[Webcast Transcript] Understanding Information Governance, Data Privacy, and Data Breach Exposure

Editor’s Note: On December 1, 2021, HaystackID shared an educational webcast designed to present and describe a framework for deploying and enhancing organizational information governance programs. The presentation, led by a panel of cybersecurity, information governance, and eDiscovery experts, highlighted programs, that when adequately implemented, should ensure cyber-incident preparedness and help organizations demonstrate reasonable security measures for sensitive assets.

While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a transcript of the presentation.


[Webcast Transcript] Understanding Information Governance, Data Privacy, and Data Breach Exposure

Expert Presenters

+ Matthew Miller – Senior Vice President of Information Governance and Data Privacy, HaystackID
+ Ashish Prasad – Vice President and General Counsel, HaystackID
+ Michael Sarlo – Chief Innovation Officer and President of Global Investigation Services, HaystackID
+ John Wilson – Chief Information Security Officer and President of Forensics, HaystackID


Presentation Transcript

Introduction

Matthew Miller

Hello, and I hope you’re having a great week. My name is Matt Miller, and on behalf of the entire team at HaystackID, I would like to thank you for attending today’s presentation and discussion titled Governance, Privacy, and Exposure: Information Governance, Data Privacy, and Data Breach Exposure. 

Today’s webcast, it’s part of HaystackID’s regular series of educational presentations to ensure listeners are proactively prepared to achieve their cybersecurity, information governance, and eDiscovery objectives. Our presenters for today’s website include individuals deeply involved in both the world of cyber discovery and legal discovery, some of the industry’s foremost subject matter experts on governance, privacy, and discovery, and they all have extensive and current experience supporting all types of audits, investigations, and litigation. 

So, first, let me introduce myself as today’s moderator and presentation lead. My name is Matthew Miller, I currently serve as the Senior Vice President of Information Governance and Data Privacy for HaystackID. I’ve got a background in legal that transitioned into eDiscovery. And I’ve had numerous IG-centric roles, such as helping co-develop Ernst & Young’s information governance services practice and serving as the global information governance advisory lead at Consilio before moving over to HaystackID and establishing our leading IG practice. 

Next, let me introduce you to Mike Sarlo. Mike is our Chief Innovation Officer and President of Global Investigations and Cyber Discovery services for HaystackID. In his role, he facilitates innovation and operations related to cybersecurity, digital forensics, and eDiscovery in the US and abroad. He also leads the development and design of processes, protocols, and services to support cybersecurity-centric post-data breach discovery and review. 

Next, I will also introduce John Wilson. John is our Chief Information Security Officer and President of Forensics at HaystackID. In his role, John provides expertise and expert witness services to help companies address various digital forensics and electronic discovery matters including leading investigations, ensuring proper preservation of evidence items and chain of custody. He regularly develops processes, and creates workflows, and leads implementation projects and GDPR data mapping services for our clients including major financial institutions, Fortune 100 companies, and the Am Law 100. His work spans some of the most significant matters on record, literally, in the United States, and many of 39 different countries that he has worked on cases inside. 

Unfortunately, Ashish Prasad will not be joining us, but I did want you guys to know he is our VP and General Counsel for HaystackID. He is one of the leading experts on eDiscovery in the United States. He served as litigation partner, founder, and chair of the Mayer Brown Electronic Discovery and Records Management practice. He was the founder and CEO of Discovery Services LLC, and the VP and GC of eTERA Consulting. If you want to speak with Ashish, I can absolutely get you in touch with him through this session. 

So, we can get started. This is the agenda. We’ve got eight different topics that we’re going to try and cover and time permitting, we will be able to get through all of them. 

So, without further ado, balancing risk and value, obligations and opportunities. 

Core Presentation

Matthew Miller

So, organizations today can get a lot of value out of their information assets. And what’s interesting is that technology and data mining has caught up with the amounts of data that are out there on the networks. And in order to get value out of your data, you have to balance the utility of your security and privacy requirements as there’s an ever-changing landscape of standards and regulations. So, being able to keep and retain all your data and mine it for your business purposes where you can get value, it has to be balanced with the risk that it may pose. Satisfying your compliance obligations with the statutes and regulations that are coming out internationally and all across the United States is very important to have the right controls and control frameworks in place. 

So, one of the things that we’ll be focusing on today is making sure that you’re architecting your control-centric cybersecurity program to also incorporate the needs of the privacy team, the legal team, and also keeping in mind the productivity of your own employees, and accessibility of data to your consumers and customers. 

