[Webcast Transcript] From Strategy to Tactics: Data Remediation at Private Equity and Hedge Funds

On April 20, HaystackID shared an educational webcast developed to discuss best practices for handling big data and provide tangible field-experienced methods for data remediation. These best practices can be implemented at your firm, proactively warding off adverse outcomes when facing an audit, investigation, regulatory request, litigation, or cyber breach incident.

While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation.


[Webcast Transcript] From Strategy to Tactics- Data Remediation at Private Equity and Hedge Funds

Expert Presenters

+ Matt Miller

HaystackID– Senior Vice President, Global Advisory Services Leader 

+ Anthony Diana

Reed Smith LLP – Co-Chair of IP, Tech & Data Practice Group and Enterprise Data Risk Management Partner

+ Kenneth Rashbaum

Barton LLP – Privacy, Data Protection, and Cyber-security Partner

+ Glenn O’Brien

Butterfly Network, Inc. – Director of Legal Operations and Enterprise Risk Management


Presentation Transcript

Moderator

Hello everyone, and welcome to today’s webinar. We’ve got a great presentation lined up for you today. But before we get started, there are just a few general admin points to cover.

First and foremost, please use the online Question tool to post any questions that you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please let us know using that same Questions tool, and a member of our admin team will be on-hand to support you.

And finally, just to note, this session is being recorded, and we’ll be sharing a copy of the recording with you in the coming days.

So, without further ado, I’d like to hand it over to our speakers to get us started.

Matt Miller

Hello, good morning, afternoon, and evening to today’s worldwide audience. Hope you’re having a great week. My name is Matt Miller, and on behalf of the entire team at HaystackID, I would like to thank you for attending today’s presentation and discussion titled From Strategy to Tactics: Data Remediation at Private Equity and Hedge Funds.

Today’s webcast is part of HaystackID’s regular series of educational presentations developed to ensure listeners are proactively prepared to achieve their cybersecurity, information governance, and eDiscovery objectives.

Our expert presenters for today’s webcast include individuals deeply involved in the discipline of managing data and the risks associated with that data in fields ranging from cybersecurity, and information governance, to legal discovery. As subject matter experts, they all have extensive practical and current experience in enterprise risk management and data protection through the lens of audits, investigations, regulatory requests, litigation and cyber breach incidents. Let me introduce myself as today’s moderator, and presentation lead as we get started.

So, I am Matt Miller, and I’m Senior Vice President at HaystackID and the Global Advisory Services Leader. I’m based out of Los Angeles. I’m a non-practicing attorney with over 18 years of experience, focusing on information governance, eDiscovery, cyber breach investigations. I’ve held a range of roles from product manager of EnCase eDiscovery and Guidance Software many years ago, I spent about six years at Ernst & Young in their Forensic Technology and Discovery Services practice. and was one of the co-founders of their information governance services line. I serve as an adjunct professor in the field of cybersecurity for two different courses at Loyola Marymount University in LA. And I’m currently leading a CFIUS third-party data monitor project, and I’m a neutral discovery expert between the New York Attorney General and a very high-profile company. And my résumé pales in comparison to who we have with us today.

So, I’m grateful to present and moderate today’s webcast with a group of industry-acknowledged experts. So, let me introduce Anthony Diana next.

Anthony Diana

This is Anthony Diana, I’m a Tech and Data Lawyer at Reed Smith, a Partner in the New York office. Generally, historically, I was a litigator, moved into eDiscovery and was head of an eDiscovery practice at a private firm. And at Reed Smith, that has expanded into other enterprise data risk management fields like data privacy, data security and the like. Most of my practice is focused on advising highly regulated and highly litigious organizations such as financial services, pharma and the like, on all things tech and data, technology data that includes data remediation, record retention schedules, third party governance, all kinds of things. So, we’ve been doing that. And then over the past few years, have been doing a lot of work in the private equity and hedge fund world where your peer firms are moving forward on managing their data and technology risks better.

Matt Miller

Excellent. Thanks, Anthony. And next up, we have Kenneth Rashbaum.

Kenneth Rashbaum

Hi, everybody. I’m Ken Rashbaum. I’m a Partner at the law firm of Barton LLP in New York City, which is a full spectrum business law firm that covers a wide variety of areas with a client base that is strong in financial services and also in cross-border aspects. I have worked with a number of private equity funds on due diligence in the regulatory area, specifically around management of electronic information for their investments. I’ve also served as a special consultant to the Assembly of the State of New Jersey and assisted in drafting one of the three data protection, that is privacy and cybersecurity, bills currently pending before the legislature and I testified as a privacy and cybersecurity expert before the Homeland Security and State Preparedness Committee of the New Jersey Assembly. I’m also an adjunct Professor of Law at Fordham University Law School in New York, where I teach two courses on privacy, cybersecurity, and technology transactions. Happy to be here today.

Matt Miller

Excellent. Thanks, Ken. And Glenn O’Brien, please introduce yourself.

