IT and legal perspectives on data security

How to play nice with your IT department when managing records

This article is the third of a four-part series. Previously, we have looked at security standards and best practices. In the next installment, we will conclude with best practices in e-discovery.

When it comes to a company’s data, both the IT and legal departments should be involved and understand how the data flows and where it resides. However, the two groups have different perspectives and, sometimes, conflicting priorities when it comes to data security and records management.

For many in IT, the best approach to records management would be to delete everything as quickly as possible, saving time, trouble and money. In the legal department, data management and destruction needs are different. Some types of information must be kept for specific lengths of time. Along with state and federal laws, specific regulations may govern industries. And once potentially responsive information is subject to litigation hold, all bets are off.

In order to manage their conflicting needs, in-house counsel need to work closely with the IT department. The burden may be on the legal department to reach out to IT to develop policies and good working relationships. When a litigation hold needs to be issued, IT will be the attorneys’ greatest ally.

There are several different areas where IT and the legal department may have different perspectives that require cooperation and understanding:

Records management policies

In-house counsel need to be thoroughly involved in creating, implementing and updating the company’s records management and destruction policies. For example, the IT team may not know that, under the Fair Labor Standards Act, the company has to maintain payroll records for at least three years. In-house counsel should understand the retention period for information, where and how the data is stored, and communicate that information to IT.

IT and the legal department also need to work together to educate employees and manage the way they handle records. Keeping employees in compliance with records management policies is hard enough when data is backed up on the company servers. It’s much more complicated to control the electronically stored information (ESI) that employees keep on their laptops or smartphones.

Some employees never seem to delete anything, and email hoarding can be a particular headache when it comes to records management. Working with IT and others in the company, in-house counsel may want to consider instituting policies that limit the amount of data employees can store in their inboxes, along with the length of time they can keep emails. Automatic destruction policies can be very helpful, but they must be carefully planned and thoroughly and consistently implemented.

New hardware and software

IT people like technology, and the newer and flashier it is, the better. However, they may not consider the records management implications of new apps or smartphones. In-house counsel need to be involved in the decision-making processes for purchasing and implementing new hardware and software, and need to ensure that these tools comply with established procedures.

Storing data in the cloud

Many companies are looking to the cloud as a way to save money and space. IT may love the idea of virtual storage in the cloud, which removes the need for servers, the space they take up and the maintenance they require. However, before moving to the cloud, in-house counsel need to be sure that the data is secure and can be collected and processed during litigation.

At many companies, the level of cloud security is questionable. According to a survey by the Ponemon Institute, a privacy and security research organization, fewer than half of IT security practitioners and enterprise compliance officers believe their organizations have adequate technologies to secure their cloud infrastructures. The survey, “Data Security in the Cloud Survey of U.S. IT Operations, IT Security and Compliance Practitioners,” says that only one-third of IT security practitioners believe cloud infrastructure environments are as secure as data centers that are located on-site.

Along with security, the company needs to understand exactly who owns the data and what jurisdictional issues may be involved. If a litigation hold needs to be issued for data stored in the cloud, who receives the hold notice? What if the information is stored in a jurisdiction governed by EU privacy laws?

Keep a current data map

The IT department will have its own data maps outlining the company’s hardware and software and how data flows through the organization. The legal department needs its own version of that map, which shows where data resides, how accessible it is, how complex the data may be and how it can be removed from the company’s normal data destruction cycles if a litigation hold notice needs to be issued.

In today’s high-tech and virtual world, the nature and amount of data are constantly changing. In order to ensure that data remains secure, in-house counsel need to stay in constant communication with their IT counterparts and develop good working relationships with them.

Contributing Author

Stacy Jackson

Stacy Jackson is corporate counsel with IE Discovery. She has managed IE Discovery’s legal services team, working directly with client attorneys in charge of cases...