So, there are a lot of challenges that we see with data today. And I’m going to ask Mike to opine a little bit about how all of these challenges are intertwined, and then what some of the real serious challenges might be for organizations who are trying to make sense of all the data on their network. 

Michael Sarlo

Thanks, Matt. Certainly, we’re seeing just exponential data growth everywhere we go. And we’re fully digital, a digital world with COVID, we have robust interconnectivity between applications that we interact with day-to-day that may have been desktop native, that are now really somewhat stratified with their data points and how they store data across your enterprise, be it partially in the cloud, be it online, be it offline. It’s a major challenge, I think, for organizations to really understand what their data footprint is. And this is especially true as we touch on some of the apps and those types of things. 

Certainly, it’s so important from that standpoint to really look at policy design and to make sure that as you’re thinking about an information governance program, and just your data posture, in general, that you’re doing it in a way where you’re designing a system and process that allows your organization to get the most value out of your data, while also really following cybersecurity fundamentals. 

Obviously, this year has been incredibly newsworthy, I think, as the cybersecurity challenges every organization is facing and really every individual. How many of you get weird text messages on your phones these days all the time asking you to click on links for things you didn’t buy, or for services you maybe used several years ago in a little Bitly link. I think that’s probably the next challenge that many of us are going to have to deal with. 

Certainly, we just see so many different types of data types. We see unstructured data, structured data is incredibly more common, we have cloud repositories, we have servers, we have really a robust amount of – what amounts to shadow IT. It is so difficult these days to control what repositories employees may be using, be it from home networks, be it from work networks, the list goes on and on. And as soon as you get to a point in time where you’re able to somewhat come up with a systematic policy that locks things down, somebody finds a way to evade it just by a new nature of access coming into play. 

So, mission-critical, strong information governance is going to really allow any organization to really start to grasp… I think this is so important in the age of COVID – and I hate talking about COVID anymore, I hate saying it, but everybody is remote now, and that’s truly the case. And being able to have policies and procedures that manage that remote work while also allowing you to collate data, to get the most value out of it is so important. And we’re going to talk about more strategies there as we move into the presentation. 

Thanks, Matt. 

Matthew Miller

And with that in mind, and all these challenges of working from home, John, it’s even more complicated nowadays with all the different data privacy and cybersecurity obligations that are out there. Anything you want to talk about with the challenges related to balancing how you deal with all of these different obligations, be it regulations or standards that are out there. 

John Wilson

So, it really is a crossroads when you start talking about the intersection of data privacy and your cybersecurity obligations, where you have all of this data and the privacy constraints around not just GDPR in the EU, and China’s new privacy laws. So, there are all these international constraints and requirements, but now you’re also getting into where quite a few states have proposed legislation or have legislation on the books. It will include California with the CCPA and several other states that are coming up with regulations. 

And so, you’ve really got to account for that across your governance programs to deal with the privacy and the cyber constraints. So, there’s a lot of talk about safe-haven states for cybersecurity purposes where the States, “Hey, if you meet all of these criteria, then you can’t be liable for a breach incident, fines and exposure”. And a lot of that comes to having to mitigate that privacy data, making sure that the privacy information is surely segmented and put in locations that are under stricter controls and stricter access requirements. 

Matthew Miller

There we go. 

Michael Sarlo

Let me just pipe in too for one second. Privacy by design is something that we heard many years ago, and I was reading all the blogosphere getting ready for GDPR, and really the way that Europe operates in the IT-sphere, it is privacy by design, and even from an application standpoint, it’s privacy by design. Thinking about information governance, cybersecurity, and really for the eDiscovery professionals on the call, it’s so important to be acutely aware of the privacy issues and bring those up in dealing with them. Some of the most sophisticated organizations in the world don’t have a good grasp of what their privacy obligations are. And as a data processor, there’s increased liability. 

And for the corporations on here, if you’re looking for budget, getting a hold of your privacy risk, it’s very easy when you start to quantify that in context of a potential data breach, and I’m sure Matt will talk about some stats later on. 

John Wilson

And one quick add to that is while a lot of these locations and places are adding all these policies around data privacy and security requirements, and you have the US – the newer states that have legislation, and GDPR, they have a lot of similar elements, but they are not identical. A lot of it is interpreted in slightly different ways and has different and sometimes even contradictory meanings within the context of those privacy laws. 

