I recently interviewed Marc Zamsky, Chief Executive Officer of Compliance. We covered so much with regard to eDiscovery trends that we couldn’t fit it all in a single blog post. Part One of my interview was published Monday; here is Part Two.
Remote work has also led to a surge in data breaches and malware incidents, according to a published report from Bitdefender (covered here). What advice do you have for our audience to minimize risk against cybersecurity incidents?
I think there are a couple of basic factors that businesses need to put into place to minimize that risk. The first is two-factor authentication (2FA), which everyone should have, along with endpoint security protocols on each laptop and desktop. The second is ISO 27001 compliance, which is the standard in eDiscovery and at Compliance. With ISO 27001 certification, there is no exception for remote work. Corporations have to enforce the same policies that they would at their offices. So, it’s important to do home network assessments and make sure that Wi-Fi is password protected, firewalls are turned on, that people accessing your environment are not using a shared computer or shared resources, and they’re being mindful of what they download. You also need to conduct cybersecurity training, because ultimately work from home is a greater threat with less protection.
CCPA went into effect earlier this year and many other states are also toughening data privacy laws to protect rights of individuals. How do you think the increased focus on data privacy impacts organizations?
It’s a daunting task to try to understand where PII data lives—it’s probably the biggest challenge corporations face today. I think we’re going to see a greater focus on how data is stored, gathered, and remediated. Organizations that collect PII or other types of personal information need to understand what data they’re collecting, where that data lives, and ensure they have tools in place to identify suspect data. In addition, they need to consider how potential employees pose a risk. It’s important to know who is sending out credit card information, social security numbers, and spreadsheets with birth dates, email addresses, home addresses, and cell phone numbers. You really need a way to monitor that activity.
When you start to look at the Information Governance Reference Model (IGRM), the GRC aspect (Governance, Risk, and Compliance) is critical for data privacy. We’re seeing more tools that perform enterprise data grabs to assess where data is held, what’s being passed across systems, what’s being sent out in emails or included in chat, and what’s stored in the cloud. These types of risk analysis offerings can really start to analyze and track that data, and we’re seeing some monitoring tools with some great technology. GRC is one of the biggest areas of expansion for anyone involved in data management as it relates to legal.
The use of eDiscovery technology for internal investigations has also increased significantly in recent years. What should organizations look for when considering technology solutions to support internal investigations?
Analytics and AI-enhanced technology are probably the number one factor to look for in an internal investigation workflow. What’s important is being able to pull large amounts of data (really, any amount of data) and synthesize it into a story that can be understood. Whether it’s using sentiment analysis or other portable models, looking at Foreign Corrupt Practices Act (FCPA), fraud investigations, or anything else that might affect an entity has to be considered. The ability to ingest that data and quickly cull through it is incredibly important.
The second and most important aspect is having subject matter experts: data analysts that understand how to apply technology and know what they’re looking for, including “buzz words” and how to follow the breadcrumbs. The technology can’t do it by itself; people are still needed to interpret the results. At Compliance, we use four different analytics tools across a spectrum of cases. With internal investigations, we’re trying to assess the type of suspected behavior and then select the right type of analytics platform to determine that. Some platforms are simply better than others in how you can visualize or drill down into data and start to get tangential queries or facts, or even custodians that may be involved with that data. This makes the subject matter expertise incredibly important.
It’s also important to work with Counsel in a very collaborative environment where you see and understand the same things within the data. It almost becomes a dance of weeding through the haystack together to determine if there’s even a needle in there.
We’re not done yet! The third and final part of my interview with Marc Zamsky will be published on Friday.
So, what do you think? Please share any comments you might have, or let me know if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.