Discovery Risk Mitigation – Remediation

Improving preparedness to eDiscovery events

In the previous article, we explored considerations when assessing your current eDiscovery and information governance maturity.  Having undertaken that exercise and established a benchmark, clearly, the next step is to implement a series of corrective measures.

But where should you start? What demands your most immediate attention, and what can be addressed more leisurely?

A maturity assessment is essentially a statement of fact. The other dimension that would be really helpful would be overlaying the associated risks. What is the implication of a poor score in any given area? What are the possible adverse outcomes if I fail to improve that aspect?

Clearly, it’s not feasible to address everything at once. Resource and budgetary constraints dictate that, so gaining an understanding of the risks enables you to remediate more effectively; and by understanding, I mean more specifically, evaluating the scope and size of the risk, the likelihood of it occurring and the financial and reputational impact if it does befall you. The answer to each of those questions will vary, company by company, but you should attempt to quantify the impact. Doing so, across the multiple facets of an eDiscovery maturity analysis, will leave you better informed to prioritise any corrective actions.

Corrective actions themselves essentially fall into two types; those which reduce the likelihood of the cause being of significant impact (preventative or proactive) and damage limitation actions, which are self-explanatory and reactive. 

Equally, in the context of this piece, I would summarise the remediation actions into two main journeys; eDiscovery and the Information Governance paths.

Hopefully, everyone reading this has appreciated from my earlier articles the interconnectivity between eDiscovery and Information Governance. Accordingly, the remediation actions may well follow separate paths. Still, they should be considered parallel paths and ultimately, in a well-structured organisation, converge at the end to deliver both an effective eDiscovery response and an overall eDiscovery Risk Mitigation strategy.

As a reminder, the benefits of Discovery Risk Mitigation can be summarised as:

  • Ensuring reactive eDiscovery works well

Being prepared in terms of how to find, preserve, collect Electronically Stored Information (ESI), the processes and ownership thereof, the resources upon which you depend (human, systems and external/outsourced resources), will all help in delivering cost-effective, relatively stress-free and rapid response to litigation, investigatory and compliance events.

  • Delivering proactivity and supervisory capabilities

In my opening piece in this series, I led with the premise that prevention is better than cure. With that in mind, consider that the same solutions that you apply reactively can also be combined with existing IT infrastructure and applied proactively across the data estate to mitigate the financial and reputational risk of situations adverse to the business arising, such as fraud, non-compliance and other nefarious or damaging behaviours.

eDiscovery Path

To some extent, the eDiscovery remediation path could be considered the quicker and easier to address, but that perhaps assumes the only consideration is technology and would be a rather one-dimensional conclusion. However, in reality, developing (or strengthening) the eDiscovery strategy (a proactive action) is a very achievable objective and one that can be done without major outlay. The considerations should include:

  • Establishing and documenting your processes – universal policies defining how you will respond to events
  • Establishing and communicating responsibilities and ownership of each step in the process
  • Identifying the resources tasked with executing the processes. Both internal and external
  • Monitoring adherence with policy and process. Critical for measuring the success of the strategy

You may choose to involve external advisors in this exercise, but done properly from the outset, an eDiscovery strategy shouldn’t require too much revisiting over time.

Secondly, deciding whether you build an operational eDiscovery capability in-house or whether you outsource it (or pursue a hybrid strategy) is the next consideration and probably follows closely on from your resourcing analysis. The technology platform itself is just one consideration; having people to operate it effectively is equally important, as indeed is deciding whether you perform legal review in-house or not. The typical options open to you would be:

  • Procuring a technology licence and provisioning, maintaining and operating it yourself
  • Platform as a Service (PaaS); buying in capacity on a Cloud-hosted platform on an as-required basis but operating it yourself
  • Software as a Service (SaaS); as above, but including (varying degrees of) services to operate the platform on your behalf
  • Outsourcing the entire requirement (optionally including legal review services) as a managed service to a legal service provider

There are benefits and disadvantages to each option, but the volume and frequency of eDiscovery work you undertake will be a strong influencing factor on the approach you elect. However, don’t forget the convergence of the two remediation paths. At Salient, we strongly believe that appropriately selected technologies can be applied proactively to your information estate in a supervisory context, to prevent or mitigate against potentially damaging situations occurring. Forewarned is forearmed! So how you make provision for both the capacity and capability to deliver upon that proactive approach, should also be a consideration.

Information Governance Path

The Information Governance remediation path can be more challenging, as it often has more stakeholders to corral, requiring alignment between legal, compliance and operational teams, each with their own perspectives.

Having clarity on the compliance landscape within which you are operating as a business is essential, including generic and any industry-specific regulations that may exist. If this is currently a weakness, it’s highly advisable to seek independent advice.

Next, establishing a data map is probably the single most significant undertaking you can make, as it will be invaluable in the effective identification of potentially responsive material when undertaking an investigation or responding to litigation.  Having clarity as to what data you have, its relative importance, its vulnerability, where it resides and any security and privacy constraints, will pay dividends downstream in your ability to accurately identify and defensibly preserve ESI. It will also assist in projecting ESI volumes and consequently eDiscovery costs and timelines. Not to mention reducing your risks of spoliation or sanctions for failing to respond in a timely manner.

That’s all easy to say, but in terms of achieving this, you are likely to expose the need for fundamental decisions to be made, including:

  • Location or Storage – where should you keep your information; should you follow an on-premises or Cloud-first strategy? 
  • Retention and disposition – what should your policies be for this, balancing compliance obligations with cost and perceived value/risk in that information?
  • Security – how should you manage access to your information estate?
  • Enrichment –indexingclassification and labelling of data to assist with all the above!

And all of this also needs to tie in with day-to-day operational needs, so the challenges don’t expand exponentially going forwards. So, it’s clearly not a quick fix and requires C-suite sponsorship.

Modern Cloud-based platforms such as the Microsoft 365 environment provide many solutions to this technically, including the generation of inside threat indicators that can be used to initiate proactive investigative workflows, but taking expert advice can help establish these data governance strategies and solutions.

We’ll be exploring preservation considerations and prevention approaches more in the coming weeks but in the meantime, if you’d like to find out more about potential solutions to your eDiscovery and Discovery Risk Mitigation challenges, contact us here.

Microsoft 365

Was the cyber attack successful?

The challenge: Provide reassurance to our law firm client that a recent phishing attack had not compromised security or left malware on their system. We

Read More »