Glenn O’Brien

Hi, everyone, I am Glenn O’Brien and you can tell I’m not a lawyer, because I’m the only one of the headshots not wearing a tie. I don’t play a lawyer on TV either. I represent the in-house focus on this, I’ve been working in the legal operations space, and specifically eDiscovery for about 20 years or so managing day-to-day eDiscovery operations for a Fortune 100 insurance company where I was managing over 2,500 legal holds a year. And more recently, I started working in more of the startup world where my last two roles have been mostly startup, or close to startup organizations, managing legal operations and starting up eDiscovery operations, as well as enterprise risk management at a medical device company. So, I’m the guy who from the in-house perspective is trying to get done all the great advice that these guys are offering.

Matt Miller

Perfect. And so, next, I’ll quickly walk us through the agenda. And then we’ll dive right into the discussions here.

So, for the market of private equity and hedge funds, we tried to put together something that should address, perhaps, things that haven’t been addressed at some of the firms or things that could be improved. And we’re going to begin with a programmatic approach to information governance, we’re going to walk through some vital guidelines, essential controls that you may want to have in place for protecting data better and making changes in your data environment. We’re going to talk about understanding data risk and value and quantifying high-value information assets. What does that look like? And simultaneously, being able to eliminate redundant, outdated, and trivial data. We’ll talk through some defensible data disposition and remediation concepts. And ultimately, leave you with some ideas around insulating your firm from outside threats or insider threats. So, we could get right into this.

So, we’re going to start with this programmatic approach to information governance, and if you could just click through about six times I believe.

So, at HaystackID we have – our team has put together this methodology. It’s an information governance methodology, and the idea is to help get your security measures above a reasonable expectation. So, there’s a Sedona Conference paper around reasonable security measures in the event of a security breach. It is, I believe, still in draft form. I’m actually attending the working group 11 next week, where I think they will be talking about that again. And in order to get there and ensure that your organization is cyber incident prepared, we’re going to talk about, right now, primarily steps one, two, three, and four. Solidifying the foundational elements, the maturity level, program and policies, data mapping, getting to be able to identify, classify, and inventory data, separating things into big buckets like critical, sensitive and redundant outdated and trivial data, so that you can start operationalizing policies on the network, so that you can implement defensible disposition and remediation concepts. Once you have those three pieces up and running, you should be able to have an automated, continuous data supervision technology solution behind your firewall, which both NIST and CIS and Sedona and many other guidelines are pointing in that direction.

So, let me just pause right there about these six steps before we move into the next slide, and open it up to the panel to see what do you guys think about that foundation, those foundational elements of understanding what the maturity level is withinside the organization. So, perhaps you could put in place KPIs to measure your growth over time, and developing policies and a data map as the baseline foundation for getting a better information governance program off the ground. Maybe we’ll start with Anthony.

Anthony Diana

So, I think, just to level-set, and I assume this is going to be true for most of the listeners today, because it’s true with the – and these are relatively large private equity and hedge funds that I’ve been dealing with, they tend to be very immature in this space. And what that means is most of those organizations pretty much have almost every document, since the founding of the firm, whether that’s in email form, and they have a messaging archive, and it goes back 20, 30 years with all the data, they’ve got file servers with data that they don’t even know, and it’s petabytes of data that’s just sitting there and have never really implemented any type of routine destruction of data. So, that’s generally where we see a lot of our clients in the space.

They also don’t have even basic things like a record retention schedule, a legal hold policy and the like, and in part because they weren’t subject… these entities, generally, weren’t subject to a lot of regulatory oversight. The regulators weren’t knocking on the door like they were with the big banks. And the plaintiffs firms, generally – they weren’t in the crosshairs of the plaintiffs firms. That is all changing. Every regulator’s announcing that this is who they’re going after over the next few years.

And so, I think this is going to be something that, at least some of the peer firms out there have already started moving in this direction, and there’s a whole host of reasons for it, cybersecurity reasons. And obviously, private equity and hedge funds, because of the importance in the market, are subject to ransomware and cybersecurity attacks. There’s privacy concerns, I know a lot of you are probably global, even if you’re not dealing with a lot of your dealing with customers, you still have investors and the like with private information. So, there’s a lot of reasons why we’re seeing a lot of interest in this space, as people are really just getting ready, instead of thinking about, “We need an information governance methodology”, this is really preparing for what’s going to happen in the next three to 10 years – or actually, probably this year to 10 years – in this space as regulators and plaintiffs firms really focus.

So, getting this foundation is critically important. And we’ll talk about it as we go through what the importance of each of these foundational steps are in setting you up so that when the regulator calls, when you’re hit with a big lawsuit, you’re prepared and don’t have a lot of data that is just literally sitting there with lots of risk associated with it.

Matt Miller

That’s perfect. And Lucy, if you can move us to the next slide. I’m going to have Ken start, and then Glenn opine. This is a policy framework, these are some ideas to be able to enable organizations to have better enterprise data risk management. And so, Ken you’ve worked with different organizations over the years in this space, specifically, of these different recommended policies or these different bucket areas of what do we have, and where is our data, and what is inside our data, and who can access that data, and how we can get to our data when we need to, how long we should be keeping it, and when can we actually get rid of things, what stands out to you as maybe your top three recommended policies that are just must-haves to put in place, and why?

