With the recent ransomware attacks that have been in the headlines over the last year, many companies are reconsidering their data protection strategies to protect their company against these new, growing threats.
Prior to the availability of cloud archiving, companies were stuck with expensive, on premise archiving solutions mainly because they were the only game in town. The archiving software vendors focused on specific industries that required companies to archive data based on government regulatory requirements, for example the financial services industry with SEC and FINRA compliance requirements. Companies quickly discovered the downside of on premise archiving solutions; 1) they were expensive, and 2) they were complicated to maintain. Their main advantage was that your data was stored in your data center – you controlled your data.
The EU/US, Safe Harbor scheme, was struck down by the Court of Justice of the European Union (CJECU) in October of 2015 putting companies on both sides of the Atlantic in a difficult position - not having a process for legally transferring data out of the EU to the US.
Microsoft today announced the general availability of their archive tier, Microsoft Azure Archive Blob Storage, to go along with their Hot and Cool storage tiers. For Azure-based archiving and information governance applications, the Azure Archive Blob Storage tier will be a huge advance for records managers and information governance professionals looking for long term, inexpensive archive storage.
Today, companies are looking for solutions that can archive inactive data from little used enterprise applications. Those applications can be decommissioned, saving the company the expense of keeping them running for little payback. But the question not addressed early enough in the project is what to do with all of the application’s legacy data – delete it or save it (and where). By migrating the legacy data to an intelligent archive, organizations can preserve the value of legacy application data, ensure regulatory compliance, and address any legal concerns.
MiFID II is right around the corner, January 2018, and there are new data handling, storage, and indexing requirements that some (or many) financial services organizations may not be aware of. In fact, MiFID II, focuses on the EU financial services sector and aims to improve the quality of advice presented to clients as well as offer additional investor protections. To accomplish these requirements, the new regulations add additional data recording, retention, and search requirements.
I am going to revisit a topic I have blogged about before, mostly because of the feedback I received at Microsoft Ignite last month (September) - that of records management versus information governance. To state the obvious up front; records management does not equal information governance and here is why.
The eDiscovery process can be a complex and expensive undertaking. Ever increasing data stores, new applications and data formats, country regulations limiting data movement and increasingly, documents authored in foreign languages, continue to drive up cost, time to respond, and risk.
One eDiscovery task that has been an ongoing pain for companies is dealing with foreign language-based documents during collection and review.
Corporations continue to adopt new information technologies that make their jobs both easier and more complex. Companies have adopted new communications platforms like Skype for instant messaging, enterprise social networks like Yammer and Slack, collaborative groupware applications such as WebEx, GoToMeeting, and video conferencing, not to mention audio and video recording for security. And of course most companies still rely on the old tried-and-true tools like email and telephone/voice messages for day to day communications. Many of these tools now allow you to record both audio and video for regulatory and eDiscovery needs.
The concept of Defensible Disposition has been around for many years. Defensible Disposition is the process of disposing of unneeded and valueless information in a manner that provides information about the disposition process showing that deleted data was not under regulatory retention requirements and the data was not subject to current or anticipated eDiscovery. In short, a data disposition process that ensures regulatory and legal considerations are taken into account.
There are many reasons to develop and follow information management policies including the retention/disposition of information. The most obvious reason is to ensure compliance with regulatory retention requirements. Another reason is because of business requirements such as ensuring that data not deemed having long term value is disposed of so that IT resources are not consumed with "junk" data.
I continue to hear companies make the case for the need to have relatively detailed retention/disposition policies is due to their belief that "the law" requires it - in case your company is involved in a lawsuit and eDiscovery. Let me first touch on the first two reasons before I get into the main reason for this blog.
There's a compelling business case for attorney’s utilizing cloud storage including cost, ease of access, and security, but can lawyers ethically use it?
I still have attorneys argue with me about the appropriateness of storing client-related data, client notes, case notes, and eDiscovery results sets in the cloud. Because cloud storage involves storing data, on remote servers/storage outside of the lawyer's direct control, it continues to generate concerns regarding its acceptability under applicable professional ethics rules.