So, getting full coverage becomes very challenging. 

Matthew Miller

And that’s why you need to have a programmatic approach to the information governance program, and it has to really take into account everything that John and Mike were just talking about from a privacy and cybersecurity perspective. 

Over the course of time, NIST has actually laid out some pretty solid content around how these different issues are coming into play and the risks associated with cybersecurity and the overlapping privacy risks. Now, that middle part right there in that Venn diagram, this is what we’re all trying to avoid, a cybersecurity-related privacy event, where there’s a breach or there’s access of data by an unauthorized attacker or even something could be done without malicious intent that still compromises the integrity of the data on the network, and if it’s exposed out on the web and there are private data in it, PII, PCI, PHI, then it’s going to trigger all of those different rules and regulations that the guys were just talking about. 

So, one way to kind of get through that is to bring together the different groups, the lines of businesses inside your organization and this is an interpretation that we have of the 492 page NIST document 800-53, which really has become a key NIST guideline that even cybers insurance companies are leaning on when they go through and conduct their surveys and try to figure out where do you stand and what should your premiums be. 

Mike or John, any comment on 800-53 and making sure that you bring together legal, IT security, data privacy, and records management as you’re working on building out your own program? 

John Wilson

I think it’s imperative. In the current ecosphere of the world with privacy and security and the various challenges and the rapidly escalating insurance costs, I think it’s essential that we start to bring together the various entities, the privacy team, the legal team, the security team, records management, and IG within the organization. It is quite essential that they actually start cooperating and working towards a better sense of compliance in order to have any possibility of curtailing or controlling the rising costs and costs of compliance, but risks of failure to comply, and the costs around that are quite extreme. And controlling the costs of the insurance, controlling the costs – just being able to do business becomes critical that they all start cooperating. 

Matthew Miller

Now, let’s talk a little bit about getting the controls in place. 

Michael Sarlo

Just real quick, I want to pipe in. I just want to say one thing. The reason why these folks need to come together too is if there is an incident, it’s really, I think, for organizations that haven’t had a major incident, and really a privacy issue, it’s a security incident, it’s a breach. Losing a laptop, an employee’s data with customer data on it, it’s a breach. They’re all really are data breaches in some ways. Everybody beyond IT is going to get thrown over the coals. And having a playbook in place for this, so many organizations are lacking it that when something does happen, it’s utter chaos. And it’s going to be utter chaos anyways if you get your entire network ransomed, but at least knowing who is responsible for what and what the potential work streams could be is going to put you in a much better place. 

And for the lawyers on the call, I can’t tell how many folks come to us for work, they don’t know what a data processing agreement is. It is so important when you start to look at the ethical rules, one in particular, as it relates to competence that you have a sound grasp of the eDiscovery process and the privacy risks from a regulatory standpoint when you’re dealing with this type of data, and really starting to work that into your workflow is so critical any time that you’re conducting general eDiscovery. And I know we’re talking about information governance and cybersecurity, but for data processing, in general, lawyers can’t really look away from this anymore. I think it’s really kind of what it was like when people needed to learn about eDiscovery. Now, there’s a general awareness and most folks are fairly competent, or at least know where to go to provide proper oversight. So, so important, even from an ethical standpoint to maintain that and to be aware of it. 

Matthew Miller

That’s a really good point, Mike. Legal really weighs in and has a lot of pull in this space of developing the controls and they need to really have a grasp of, like Mike said, all of these different areas, and that’s the challenge that lawyers didn’t have when – 15, 20 years ago. 

So, let’s talk a little bit about the core of the situation here, which is the corporate data, the logistical challenge of protecting the organization and its data itself. 

So, we know kind of where our data is, hopefully, you know where your data is. That would begin with a data mapping exercise if you haven’t done so already. And once we know where our data is, we then – we have the systems, the applications, the business units, all these different processes and policies of how the data is managed and the places that it flows internally within the organization. So, with the data map in place, you should have an idea of the way that the data flows between all of these different groups. 

Now, on top of that, you’ve got a network of third parties accessing that same data. Therefore, the accountability now extends beyond your organization to those accessing or interacting with the data on your network, contractors, customers, etc. And so, putting in the controls that make up the foundation of your cybersecurity program is so important, and mapping that to how your assets are supported by the controls. This is where the control framework really comes into play. And it should enable your organization to see that everything is working together, that the controls can map downstream or upstream to the standards and regulations based on changes, and be flexible. Your controls need to be able to adjust to everything that’s going on in the outside world. 