Kenneth Rashbaum

The first three recommended policies I would suggest would be access controls. Who has access to what, under what circumstances and why?

The second would be a records retention policy. How long are you keeping stuff? Why are you keeping it? Where are you keeping it? What is the basis for keeping it? Because there are a lot of laws and regulations and agency rulings that talk about this.

And the third are incident response plans. What do you do when the worst thing happens? Who do you call? Who do you call if that person you’re supposed to call is not available? What do you do if you have a ransomware attack to get your backups online quickly so you don’t have much downtime?

These are legal requirements, but they’re also business requirements in two aspects. The first aspect of a business requirement is when you are about to do an investment, you want to make sure that the company in which you’re investing is a good risk. Nobody wants to invest in a potential lawsuit of Government regulatory proceeding. So, having these policies in place, having this, what we call, a data map – which we’re going to get to in a little bit of time – which tells you what information you have, where do you have it, how can you access it, and how are you backed up, are the very same questions in your due diligence you’re going to be asking of the entities in which you want to make your investment. You may have to have set-asides in some of the deal documents, for example, if it’s not up to snuff. And the legal aspect of this is fairly simple, which is that the laws and agency rules require you to have these policies and procedures in writing. If you don’t have it in writing, they presume it doesn’t exist, and it’s a per se violation of the regulations.

The other business aspect of this is that pretty much every private equity fund we work with has privacy and cyber liability insurance, and technology errors and omissions insurance. That market is contracting, and it is hardening dramatically, as a result of the number of claims during the pandemic from so many people working remotely. You need to have this insurance, it’s a critical safety net. And in fact, some states, like Vermont, actually require that financial services organizations have this insurance in effect.

So, how does this tie into policies and procedures? Simply this, that the applications that you will be submitting to get or renew your insurance will ask if you have these things in writing. If you do, you will get higher limits, better scope of coverage at lower premiums. And if you need any evidence and ammunition to get budget for your program, this is Exhibit A. If you don’t have it, it’s going to be much harder to get the insurance at the inception, or to have it renewed on favorable terms.

So, the business reasons and the legal reasons for what we’re talking about today dovetail very nicely. Depending on with whom you’re speaking, you may want to emphasize one over the other, but they are two sides of the same coin.

Matt Miller

Very insightful. And Glenn, you are inside a company that within the past year has gone public, and you work in that enterprise risk management field, you report into legal and have some, probably, crossover in dealing with the IT teams as you’re trying to ensure that you have the right policies in place. I’m just curious to hear from your perspective. Where does your mind go to? Is it the same ones from a policy perspective?

Glenn O’Brien

It is, and before I answer this, I should preface that these are my opinions and not the opinions of my company, as a publicly-traded company. These are certainly my opinions based upon my experience.

But to answer your question, Matt, my first three go-to’s here, are what do we have? Where do we have it? And who has access to it? From a purely practical perspective is, what do we have? What data do we have in the environment? And where is it? Because I’m going to need – I can’t manage what I don’t know, and I need to know where that information is so that I can properly manage it. And then I automatically go to, who has access to it? For a number of reasons. One is, again, I think very practically, do I need the entire company to have access to this information? Probably not, but the issue that most startups have is we want to go very quickly, very quickly, and oh, by the way, very quickly, so we don’t think about things necessarily about access control. Does the entire company need to have access to this information? Not likely, let’s just give access to the information to those who need it. So, practical reasons. We don’t want this information to get out. We don’t want everybody to have access to it. We don’t need everybody to be insiders, necessarily, of the entire company.

So, make sure that you’re governing who has access to it and where that information lives so that you can probably get to it and manage it when you need to.

Matt Miller

Perfect and this is an important slide. We’re talking about the foundational pieces to be able to operationalize these policies with technology. But before we get there, Anthony, when we had talked earlier offline, you were talking about the tone at the top of the organization. Do you want to talk a little bit about that?

Anthony Diana

Yes, because I think one of the things – and if you’re listening, you’re probably thinking the same thing like, how do I sell this to senior management in these private equity funds, and hedge funds or whatever? And I think the answer is – and they also are going to think of it as, “Oh, we really need a policy”. That’s not going to sell. What they care about is results and I think Ken mentioned one, which is a good tact in terms of getting insurance.

I think most senior executives are really focused on cybersecurity. They’re also focused on not having bad emails going back more than a decade, particularly when they know that regulators and plaintiffs are coming after them.

So, there is a lot of talk about this at the senior ranks and how to do it. And I think that’s one of the questions people have is, well, how do I do this? They say, “Look, I don’t want to have any emails older than seven years, 10 years, whatever it is”. Well, how do you get there? It’s not as simple as just saying, “Well, let’s just do it”, because you need to have a legal basis for why you can get rid of things. So, that’s why these policies matter.

