
White Paper

Leveraging In-house eDiscovery Technology for Protecting Data Privacy, Enabling IP Protection, and Controlling Sensitive Data
Sponsored by:

Abstract
This paper provides an overview of the problems and risks that come with ever-increasing amounts of data, with the inability to quickly and efficiently identify sensitive data for business and legal reasons, and with the impact of data privacy requirements. It also provides an overview of the challenges associated with intellectual property and of how an organization can use eDiscovery solutions to address these growing data management risks, including how the same framework and tools used for eDiscovery processes can be leveraged for protecting data privacy, enabling IP protection, and controlling sensitive data across an enterprise.

Disclaimer
Contoural provides information regarding business, compliance and litigation trends and issues for educational and planning purposes. However, legal information is not the same as legal advice, the application of law to an individual's or organization's specific circumstances. Contoural and its consultants do not provide legal advice. Organizations should consult with competent legal counsel for professional assurance that our information, and any interpretation of it, is appropriate to each organization's particular situation.

Copyright 2011 Contoural, Inc.

Leveraging In-house eDiscovery to Play a Bigger Role

Table of Contents

Introduction
    Accumulation of Sensitive Data Across the Enterprise
    Data Leakage from Repositories
Data Privacy Challenges
    Data Breaches, WikiLeaks, and Inadvertent Disclosure
    Identifying What Data Is Where
    Data Control Requirements for Data Privacy
Intellectual Property: Switching from Defense to Offense
    Intellectual Property as a Corporate Asset
    IP: The New Risks
    Data Control Requirements for Intellectual Property Management
Leveraging In-house eDiscovery Processes
    Creating and Extending an ESI Map for Identifying Where Specific Data Is
    Identifying Privacy Information and Keeping it Secure
    Tracking IP and Patent-related Information
    Securing Trade Secrets
    Enabling Ongoing Deletion
    Creating Ongoing, Repeatable Processes
    Create a Documented Audit Trail
Conclusion


Introduction
Do you know what data you have and where it is? While these may seem to be relatively simple questions, given the massive amount of data created and retained by organizations today, the answers are sometimes hard to come by. Not knowing the answers can be disastrous for an organization. These simple questions are faced by data security, intellectual property (IP) and legal departments alike, albeit in somewhat different contexts. Data security departments need to understand what data their organization has, and where it is located, in order to protect it from an outside breach or an internal leak. IP managers need to understand where confidential IP-related information exists in order to protect and assert their IP rights. Legal departments need to understand what data the organization has in order to be litigation ready and able to respond in a timely manner to discovery requests in the event of litigation or investigation. Although these are different business functions, they all have a common need: identifying and controlling data.

Accumulation of Sensitive Data Across the Enterprise


Electronic information accumulates at an alarming rate. According to a UC Berkeley study, more than 96% of all information an organization creates or receives is in electronic format. Depending upon the industry and company, overall data growth averages from 20% to as high as 60% per year. Enabled by the ever-greater capacity of data storage systems, companies create and save more and more electronic documents, often simply throwing more disk at the problem when their systems become full instead of addressing the underlying problem of too much data accumulation. An organization's large store of data typically contains a small amount of often-accessed active content, as well as a large portion of older, rarely-accessed inactive content. Regardless of whether data is active or inactive, both types are likely to contain sensitive information. Sensitive information includes financial information, such as credit card or other banking data, social security numbers, personal home addresses or other personally identifiable information (PII) that can distinguish or trace an individual's identity. It can also include personal health information (PHI) such as medical history, insurance information or other information regarding employee benefits or healthcare organizations. In addition to data about individuals, organizations also collect and store information that is sensitive for the organization as a whole, including confidential intellectual property such as trade secrets or other commercially sensitive information that could become financially disastrous and/or a public relations nightmare if made public.

Data Leakage from Repositories


Many organizations know they have sensitive information, but mistakenly believe that this information is stored in secure repositories. Even in tightly controlled environments, sensitive information often leaks from secure to unsecure areas. For instance, data may be taken from a secure repository and stored in an unsecure repository for convenience purposes, storage limitation reasons, or transitory storage reasons. Employees, contractors and other authorized individuals often store confidential or sensitive data on corporate file shares, in email, or on portable devices such as unencrypted laptops, USB and flash drives. Once in this unsecure location, the data may simply be forgotten, but still represents a potential risk of a data breach or data leak, since unsecured repositories have an inherent lack of access control. Couple the ever-increasing volumes of data that organizations are accumulating with the growing number of potentially unsecured places that data may reside, and the risk of a breach or leak is much greater. Exacerbating the problem is the fact that employees are often unaware that they are prohibited from storing data in a particular location, or worse, the company may not have a policy prohibiting this type of behavior or any specific training on how to deal with a particular type of information.

Data Privacy Challenges


Data Breaches, WikiLeaks, and Inadvertent Disclosure
A data breach is an incident where confidential or sensitive information has potentially been accessed, stolen or used by unauthorized individuals. Data breaches and leaks can occur in a number of different ways. The most common type of data breach is a black hat attacker hacking into the corporate network, often to steal data for financial gain. This is a huge problem because the hacker may have access to a wide range of data sources at a variety of access levels. Another, newer type of leak is a so-called WikiLeak, where large quantities of electronic documents are stolen and then sent or posted online. The intent of WikiLeaking is to damage or embarrass an organization, with the hope that within the sheer quantity of documents released some will contain hurtful information. During the past year both governmental and private sector organizations have been victims of WikiLeaking campaigns. The other type of leak is inadvertent disclosure, where sensitive data is stored on removable media, such as a USB thumb drive, and subsequently lost. The breach and subsequent harm occur when the information is lost, even if there is no evidence that the lost data was accessed or used for nefarious purposes. Regardless of the mechanism or intent of the breach or leak, the consequences can be severe. Many countries have enacted "notice" laws, and 42 states and the District of Columbia have enacted some form of similar notice law that requires the breached company to notify customers if they are involved in a data breach. There are also a number of industry-promulgated guidelines and government compliance regulations that mandate strict governance of sensitive or personal data to avoid data breaches. For example, the Payment Card Industry Data Security Standard (PCI DSS) directs who may handle and use sensitive PII such as credit card and bank account information. In the healthcare arena, the Health Insurance Portability and Accountability Act (HIPAA) regulates who may see and use PHI such as name, Social Security number, date of birth, and health history information.

Texas Data Breach Exposed 3.5 Million Records


In March of 2011, the Texas State Comptroller's Office discovered that it had inadvertently placed private information from the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an Internet-accessible server. The data leak included Social Security numbers, driver's license numbers, and names and addresses of more than 3.2 million Texans. The data was not encrypted, which was a breach of policy rules that were designed to protect people's Personally Identifiable Information (PII). The mishap occurred in early 2010 when the Texas Retirement System, the Employee Retirement System and the Texas Workforce Commission transferred the personal information to be matched by the Comptroller's Office against a list of people owning unclaimed property. More than 10 months later the Office discovered the information had been left unprotected on an Internet server for almost a year. In the wake of the incident the Comptroller's Office fired its head of Information Security and of Innovation and Technology and two other individuals. The Comptroller's Office did not find any evidence that the data had thus far been misused, but those affected by the data loss may be at risk for identity theft for the rest of their lives because of the longevity of Social Security numbers and dates of birth.

Identifying What Data Is Where


One of the primary challenges for any business is understanding what data resides where. If data is stored in non-compliant, unknown, or unsecured storage areas, the risk of not being able to find data, or worse, of a data leak, is drastically increased, as we have already mentioned. The increasing amount of data that organizations generate and the vast number of repositories available to store or archive data compound the difficulty of keeping track of which data is stored in what location. With advances in collaboration and communication technologies and the globalization of companies that have offices in multiple geographical locations, centralizing and tracking data is becoming increasingly difficult. Ensuring that the right data is in the right place is extremely important from a data compliance, security, eDiscovery and IP protection standpoint. Adding to this challenge is that today's data takes many forms, including email, unstructured data on file shares, structured data in databases, and social networking and other collaboration tools, just to name a few.


Heartland Payment Systems


To date, the largest data breach in history happened to payment processing company Heartland Payment Systems. Heartland handles the transfer of funds and information between retailers and cardholders' financial institutions. The breach was the result of key-logging malware that managed to get through the corporate firewall and recorded keystrokes on an infected computer. Another piece of malware, a sniffer, which captures entire data packets on a network, was then used to capture transactions as they were sent across the Heartland network. It is still unclear how many transactions the sniffer was able to grab, or what percentage of those transactions the intruder was able to access. The data stolen included the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. This data could potentially be used to create fabricated cards using the information encoded on the stripe. Within days of the attack being made public, Heartland's stock plunged 50%. The stock has recovered some ground, but is still below what it was before the breach. The company has accrued millions of dollars in expenses related to the breach, including litigation fees for class-action lawsuits filed on behalf of financial institutions, cardholders, and stockholders. The incident has also led Federal agencies, including the Federal Trade Commission, to look into Heartland's handling of information security, and the Securities & Exchange Commission has begun an informal inquiry into whether executives unlawfully sold shares amid the crisis.

Data Control Requirements for Data Privacy


Data Security faces a fundamental question: how do organizations provide employees, customers, and other legitimate stakeholders access to data, while at the same time limiting access to unauthorized or non-legitimate users? Data privacy presents the following challenges:

What type of data do organizations have?
Which of these data contain sensitive information, and what types of sensitive information?
Where does this data reside?
Which non-designated media, such as e-mail, contain sensitive data?
Where has this data leaked?
How can organizations ensure sensitive information is managed and controlled appropriately?


Intellectual Property: Switching from Defense to Offense


Intellectual Property as a Corporate Asset
In today's business world, intellectual property (IP) is not only viewed as a legal asset, but increasingly as a financial asset. Companies in knowledge-based industries such as the high technology and biotech industries spend most of their time researching and developing IP as building blocks of innovation. Intellectual property is also one of the main assets looked at in performing due diligence for mergers and acquisitions. The valuation of one's IP assets, both from a financial standpoint and also as a risk/liability assessment, weighs heavily on the minds of potential investors and purchasers.

IP: The New Risks


One form of IP common in today's business world is the trade secret. Trade secrets are often an overlooked corporate asset because their very existence depends on secrecy and on the fact that they are not registered with any government office or disclosed to the public. When taking inventory of intellectual property assets, the full scope of a company's trade secrets may be overlooked if the right identification and tracking procedures are not in place. This could turn out to be a costly mistake if trade secrets are the main source of IP for the company. As with any form of IP, companies have a responsibility to protect their trade secrets. Trade secret owners have a duty to use reasonable measures to protect their secrecy. One of the main reasonable measures companies employ is the use of confidentiality and nondisclosure provisions in employment contracts or other appropriate documents. Assuming that employees, contractors and vendors are abiding by the provisions in their contracts, there is the additional issue of understanding where the protected data is actually being stored. Understanding what the data is, and where it is being stored, are the first steps in identifying, and subsequently protecting, valuable trade secrets.

Keeping Trade Secrets Confidential


For information to be considered a trade secret, it must meet three criteria: a) it is generally not known to the public; b) by not being known, the information provides economic benefit to its holder; c) it is subject to reasonable efforts to keep it secret. Unlike patents, trade secrets can exist indefinitely (e.g. Coca-Cola or Kentucky Fried Chicken). In a world dominated by electronic communications across a growing variety of media, organizations face the biggest challenge with the third criterion: keeping information secret. Trade secrets can be, and have been, leaked through emails, files and other media, often inadvertently. In order to safeguard trade secrets today, companies have to demonstrate that they have an ongoing process for protecting this information.


Patents, another form of intellectual property, can also make up the bulk of a company's financial assets. Patents typically are developed over several years of research and development, and the documents and records created in the development of the method, process, or technology can be quite extensive. Because of the exclusive rights derived from owning a patent, the financial value of patents has become more and more the subject of high-stakes litigation. One particular category of patent litigation that has been on the rise in recent years is litigation brought by patent holding companies or non-practicing entities. A patent holding company (often pejoratively referred to as a patent troll) typically amasses a large number of patents in a particular field, not to practice the claimed inventions, but to license the technology for others to practice. Some patent holding companies also frequently litigate against those they believe are violating the patents in their portfolio. A typical practice of these entities is to send a cease and desist letter to those in the target field or industry, often offering a license to use/practice the inventions covered in the patent(s). A recipient of a cease and desist letter is faced with one of two options: either fight the lawsuit (usually at significant expense), or pay the license fee, which typically should be less than the total cost of litigation. Typically a patent holding company is looking to monetize its patents and obtain the most money with the least amount of expense. Companies with limited ability to analyze their IP portfolios are likely to spend more during litigation and/or are more likely to settle these types of suits. Therefore, unprepared companies are a more likely target for infringement cases by patent holding companies. Most holding companies engage outside counsel on a contingency basis, and all costs are subtracted from the settlement or verdict amount. A quick win through settlement is thus more attractive.
Often, larger businesses are at an extreme disadvantage when it comes to discovery because they generally will have a much larger universe of responsive data to identify, collect, review and produce than a patent holding company. Having a deep understanding of where all patent-related information is stored and how to retrieve it quickly and efficiently can quickly put an organization on the offensive in the discovery process.

Data Control Requirements for Intellectual Property Management


Managing and controlling information is a fundamental component of enforcing and defending intellectual property rights. Organizations need to be able to:

Perform reasonable measures to keep this confidential information secret.
Quickly identify electronic documents throughout the enterprise which have content that supports intellectual property development claims.
Enable this identification across multiple media, including emails, wikis, presentations, etc., keeping in mind that much intellectual property development is captured outside of formal development documents.


Leveraging In-house eDiscovery Processes


The data management requirements companies face for data privacy and intellectual property management are in many ways similar to those that organizations face for eDiscovery. Privacy, IP and eDiscovery requirements all focus on identifying, managing, controlling and defensibly disposing of information and data across the enterprise. As such, eDiscovery processes can be leveraged to address compliance mandates, data privacy and IP protection. Instead of having tools and processes for each of these separated in silos, organizations are increasingly creating single processes which span all of these business drivers.

Creating and Extending an ESI Map for Identifying Where Specific Data Is
A current best practice for eDiscovery is creating an Electronically Stored Information (ESI) Map. An ESI Map is a defensible inventory of an organization's data repositories that may contain information potentially discoverable in litigation or another legal proceeding or investigation. The Map contains important information such as the type of data, the source, location and volume of information, and who to contact to collect information from the repository. Identifying what data exists, how and where it is stored, and how long it is stored for, is the foundation of a solid litigation readiness and eDiscovery program. Inherent within this landscape of data characteristics is also the foundation of any good IP protection strategy, and it is equally important in a data security program. In the security arena, understanding what data exists, how and where it is stored, and how long it is retained is vital to implementing proper access and security controls and protection from breaches or leaks. By leveraging and expanding an eDiscovery-oriented ESI Map, data compliance departments can add categories describing the sensitivity of the information, such as whether it contains PII or other confidential or otherwise sensitive business information. This additional information about the data will help compliance and data security teams understand what data exists, and where data may be at risk from a leak or breach. In addition, including information about what patent or technology the data may relate to can help legal departments proactively understand the volume and location of IP data, so that they are better equipped to defend or assert their patent/IP rights.

Identifying Privacy Information and Keeping it Secure


Even seemingly open applications such as email are likely to receive some privacy-related information. Organizations need to identify sensitive information as it is received or created. Even when sensitive or private information is created in appropriate and secure applications, this content often leaks from these secure repositories to unsecure areas. eDiscovery processes which identify privacy-relevant information in discovery can be used to identify sensitive information in these unsecure areas or repositories. The challenge is to identify and remediate any leak or inappropriate storage quickly and often.
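The two steps described above, extending an ESI Map with sensitivity categories and then sweeping unsecure repositories for privacy-related content, can be shown in one small script. The following is an added example written for this page; it is not StoredIQ's or Contoural's code. The repository names, the `secure` flag, the document texts and the PII patterns (SSN, payment card number validated with the Luhn checksum, e-mail address) are all constructed for illustration; a production scanner would use a far richer pattern set and read content from the real repositories.

```python
"""Added example: tag an ESI Map with the PII categories found in each
repository and flag repositories where PII sits without access control.

Repository names, the 'secure' field, the sample documents and the pattern
set are constructed for illustration (not the paper's or a vendor's code)."""
import re
from copy import deepcopy

# Constructed ESI Map entries: the fields the paper lists (type, location,
# custodian) plus a hypothetical 'secure' flag for access-controlled stores.
ESI_MAP = [
    {"name": "hr-db", "type": "database", "location": "dc1",
     "custodian": "HR Ops", "secure": True},
    {"name": "fileshare-sales", "type": "file share", "location": "dc1",
     "custodian": "Sales IT", "secure": False},
    {"name": "mail-archive", "type": "email", "location": "cloud",
     "custodian": "Messaging", "secure": False},
]

# Constructed sample documents, keyed by repository name.
SAMPLE_CONTENT = {
    "hr-db": ["employee 1042 ssn 123-45-6789 addr 1 Main St"],
    "fileshare-sales": ["Q3 forecast attached",
                        "customer card 4111 1111 1111 1111 exp 12/24"],
    "mail-archive": ["FYI export from hr-db: 987-65-4320 jane@example.com",
                     "lunch?"],
}

PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-16 digits with optional space/hyphen separators; Luhn-checked below
    # so that random digit runs are not reported as card numbers.
    "PAN": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def categories_in(text: str) -> set:
    """Return the set of PII categories present in one document."""
    found = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if label == "PAN" and not luhn_ok(match):
                continue
            found.add(label)
    return found


def scan_repositories(esi_map, contents):
    """Return a copy of the ESI Map with a 'sensitivity' category set per
    repository and 'leak_risk' set when PII is found outside a secure store."""
    tagged = deepcopy(esi_map)          # leave the source inventory untouched
    for entry in tagged:
        cats = set()
        for doc in contents.get(entry["name"], []):
            cats |= categories_in(doc)
        entry["sensitivity"] = cats
        entry["leak_risk"] = bool(cats) and not entry["secure"]
    return tagged


def leak_candidates(tagged):
    """Repositories to remediate first: PII found where access is not controlled."""
    return [e["name"] for e in tagged if e["leak_risk"]]


if __name__ == "__main__":
    result = scan_repositories(ESI_MAP, SAMPLE_CONTENT)
    for entry in result:
        print(entry["name"], sorted(entry["sensitivity"]),
              "leak_risk=%s" % entry["leak_risk"])
    print("remediate first:", leak_candidates(result))
```

Running the script on the constructed data reports PII in all three repositories but flags only the file share and the mail archive, which is the point of carrying a sensitivity category alongside the repository's access-control status in the Map: the same Social Security number is a managed record in the HR database and a leak in the mail archive. Re-running the sweep on a schedule, rather than once, is what turns this into the ongoing identification the section calls for.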


Tracking IP and Patent-related Information


Often the kernel of intellectual property is created well upstream of formal development processes. Engineers talk about new ideas in email or post messages on internal wikis or blogs. Effective IP protection begins with a deep understanding of what confidential intellectual property an organization has and where it resides, including these early, upstream documents. For patents, as we discussed, having a deeper understanding of what patent-related information is out there will enable a company to be prepared to better defend its patent rights, and to also assert them. With the appropriate amount of attention, eDiscovery processes can be applied to proactively manage and catalogue this information.

Securing Trade Secrets


In the realm of trade secret protection, this proactive management is important so that an organization can perform the reasonable measures to keep information secret that the law requires. Identifying what IP information exists and where it is being stored is the first step in identifying and subsequently protecting valuable trade secrets.

Enabling Ongoing Deletion


Many records and documents containing sensitive information have little or no business use after a short period of time. Keeping this information around longer than its useful legal or business life increases the chance that it may be breached or leaked in the future. Furthermore, too much data clutter can hamper the search for valuable or relevant information. A cornerstone of any good litigation readiness and records management program is the ongoing defensible deletion of inactive and expired data. Utilizing retention schedules and tools that help automate deletion of expired data will help reduce the amount of data no longer needed in the organization. These same deletion policies and tools used in records management and eDiscovery can be utilized by data compliance teams and IP managers to ensure that the organization is not missing data or expending resources to protect data that shouldn't be kept in the first place. An additional benefit of this type of good housekeeping is that it will decrease the amount of money spent on searching and processing information during discovery or otherwise.

Creating Ongoing, Repeatable Processes


An organization's data is not static. It grows, changes, moves, is deleted and, unfortunately, sometimes leaks. Therefore, when addressing privacy and IP, companies need to develop dynamic, regular, and consistent processes for controlling this sensitive data. In addition to being able to quickly identify all relevant IP (even newly created information), each organization should create an automated and repeatable approach that patrols for sensitive information on a weekly or even daily basis. Each company should also implement defensible deletion at least monthly. The data environment will never stand still, and therefore processes need to be equally dynamic.

Create a Documented Audit Trail


Many legal departments already have a legal hold process to identify, hold and often segregate data for further analysis, as appropriate. For legal defensibility, these processes should be designed to be transparent, scalable, and repeatable. Equally important, they should withstand an audit or court scrutiny. Defensibility is greatly enhanced through documenting processes. The same applies to data security and IP protection. Creating an audit trail greatly increases the defensibility of an organization's IP and security of its data.
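The preceding sections describe three things that belong together in one repeatable run: a retention schedule that drives deletion of expired data, a legal hold that must override that schedule, and an audit trail that makes the run defensible. The script below is an added example written for this page, not the paper's or any vendor's code. The record categories, retention periods, record contents and the hash-chained audit format are constructed assumptions; the chaining of audit entries is one way to make the trail tamper-evident and is not something the paper prescribes.

```python
"""Added example: retention-schedule-driven defensible deletion that honours
legal holds and writes a tamper-evident (hash-chained) audit trail.

Categories, retention periods, records and the audit format are constructed
for illustration; this is not the paper's or a vendor's code."""
import hashlib
from datetime import date, timedelta

# Constructed retention schedule: category -> retention period in days.
RETENTION_DAYS = {
    "expense_report": 365,
    "customer_card_data": 90,
}

# Constructed inventory of records; 'on_hold' marks a legal hold.
RECORDS = [
    {"id": "r1", "category": "expense_report", "created": date(2009, 1, 15),
     "content": "Q1 2009 travel expenses", "on_hold": False},
    {"id": "r2", "category": "expense_report", "created": date(2011, 3, 1),
     "content": "Q1 2011 travel expenses", "on_hold": False},
    {"id": "r3", "category": "customer_card_data", "created": date(2011, 1, 5),
     "content": "card 4111 1111 1111 1111", "on_hold": False},
    {"id": "r4", "category": "expense_report", "created": date(2008, 7, 1),
     "content": "Q3 2008 travel expenses", "on_hold": True},
    {"id": "r5", "category": "wiki_note", "created": date(2005, 2, 2),
     "content": "early design idea", "on_hold": False},
]

GENESIS = "0" * 64   # starting value for the audit hash chain


def decide(record, schedule, today):
    """Return (action, reason) for one record.

    Delete only when a rule exists, its period has elapsed and no legal hold
    applies. Records with no rule are retained and flagged for a human to
    categorise, rather than being silently kept forever or purged."""
    if record["on_hold"]:
        return "retain", "legal hold"
    days = schedule.get(record["category"])
    if days is None:
        return "retain", "no retention rule for category; escalate"
    expiry = record["created"] + timedelta(days=days)
    if today >= expiry:
        return "delete", "expired on %s under %s/%d-day rule" % (
            expiry, record["category"], days)
    return "retain", "expires on %s" % expiry


def _entry_hash(prev_hash, record_id, action, content_hash):
    return hashlib.sha256(
        (prev_hash + record_id + action + content_hash).encode()).hexdigest()


def run_deletion(records, schedule, today):
    """Apply the schedule; return (remaining_records, audit_log).

    Each audit entry records the decision, the reason, a SHA-256 of the
    content, and a hash chained to the previous entry so that altering or
    dropping any entry is detectable."""
    remaining, audit = [], []
    prev_hash = GENESIS
    for record in records:
        action, reason = decide(record, schedule, today)
        content_hash = hashlib.sha256(record["content"].encode()).hexdigest()
        entry_hash = _entry_hash(prev_hash, record["id"], action, content_hash)
        audit.append({"run_date": today.isoformat(), "record_id": record["id"],
                      "action": action, "reason": reason,
                      "content_sha256": content_hash, "entry_hash": entry_hash})
        prev_hash = entry_hash
        if action == "retain":
            remaining.append(record)
    return remaining, audit


def verify_audit(audit):
    """Recompute the chain; False if any entry was altered or removed."""
    prev_hash = GENESIS
    for e in audit:
        expected = _entry_hash(prev_hash, e["record_id"], e["action"],
                               e["content_sha256"])
        if e["entry_hash"] != expected:
            return False
        prev_hash = expected
    return True


if __name__ == "__main__":
    kept, log = run_deletion(RECORDS, RETENTION_DAYS, date(2011, 6, 1))
    for e in log:
        print(e["record_id"], e["action"], "-", e["reason"])
    print("chain intact:", verify_audit(log))
```

With a run date of 2011-06-01 the script deletes the 2009 expense report and the expired card data, retains the current expense report, keeps the 2008 report because it is on legal hold, and retains the uncategorised wiki note with an escalation reason. Scheduling `run_deletion` monthly and archiving each audit log gives the repeatable, documented process the sections above ask for; `verify_audit` is what a later reviewer would run to confirm the log was not edited after the fact.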

Conclusion
Whether ensuring data compliance, managing intellectual property, or executing eDiscovery, the main building block all three require is proper identification of information across the entire organization. Because the benefits derived from understanding what data is where overlap, a business can leverage existing tools and processes such as those that already exist in the eDiscovery world. In addition, business cases for such eDiscovery solutions do not need to be made exclusively on eDiscovery; rather, the business case for eDiscovery can be part of the business case for data privacy, IP management and other cases involving controlling sensitive data across the enterprise.


About StoredIQ
StoredIQ is a leading provider of enterprise-class intelligent information governance solutions, including the award-winning Intelligent Information Management solution, which enables organizations to gain visibility and control over business-critical information to help meet their compliance, records management and legal discovery requirements. StoredIQ provides a unified solution for fast response to litigation and investigations, for proactive "litigation readiness," and for information protection and risk management, as well as storage management. Industry-leading companies rely on StoredIQ to streamline their information management and eDiscovery processes, while reducing risk and cost in the process.

StoredIQ, Inc.
4401 West Gate Blvd, Suite 300
Austin, TX 78745
Phone 512 334 3100
www.storediq.com
info@storediq.com


About Contoural, Inc.


Contoural is a leading independent provider of business and technology consulting services focused on litigation readiness, compliance, information and records management, and data retention strategy. Our clients include more than 15% of the Fortune 500, as well as many small and mid-sized companies across the U.S., with engagements throughout the world. The company sells no products and takes no referral fees, offering our clients truly independent advice. We believe that creating a consensus across our clients' organizations is a cornerstone of an effective strategy. Our services encompass all electronically stored information (ESI), including e-mail, as well as paper documents. With an average of 14 years of industry experience, our team is comprised of attorneys, former compliance officers and records managers who have a deep understanding of legal, compliance and business requirements for retaining and managing information, as well as seasoned IT professionals with expertise in document archiving, search, litigation management systems, data classification and data storage, all focused on effective program execution. Contoural services include:

Assessment and Roadmap Development Services
Records and Information Management Policy Development Services
Data Classification Services
Litigation Readiness Services
Solution Design, Technology Evaluation and Vendor Selection Services
Solution Implementation Services
Ongoing Program Management Services

With these services, Contoural helps companies ensure compliance and reduce risk across the enterprise, while also achieving litigation readiness and reducing costs.

Contoural, Inc.
1935 Landings Drive
Mountain View, CA 94043
650-390-0800
www.Contoural.com
info@contoural.com