So, as you build out your program, you need to take into account the governance, the risk, and compliance as this regulatory landscape is changing on a daily basis. The end result being a good balance of compliance and efficiency. You want to see the effectiveness of your coverage and controls while you maintain compliance. And if the landscape changes, then you can fine-tune certain controls, rather than starting the whole process over again for the entire organization. This is a common problem for companies because they’re juggling so many different frameworks with all these regulations and standards. 

So, one of the ways that we can go about fixing it, and we kind of touched on this a little bit on the previous slide, is that there’s this idea that Google is using and Apple is using, it’s this hub approach. And with an information governance program, and for your data management and records management, and cyber, for it all to work together, it’s also a great approach for your organization, this hub approach. You need a steering committee that represents all of these different groups, these different lines of businesses within your organization that takes into account all the different obligations of these different lines of business, from the CIO, and records management, to your compliance officer, now your data privacy officer, and obviously, the general counsel’s office. 

Now, let’s talk a little bit about the network vulnerability and what’s going on today. So, Mike, John, you guys, in your daily practice, all the different investigations, all the forensics that you’re involved in, COVID it’s that term that we don’t want to talk about, but what have we been seeing with the attacker. 

Michael Sarlo

I can start off for a minute here. Out the gate, the ransomware ecosystem and the threat actors that operate inside of that really have become much more sophisticated from a business standpoint. There are partnerships, there are broad cartels forming between gangs. And what used to be a process that was really a kind of machine-gun approach to infiltrating networks for threat actors, mass, mass phishing attempts, mass kind of untargeted attacks has become a much more sophisticated enterprise, towards the term of “Big Whale Hunting”. And what we see is groups working, really, as brokers who may be just on the infiltration side, who may be working with a broker who is going to then reach out to another group who may be better at penetrating further into a network. There are other folks who are working with them who are just sophisticated enough to actually deal with more robust negotiations. There are fencers involved who are working as freelancers. And there are robust web-based platforms that literally are very clean and nice to deploy ransomware or to purchase ransom payloads that will parse on a victim’s network. 

What this really means is incredibly more sophistication, and when a threat does happen for an organization that’s large, it’s usually going to come off insomuch as it’s going to take down a broad piece of your network. 

In general, as well, threat actors got a little bit smart, I think, to organizations just becoming so much better at backup, be it DR and securing their backups. What we’re usually going to find in a large-scale ransom event, and I’m talking about ransoms, but ransoms oftentimes can also be sometimes a diversion tactic when there’s a group that’s trying to steal IP. This is something we come across now as well. There are different issues in biotech, in some of the bigger oil pipelines, different industries have different problems. Law firms are a huge target these days. The consultancies are a huge target. And the overall net effect is a much more coordinated, sophisticated approach, oftentimes, leveraging zero-day malware. And this means malware that there’s no method to detect out in the wild. And that’s for big companies. 

What’s really still the biggest way that people go down is phishing attempts. And those are getting incredibly sophisticated and when we say phishing, we mean those email links you get, spoofing of an Amazon, but there are also things when somebody wants to call you and ask you for your password, and very embarrassing to be that person in your enterprise that takes down your entire business. 

So, more and more training is totally, totally, totally one of the most important things and really training over and over and over again, simulating phishing attacks in order to secure your environment from the human element, which has become so much more targeted and so much more sophisticated. 

John, do you have anything to add there?

John Wilson

Yes, just a couple of quick things. One, you’re just talking about the growth of – the volume of attacks. I think one of the interesting factors is that we’re starting to now see that some of the more successful organizations are kind of acting like venture capitalists for the threat actors. Hey, if you can get in, we’ll fund you. So, they’re providing a lot of that funding and really helping a lot of those attacks grow. But then beyond that, what gets really frightening is a lot of times like an organization may decide they want to target somebody, they get in. In order to help them cover their tracks and also further monetize the event, they then go out and say, “Hey, we’ve breached Company X and we’ll sell you access to that breach”. And so, now they’re not just one-hit attacks where they go in, they capture some data or encrypt your data and hope to get a ransom or whatever their trajectory was, they’re now saying, “I’ve got in, I got what I wanted, now I want to have five other hackers come in and do whatever they want to do to bury what I did, so nobody ever gets that far”. 

