Big Data: Big Value or Big Trouble?

Like “the Cloud”, the term “Big Data” has many different definitions.  But no matter how you define it, Big Data is not a fad.

Some use the term to denote the incredible variety, velocity and volume of data that we are creating and using every day.  (Here is a very interesting infographic on that point).

Others use the term to represent huge data sets from which we can intelligently extract useful trends and business information.  In fact, the promise of Big Data is not just the ability to mine data for sales purposes, but also for customer and employee sentiment, and even the idea of “predictive compliance”.

Regardless, as with the Cloud, there is enormous potential value in Big Data — but there are also costs and risks that need to be weighed in the process.  Among these are the eDiscovery and security risks associated with keeping a significant amount of data past its (normally) useful life.  Our friend Barclay Blair has published some interesting thoughts on Big Data, the law and eDiscovery.

As in so many other areas, business will drive the need for big data initiatives; but compliance and legal need a voice in the process to adequately cover potential risks and issues.

Archiving To Help Solve BYOD

We have written before about the security, privacy, compliance and legal issues created by the Bring Your Own Device (BYOD) phenomenon.  And if BYOD seems difficult here in the US, it’s far more difficult in the EU with its stronger protection of personal data.  With BYOD, personal information is being mixed with corporate information on an employee-owned device, often with no real corporate oversight, creating all kinds of new problems.

The UK’s Information Commissioner’s office recently published guidance to assist organizations in dealing with BYOD concerns in the EU.  Of course, a main point is that having a clear and effective BYOD policy is a crucial step for any organization.  But one issue, along with its related advice, really caught our attention:

     “If copies of data are stored on many different devices. . . there is an increased risk that personal data will become out-of-date or inaccurate over time … [or] retained for longer than is necessary … [because] it is more difficult to keep track of all copies of the data.  Using devices to connect to a single central repository of data can help mitigate this risk.”   [Emphasis added].

Centralized archives, operating and retaining data according to company policies, serve this purpose.  For example, rather than having email (and attachments) stored on various email servers, in PST files and on devices for every custodian, it should be stored, maintained, accessed (and ultimately deleted) from a single instance email archive.  Each device can serve as a “window” to that centralized content so that it’s accessible as needed, and then deleted.  This avoids creating new instances of each message that are stored and managed for each individual device requiring access to the data.  And this same concept can be applied to documents from file systems, Sharepoint, even records management systems.

Not every organization will have to meet EU (or even EU-style) data requirements.  But centralizing and managing content is a solid best practice that will pay dividends no matter where you are located.

BYOD: Bring Your Own . . . Disaster?

While the “Bring Your Own Device” phenomenon seems to be gathering even more momentum, few organizations seem to be working on the compliance issues that BYOD can create.  BYOD is clearly an important technology wave, but without some thoughtful planning, this BYOD could easily turn into “Bring Your Own Disaster”.

BYOD can be loosely defined as employees using their own devices to access company resources and complete job-related tasks.  In the real world, BYOD can be as simple as an employee using personal funds to purchase a cell phone for business use, or as complex as an employee-purchased tablet (or laptop!) with monthly wireless charges reimbursed by the company and access to the company network encouraged.  These devices can boost productivity, but not without an impact.  Some companies have found that several hundred applications — typically unapproved and many completely unknown to the company — are touching their network from employee smartphones.

BYOD creates concerns that need to be addressed, or at least considered.  In the more complex situations (usually with laptops or tablets), both corporate and personal data will probably be mixed on the device.  If a mixed use device contains illegal or infringing data, is the company responsible?  If a lawsuit or investigation requires access to the employee’s data, does the company have the right — or obligation — to collect relevant information from the device?  What if it has the obligation but not the right?   And what happens if data is clearly relevant to a company issue but also clearly personal to the employee — will the employee resist?

Specific regulations regarding data retention or security may also be triggered.  How does an employer ensure that record content created on these devices, which may have never touched a corporate server, is retained for required retention periods?  Ensuring compliance with regulations such as HIPAA (related to health information) and 17a-4 (broker-dealer communications) is unlikely without the company having some access to and knowledge of information created and/or stored on the device.  Outside the US, the problem can become more difficult because data privacy laws further limit the company’s access to the information.