In my last blog, I discussed the connection between information management and data value. I laid out a math exercise showing how a lack of information management can dramatically affect productivity across the organization by calculating the actual cost of employees not being able to find information when the need it. This in turn causes employees to waste time looking for it, and when not found, being forced to recreate it. By estimating the number of hours of lost productivity as well as the fully loaded cost of the average employee, we are able to determine the total cost of lost productivity.
Taking this theme further, we can use the estimate of lost productivity hours and calculate total lost revenue – the revenue the company could have captured if enterprise-wide information management was more efficient.
Corporate data is what powers most businesses and so is a valuable business asset. In fact, you can say that companies employ information workers to generate and consume data for the betterment of the company. But can you actually calculate the value of data?
Employee’s annual salary, benefits, training, and corporate infrastructure all go into calculating the cost of information. On the other side of the equation, average revenue and profit per employee are measures of efficiency and productivity. To be successful, companies must generate more revenue (and profit) than total cost. And these are driven by how well companies manage their information.
For centuries, records/information managers have had to rely on end-users to take the first, second, and third steps in information governance which are:
- Make a decision on a document as to whether it should be retained
- Decide how long it should be kept (retention period)
- And actually take the step to move the document somewhere for safekeeping and management.
Over the last 15 to 20 years, many companies have marketed and sold “records management systems” that would supposedly make information management much easier. However, these systems didn’t address the 3 points above; the reliance on end users to initiate the process and to make decisions on the importance of the content.
They knew they had something here. I guess they should have known that when one of the largest banks in North America became one of their first clients. Our founders brought a simple tool to market - a software solution that moved data, moved it fast, and moved it completely, to the cloud. At that time, we liked to describe the company as a moving company and everyone was (and still is) always moving. What made it better was that everyone’s lawyer and every new law required our customers to never throw any of those old boxes of stuff away. By law, every relatively insignificant email, attachment, scrap of metadata, etc., from every deal, and every past and current employee had to be boxed up and kept in storage in perpetuity, or until someone somewhere had the guts to actually say “delete it.”
Updated: Corporate eDiscovery data storage practices have progressed (a bit) over the last 10 years. More than a few times over the years, I’ve received emails from my employer’s corporate legal department informing me that they would need me to search my email—including local and online file repositories—for any potentially relevant content and set it aside until it was asked for. Come to think about it, I never received any follow-up emails releasing me from those instructions …
Many companies that store content in cloud-based archives are stunned by their cloud vendor’s one-way attitudes - it’s free to move huge amounts of data into their cloud-based archives, however, it’s another story when you want to move it out again.
Whether you need to export a large data set in response to an eDiscovery request, or, heaven forbid, you’ve grown dissatisfied with the cloud vendor and want to move your data somewhere else, the cost to extract your data skyrockets, and in many cases, to ridiculous levels.
President Trump signed an Executive Order (EO) on 5/11 designed to strengthen the cybersecurity of federal networks by continuing a massive shift in how the US Government handles its data aiming to create a single federal IT enterprise. This effort will be quarterbacked by the Department of Homeland Security (DHS) and the Office of Management & Budget (OMB). DHS Security Advisor Tim Bossert explained that there will be a preference in federal procurement for shared IT services among the 190 federal agencies and the goal of this move to the cloud is to avoid defending antiquated and fractional systems.
Can your defense team save additional litigation cost and lower risk by using the cloud to dramatically reduce the number of data transfers?
The cloud has become a ubiquitous tool for most companies (and industries) over the last several years. However, when dealing with legal situations and eDiscovery, companies are still in the habit of shipping hard disks, optical disks, or if they’re lucky, electronically transferring terabytes of data to their external law firms in response to eDiscovery demands. Those same law firms turn around and follow the same data shipping/transfer processes when turning over client eDiscovery data to opposing counsel.