The consumerisation of IT has brought tremendous opportunity to the business world. By empowering employees with the functionality and convenience of smart devices along with other connected applications and technologies, enterprises can transact business across the globe at any time and in any place.
Despite these and other benefits, this trend has also introduced any number of problems into the corporate environment.
For example, there are troubles associated with the use of mobile technology in the workplace – including phones, tablets, watches, and other portable storage devices – which have received significant attention over the past few years. Despite the legal and security concerns of “bring your own device” (BYOD) programmes, due in part to the rise in data this produces, BYOD remains popular in many organisations.
The Internet of Things (IoT) phenomenon has also emerged as a challenge that businesses are having to tackle head on in their processes. Workplaces, businesses, and even homes are being flooded by an increasing number of interconnected devices, applications, technologies, and other innovations. This proliferation of the IoT is resulting in tremendous growth of the volume and variety of data being produced, giving rise to heightened concerns around the privacy and security risks associated with data protection.
Given the potential significance that rising connected device data could hold in legal matters, organisations should consider making preparations so they are ready when a larger wave of these issues arrives.
The data dilemma
Two key dangers of an increasing number of interconnected points for enterprises are data privacy and information security. These issues come into play when devices and technologies inadvertently or intentionally gather personally identifiable information (PII) belonging to employees or customers, or when that PII is then transmitted, processed, and stored by entities tasked with owning and/or operating the device.
Enterprises have the additional challenge of preserving and producing relevant data stored on devices for legal actions. These scenarios could land a company in treacherous legal waters.
Sweeping up PII could violate data protection laws that proscribe the collection of PII, particularly without the data subject’s consent. In addition, transmission or storage methods that lack appropriate security may leave PII subject to hacks or other unauthorised interceptions.
The eDisclosure maze
Beyond privacy and security, there are eDisclosure dangers lurking beneath the surface of companies’ information governance programmes. On the BYOD front, a company’s litigation readiness programme should be updated to include a process for preserving and producing relevant data from personal devices. Being proactive in anticipating the privacy and security issues that will inevitably arise from the proliferation of connected devices in the workplace will help companies avoid many of the associated treacherous legal and compliance problems.
The dangers posed by IoT – which are particularly acute in the context of litigation holds and data preservation – are becoming better known through industry education efforts. For example, Ignatius Grande from the international law firm of Hughes, Hubbard & Reed explained that the IoT was not designed with an eye toward litigation, saying “many products in the IoT sphere are not created with litigation hold, preservation and collection in mind… In terms of liability… companies will most likely be responsible to preserve data produced by the capabilities of their products and services in the event of a litigation hold.”
As a result, unless appropriate measures are adopted to ensure that IoT data is kept for litigation matters, relevant IoT materials could be lost, setting the stage for expensive and time-consuming compliance processes and additional regulatory issues.
To prepare for the continued rise in data volumes resulting from increasingly connected devices and technologies, organisations need to have an actionable plan to address the privacy, security and eDisclosure challenges. As an initial phase in preparation, companies should determine the extent to which technology phenomena such as the BYOD or IoT will affect their business. This will provide clarity on the next steps that should be taken.
A key step involves developing an information governance strategy that accounts for the continued rise in volume and variety of data from connected technologies. This includes a plan for identifying information that must be kept for business or legal purposes while isolating other data (particularly PII) for eventual deletion. It should also encompass steps to ensure compliance with the privacy expectations of data protection authorities. Enterprises will also need to ensure that their litigation readiness programmes are updated to include a process for preserving and producing relevant data.
While smooth sailing all of the time cannot be entirely guaranteed, such a strategy will certainly establish a process that can enable the successful incorporation of connected technologies within an organisation’s infrastructure. Though it is impossible to remediate every associated data risk, organisations can develop a plan to tackle the data security, information retention, and eDisclosure problems arising from these connection points.
With actionable policies, along with subsequent employee training and regular policy enforcement, companies can prevent data disasters before they find themselves drowning in legal waters.
Philip Favro, senior discovery counsel, Recommind