What can you do?  Although the ultimate solutions will likely be technology based, start with policies.  Dust off your records retention, email retention, corporate network, cell phone, security and other related policies and read them with an eye on BYOD issues. Consider whether the company can or should mandate access to a personal device used for corporate purposes, or create an obligation granting access to the device if it has data necessary for the company’s regulatory requirements or legal requests.  There is not yet much guidance from the courts on whether this is sufficient, but putting these requirements in writing is a start.

Longer-term solutions may be technology based.  Access to company resources via smartphones and tablets can be controlled through security applications installed on the device.  Applications (like EMC’s Syncplicity) can deliver the convenience and open collaboration of an application like DropBox but with corporate controls.  And some creative planning can ensure that most email and documents available on a smartphone or tablet are also on a corporate network for easier access and retention.

But beware — employees and employers may not see eye-to-eye on many of these concerns.  For example, over 75% of employees said they would not give an employer access to see the apps installed on their device and would not permit a tracking application to identify their whereabouts.

Like it or not, BYOD is here.  Giving it some consideration and planning now can help you ensure the productivity side of BYOD without the disaster.

Viva La Resolution!

Although I strictly avoid New Year’s Resolutions, January is often a good time to think about the year ahead.  Last year at this time I created a wish list hoping that we would all learn more about archiving, machine classification, social media and “the cloud”. 

While those topics remain very important this year, let’s start 2013 by focusing on an umbrella issue — “Information Governance”.  To me, very simply, Information Governance encompasses all of the things that we’ve focused on individually during the last several years in the information world — eDiscovery, archiving, retention policies, defensible deletion, security, records management, privacy, etc.  (Deb Logan of Gartner has a far more thoughtful definition). 

How do you “do” Information Governance?  That’s a very good question and I don’t know that anyone yet has a great answer.  The best thing that we can do, today, is to be better educated on the issues outside of our main focus area so that we can better understand the impact of our own initiatives.  For example, the legal department’s goal of making information more accessible and searchable for eDiscovery may impact privacy and even security concerns.  An IT goal to move email to the public cloud to save money may create compliance and eDiscovery nightmares.  And an initiative to delete “legacy” data could wreak havoc with records management policies.

For now, spend some time learning about what your colleagues are doing in their areas of expertise, across IT, legal, records, compliance, security, etc.  You may find that the big picture quickly becomes much clearer.  

P.S.  Hope to see you at the EMC booth at Legal Tech.  

 

Be Clear Before You Cloud!

Interest in cloud services remains extremely high, with IDC predicting a compound annual growth rate of almost 28%.   Yet “cloud” is a broad term, and when purchasing cloud services it is more important than ever to understand the details of an offering, particularly when considering email archiving.

Cloud archiving offers the opportunity for cost savings and a potential reduction in operational complexity.  But as with any offering, there are risks and downsides that are often ignored during the decision-making process:

– If the system fails or is down, what are my rights?  In most cases, you will have a Service Level Agreement, but the remedy if that SLA is not met is usually minimal.

– If a regulator needs access to data or if I have an unexpected e-discovery requirement, how can I get the data that I need?  Some clouds will have tools, but few companies determine in advance whether those tools are sufficient to meet their needs.

– If the system is hacked or there is a security breach, what happens?  In most cases, any penalty for stolen or lost data remains with the company that owns the data, and the recourse against the provider is contractually limited.

– If I find a better solution (or just don’t like this one next year), how can I move to another system?  Migrating your data from a cloud system is generally not an easy or inexpensive task.

For many, a managed service or private cloud may be the right answer.  In this model, the equipment and data center can still be owned by the customer, enabling it to maintain control and access whenever desired.  But with the day-to-day operation of the system managed by a skilled third party, at a set rate, operational costs and even complexity can be sharply reduced.

One size still cannot fit everyone.  So when looking at cloud solutions, make sure to understand all of your company’s requirements (have you talked with legal and compliance?) and get the answers before you decide.  It may save you a rainy day.