The other thing that’s important is as you start going through the policies, and why I like the policies, it starts highlighting what the risks are in the organization. Because one of the things that you have to do, as an organization, is figure out, where are your data risks? What is it that you care about? Like I said, I have some clients, they were really focused on messaging data, they didn’t want those bad emails. So, the focus of this enterprise data risk management, this information governance program was to start with email and start doing that. And you can’t really start having those discussions until you have policies in place, so that the risks that you’re taking on as an organization, relaying the data, are visible and transparent to the senior executives, and then they can start making decisions based on data. No senior executive cares about information governance, full stop. They fully understand risk, and how to manage risk and how to take on risk.

And that’s what we’re basically talking about, when you start putting these policies together, this is basically putting out for the organization, “Here’s the risks that we’re willing to take as an organization, and here’s ones that we’re not willing to take, and we’re going to take steps to mitigate that risk”. And it could be data remediation, it could be access controls, and having a really strong access control policy. And I know for a lot of private equity firms and hedge funds, like the trading strategies, the deal documents and the like are the crown jewels. And oftentimes, there’s no access controls, and they’re getting hit by internal audit, they’ll probably get hit by regulators eventually, that is a huge area where a lot of your peer firms are really focused.

So, that’s the type of thing that you have to start talking about is you’re not going to get anyone to say, “Oh, we really need seven policies”. What you really are selling is, “OK, we need to start managing our enterprise data risk better, where do we want to start?” And you start having those conversations with senior executives, they’re going to care about results. And similar to what Glenn says, I think they’re very much results-oriented. They want to move fast. So, they’re going to say, “I want this done, and I want this done quickly”. This takes a while, even just drafting these policies take a while, because there are decisions, critical decisions that need to be made about your organization. And really, what do you want your organization to look like from a data perspective and a risk perspective in the next five to 10 years?

A lot of your organizations are growing dramatically, a lot of you are expanding internationally. That brings all kinds of data privacy issues and the like. So, all of that is baked into the policies. That’s why this is such an important slide is this gets you the foundation for your organization to prioritize. What are the data risks that I care about? And how do I prioritize it? Is it cybersecurity? Is it data privacy? Is it we don’t want email? Is it cost savings? There’s lots of reasons why you want to do this. You’ve got to figure out from your organization, what is it that they prioritize? And what are the risks that you care about? And then how you’re going to do it.

And these policies, this policy suite is really how you pick and choose and raise that with the senior executives. And then once they sign off, as we’ll talk about later, then you can start operationalizing and the like.

Matt Miller

Perfect. And so, Lucy, let’s move to the next slide, please. And by the way, for anyone in the audience – I failed to mention this up top – if you have any questions, there’s an area where you could write in questions and try to get us to answer them as we go along.

So, what we’re depicting here is after we’ve got some of these policies in place, or along with the policies, there’s some tangible things that you can do to your data to be able to get to this point of continuous data supervision. And the controls that are going to be put in place, within the different technology suites that your IT team is in control of, need to marry up with what you have from that policy foundational framework.

Glenn, in your experience, have you ever had to deal with this classification of data? And what does that do? How does that help enable the teams to be able to do their jobs better?

Glenn O’Brien

So, we’re constantly going through exercises to figure out what the information is and where the information lives, so that we can manage it appropriately. Anthony mentioned the crown jewels before. And your crown jewels are going to vary from organization to organization.

Before my current company, I worked for a cannabis company. And I never thought in a million years, after 20 years of working in the legal space, I would be having an information governance conversation about a recipe for edibles, but yet there I was, because that was our crown jewel, one of our crown jewels of our organization. And we needed to classify the information and make sure that we knew where our proprietary information was. And yes, this recipe was proprietary information. And we needed to make sure that it was being properly controlled. And that it was being, not only properly controlled to make sure that it wasn’t getting out to it to competitors, or to insiders who might have been leaving the company, but also disseminated to those others who needed to have access to that information. Because as we were expanding as a company, this particular product of ours was one of our better products, and we want to make sure that it was being properly shared across the organization.

So again, going back to my previous comment, knowing what you have, and where you have it, what you have – part of what you have is classifying what you have to make sure that you are properly acknowledging what the company proprietary information versus the crown jewels and then properly securing it.

Matt Miller

Great. And Ken, I know that you had some thoughts about some of these different, I guess, suggestions of areas that could be implemented, but specifically related even more to PE firms?

Kenneth Rashbaum

That’s right. And picking up on what Anthony and Glenn just mentioned, you don’t need to have every byte of data subject to these policies. That’s why the data classification protocol is so critical and training the workforce on them. A lot of what I do in my legal practice is, what I call, “talking clients in off the ledge”. There are a lot of times when I will come in, and there’s been a data breach, say, and people want to notify all of the law enforcement officials and even hold a press conference immediately. And I’ll say to them, “Whoa, stop, take a breath. The law doesn’t require this. Let’s not go overboard, because you can’t walk something like that back”. And because I’m the legal advisor, I’ve got some skin in the game. And generally, we can have cooler heads prevail.

The same thing is true with data classification. You’re going to have some people who are going to say, “Oh my God, everything has to be encrypted. Everything has to go through these particular controls”. And it’s just not the case. What a data classification protocol will do is it will be designed around what the pertinent laws and regulations are that cover your organization, and basically says, “Look, this is what we need to protect, and this is how we need to protect it”. This is absolutely keystone in your program, because at the end of the day, it has to be practical. It has to be tailored to the organizational and business culture, or else nobody’s going to follow it.

