Information governance is becoming increasingly important at corporations of all sizes, with the challenge of data retention and destruction becoming more acute with growing data volumes. With e-discovery now a part of the vast majority of litigation and investigations, information governance policies or lack thereof can severely impact the outcome of a matter as it relates to electronically stored information.
Fortunately, many of the technologies and processes used in the e-discovery process can assist in the execution of legally sound information governance policies, especially for data identification and remediation. If an organization has solid policies in place, there are a handful of ways to leverage common e-discovery tools for data management. Here are three example scenarios.
1. Protecting IP when employees exit the company
For companies in industries with a lot of intellectual property, such as biotech, IP protection is paramount. This can be a sensitive issue when employees -- especially senior-level ones -- leave the company. When an employee departs, organizations often conduct a focused remediation process whereby the outgoing employee’s work product is securely deleted and removed from his or her machines. For these matters, there's often an initial exit interview with counsel present to help identify the documents to remove from the systems.
One recent matter handled by the forensics team at FTI Consulting's Technology Practice involved the departure of outgoing employees from a technology firm. It required content deletion from the host computers in the presence of an attorney for each employee. The departing employees were interviewed in the presence of their attorneys, to identify certain locations where specific documents resided. Once all sides agreed on the documents for deletion, the team captured and remediated designated documents.
The team deployed a forensic preservation tool to perform the targeted captures of the specific documents identified by the custodian, for the purpose of providing the source documents back to the former employer. Once captured, we used a secure deletion application to securely delete the documents as well as any "slack space" associated with each remediated item.
At the conclusion of that process, we provided a detailed affidavit outlining step by step the measures that were implemented, as well as assurances that the process was complete and thorough. For this particular matter, there were different parties involved at multiple locations, creating added nuance to the process and the identification of the full scope of documents. Even in complicated cases like this, data remediation can be effectively executed to protect IP and reinforce overall company data deletion policies.
2. Migrating documents when companies dissolve a partnership
In this case, the remediation team will need to identify IP-related documents across both companies -- Company A and Company B. This usually involves the removal of these types of sensitive documents from one or both of the companies’ systems, and it also may include providing a copy of the identified documents removed from Company A to Company B.
In such instances, the remediation may include interviews of key custodians to identify potential locations for IP, as well as performing indexed searches for IP utilizing agreed-upon search terms. Once identified, appropriate forensic and secure deletion tools complete the remediation process.
This process must involve working with counsel to identify which documents need to be remediated, and to oversee the process to ensure all necessary steps are taken to securely delete or transfer the documents of interest. The process usually also involves a certification drafted for the court, as an added layer of assurance that the process was complete and thorough.
3. Complying with customer data protection regulations
Any organization hosting customer data must consider Payment Card Industry (PCI) requirements, HIPAA and other laws and industry standards for protecting customer information. Deletion or retention of this type of data must be handled in the most secure way possible. One case our team handled involved a matter at a health care company, and included the large-scale remediation of sensitive credit card information for hundreds of patients.
In this case, which was spurred by PCI requirements, the data was housed within a number of different source media locations including network servers, file servers and desktop computers. The large number of custodians involved, combined with HIPAA data privacy and security concerns, required that we conduct the remediation within the company’s environment, while utilizing outside software and hardware tools.
The remediation process included applying PCI-compliant search patterns across the data sets. We pulled statistically valid samples of data to ensure all of the credit card data was captured. As we identified items containing credit card information, a dynamic report was generated so the flagged contents could be reviewed. This provided the option of conducting a small-scale review of the flagged items as an added layer of confirmation.
From there, once items were confirmed for remediation, the team implemented proprietary deletion scripts across the network, and log files detailed the items remediated. The entire process was conducted securely and in compliance with all regulations, using existing e-discovery tools.
Other factors, such as litigation holds, add further complexity to the data remediation process. It’s important to identify any items that may be within a litigation hold, as those items can’t simply be deleted or remediated. Additionally, IT teams need to work closely with the legal team to understand what data is no longer necessary within legacy systems in order to reduce costs and security risks.
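The search-and-flag step and the litigation-hold check described above can be sketched as follows. This is an added example, not the tooling used in the matter: the pattern, function names, file paths and hold list are assumptions, and the sample data is constructed. It finds candidate card numbers, discards digit runs that fail the Luhn checksum, masks each hit so the report holds no full card number, and routes held items to counsel instead of the deletion queue.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in text (Luhn-valid candidates only)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def triage(items: dict[str, str], on_hold: set[str]) -> list[dict]:
    """One report row per flagged item; held items are never queued for deletion."""
    report = []
    for path, text in items.items():
        pans = find_pans(text)
        if pans:
            action = "HOLD: escalate to counsel" if path in on_hold else "queue for review"
            report.append({"item": path, "masked_pans": pans, "action": action})
    return report

# Constructed sample data (industry test card numbers, hypothetical paths).
SAMPLE_ITEMS = {
    "fileserver/billing/notes.txt": "Patient paid with 4111 1111 1111 1111 on 03/02.",
    "desktop/jdoe/export.csv": "id,card\n17,5555-5555-5555-4444\n",
    "fileserver/hr/phones.txt": "Tracking no. 1234567890123456, call 212-555-0100",
    "fileserver/misc/readme.txt": "No payment data here.",
}
SAMPLE_HOLDS = {"desktop/jdoe/export.csv"}  # hypothetical litigation-hold list

if __name__ == "__main__":
    for row in triage(SAMPLE_ITEMS, SAMPLE_HOLDS):
        print(row)
```

The 16-digit tracking number is matched by the pattern but rejected by the checksum, which is why pattern hits alone should not drive deletion.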
These considerations underscore the importance of keeping both legal and IT stakeholders involved in the information governance and data remediation process. Working together to assess internal controls in place and regularly auditing policies and procedures are proactive measures that can be taken in advance of remediation to assist in mitigating the overall scope of data management.
Antonio Rega is a managing director in the technology practice at FTI Consulting and is based in New York. Rega’s areas of expertise include forensic data acquisitions/analysis, recovery of deleted data and e-discovery. He has handled a wide range of high-profile computer forensic investigations involving multi-million dollar settlements and has provided sworn testimony on matters relating to computer forensics and e-discovery, most recently before a grand jury for the Attorney General’s office.