e-Discovery, information management and the legal aspects associated with enterprise data are hot topics for technology leaders to address with their business customers. But what information governance strategies are legally defensible? What compliance approaches work best in the long run? How can enterprises reduce risk when they save or delete data?
To answer these questions, along with several related security topics, I recently interviewed Jim McGann, who is VP of Marketing for Index Engines, a leading electronic discovery provider based in New Jersey.
Dan: Can you briefly describe your background and overall experiences dealing with e-Discovery?
Jim: In my over 20 years of specializing in information management, in which I frequently write and speak on topics that impact legal and compliance on corporate data, I have seen some paradigm changes in the way that organizations regulate and manage their data. In the last 5 years I have seen a shift in organizations to clean up the “data lake” that has been generated and to become more proactive in managing their data assets. It is important to defensibly delete data that no longer has business value and archive what is needed for legal purposes.
Within the first 15 years of my career, I worked with organizations on deploying technology aimed at generating information faster and storing large volumes. Back then, organizations could save anything and easily hide the content that could become a liability, but that won’t work these days. Lawyers and judges are more tech savvy and they won’t accept excuses about complexity and cost issues anymore.
Dan: What is Defensible Deletion and why is it important?
Jim: Defensible Deletion is a process within an overall information governance strategy that applies value-based decisions against organizations’ content. It aims to segregate the content between what is useful to the agency and what is not. This methodology guides disposal of valueless content to meet business, legal and regulatory requirements.
Dan: How does Defensible Deletion control long term risk and liabilities?
Jim: Implementing a defensible deletion strategy and methodology not only mitigates long term risks and liabilities related to enterprise data assets, but also saves time and expense in supporting ongoing litigation and discovery efforts, while reducing budget used for storing and managing content that is no longer useful. A large volume of the “unknown” data, such as files and email from employees that left the organization years ago, or aged data that is no longer managed by the user who owns it, can be easily purged with no legal or regulatory implications.
Dan: How does Defensible Deletion help with always changing regulatory and compliance policies?
Jim: Government agencies are now facing new and complex information management challenges. Not only legal issues, but also regulatory requirements such as the Federal Records Act (FRA), Federal Data Center Consolidation Initiative (FDCCI) and Freedom of Information Act (FOIA) are causing issues for every information management executive in the industry. Managing these regulations and also supporting legal requirements is complex, especially when the large bulk of data are on networks and hidden in legacy backup tape archives, which are expensive and time consuming to rummage through.
Managing data according to ever-changing regulatory and compliance policies is difficult. Enormous volumes of sensitive files and email are scattered about every organization. This data flows through massive networks and is cloistered away in proprietary repositories and archives, which makes access even more of a challenge. As a result, information management strategies are nearly impossible to design and deploy. Understanding and profiling this data is essential and will drive efficiency and management of the content.
Dan: What are the most common and high risk types of content repositories?
Jim: Breaking down the corporate content environment by repository type simplifies the plan of attack towards a defensible deletion methodology. Data repositories can be desktops, network servers, email servers and even legacy backup tapes. Managing each of these repositories presents a significant challenge, especially if you need to manage all of them at once. However, by breaking down the enterprise content environment and prioritizing by data that represents the most risk and liability to the company, the organization can create tiered classifications based on storage capacity and presumed risk. The highest risk data environments are typically email servers and legacy backup tapes. Email is the most common source of evidence produced for litigation and regulatory requests. Legacy backup tapes are a snapshot of everything, including email and files. Using this approach can make a monumental task much more manageable.
Dan: What is Data Mapping and how can governments use it for tiered storage via data classification?
Jim: Creating a data map of content will provide a greater understanding of what data exists and where it is located. A data map can provide information such as age of the data, last accessed or modified date, owner, location, email sender/receiver and even sensitive keywords. A data map will deliver the knowledge required to make “keep or delete” decisions for files and email. An actionable data map can then help you execute on these decisions and defensibly delete what is no longer required, and archive what must be kept. Data mapping can also be utilized to determine how to best store and manage data assets. For example, as a cloud on-ramping platform, a data map can help find content according to policies and migrate it to cloud storage.
Dan: What one action can CIOs and CISOs take that would reduce enterprise risk in this area?
Jim: One action a CIO or CISO can take to reduce enterprise risk is to develop a plan that is achievable and measurable. The plan should have small-scale, incrementally applied projects that allow the organization to get started. The biggest risk information governance programs face is getting overwhelmed with the process and methodology. Once the organization has developed a strong understanding of what information it has and where that information is stored, it can then develop an overall information governance strategy that defines what a reasonable deletion methodology should look like.
My advice is to start small and work up to a master plan. A place to start could be with purging ex-employee data, or determining what data has not been accessed in 5 years and could be migrated to less expensive storage such as the cloud, or can eventually be purged. Getting started is the biggest challenge in a defensible deletion program; however, even with a small start, the organization’s risk and expenses are positively impacted.
Dan: Thanks, Jim, for sharing your insights related to managing enterprise data. For more information, you can contact Jim at: firstname.lastname@example.org. Or, feel free to leave a question or comment below.