And remember, once you have all this in place, as I said, you’re going to be doing workforce training to socialize this with everybody in the company. You want people to say, “Yes, we can do this”. You don’t want them to say, “Oh my god, forget it, I have too much on my plate already, this is never going to happen”. Because that’s a recipe for a disaster, that’s a recipe for a data breach, or a regulatory investigation with huge penalties, and most importantly, losing the confidence of your investors if either of those things happen.

So, that’s why that classification is absolutely critical, it needs to be done very early before any of these other things on these slides really can be done.

Matt Miller

And so, Lucy, let’s move forward. We spent a lot of time there, because clearly, all of us think that it is so important to have that foundation in place. So, if we’re going to flip forward one more slide, and probably click three times, I think. I just put up here a couple ideas that I pulled out of the NIST 800-53 Rev. 5. It’s easily my favorite NIST guideline, it’s about 495 pages, but I tried to boil that into a little graphic there on the left-hand side, which is that what they’re trying to say is that protecting your essential assets, which is the critical and sensitive information on the network, through controls, it involves multiple lines of business, which all have different obligations to get involved.

And going further with that 800-53, in the bottom middle, you’ve got depiction of what I call the integration hub, the Center of Excellence, some sort of steering committee comprised of a variety of different stakeholder key stakeholder groups within the organization.

Why do we need to have these different groups working together is ultimately to prevent cybersecurity-related privacy events, which would be a data breach, a compromise of some sort, an exfiltration of data of your most critical and sensitive information? I’ll also point out the CIS Security Controls V8 is out now. These are different guidelines that insurance companies are now even leaning to when they go through and do an audit of what you have in place as they’re trying to make determinations of what you’re going to be paying for a premium.

And we’re going to flip to the next slide, and I’m going to let the team here talk about some of the regulatory compliance and major legislation that’s out there now, that probably is impacting everyone that’s on this call.

And maybe we’ll start with Anthony on this one, specifically related to PE. And then generally, where do you see the focus needs to be? Why do they need to follow those guidelines and controls and get those in place in order to meet their obligations for all the different things that we see on the screen here?

Anthony Diana

And I think this is critical in terms of, again, educating the private equity and hedge fund space around some of these because they haven’t been, again, as big a focus of the regulators. But we’ve heard from various State AGs, from the FTC on antitrust grounds, from the SEC, they are laser focused on this space, because this is where the money is. They’re really focused on doing investigations. And again, what we’ve seen, and FINRA has done this as well, these regulators – just to give people a heads up – what we’ve seen, particularly in the large financial institutions sector, where an investigation on insider trading, or hiring practices or whatever it is, balloons into basically an audit of your data and security policies, including information access and the like.

So, we’ve seen this time and time again for the big firms, and even some of the small broker-dealers. They frame it as either cybersecurity or whatever, violations or whatever you want to call it, but what they’re doing is basically saying, “Are you managing your data risks correctly?” And again, some of the big firms have been fined. J.P. Morgan got fined again, that was on capturing WhatsApp and WeChat and the like that business lines were using. It wasn’t protected and captured. I can tell you, undoubtedly, the senior executives and even some of the non-senior executives on the trading floor are probably, particularly during the pandemic, were using these non-authorized communications to do business. It was pretty much rampant for a while, and I think that’s why they made J.P. Morgan a target. You should know that there’s probably about a dozen, I think, other large financial institutions that are also being canvassed for this.

So, it all comes to what controls you have in place to make sure you’re capturing all your electronic communications, because you may be subject to the Investment Advisers Act, or 17a-4, for your broker-dealer. So, you have to capture that information. Do you have controls in place to make sure people are doing that? It’s a simple thing. But it’s something that I would not be surprised that the private equity and hedge funds space are going to be pretty exposed on, because they probably were doing it and may not have the culture of compliance, because they haven’t been a focus.

Again, I think all of this comes into play. All of these laws, HIPAA, GDPR, like if you’re going global, like I said if you’re going into not even just global, even some of the states have specific requirements on deleting data. These privacy laws and cybersecurity laws are really focused on data management, but also on, why do you have data that you don’t need to keep? And this is going back to the policies. You can’t defend that I’m keeping this data for reason, because they’re going to say, “Well, what is the reason?” And that’s what the record retention schedule is for. No one wants to do a record retention schedule, they say, “Why do I need this?” That’s what it’s for. You can go to your record retention schedule and say, “Under the laws, I have to keep this for seven years or whatever it is, or 10 years, or 30 years”. If you don’t have that, you’re just completely exposed when these regulators start calling.

So, again, going back to the basics this is going to be a focus of these investigators. And if you haven’t gotten the knock on the door yet, you’re going to get it soon from one of these regulators dealing with one of these laws.

Matt Miller

I think there’s no doubt there. And Ken, you worked in drafting some of the privacy laws on a state level. How do you see that playing out from a regulatory enforcement perspective in the future?

