Big data sources are no different from traditional data sources: both the sources themselves and the use of big data should be protected like any other critical corporate document, dataset, or record.
Mitigating Risk to Data from Internal and Third-Party Users
To best mitigate risk from both internal and third-party users, certain procedures related to data access and handling should be implemented via IT control:
- Auditing and validation of logins and access
- Logging of actions
- Monitoring
- Chain-of-custody
Executive oversight, however, is also an extremely important method of managing data risk. Organizational commitment to appropriate control procedures, evidenced through executive support, is a key factor in creating, deploying, and maintaining a successful information risk management program. Employees who can see the value of the procedures through the actions and attitudes of those in management better appreciate the importance of those procedures themselves.
A Practical, Holistic Approach is Best for Risk Mitigation
Here are some tips for managing legal information/data risk:
- Use a team approach: Include representatives from legal, IT, risk, and executives to cover all bases.
- Use written SOPs and protocols: Standard ways of operating/responding/process management and following written protocols are key to consistency. Consistency helps defend the process in legal proceedings if needed.
- Leverage native functionality when responding to legal requests: Reporting that is sufficient for the business should be appropriate for the courts. Also be sure to establish a strong separation of the presentation layer from the underlying data for implicated system identification purposes.
Multi-departmental involvement is also very important to creating and maintaining a successful risk mitigation environment and plan. It is easy to lose track of weak spots in data handling when only one group is trying to guess the activities of all the others in an organization. Executives, IT, legal, and risk all have experiences to share that could implicate weakness in the systems. Review by a team helps cover all the bases.
Implementation across departments also reinforces the importance of the risk procedures to the organization. Organizations that create risk programs but choose not to implement them, or that implement them inconsistently, face their own challenges when dealing with the courts in enforcing data and document requests, even those requests with a broad scope.
What’s Ahead in Big Data Security and Governance
This is a new field for legal professionals and the courts. Big data is here to stay and will become increasingly ubiquitous and a necessary part of running an efficient and successful business. Because of that, those systems and data (including derived analysis and underlying raw information) will be implicated in legal matters and will thus be subject to legal rules of preservation, discovery, and evidence. Those types of legal requirements are typically burdensome and expensive when processes are not in place and people are not trained. Relevant big data systems and applications are not designed for the type of operations required by legal rules of preservation and discovery—requirements related to maintaining evidentiary integrity, chain-of-custody, data origination, use, metadata information, and historical access control.
This new technical domain will quickly become critical to the legal fact-finding process. Thus, organizations must begin to think about how the data is used and maintained during the normal course of business and how that may affect their legal obligations if big data or related systems are implicated, which may well be the case in every legal situation an organization faces.
About the author
Alon Israely, Esq, CISSP, is a co-founder of Business Intelligence Associates. As a licensed attorney and IT professional, together with the distinction of the CISSP credential, he brings a unique perspective to articles and lectures, which has made him one of the most sought-after speakers and contributors in his field. Israely has worked with corporations and law firms to address management, identification, gathering, and handling of data involved in e-discovery for more than a decade.