The pandemic-driven move to hybrid and remote work has created an explosion of apps addressing the myriad challenges facing digital professionals. Once upon a time I knew every search engine, indexing technology, task manager, note-taking or similar productivity product on the market. Those days are long gone. Clients and peers regularly ask my opinion of tools that I have never heard of. I routinely encounter desktop icons and browser favorites for these services that custodians have ‘forgotten’ to include in their legal hold questionnaire answers. Some CIOs/CISOs/CTOs circle the firewalls and play whack-a-mole in the vain attempt to prevent employees from using unapproved apps. Good luck with that. Most corporate legal teams, firm litigation support and service providers are still struggling to adapt their practices to the rapidly evolving M365 and Google Workspace environments. They dare to tackle a business unit’s new collaboration or project-management web service only if it is potentially relevant to the discovery scope request. That reactive strategy is understandable, but it is a poor defense in spoliation scenarios. So what can you do?
First, lock down user rights to install desktop apps and browser extensions, and to register for or log in to new web services, by rule. WAIT!? Didn’t you just say that savvy employees will always find a way to use the newest toys? Have patience. Provide users a quick and painless way to request tentative access to new apps/sites. This encourages them to add these potential ESI sources to their data map profiles while the stakeholders evaluate the potential risk AND BENEFITS of new tech. A user can fill out a form that gives the business purpose, potential value, license cost, privacy concerns, partner/customer/competitive factors and what information would potentially be shared with or stored on the service.
Second, evaluate new tech in a staged workflow that usually starts with security blacklists, known vulnerabilities, integrations, regulatory requirements, privacy laws and other legal/risk roadblocks that logically make the request unfeasible. This usually weeds out a decent proportion of monthly requests, which you can add to the list of ‘CompanyX has already evaluated this and banned usage for the following reasons.’
Third, absent legitimate reasons to permanently block a site/service/app, your innovation stakeholder team should monitor adoption, benefits and feedback from your ‘pilot users’ for a reasonable business cycle and then evaluate it in the broader business context. Maybe it solves an M365 pain point and MIS is now willing to develop an internal workaround. My primary point here is to harness innovation and empower employees within a formal lifecycle of informed consent by stakeholders. We live in a time of unprecedented change and accelerating information complexity. The days of simple custodial desktop imaging, mailbox downloads and network share crawls are dead. eDiscovery and forensic professionals have to be nimble and admit that no one can know every new potential ESI repository. With the right skills, you can evaluate new ESI sources quickly and apply different approaches for the best reasonable extraction or preservation of potential evidence.
Greg Buckles wants your feedback, questions or project inquiries at Greg@eDJGroupInc.com. Contact him directly for a free 15-minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.
Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations.
I heartily agree with both your premise and your solution set, with one glaring exception. Adopting and complying with a cybersecurity control standard is now the minimum standard to establish “reasonable security” for PI. One of the first controls in every standard is to know about every authorized and unauthorized application on your system. The presence of unauthorized applications becomes a cyber incident that should be investigated at some level. So client eDisco talent that fails to identify apps is either siloed from Infosec or not paying attention. Neither is a good place to be.