Kenneth Rashbaum

Well, Anthony’s right, this is where the regulators are going to be focusing. But I want to disabuse a notion that some of you may have that you don’t have information that is “private”, because you’re just handling financial information. That is not the way the regulators and the statutes look at the information that you’ve got. Privacy and confidentiality are essentially overlapping ideas of the same point, the data is protected, because its release to unauthorized people can cause problems. So, that’s why the General Data Protection Regulation, which applies to anybody doing any business with people in Europe, all right, in the European Union specifically. So, yes, it has what we call as lawyers, “extraterritorial jurisdiction”, meaning it applies to you in the United States, if you are working with European investors, European clients, European customers, or even tracking what European residentials are doing so you can make them clients or customers. You will be covered by that.

In my work with New Jersey, we spent a lot of time on what information will be covered and to cast a broad net, so that it would cover, specifically financial information, as well as the more traditional private information. So, yes, you are covered by these laws and, yes, they do form a framework for how you should be managing your information and how you’re representing to clients, and customers, and investors how you’re managing that information, because the State Attorney General and the Federal Trade Commission are looking at what they call “unfair or deceptive trade practices”. I started my career as a prosecutor in Brooklyn, and the way we used to discuss it is very simply this. If you talk the talk, you’ve got to walk the walk. So, if you’re talking about how wonderfully you’re keeping the information secure, and confidential, and having access controls, and meeting requirements, you really better be able to do it and document that you have. Because if you have a data breach, and everybody will at some point, it’s more a matter of when you have a data breach, and the Attorney General or the Federal Trade Commission come knocking, you’re going to have to be able to say to them, “Look, we live up to the standards we’ve set for ourselves”, if you don’t, you have tremendous exposure that way, not just financial exposure for penalties. The SEC is, by the way, all over this too very recently. But reputational damage, reputational damage, if you’re losing investors’ funds because of lack cybersecurity, it’s going to be very hard to get them back.

So, this is the theme I strike with all of my financial services clients. It is this, it’s not just legal compliance, it’s existential to your organization.

Matt Miller

Excellent commentary there, guys. Lucy, let’s move forward, because I’m going to have Glenn probably talk next about the data risk and value. But really, what we need to understand is, where is all of this stuff? And how do we get control over it? So, if you can move to the next slide.

We’ve got a bunch of different types of repositories, data sources listed here. There’s different kinds of data, unstructured, structured data, software-as-a-service, file hosting systems. I know something that – because Glenn and I have done this talk in the past – shadow IT. And I think it actually was mentioned by our other panelists earlier. Glenn, can you talk about these different kinds of buckets? What gives you the most trepidation from an enterprise risk perspective? And what is that concept of shadow IT? And how does that impact what you do on a daily basis?

Glenn O’Brien

So, the shadow IT really is that scary thing that’s sitting out there. So, we talked a little bit earlier about a data map And so, what is a data map? A data map is understanding what data you have. Where is it? How it’s controlled. How it’s secured. What of those frameworks and regulations we saw in the previous slides govern it, so that you can check the box and make sure that you’re doing the right thing?

Well, OK and that works for great things that are on here like Workday. I obviously know where that is, ServiceNow, Salesforce, those are all the IT governed and managed applications that are out there. But what’s not out there is people who want to do the poor man’s FTP to move things from their work laptop to their home laptop, because they’ve got a better processor on that laptop. So, they move something over to their personal Dropbox account, or they move it over to an external hard drive, or they’ve got an Access database running, that’s not just an Access database, but it’s actually processing the data. So, now when you talk about things about a process map, in terms of GDPR, about where this data is going, you’ve got all these other side things that are running out there that you just don’t know about. And that’s the shadow IT that Matt’s talking about.

Technology has come so long in the years that I’ve been doing this where you don’t need IT to manage your databases for you, because all you have to do is simply install something like an Access database, a Microsoft product on here, that will start processing data. And now that you’ve actually processed this data, it’s subject to things like GDPR, and all this other stuff. And it’s moving from point A to point B, and now you’ve lost control of it. Because when I, as the enterprise risk manager or the legal operations manager, suddenly come upon a need to find data, because I don’t know, maybe we’re getting sued, or I need to do an investigation, or I need to issue a legal hold, I have to know where that data is in order to go put a legal hold on it, or collect it for forensic investigation. I’ve got all these shadow IT operations going on out there that I’ve lost control of where that is.

So, when it comes to this particular slide, that’s the thing that keeps me up at night is making sure I know where my data is and how it’s being processed.

Matt Miller

Lucy, click it one time. So, 90% of all data in existence was created in the past two years. In 2020 90% of all data generated would be unstructured, and it has no defined format. And I’m going to read just a quick couple of statistics about the size of data.

A megabyte of data, one meg is 75 pages worth of text. One GB, and my phone has 256 gigs on it, that’s 1,024 megs, so a gig is about 75,000 pages or a pickup truck full of documents. A terabyte, it’s 1,024 gigs. So, a terabyte is over 85 million pages, or about 1,150 pickup trucks full of documents. It also could be a terabyte, about 500 hours of video content. And a petabyte, where most of the organizations are at and over, 1,024 terabytes is 1,174,187 pickup trucks full of documents if it was printed out. Massive volumes of data.

