According to the British Computer Society’s Information Security Magazine, eDisclosure is a time bomb waiting to happen, and the key question for many organisations should be: “how ready are we for any potential fall-out?”
This excellent article claims that the astounding growth of Electronically Stored Information (ESI) means that Security and Search / Accessibility, not Storage, have become the biggest challenge for most organisations. However, due to an increasingly stringent regulatory and legislative environment, we are witnessing a definite increase in the number of requests for ESI, or eDisclosure, by regulators and the legal process. It also predicts that “eDisclosure related investigations, prosecutions and fines are likely to become more common”. So just what is eDisclosure, and what does it mean for most organisations?
First of all, Disclosure is, according to the UK Crown Prosecution Service, “one of the most important issues in the criminal justice system” which requires that “…full disclosure should be made of all material held by the prosecution that weakens its case or strengthens that of the defence”. In other words, all relevant material information must be disclosed by both sides in order to ensure fair play, and in the case of electronic information this is referred to as Electronic Disclosure or eDisclosure (Note: This is also known as eDiscovery in the USA).
Secondly, the repercussions for any organisation caught out by eDisclosure could be rather severe, as they are often commensurate with those accruing from major information management / compliance risks, which may result in significant costs and fines; charges of non-compliance; and damage to reputation and stakeholder / customer confidence. So what can organisations do to address this very real challenge, and to mitigate the associated risks?
- Build and Increase Awareness – there is a surfeit of information about eDisclosure online, and a simple Google or Bing query will throw up loads of links. (Note the most relevant links are not necessarily those of solution vendors). Also, there are several high-profile conferences and events that take place each year on this topic (e.g. see the upcoming Information Retention and E-Disclosure Management Europe).
- Improved Data Governance – this should go without saying, but the number of enterprises that are lacking in this particular area is quite alarming in light of reported incidents of data breach / loss. Most organisations and their CxOs need to raise the profile and priority for a holistic information security / management strategy that encompasses ALL aspects of information risk (e.g. compliance and risk management, information audit, security and access control / monitoring), and that’s just for starters.
- Investigation of Solution Options for eDisclosure (i.e. Build, Buy, or Services) – Several vendors may claim to do this, but the key is to find one/s that address not just eDisclosure (which really boils down to good data management, search and retrieval capabilities), but also all the relevant / impacted areas as listed above under Data Governance. In addition, they must include policies and provisions for new technologies / usage scenarios (e.g. Cloud, Blogs, Wikis, plus Social Networking Media e.g. Twitter, Facebook, LinkedIn, YouTube etc.).
In conclusion, and in line with a previous post about Data Loss, eDisclosure is a BIG topic that affects all legal, legislative, regulatory, enterprise and technology stakeholders alike; therefore the right solution/s (including IRM-like capabilities for access tracking and control) must be equally wide-ranging and fundamental in order to be effective.
Jude Umeh is a Snr. consultant / Enterprise Architect within Capgemini, as well as Author, Blogger and Fellow of the British Computer Society (BCS). Jude is something of a rights management evangelist (when provoked), and you can follow / connect with him on Twitter