Compliance is often deemed a dirty word in IT circles. But I have another 10-letter word just as dirty: e-discovery.
This one word arguably creates the most angst among IT executives today. But there is a way to soften that angst with two other words: records management.
I have a lot of firsthand experience with e-discovery-related projects, so I can attest to the level of effort they require among a variety of people in IT roles. Similarly, in my expert witness work, I’ve seen how quickly certain e-discovery requests are made by attorneys. The whole process of e-discovery is often brutal, extracting its pound of flesh from an enterprise, regardless of the resources it has to devote to it.
What used to be a cash cow for a select few e-discovery firms with the right tools has become mainstream. There are numerous e-discovery and records management applications on the market to help reduce the pain and cost associated with discovery requests. According to Stamford, Conn.-based Gartner Inc., the market for e-discovery software will reach $1.2 billion this year and nearly $1.5 billion in 2011. Vendors such as EMC Corp., Optical Image Technology Inc., StoredIQ Inc. and Messaging Architects offer an array of archiving, e-discovery and information management solutions focused on records management.
The increase in data breaches, bribery and insider abuse underscores the need for such tools. Without them, it’s practically impossible to search through hundreds of gigabytes of electronic records for the relatively small subset of data that’s needed. If you don’t have some semblance of electronic records management and something bad happens that leads to e-discovery, you’re toast.
Looking at the bigger picture, records management is deeply entrenched in various business, compliance and IT processes, as shown in Figure 1:
Figure 1: The records management lifecycle can be very complex.
Given the amount of information you have, combined with the complexity of your information systems, the only reasonable way to manage these aspects of electronic data is with a good records management tool.
One of the greatest risks to any business is a lack of knowledge about what electronic information is, and the hard fact is that many businesses have little or no control over data classification and retention. These two factors are a dark cloud hovering over an enterprise, threatening to burst into a raging storm. You would be wise to lean on records management tools for help.
That said, as much as these tools can help, they are hardly a panacea. Longer term, you will have to streamline your management processes as well. If you really want to get records management and e-discovery down to a science, you will have to tweak both your business processes and the culture inside your organization. This will require:
• Obtaining and maintaining buy-in from members of upper management (which should be easy, since it’s their rear ends on the line);
• Putting the necessary policies in place (classification, retention, labeling and disposal come to mind);
• Getting the word out on what constitutes business records (this is the tough part, but it has to be done);
One of the greatest risks to any business is a lack of knowledge about what electronic information is.
• Holding people accountable for their actions when missteps occur (creating the understanding that labels such as “Internal Use Only” and “Archive after 90 days” mean just that); and
• Working with legal counsel periodically to ensure that your system is kept current (there’s nothing worse than an outdated records management system that creates more problems than it solves).
Getting management and employee buy-in is half the battle. One of my clients struggled with this very issue for years. After being acquired by a larger company, which already had an efficient records management infrastructure and environment in place, things started to come together.
The typically slow-moving bureaucracy that haunts larger enterprises often hinders information security and risk management efforts. But we can all learn from the finely tuned records management processes many such businesses utilize. They’re continually faced with e-discovery and compliance burdens, so records management has become second nature to them.
It would be wise to look into these records management and e-discovery solutions. If you need help justifying their cost, many vendors have already done the research for you. The money saved in one e-discovery request can pay for a solution tenfold. Why not take that leap and invest in the right tools now before you really need them? Things are only going to become more complex.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Complianceand the newly updated Hacking For Dummies, 3rd edition. In addition, he’s the creator of the Security On Wheels information security audiobooks and blog.