So, there’s all these different obligations we talked about from the regulatory authorities, from legislation. There’s obligations around messaging, and there’s a lot of difficulties related to collection.

Anthony, could you talk a little bit about the sophistication level in some of the big banks and maybe biotech, pharma, healthcare versus perhaps this market? Simply because it hasn’t been focused on in the past.

Anthony Diana

I think the reality is most of the big organizations have been working on everything we’ve been talking about for the past decade or so. They’re not that far ahead, bluntly, they’re starting to delete stuff. They focused on email and the like, they’re now trying to start doing – and they’ve got petabytes and petabytes, I don’t know what the thing is about petabytes, but they have that in terms of file server data and unstructured. So, they are well aware of this explosion of unstructured data, and they want to mine it for – bluntly, they also want to mine this data for business purposes.

So, again, that’s the reality. And I think most of the people that I’ve said, I’ve talked about is I assume that if you looked at your organization, you’ve got a ton of data that’s just sitting there, and has literally been there since the organization started.

So, what to do? I think one of the things that’s helpful on the slide is technology, particularly these cloud service providers are a solution. So, technology adds lots of risks, but it also provides solutions, which is great. We’re doing a lot of work right now, both in the private equity space, and also for these big firms on something like M365. Microsoft 365 is designed, basically, to help organizations because it’s in the cloud, you have your data, and their big push is to manage your data better. So, something like M365, whether it’s Exchange Online, OneDrive, SharePoint Online, Teams, great productivity tools, but also can be utilized to help you manage your data risk.

But again, part of this is talking to the IT folks, and this just goes to a slide before, why do you need all these people involved? You can’t just say, “OK, this is what I want to do”. IT is probably making decisions, frankly, and taking on a ton of risk for your organization, by just following default settings that Microsoft has. It should not do that. There’s privacy risks, and security risks associated with that, and in their default settings and the like.

So, just thinking about, again, I always like to think about stop the bleeding, if your organization is moving to 365, and they probably are, or maybe Google or whatever, but if they’re moving in that direction, moving away from on-prem to the cloud, that’s the opportunity to set it up correctly. Talk to the IT folks, and really get privacy, everybody involved and start going through all the different features,. Even something like retention, and figuring out from each thing, how long are we keeping stuff in a OneDrive or whatever? And again, it’s all going to be based on policy. But it’s a good way to start thinking about how we’re going to manage our data is if you’re moving to the cloud, for particularly your unstructured data, start putting some guardrails on it, start putting the controls in place. And then that’s a good way of educating your client, your clients meaning the businesses on this is how we’re going to manage data in the future, and this is the rules of the road going forward.

So, I think it’s an opportunity and should be used as an opportunity to really start thinking about – this is what I was talking about before – what’s the vision of your organization in terms of data and how you’re going to communicate with clients? Are you communicating through email? Are you going to communicate through Teams? How are you communicating with your investors? All of those things are the discussions you should be having. Are you going to be having outsiders – your portfolio companies, it’s a big discussion right now. Should your portfolio companies have access to your Team sites and your SharePoint sites? These are the conversations that people need to have. However, there are a ton of risks associated with that in terms of setting it up correctly.

So, again, I think, because of where we are, as a world, where we’re moving to the cloud and moving – there’s a lot of opportunity to do it right going forward, you’re always going to have the stuff legacy, but you’re going to have to deal with that eventually. And hopefully, you deal with it before it’s migrated to the cloud. But you do have the opportunity right now to set up your organization for success. And again, it’s the vision of not just success, but it’s how are you defining success. And it could be if your organization is we want all of our portfolio companies to be managed through SharePoint and Teams, and you’re going to collaborate more. When you’re doing deals with your outside counsel, you’re going to have Team rooms now. And you’re going to manage that risk and data better, with access controls and the like. There’s so much that’s opportunity out there, but again, you have to start with the fundamentals before you can go too far.

Matt Miller

That’s perfect. And so, in the interest of time, I’m going to walk us through a couple of slides and then bring you guys back in. Lucy, if we can click two slides up. We’re going to see a chart from IBM that lays out data value for the different types of data that you have out on your network. This is another critical foundational element and exercise that needs to take place at each one of these companies to be able to identify what is that enterprise-critical data with deal documents, for example, that just ultimately needs to be protected. And it’s this really small amount of data that is probably of that most high intrinsic value. And that’s why it’s the hardest to find, you should know where it is, and if you don’t, you need to.

And so, let’s go to the next slide, where it’s an example, and we’re going to click a couple times. What we’re looking at here is an HR folder, and it’s got 226 gigs of data. And then once that is expanded, you’ve got 347 gigs of data. But within that data, because no policies have been put in place, and no remediation has taken place, no defensible disposition activities have taken place, you are holding on to enterprise risk, and you’re keeping your company exposed.

So, in this particular example, and this is a real-life case study, they had 5.2 million social security numbers sitting out there that were all over – in documents that were over seven years old, and had never been deleted off the network, because they had never looked for them. No one had ever scanned the network.

