Organizations create and share enormous volumes of sensitive information, and with the rise of SaaS applications and collaboration tools, this information can exist in many places: emails, Slack messages, Jira tickets, Salesforce records, internal HR databases, Asana projects, and anywhere else work is getting done.
But any time information is being shared freely, there is a risk of personally identifiable information (PII) and personal health information (PHI) finding their way into these channels. That’s why protecting and managing this data is of the utmost importance for corporate legal and compliance teams.
This was the topic of discussion during Hanzo’s webinar, “Drive Data Intelligence with Collaborative Data.” The speakers included:
- Jon Braunstein, who is a Partner at Seyfarth Shaw, LLP. Jon is a successful business litigator, advisor, and strategist who provides practical, business-driven advice to clients on the challenging issues, risks, and opportunities they face, and has experience working with clients in the healthcare, insurance, employee benefits, financial services, technology, real estate, retail, construction, and global defense industries.
- Jason Trip, who is a Solutions Engineer at Nightfall AI. With a background as a software engineer and experience in the financial, education, and healthcare industries, Jason helps build Cloud Data Loss Prevention (DLP) solutions for security and compliance teams.
- Dave Ruel, who is the Head of Product at Hanzo. Dave has more than 20 years of experience in software and product development and has spent considerable time in the legal, compliance, and information governance space. He has helped develop a broad range of products and solutions for big data challenges and is passionate about emerging technologies like machine learning, artificial intelligence, and visual analytics.
Challenges for Legal and Compliance Teams with Today's Enterprise Data
When talking about the biggest challenges they’re seeing in their respective areas of expertise, Jon led things off by talking about the volume and complexity of data. “Data on data and data within data,” he said. “So the biggest question companies should be asking themselves is, ‘How do we monitor it, track it, store it, and control it?’ It’s not email. It’s more complex. When you print it out, it looks like code. So it creates a lot of challenges.”
Dave agreed, stating, “Data’s all over the place, and the big challenge is connecting to all the various data sources. There are many companies out there using dozens and sometimes hundreds of unique data sources. So connecting to them with a user-friendly interface which can then make sense of all of that data is a major challenge.”
Jason brought up some of the technical challenges which come with the growing expanse of enterprise data. “When the idea of Data Loss Prevention was created, an organization’s data existed in what was essentially a ‘walled garden.’ But with the rise of SaaS applications, along with communications channels like Gmail and Slack, all of this data now resides outside of your network. So DLP becomes a unique challenge, because now it’s much easier for PII, PHI, and other sensitive data to find its way outside of a system in SaaS environments.”
Along with the challenges in capturing data, the ways in which that data is captured may be susceptible to risks as well. “Along with PII and PHI, sometimes API keys, credentials, and secrets can find their way into SaaS exports,” Jason added, “which could allow for breaches upstream if not monitored. For example, Slack Connect allows you to connect with organizations outside your own system, and anytime you do this, there is of course increased risk. So knowing these risks, monitoring, and managing them is important.”
When it comes to best practices, Jon suggested that a good first step is solidifying your organization’s document retention policies before litigation takes place. “What are your retention policies, how much storage do you have, how much are you willing to pay for that storage, and should litigation arise, what sort of legal hold policies exist?”
He continued, “Five years ago, attorneys knew what they were asking for when faced with a subpoena, because then it was still mainly emails. Now they need to rethink what enterprise data is and how they need to ask for it, so they can include it in their initial disclosures or preserve it should opposing counsel request it. They should also consider all of the different versions, edits, screenshots, comments, and other forms of data and metadata that may be relevant. And they need to do this work ahead of time, way before a subpoena comes in.”
To hear the full discussion between these industry experts, register for the on-demand webinar recording.