Those with a clear view into the future of e-discovery are noticing that the line between established e-discovery processes and other business functions that span the area of a “digital investigation” is blurring. Many organizations continue to debate the proper home for functions like a governance, risk and compliance (GRC) program and a cyber-security team (which seems to morph and evolve on a daily basis). Ultimately the decision as to where these functions live is as unique as an organization’s culture; what is not up for debate are the tools and skill set required to support them.
The corporate in-house legal team clearly plays a role at the intersection of e-discovery, GRC and security. Many concerns require frequent and tight cooperation between the corporate legal team and the compliance team as a GRC program matures and new security headaches come to light. Here are a few examples:
- Risk Management and Assessment – Topics like non-compliance and investigation of new and yet-to-be-identified risks can, and should, be sourced through legal.
- New Internal Policy Review – There is no better source than the legal team for review and ultimate approval – especially for public organizations. Legal is also a great source of exceptions and how they should be handled according to new policy.
- Regulatory Guidance and Interpretation – How does a new regulation apply to an organization, and what steps need to be taken to ensure compliance? Corporate legal teams are also a great source for historical reference when clear precedent is yet to be set.
- When a Cyber-Security Incident Turns into Litigation – The sooner legal is involved, the greater the potential to reduce risk and exposure. Attorneys think in terms of a timeline or sequence of events. Having them play an active role as events unfold is invaluable.
- E-Discovery Sanction Avoidance – There are still organizations out there that treat the process of e-discovery in a disjointed manner, meaning the collection, analysis and preliminary case assessment are performed by IT or a third party without legal oversight. Legal should understand and routinely review these practices to ensure compliance with a dynamic legal landscape.
I’m a pragmatist, and while this sounds great, actually extracting the value of this interaction is a challenge. I submit that the technology used to effectuate and enable these business functions can serve as a catalyst to draw these seemingly disparate groups together. What do I mean? I mean e-discovery tools have very similar workflows and features to GRC and even cyber-security investigation platforms. For example, although at its core a litigation support tool, a proper enterprise-class e-discovery platform also provides the following features:
- A rules and notification engine – these features support litigation hold, status updates when processing or collecting data and reporting on review/analysis jobs
- Audit and logging – a record of who touched, viewed or exported which data elements, and when, is paramount to ensuring security and compliance, especially when that system holds proprietary, financial or HR-related data
- Document and data management – usually in the form of a database, but some way to supervise data as it flows through the system, including disposition
- Automated workflow – an engine that guides the system user from inception to point of decision – in e-discovery terms this is inception from legal hold to production of data for litigation
- Reporting – any number of summary documents that describe status, metrics and stats about the data, investigation or case
All of these features are necessary for e-discovery, GRC and cyber-security investigation teams. A common system supporting the common data stored therein reduces redundancy and also consolidates the overhead in securing and managing teams and systems. While these are valuable returns in themselves, the real value appears when the corporate legal team and others involved can begin to stitch together the true status of an organization’s environment. This leads to a more proactive approach to changes in the business and more insight into the true cost of what once were separate teams. The e-discovery tool that supports this has application across the entire enterprise.