And so, using it as kind of camouflage. And so, that’s a really new kind of post-COVID thing that’s really starting to happen and has really helped a lot of these attacks grow in volume. And a lot of times, organizations are discovering the last event that occurred but might be missing the events that happened prior to that that then sold the access to have other people stomp all over their evidence and hide what they did. 

Matthew Miller

To make it even more personal, it’s not just the big companies that are getting attacked more frequently now. I was talking to one of my friends just yesterday, he did not receive an Amazon package, it said it was delivered. And so, he goes onto Google type in “Amazon customer service”, because on his phone there was no way to say that my package wasn’t delivered. And the top link that comes up with a phone number for Amazon customer service, he calls it, and they tell him, “Oh sir, we’re really sorry, of course we’ll refund your money, just install this app onto your phone”, it turns out it’s a screen mirroring application. They were able to get into his Coinbase and set up an automatic deposit of a thousand dollars per day, which is the maximum from Wells to Coinbase and then turn that into bitcoin and send it to themselves. That literally happened this week to a buddy of mine until he figured out what was going on. 

So, it’s become individual – people are being attacked in addition to the major corporations, which is really frightening. 

Now, how does this play out?

John Wilson

And Matt, that’s exactly where the venture capital concept is now, hey, anybody, you can go out there and you can get some access to something, we’ll fund you. Those targets have moved down to much lower, smaller targets because of that. 

Matthew Miller

And the cost, though, from recovery keep going up. The average cost of data breach in the US has gone up. Globally, it’s going up, right John? 

John Wilson

Absolutely, substantially going up. And I think the estimates for 2021 are probably still low, because they’re only from early 2021. It’s continued to escalate throughout the year. 

Matthew Miller

That’s right. This report from Ponemon only covers up until, I think it was April. So, as you can see, the cost of a data breach, especially when it includes personally identifiable information, and even more so in healthcare, that cost per record – and when you think about these breaches that have hundreds of thousands, if not millions of records that get out on the web, these numbers add up really quick and are staggering. And that’s why we’re talking about getting these controls in place ahead of time, being a little bit more proactive with your efforts around cybersecurity and privacy and tying that all together so that you don’t end up in one of these situations. 

Michael Sarlo

And I think it’s important to just acknowledge why are healthcare breaches so much more expensive. Particularly speaking, in the US, if a healthcare organization is breached, just their name alone, an entity, a patient, a partner, a lot of times people don’t realize too is all the files you receive incoming to your network depending on your contractual obligations with your customers when there’s a breach, you certainly may have to notify them. And with medical entities, just going – basically, something that says you were treated somewhere is enough to trigger really a harmful situation. And that’s what truly is the qualifier for most data breach notification is their harm, and for healthcare companies, just a name alone is enough to actually require a full data mining exercise. 

And for anybody that doesn’t know what data mining is, it’s basically the term in the incident response industry for document review, extraction of sensitive PII out there. 

For other companies, typically that isn’t in healthcare, and it’s not PHI, or there are not minors, changes from state to state, usually, you need to have some type of identifiable characteristic, a name plus a social, or a general social, a bank account number plus a name to constitute harm. 

Now, what’s so important, and when you do have a breach, if the data that’s taken is encrypted and you can prove that those encryption keys haven’t been taken, you don’t have to notify. And that, from an optics standpoint, just from a business standpoint is so important to think about, because it’s only a matter of time for everybody on this call before you encounter a breach scenario. 

Matthew Miller

Those in healthcare organizations, hopefully, are paying special attention, because the impacts are just so, so dramatic. 

Now, we’ve got this concept of a Zero Trust Architecture, and NIST 800-207 details in very, very particular detail about the different types of Zero Trust Architectures that you could set up within your network. And what we have really is a journey now rather than a wholesale replacement of the infrastructure and the processes. The organization really needs to incrementally implement Zero Trust principles, process changes, different technology solutions that protect their highest value data assets. Most enterprises might continue to operate in a hybrid Zero Trust/perimeter-based mode for an indifferent period of time while they’re investing in modernizing their IT initiatives. 

So, organizations need to know their data and who can and should have access to that data. Here’s the connection between information governance and Zero Trust, it’s the concept of minimal or least privilege access. Only the folks that need to be able to get to certain types of critical data, or protected data, sensitive data on the network, those are the only people that should really be getting to it. In order to know who should have access to what, we also need to know what all of our data is that’s out there. 

So, John or Mike, with the clients that you guys have worked with, are they talking about implementing Zero Trust and reducing access rights and permissions for different groups on their network? 