Open Records and FOIA – Pushing Government Technology into the 21st Century

At a recent conference for compliance and IT professionals working in the state government sector, it quickly became evident that one of their main concerns was the tremendous increase in the number of open records requests that they have to deal with.  Both the federal and state governments give much lip service to the theory of transparency, but few have made the necessary changes to properly deal with the onslaught of requests that appear almost daily.  Wisconsin Governor Scott Walker’s administration has already produced 60,586 pages of open records in response to 222 requests in 13 months.  Compare that to 312 requests filled during the previous governor’s first 4 years[1].  It’s not just Wisconsin that is dealing with an explosion of open records and FOIA requests.  The U.S. Department of Defense received 67,434 in 2009 compared to 74,573 in 2010, and the National Archives and Records Administration received 14,075 in 2008 compared to 18,129 in 2011[2].  Most government entities handle open records requests the same way they handle eDiscovery for litigation: manually and on an ad hoc basis.  Unfortunately for government agencies, the turnaround for a response is much quicker than for litigation.  Federal agencies have a statutory requirement to respond to requests within 20 business days[3].  State agencies have time limits ranging from 10-30 days or within “a reasonable time.”  For this reason, IT departments are struggling to keep up and there is a substantial backlog at most agencies.

A New Year’s Wish List

Jim Shook


Rather than trying to make predictions for 2012, which I tend to avoid, I thought it might be interesting to put together a short wish list of things that I hope for in 2012.  The usual suspects immediately sprang to mind:  that Legal and IT learn to effectively communicate, companies begin to defensibly delete their stale and legacy data, more eDiscovery moves in-house, etc.  Those all seemed to be a little much to absorb in January, so instead I put together a much more achievable “To Do” list with some additional resources to help.

Don’t Be Scared Of  “Archiving”

Despite surveys suggesting otherwise, our experience is that email remains the most important and painful eDiscovery repository in a company.  Email sprawl also creates operational costs and risks when it’s not properly managed.  Yet many legal departments either block or fail to assist the efforts of their IT counterparts when they decide to do something about email.  Many times, this failure is because they really do not understand email, or their understanding of an “archive” implies that they will be keeping everything forever.

In reality, modern archives enable companies to implement and enforce retention policies on email, which is a strong foundation to enable defensible deletion of email.  Better archives can also enable similar management of other content repositories, such as Sharepoint and fileshares.  A good archive, with associated policies, will improve and reduce the cost of operations, and make eDiscovery cheaper and easier.


Dive Into Machine Classification and Coding

Machine-based coding for document review is a hot topic.  We’re learning that in many cases, people just do not do a great job in reviewing and coding large volumes of information.  However, machines are built for this type of work because they are consistent, never tire and are cheaper than human review.  An open and shut case, right?

In reality, there remains a misunderstanding about how these technologies actually work, and how they can be successfully deployed and defended in a litigation matter.  Clearly they hold great promise, but there’s a lot of work to be done before they become mainstream.


Be Proactive With Social Media

Many companies are using different types of “social media” to more effectively and rapidly reach their customers, partners and even their own employees.  Technologies such as Twitter, Facebook, wikis and blogs are being used daily, and it’s likely we’ll see some even newer technologies develop in 2012.

Yet social media is not a free ride.  Gartner’s Debra Logan predicted a year ago that by YE 2013, half of all companies will have produced social media content in response to an eDiscovery request.  But today, most companies do not have policies to regulate social media content, nor do they have much of an idea on how they might preserve and collect that ESI in response to a regulatory or litigation matter.


Understand “The Cloud”

Ahhh, the Cloud.   Depending on your vantage point, Cloud Computing may be the answer to every issue you have or the most overhyped idea since push computing in the 90s.  The IT department is attracted to the cloud’s operational efficiencies and flexibility, and the business enjoys the rapid rate of deployment.

But don’t dive in without being informed.  “Cloud Computing” is actually an umbrella term representing a number of different deployment and service models.  Operational and cost benefits found with cloud computing should be weighed against the loss of control that comes with those deployments.  In some cases, that’s an easy trade-off.  In others, particularly where compliance is concerned, it can be more difficult.  Even in tougher cases, better informed teams might be able to get the best of both worlds by leveraging private or hybrid cloud deployments.