May 27, 2017

The Intersection of GRC, Cyber-Security & Legal: How to Triple Your ROI in E-Discovery Technology

Those with a clear view into the future of e-discovery are noticing that the line between established e-discovery processes and other business functions that span the area of a “digital investigation” is blurring.  Many organizations continue to debate the proper home for functions like a governance, risk and compliance (GRC) program and a cyber-security team (which seems to morph and evolve on a daily basis).  Ultimately the decision as to where these functions live is as unique as an organization’s culture; what is not up for debate are the tools and skill set required to support them.

The corporate in-house legal team clearly plays a role at the intersection of e-discovery, GRC and security.  Many concerns require frequent and tight cooperation between the corporate legal team and the compliance team as a GRC program matures and new security headaches come to light.  Here are a few examples:

  • Risk Management and Assessment – Topics like non-compliance and investigation of new and yet-to-be-identified risks can, and should, be sourced through legal.
  • New Internal Policy Review – There is no better source than the legal team for review and ultimate approval – especially for public organizations.  Legal is also a great source of exceptions and how they should be handled according to new policy.
  • Regulatory Guidance and Interpretation – How does a new regulation apply to an organization, and what steps need to be taken to ensure compliance?  Corporate legal teams are also a great source for historical reference when clear precedent is yet to be set.
  • When a Cyber-Security Incident turns into Litigation – The sooner legal is involved, the greater the potential to reduce risk and exposure. Attorneys think in terms of a timeline or sequence of events.  Having them play an active role as events unfold is invaluable.
  • E-Discovery Sanction Avoidance – There are still organizations out there that treat the process of e-discovery in a disjointed manner, meaning the collection, analysis and preliminary case assessment are performed by IT or a third party without legal oversight.  Legal should understand and routinely review these practices to ensure compliance with a dynamic legal landscape.

I’m a pragmatist, and while this sounds great, actually extracting the value of this interaction is a challenge.  I submit that the technology used to effectuate and enable these business functions can serve as a catalyst to draw these seemingly disparate groups together.  What do I mean?  I mean e-discovery tools have very similar workflows and features to GRC and even cyber-security investigation platforms.  For example, although at its core a litigation support tool, a proper enterprise-class e-discovery platform also provides the following features:

  1. A rules and notification engine – these features support litigation hold, status updates when processing or collecting data and reporting on review/analysis jobs
  2. Audit and logging – who touched/viewed/exported what data elements and when is paramount to ensuring security and compliance, especially when that system holds proprietary, financial or HR-related data
  3. Document and data management – usually in the form of a database, but some way to supervise data as it flows through the system, including disposition
  4. Automated workflow – an engine that guides the system user from inception to point of decision – in e-discovery terms this is inception from legal hold to production of data for litigation
  5. Reporting – any number of summary documents that describe status, metrics and stats about the data, investigation or case

All of these features are necessary for e-discovery, GRC and cyber-security investigation teams.  A common system supporting the common data stored therein reduces redundancy and also consolidates the overhead in securing and managing teams and systems.  While these are valuable returns unto themselves, the real value appears when the corporate legal team and others involved can begin to stitch together the true status of an organization’s environment.  This leads to a more proactive approach to changes in the business and more insight into the true cost of what once were separate teams.  The e-discovery tool that supports this has application across the entire enterprise.

Devin Krugly

Devin Krugly is the VP of Marketing and Business Development at AccessData. He joined AccessData from ExxonMobil to guide the growth of the company’s marketing initiatives and lead generation and to modernize the company’s global VAR and partnership network. Prior to his current role, Devin led several large multi-million dollar solution design and implementation projects for the world’s largest publicly traded company, ExxonMobil. His most recent experience was a three-year effort to grow an in-house e-discovery team with proper tools to successfully execute data collection and processing related to litigation. The scope of that project included a year-long process to evaluate potential vendors which led to 24 months of assessing fit and purpose of an e-discovery team and design of an IT infrastructure to support the team’s activities. Prior to his role with ExxonMobil, Devin held a position with Halliburton in their Global IT Security department working on NISPOM compliance and developing best practices related to government classified information. Devin also served in the US Army and was deployed to Bosnia-Herzegovina in support of Operation Joint Endeavor/Joint Guard during peace-keeping operations in that region.