Michael Sarlo

Absolutely. That’s the modus operandum here at HaystackID. I think it can be challenging because some of the principles here are about data centralization. In order to really implement fluid Zero Trust Architecture and policies, it’s really a policy design more so, in some ways, than a technology design. There are some things with setting up certain types of attack surfaces and things like that from a strong perimeter. 

But you need to understand what’s out there on your network, you need to get it to singular copy and you need to have strong information governance, period, both from what’s there, but also how data is generated and where it’s saved. It can definitely be an undertaking, for sure. 

Some things make it easier than others, but of course as security increases, in any enterprise, productivity goes down. And those are the types of things that need to be balanced, that every organization is looking to balance. And you can certainly get to a place where productivity actually goes up, it just takes some work, and some budget, and some planning. Sometimes it almost makes sense to start from scratch to a Zero Trust Architecture, in some ways, around your crown jewels, which Matt, I think you alluded to. 

John Wilson

I think probably one of the key things you said there really comes to having that data map and the singular instance of any particular data. Data sprawl is very real and most organizations have suffered it because it was just so much cheaper to just throw more storage at it, then you wind up with dozens and dozens of copies of various data sets across your enterprise. And that’s where the whole information governance exercise, the policy exercises that we’re talking about here become really instrumental in getting the organization down to the singular instance of a particular data set and having the appropriate controls and least privilege access in place. It really is very heavily driven by policy and getting down to that singular instance. 

Matthew Miller

And so, it would seem that one of the ways to get to that consolidated and more singular instance of the control is by eliminating data that you don’t really need out on the network, while simultaneously, to Mike’s point, identifying and classifying the crown jewels that are out on the network. Never mind within that data set ensuring that the sensitive information is also appropriately remediated. As long as you can… if you have a business purpose for maintaining personal information out on the network, there are methods to protect that information that in the event of a breach, you will not be liable if – to Mike’s point about the encryption if the decryption keys don’t get out. You can do forms of de-identification and masking of social security numbers, and bank account numbers, and things like that out on the network. 

But this concept of data minimization on the other side, I think that’s what you’re getting at, right, John?

John Wilson

Absolutely, it is. It’s really about that data minimization, ensuring that you’re storing the data that you need, that you’re required to have either to operate your business or through regulatory concerns, etc, and ensuring that you’re storing only what you need to have, and only the information that’s required to be compliant, and then you’re not storing it in eight different places with different privilege controls and different access controls, various people in the organization have access to the same information from all these different locations. 

Matthew Miller

It definitely ties into that Zero Trust Architecture—

Michael Sarlo

And how do we find this data?

Matthew Miller

How do we find it? 

John Wilson

That comes down to the data mapping and understanding of your organization using tools. We do a lot of things here at HaystackID where we utilize AI-driven tools to data map or data mine the data in an organization, and start identifying, “Hey, where is the sensitive data located? What does that look like and how is it stored?” And identifying those buckets so that we can then take appropriate measures to start putting the appropriate policies around that and start doing that data minimization process. 

Michael Sarlo

I think for corporations too, there’s so much tooling for large organizations. There are already so many tools that give you the capability, probably in your enterprise that you’re not aware of, to identify sensitive data, PHI, PII, GDPR context-sensitive data that are native to Office 365, that are native to G Suite, that are native to AWS. And being able to work with those toolkits can go a long way for folks who are already in the cloud, or where they’re migrating to the cloud. But there’s also a slew of great tools, they all require expertise, which is – obviously, we’re the experts, feel free to give us a call – to leverage efficiently, but it doesn’t need to be a perfect exercise to start either, because nothing is ever perfect and you’ll never get every single drip-drop unless you really start to manually review. But effective sampling, AI, looking at the results of identification mechanisms. This can be a great way to find those ultra-rich pockets of data that can easily be purged or secured. 

And we have a great question actually from a panelist who is asking best practices by an acquirer during company acquisitions and integrations. 

And HaystackID’s made many acquisitions and, certainly, I think it’s a phased approach. What you generally find that’s out there maybe not the initial picture you’ve been presented from a network infrastructure standpoint. Certainly, conducting a hard network data map, which I think is a little bit different than a general data map from an eDiscovery, information governance context, although they completely overlap is really your first step. Identifying those departed employees that just may be sitting there and starting with getting the most knowledgeable IT people on deck to begin with the migration history. That’s where we find that there’s always a systematic loss of institutional knowledge for any company we walk into, be it a client we’re assisting who has made an acquisition and what’s to merge IT infrastructure, they want to migrate to a singular infrastructure. Or even in companies that are selling off a business unit, and they want to do a divestiture, and that can be a complex exercise as well, webbing, certain types of control rings around business units and work products and things like that and, oftentimes, transferring that to an acquirer. 