So, let’s go forward. And let’s go forward one more, let’s click this one, I think, two times. So, there’s defensible disposition frameworks that can be put in place. Click one more time. And you can draw a line in the sand with the legal team, with your outside counsel to have these policies put in place, and then implement with the IT team defensible disposition and remediation tactics to be able to get rid of data that you don’t need to hold on to any longer.

And let’s go forward to the next slide. Let’s click this one, here we go. And so, gentlemen, benefits of disposition and being able to actually get rid of this stuff. How does this play out in real life, in protecting the organization from cyberattacks and things of that nature? Let’s start with Ken.

Glenn O’Brien

So, I’ll jump in from a cost perspective. I was managing eDiscovery, electronic discovery for many, many years at a Fortune 100 company. This data is expensive, and I know the technology has gone there where you can get to this data a little bit faster than you used to be able to in the old days. But the least amount of data that you have that is subject to legal hold. The least amount of data that you have to collect that costs money. The least amount of data that you need to host up into a review platform that costs money. The least amount of data that needs to be reviewed by lawyers, guess what, that costs money. So, from a pure, practical perspective, if you can eliminate some of this data out of the environment, you will save a tremendous amount of money when it comes to the very real event of an eDiscovery exercise.

Anthony Diana

And I would say this, just to give you an example, so one of one of the big private equity firms – and this is, I think, helpful also for career paths – there was a person that they hired to help with this, and she worked with my firm in a consultant light, and worked with the IT folks, very closely with IT and got IT to basically buy into this concept. And IT was shocked and surprised, because we said, “Look, we’re getting rid of all of your – we’re going to get rid of all the backup environment pretty much”. And we basically reduced their backup environment by, I think, more than 90%, partly because they were going to the cloud and stuff like that. So, huge cost savings by getting rid of – because they were keeping backup tapes forever. No one has ever given the authority to get rid of them. We got rid of all the backup tapes. Then we also limited and deleted all of their email that was older than seven years. Again, huge because we were able to save a ton of money in negotiating with the vendor and the like, that was supplying that. We got rid of tons of boxes. We’ve gotten rid of so much stuff. Now, we’re starting to do file servers. But it’s transforming the entire organization.

And then from an IT perspective, what they like is now I’m not spending money on just junk, I can now invest money on the technology that the business needs to actually do the work. So, working really closely with IT to fund this was critical, and talking IT about what their vision is, which is usually cloud-based, really high-tech technology to start doing stuff is exactly what they wanted, and they’re willing to fund it.

Kenneth Rashbaum

On that point, everybody’s afraid to throw out stuff. There is still – and the paradigm has changed, because there is so much of it now. And there are now legal requirements, in addition to the business requirements we’ve been talking about, that you have to get rid of stuff. It’s called data minimization, and it’s worked its way into the General Data Protection Regulation in Europe and many of the state laws including New York’s laws for that matter.

So, when working with your legal team, to give you the authority to say, “Hey, we can get rid of this”, with the IT team as to how it will be done, and with your third party consultants as to how to do it in an efficient manner, you can streamline your data picture, your data landscape, in that way, reduce your exposure to potential data losses, potential penalties, and also the costs of maintaining that information.

Matt Miller

That’s really fantastic. And I know we had a handful of slides left, but we’re going to just skip right to the end, because we are out of time, but it’s because we had such a great discussion today.

I’ll put it out there that if anyone wants to reach out and get a copy of this deck, or even have me walk their team through it, be happy to do so. My email is [email protected]. And I want to say thanks to this team, such valuable information and insight. I also want to thank all of our audience members who took the time out of their schedule today to attend this webcast. We know how valuable your time is, we know how valuable your data is, and we really appreciate you sharing your time with us today.

We also hope you have an opportunity to attend our next monthly webcast, which is currently scheduled for May 18th, 2022. The webcast will feature an expert presentation and discussion on blockchain and cryptocurrency considerations and investigations by industry expert and well-known speaker John Wilson. We hope you can attend.

You can learn more about this webinar and upcoming webcasts and review our extensive library of on-demand webcasts on our website at haystackid.com

Thank you so much Anthony, Ken, and Glenn. It really was one of the best discussions I’ve done on a webinar as a moderator in my entire career. There was just so much value that you brought with real-life of what you see in the field and how this all applies.

So, thank you everyone again for attending and have a great day. This concludes today’s webcast.


About HaystackID®

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms securely find, understand, and learn from data when facing complex, data-intensive investigations and litigation. HaystackID mobilizes industry-leading cyber discovery services, enterprise solutions, and legal discovery offerings to serve more than 500 of the world’s leading corporations and law firms in North America and Europe. Serving nearly half of the Fortune 100, HaystackID is an alternative cyber and legal services provider that combines expertise and technical excellence with a culture of white-glove customer service. In addition to consistently being ranked by Chambers USA, the company was recently named a worldwide leader in eDiscovery Services by IDC MarketScape and a representative vendor in the most recent Gartner Market Guide for E-Discovery Solutions. Further, HaystackID has achieved SOC 2 Type II attestation in the five trust service areas of security, availability, processing integrity, confidentiality, and privacy. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, go to HaystackID.com