App-alling Risk: Preparing for Complex Data Discovery

by John Mielitz

The explosive growth of data volumes has forced enterprises to re-evaluate their preservation and governance models, but perhaps not as intensely as the expanding diversity of information sources. Not so long ago, personal computers were the biggest source of corporate data, and the number of applications generating, storing, sharing, and managing information was relatively low.

Nowadays, though, a proverbial universe of applications act as unique and complex sources of data, especially as the average corporation increasingly mobilizes its workforce with smartphones, wearables, and other connected devices. A growing number of enterprises are also leveraging desktop apps that generate complex data, such as Salesforce, Slack, and internal wikis.

As eDiscovery preparedness becomes more critical for a wider range of corporations, app-based discovery is becoming a major hurdle.

Here are a few notable statistics to be aware of:

Enterprise decision-makers ought to be focused on developing plans to better manage their app-based data preservation and governance practices, boosting eDiscovery preparedness in the process.

All about governance

In the past several years, the confines and best practices of information governance have shifted immensely thanks to the rapid rise of data volumes and increased sensitivity of data management at large. Now, the explosion of communication and management apps has once again stimulated transformation, and this time the complexity is even greater.

Keep the information governance stage of the EDRM in mind here, which seeks to reduce risk through more transparent, comprehensive, and proactive management of all ESI. When you have varied information genesis in several complex source environments without any policy or enforcement mechanism to govern the data, risk is going to inherently rise.

For this reason, law firms and organizations really need to be putting forth a strong and guided plan to track and control ESI in app-based source environments that covers creation, destruction, and everything in between. Every time a new communication app is implemented, the plan needs to be adjusted to account for the unique governance demands involved.

Additionally, at the identification stage of the EDRM, organizations are urged to seek data sources and establish the full spectrum of classifications for each. A few years ago, in the case of mobility, this could have only involved SMS text messaging, email, and maybe one or two apps. Today, just the text messaging component could span three or four unique sources, each of which needs to be classified and governed accordingly.



A note on rogue IT

Business leaders need to deter rogue IT, at all costs, as perhaps the most precarious discovery situations will come from independent, unsanctioned downloading and use of apps on corporate-owned devices. Unfortunately, few appear to be doing so.

The Healthcare Information Management Systems Society discussed the prevalence and dangers of rogue IT at its 2017 Health IT Conference. According to that presentation, more than three-quarters of workers are using social media on work devices regardless of whether there is a policy in place or not.

Not having a policy is the first step toward rogue IT, which HIMSS argued could lead to a range of threats such as indelibility, shadow records, and issues with authentication. What’s more, in the sector with arguably the most stringent data protection and governance demands, almost half of physicians and clinical leaders admitted to not having smartphone security solutions in place.

Rogue IT is most likely to be avoided when policies are in place, for starters, and are highly focused on users. For example, let’s say an employee wants to begin using WhatsApp for work purposes. If relevant policies do not exist, there will be no guidance for, nor governance of, the communications. If relevant policies do exist but are not “frictionless” from the perspective of the user, that employee is likely to download and begin using the app anyway, avoiding disclosure to IT, supervisors, and others.

Deterring rogue IT with respect to apps that create, share, and store complex data that might be pertinent to a trial is a great way to proactively mitigate the discovery risks of modern communication software and tech.

Simple steps

All in all, the best advice I can give is to view app-centric information governance in a proactive fashion. One would be hard-pressed to identify an organization that is not using popular desktop software and mobile apps for management and communications purposes, but it would likely be easy enough to find plenty that have not taken any precautions to prepare for the potential discovery implications.

Here are a few steps all firms can take to begin the risk mitigation process:

  • Identify all apps used for business purposes, cataloging them in an intuitive fashion.
  • Gather insights from employees to understand how the apps are being used.
  • Establish data governance policies for each.
  • Create an over-arching governance policy that connects the various moving parts.
  • Ensure all of these policies are clearly communicated to employees.

From there, policies should be reviewed regularly and adjusted as updates are released or more insights are collected from employee use. Suffice it to say that tackling these complex, app-based discovery problems before relevant data becomes pertinent to a trial will always be the least stressful and most cost-effective approach.