It’s the migration history that’s always a problem. It’s the legacy desktops, laptops that nobody is aware of that’s always a problem. We’ve done things where it’s kind of like a return-your-equipment-day, even if we’re not asking people to formally return it, and we know that we have inventory out there, we’ll just ask them to bring it in for check-in in these situations. And that’s been very effective to kind of get those devices that may be sitting in somebody’s shoebox. 

I’ve been with HaystackID since the dawn of time and I’ve recently returned some cell phones that were from when we were a different company from many, many years ago. 

So, everybody, especially the long-term employees, those are the ones you’re going to want to go after, and it’s the migration history. 

John, I know you’ve got a lot of advice here, especially as it relates to dealing with different security certifications and managing those, and having to rapidly become compliant with some organizations. And for the person who asked the question, sometimes it’s just a seal-off effect and you’re migrating them into a better security posture and hygiene posture, just depending on how bad it is. But go ahead, John. 

John Wilson

I think you hit the high notes there. It certainly becomes an issue of having a sense of understanding. Again, I think Matt said earlier, we don’t want to try to boil the ocean here. You’re going to have to pick, “OK, I’m going to get 80% of the data and I’m going to get it moved, keep the business operational, get it to safe buckets”. 

Where it gets really challenging and interesting is, say, your organization has achieved certain certifications and has certain requirements or regulatory obligations that the company you’re acquiring may not have had. And so, now, all of a sudden, you’ve got to figure out how do I get their data into our buckets, merge the organizations together, and still maintain my certifications. 

And so, it does take an intelligent approach and it, generally, is going to require leveraging those tools that are already in place, in many cases, and sometimes it does require bringing in a third party tool or third party expertise to really help streamline the process of identifying the information. 

Obviously, in an M&A type situation, due diligence is really important to make sure you have a sound understanding if you’re going to different regulatory obligations than the existing company that you’re acquiring may have been subject to, due diligence is going to be the key to understanding your risks there. 

Matthew Miller

That’s right. And so, if we do have an idea, even in that acquisition scenario, if you have the ability to, during that due diligence phase go in and, do some high-level scanning, indexing of the different repositories of what you’re about to bring on-board, so you have an idea of what’s out there before you go through and start to try and merge these networks, it’s going to be a lot easier for all these other downstream situations. And you can manage that data really at its point on the network, rather than waiting for something to happen. Getting that proactive approach towards managing the data seems to be the key to solving a lot of these different problems, from the cyber, from an M&A situation, all those different intertwined data challenges that were at the front of the presentation, including downstream eDiscovery, etc. 

So, if you get down the path of data disposition and you’ve actually finally made it to a point where legal says, “We can pull the trigger and potentially eliminate some of the risks that we’re sitting on with our data that’s out on the network”, NIST has also set up different guidelines for media sanitization, being able to purge and destroy or clear out different types of data. 

So, you’ve got these different workflows for the end of life of your data that need to be implemented, that really can affect and drastically reduce the risk for your organization overall, and make sure you have that audit trail. You want to understand where all of your data came from, we also need to be able to go back and report on where did it go when we were done with it as well. 

So, to John’s point about not really trying to boil the whole ocean at once, but rather have an approach towards your information governance, posture, and increasing your maturity level. 

At HaystackID, we have this six-step methodology to be able to really change the way that your business operates from a programmatic perspective, but that gets down to the granular level of file-by-file, email-by-email, repository-by-repository knowing what’s out there, and being able to control that. 

Since there are a few minutes left, we do have a couple of questions that have come in. I’m going to read one-off and then maybe we can answer these on the fly. 

“How do you all navigate and face numerous challenges in regard to mobile device environment for eDiscovery requests? For example, everyone working remotely and challenges conducting remote acquisitions from such devices?” 

John Wilson

I can certainly talk about that. There are a lot of challenges with mobile devices, especially when you start considering the remote environment of the world today. We use remote collection toolkits to do a lot of that. You can use mobile device management (MDM) solutions within your organization to ensure that the organization’s data on those mobile devices is kept under control. 

