal data housed by an organization be deleted. It is incumbent upon the stewards of that data to have a process in place to ensure that the data is not already under a legal hold or some other legal obligation that would prevent the deletion request from being fulfilled. Cross-checking the request against regulatory guidelines must be built into any defensible deletion process.

Why Tracking Third Party Risk is Important

According to research by Ponemon Institute, a majority of organizations that have suffered a data breach have had it occur via a third party. Indeed, just this year, among the more high-profile breach cases—like General Electric and Hanna Andersson—were situations in which third party cybersecurity was perhaps not as strong as it should have been, leading to breach scenarios in which consumers and former employees had their information accessed by potentially bad actors.

Both cases fall under the purview of the CCPA. Given the costs associated with data breaches under major data privacy regulations (up to $750 per data subject, under the CCPA), ensuring that reasonable processes are in place to vet third parties can help mitigate risk at your organization. Because breaches are fairly common, showcasing that the organization did its due diligence in determining where the risks were with a specific third party, and how those risks were being addressed, can help minimize financial impacts resulting from a breach. Courts look for reasonable and repeatable processes, not perfection.

A Legal Governance, Risk & Compliance Strategy is Imperative for Data Risk Mitigation

Disorganized or incomplete data management processes make it effectively impossible to answer the legal and regulatory challenges that many companies face these days. Without technology, it may be just as difficult: If you aren’t sure where your data lives or how much you really have, how can you know you’re effectively managing discovery risks, privacy risks, and other regulatory obligations? Further, if you can’t effectively access and remediate legacy data through API connectors, how much of a risk might that rogue data be to your organization once it is uncovered?

Only by connecting to each data source within an organization can you validate that your data inventory, and therefore data management processes, are up-to-date and maintained. And because there is no single platform or end-to-end technology that can perform every task related to Legal Governance, Risk, and Compliance (GRC) on its own, the final takeaway for General Counsel and Chief Legal Officers everywhere is that the ability to integrate with other applications is key to understanding how at risk your organization truly is.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