Mobile devices are certainly getting more complicated. A lot of the platforms and solutions on mobile devices are adding their own levels of encryption. They’re adding cloud-based storage solutions. So, things aren’t necessarily being stored on the device locally, they’re being stored out in the cloud. So, mobile devices are starting to get quite complicated. Sometimes we have to do two, three, even four different things to collect information for an eDiscovery matter from a single mobile device. And managing all of that is going to become something that you’re going to have to be aware of and start to find solutions around because some of these platforms are storing the data in the cloud only. It’s no longer on the device. 

WhatsApp, for instance, has a new interface that’s in beta that, basically, if you’re going to collect the WhatsApp data, you’re going to have to go to the cloud to get it. The stuff that’s stored locally is only going to be really recent, active data, and it’s going to be encrypted in such a way that it’s going to be very difficult to collect and utilize. 

So, mobile devices definitely have their challenges, but there are certainly ways to deal with it and staying abreast of it, talking to experts that have daily and regular experience with it, knowledge and knowhow is going to be the key, as well as the information, the policies within your organization. Are you implementing MDM that’s going to control how that device is utilized or what applications can be run on the device and things of that nature to maintain positive control over where the data can be and how you’ll need to collect it? 

Matthew Miller

That’s great. So, let’s tie it all together. 

At the end of the day, there are all these different challenges, regulatory compliance, data breach prevention, and the response when an incident has occurred, handling records management on a level and scale that is unprecedented up until now. There are statistics that say 90% of all of the data that is out there in the world today was created in the last two years, that’s from IDC, and that 90% of that 90% is unstructured, and the hardest to manage. 

So, identifying, classifying, inventorying, and remediating data can help with all of these different challenges, regulatory compliance, data breach prevention, records management, eDiscovery, and investigations. If we know our data better, we can handle all of these things in a much more efficient manner to mitigate risk and reduce cost overall for your organization. 

Any final comments from John or Mike before I wrap up? And I will tell the audience that the slide deck will end up being available. I believe it’s going to be emailed out. It will also be on the HaystackID website shortly and in… we will have the transcript available as well. 

John or Mike, any final comment?

John Wilson

I appreciate everyone’s time. The key here is planning and organization to minimize the risks and minimize the data sprawl. There’s a lot there. 

Michael Sarlo

My closing remarks are just going to be with the privacy challenges out there, that’s the modus operandum around all of this for the lawyers, for the eDiscovery professionals, for the corporations. The privacy risk and really looking at information governance, and even looking at your cybersecurity, your device management, just the way you handle an acquisition, what type of data might you be taking that is resident and under jurisdictional regulation from another country that you may not be aware of. That’s the way to think about this and to move forward. 

Matthew Miller

That’s great. Mike and John, thank you so much for your information and insight. We also want to thank everyone who took time out of their schedule to attend today’s webcast. We know that your time is valuable and we appreciate you sharing it with us today. I also hope that you’ll have an opportunity to attend next month’s webcast. It’s currently scheduled for January 12th. That webcast will feature Protect Analytics. It’s an exclusive set of technologies and processes that allow clients, their datasets, and analysis for sensitive information, ranging from PII and PHI to data breach code anomalies, enabled by a collection of proprietary workflows and proven tools. Our Protect Analytics, it’s a proactive or reactive way to help determine sensitive data concentrations, locations, and relationships to inform notification lists, exposure assessments, and discovery targets. 

You can find all the information for all of the webcasts on the website, HaystackID.com. 

Thank you again for attending and I hope you have a great day. This concludes today’s webcast. Thank you so much. 


About HaystackID®

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms securely find, understand, and learn from data when facing complex, data-intensive investigations and litigation. HaystackID mobilizes industry-leading cyber discovery services, enterprise solutions, and legal discovery offerings to serve more than 500 of the world’s leading corporations and law firms in North America and Europe. Serving nearly half of the Fortune 100, HaystackID is an alternative cyber and legal services provider that combines expertise and technical excellence with a culture of white-glove customer service. In addition to consistently being ranked by Chambers USA, the company was recently named a worldwide leader in eDiscovery services by IDC MarketScape and a representative vendor in the 2021 Gartner Market Guide for E-Discovery Solutions. Further, HaystackID has achieved SOC 2 Type II attestation in the five trust service areas of security, availability, processing integrity, confidentiality, and privacy. For more information about its suite of services, including programs and solutions for unique legal enterprise needs, go to HaystackID.com.