Category Archives: Data Audit

Incident Reporting Requirements Under GDPR and CCPA Require Effective Incident Response

By John Patzakis

The European General Data Protection Regulation (GDPR) is now in effect, but many organizations have not fully implemented compliance programs. For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. Under GDPR Article 33, breach notification is mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Notification must be made within 72 hours of first becoming aware of the breach. Data processors are also required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

In order to comply, organizations must accelerate their incident response times to quickly detect and identify a breach within their networks, systems, or applications, and must also improve their overall privacy and security processes. Being able to follow the GDPR’s mandate for data breach reporting is just as important as being able to act quickly when a breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

It is important, however, to note that the GDPR does not mandate reporting for every network security breach. It only requires reporting for breaches impacting the “personal data” of EU subjects. And Article 33 specifically notes that reporting is not required where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

The California Consumer Privacy Act contains similar provisions. Notification is only required if a California resident’s data is actually compromised.

So after a network breach is identified, determining whether the personal data of an EU data subject or California resident was actually compromised is critical, not only to comply where a breach actually occurred, but also to limit unnecessary over-reporting where an effective response analysis can rule out an actual personal data breach.

These breaches are perpetrated by outside hackers as well as insiders. An insider is any individual who has authorized access to corporate networks, systems, or data. This may include employees, contractors, or others with permission to access an organization’s systems. With the increased volume of data and the increased sophistication and determination of attackers looking to exploit unwitting insiders or recruit malicious insiders, businesses are more susceptible to insider threats than ever before.

Much of the evidence of the scope of computer security incidents, and of whether subject personal data was actually compromised, is not found in firewall logs and typically cannot be flagged or blocked by intrusion detection or intrusion prevention systems. Instead, much of that information is found in the emails and locally stored documents of end users, spread throughout the enterprise on file servers and laptops. To detect, identify, and effectively report on data breaches, organizations need to be able to search across this data in an effective and scalable manner. Additionally, proactive search efforts can identify potential security violations such as misplaced sensitive IP, personal customer data, or even password “cheat sheets” stored in local documents.
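To make the proactive-search idea concrete, here is a minimal sketch (not X1’s implementation; the pattern list, field names, and helper functions are hypothetical) of how text extracted from endpoint documents might be screened for personal data or password “cheat sheets”:

```python
import re

# Hypothetical detectors for a proactive personal-data audit; a real
# program would use far more robust patterns (e.g. checksum-validated
# card numbers, locale-aware phone formats).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "password_hint": re.compile(r"(?i)\bpassword\s*[:=]"),
}

def scan_text(name, text):
    """Return (filename, pattern-label) hits for one document's extracted text."""
    return [(name, label) for label, rx in PII_PATTERNS.items() if rx.search(text)]

def audit(files):
    """files: iterable of (name, extracted_text) pairs gathered from endpoints."""
    hits = []
    for name, text in files:
        hits.extend(scan_text(name, text))
    return hits
```

A production detector would validate its matches and run over text extracted from Office and PDF formats, but the screening logic has the same basic shape.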

To date, organizations have employed limited technical approaches to identify unstructured, distributed data stored across the enterprise, with many struggles. For instance, forensic software agent-based crawling methods are commonly attempted, but each search drives high computer resource utilization on every endpoint and pushes network bandwidth to its limits, rendering the approach ineffective and preventing compliance within tight reporting deadlines. Searching and auditing across even several hundred distributed endpoints in a repeatable and expedient fashion is effectively impossible under this approach.

What has always been needed is immediate visibility into unstructured, distributed data across the enterprise: the ability to search and report across several thousand endpoints and other unstructured data sources, returning results within minutes instead of days or weeks. None of the traditional approaches comes close to meeting this requirement. It can, however, be met by the latest innovations in enterprise eDiscovery software.

X1 Distributed GRC represents a unique approach by enabling enterprises to quickly and easily search across multiple distributed endpoints from a central location. Legal, cybersecurity, and compliance teams can easily perform unified complex searches across both unstructured content and metadata, and obtain statistical insight into the data in minutes instead of days or weeks. With X1 Distributed GRC, organizations can proactively or reactively search for confidential data leakage as well as keyword signatures of personal data breach attacks, such as customized spear phishing attacks. X1 is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs and quickens response times while greatly mitigating risk and disruption to operations.


Filed under compliance, Corporations, Cyber security, Cybersecurity, Data Audit, GDPR, Information Governance

USDOJ Expects Companies to Proactively Employ Data Analytics to Detect Fraud

By John Patzakis and Craig Carpenter

In corporate fraud enforcement actions, the US Department of Justice considers the effectiveness of a company’s compliance program a key factor when deciding whether to bring charges and the severity of any resulting penalties. Recently, prosecutors increased their emphasis on this policy with new evaluation guidelines about what prosecutors expect from companies under investigation.

The USDOJ manual features a dedicated section on assessing the effectiveness of corporate compliance programs in corporate fraud prosecutions, including FCPA matters. This section is a must read for any corporate compliance professional, as it provides detailed guidance on what the USDOJ looks for in assessing whether a corporation is committed to good-faith self-policing or is merely making hollow pronouncements and going through the motions.

The USDOJ manual advises prosecutors to determine if the corporate compliance program “is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives,” and that “[p]rosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

Recently, Deputy Assistant Attorney General Matthew Miner provided important additional guidance through official public comments establishing that the USDOJ will be assessing whether compliance officers proactively employ data analytics technology in their reviews of companies that are under investigation.

Miner noted that the Justice Department has had success in spotting corporate fraud by relying on data analytics, and said that prosecutors expect compliance officers to do the same: “This use of data analytics has allowed for greater efficiency in identifying investigation targets, which expedites case development, saves resources, makes the overall program of enforcement more targeted and effective.” Miner further noted that he “believes the same data can tell companies where to look for potential misconduct.” Ultimately, the federal government wants “companies to invest in robust and effective compliance programs in advance of misconduct, as well as in a prompt remedial response to any misconduct that is discovered.”

Finally, “if misconduct does occur, our prosecutors are going to inquire about what the company has done to analyze or track its own data resources—both at the time of the misconduct, as well as at the time we are considering a potential resolution,” Miner said. In other words, companies must demonstrate a sincere commitment to identifying and investigating internal fraud with proper resources employing cutting edge technologies, instead of going through the motions with empty “check the box” processes.

With these mandates from government regulators for actual and effective monitoring and enforcement through internal investigations, organizations need effective and operational mechanisms for doing so. In particular, any anti-fraud and internal compliance program must have the ability to search and analyze unstructured electronic data, which is where much of the evidence of fraud and other policy violations can be best detected.

But to utilize data analytics platforms proactively rather than in a much more limited reactive manner, the process needs to be moved “upstream,” to where unstructured data resides. This capability is best enabled by a process that extracts text from unstructured, distributed data in place and systematically sends that data, at massive scale, to an analytics platform along with the associated metadata and a globally unique identifier for each item. One of the many challenges with traditional workflows is the massive data transfer associated with ongoing migration of electronic files and emails, the latter of which must be sent in whole containers such as PST files. This process alone can take weeks, choke network bandwidth, and is highly disruptive to operations. By contrast, the payload for extracted text and metadata alone is less than 1 percent of the full native item, so the possibilities here are very compelling. This architecture enables very scalable and proactive solutions for compliance, information security, and information governance use cases. The upload to AI engines would take hours instead of weeks, enabling continual machine learning to improve processes and accuracy over time, and enabling immediate action on identified threats or otherwise relevant information.
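As a rough sketch of the text-plus-metadata payload idea (the field names and JSON wire format here are illustrative assumptions, not X1’s actual protocol), the record shipped upstream might look like this, with the native file staying in place:

```python
import hashlib
import json

def build_payload(name, native_bytes, extracted_text, metadata):
    """Lightweight record sent to the analytics platform: extracted text,
    metadata, and a globally unique identifier, never the native file."""
    record = {
        "guid": hashlib.sha256(native_bytes).hexdigest(),  # stable per-item ID
        "name": name,
        "metadata": metadata,
        "text": extracted_text,
    }
    payload = json.dumps(record).encode("utf-8")
    # ratio of what is actually transferred to the size of the native item
    return payload, len(payload) / len(native_bytes)
```

For a multi-megabyte presentation whose recoverable text runs to a few kilobytes, the ratio lands well under the 1 percent figure noted above.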

The only solution that we are aware of that fulfills this vision is X1 Enterprise Distributed GRC. X1’s unique distributed architecture upends the traditional collection process by indexing at the distributed endpoints, enabling a direct pipeline of extracted text to the analytics platform. This innovative technology and workflow results in far faster and more precise collections and a more informed strategy in any matter.

Deployed at each endpoint or centrally in virtualized environments, X1 Enterprise allows practitioners to query many thousands of devices simultaneously, utilize analytics before collecting, and process while collecting directly into myriad review and analytics applications such as RelativityOne and Brainspace. X1 Enterprise empowers corporate eDiscovery, compliance, investigative, cybersecurity, and privacy staff with the ability to find, analyze, collect, and/or delete virtually any piece of unstructured user data wherever it resides, instantly and iteratively, all in a legally defensible fashion.

X1 demonstrated these powerful capabilities in a recent webinar with Compliance DS, including a brief but substantive demo of our X1 Distributed GRC solution, emphasizing our innovative support for analytics engines through our game-changing ability to extract text in place with a direct feed into AI solutions.

Here is a link to the recording, with a direct link to the 5-minute demo portion.

In addition to saving time and money, these capabilities are important to demonstrate a sincere organizational commitment to compliance versus maintaining a mere “paper program” – which the USDOJ has just said can provide critical mitigation in the event of an investigation or prosecution.


Filed under Best Practices, compliance, Corporations, Data Audit, eDiscovery & Compliance, Information Governance

Want Legal to Add A LOT More Value? Stop Over-Collecting Data


The 2019 CLOC (Corporate Legal Operations Consortium) Conference ended last week, and by all accounts it was another great event for an organization that continues to gain relevance and momentum.  A story in Thursday’s Legaltech News entitled “Why E-discovery Savings Is About Department Value for Corporate Legal” summarized a CLOC session focused on “streamlining e-discovery and information governance inside corporate legal departments.”  At the risk of sounding biased, that seems like a perfect topic to me.

The article’s conclusions from the panel session, namely adding value by wresting control of eDiscovery from outside counsel, consolidating hosting vendors and creating a “living data map”, were all spot on and certainly useful.  One way for legal to add enormous value, however, was NOT discussed: collecting far less data as part of the eDiscovery, investigatory and compliance processes.

As we highlighted in an insightful webinar with our partner Compliance Discovery Solutions last Tuesday (which can be viewed here), the way most eDiscovery practitioners conduct ESI collection is remarkably unchanged from a decade ago, as shown in the infographic below: consult a data map; image entire drives from each and every custodian (e.g., with EnCase); load these many images into a processing application (e.g., Nuix); process huge amounts of data (most of which is entirely irrelevant); then move the now-processed data into a review application (e.g., Relativity).

[Infographic: the legacy eDiscovery collection workflow]

This legacy collection process for GRC (Governance, Risk & Compliance) and eDiscovery is wildly inefficient, disruptive to the business, and costly, yet many if not most practitioners still use it, most likely because it’s the status quo and change is always hard in the legal technology world.  But change here is a must, as this “image everything → then process it all → and only then begin reviewing” workflow causes myriad issues, not just for legal but for the company as a whole:

  • Increases eDiscovery costs exponentially. The still-seminal Rand study on eDiscovery pegged the overall cost of identification through production at $1,800/GB.  While some elements of this price have come down in the intervening 6-7 years, especially processing and hosting rates, data volumes and variety have grown by at least as much, negating those reductions.  Imaging entire drives by definition collects far more data than could ever be relevant in any given matter, and the costs of this over-collection multiply at every step thereafter, forcing clients to pay hundreds of thousands if not millions of dollars more than they should.
  • Is extremely disruptive to employees. Forensically imaging a drive usually requires gaining physical access to the laptop or desktop for some period of time, often a day or two.  Put yourself in each of those employees’ shoes: even if you are given a “loaner” machine, you still don’t have all of your local information, settings, bookmarks, etc., which is a major disruption to your work day and therefore a significant drag on productivity.
  • Takes far too long. Because forensic imaging requires physical access to a device, each custodian’s machine must be handled individually.  In many collections, custodians are spread across multiple offices, on vacation, or working remotely, which often extends the process to many weeks if not months.  All this time, lawyers are unable to access this critical data (e.g., to begin formulating case strategy, negotiating with opposing counsel or a regulator, etc.).
  • Creates unnecessary copies of data that could otherwise be remediated. An often-overlooked byproduct of over-collection is that it creates another copy of data that is outside of most (if not all) data remediation programs.  For companies that are regulated and/or encounter litigation regularly, this becomes a major headache and undermines data governance and remediation programs.
  • Forces counsel to “fly blind” for months. Every day the IT and legal teams spend forensically imaging each custodian’s drive, then processing it, and only then loading it into a review or analysis application is a day in-house and outside counsel fly blind, unable to look at key data to begin constructing case strategy, conduct informed interviews, negotiate with opposing counsel (e.g., on the scope of a matter, including discovery), or interact with regulators.  This is incredibly valuable time lost for no value received in return.
  • Using forensic tools for non-forensic processes is unnecessary overkill. The irony of this “image everything” approach is that it is extreme overkill: it would be like a doctor whose only procedure for removing a mole was to cut off the arm.  Forensic images can still be utilized on a one-off basis in narrow circumstances where there are concerns about possible spoliation of evidence, but in the vast majority of circumstances a forensic image is completely unnecessary.
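To put the over-collection arithmetic in concrete terms (the custodian count and per-drive volumes below are hypothetical; only the $1,800/GB figure comes from the Rand study cited above):

```python
RAND_COST_PER_GB = 1800  # Rand study: identification through production

def ediscovery_cost(custodians, gb_per_custodian, cost_per_gb=RAND_COST_PER_GB):
    """Downstream cost of everything a collection pulls into the funnel."""
    return custodians * gb_per_custodian * cost_per_gb

# Hypothetical 50-custodian matter:
full_image = ediscovery_cost(50, 250)  # image entire 250 GB drives: $22,500,000
targeted = ediscovery_cost(50, 5)      # collect ~5 GB of responsive data each: $450,000
```

Even granting that per-GB rates have fallen since the study, the fifty-fold gap between the two approaches is driven entirely by how much data enters the funnel in the first place.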

As was a focus at the recent CLOC conference in Las Vegas, corporate legal operations teams are quite correctly focused on showing the value legal brings to the business.  However, there is still a fundamental change they need to make to how they handle the collection of ESI for eDiscovery, GRC, and privacy purposes, one that would be an enormous value-add to all parts of the company, including legal: ending the systematic over-collection of data.  How this can be done quickly and cost-effectively has been the subject of previous blog posts, and will be addressed in detail in the coming weeks as well.


Filed under Best Practices, collection, compliance, Data Audit, eDiscovery, Enterprise eDiscovery, Uncategorized

GDPR Fines Issued for Failure to Essentially Perform Enterprise eDiscovery

By John Patzakis

The European General Data Protection Regulation (GDPR) came into full force in May 2018. Prior to that date, what I consistently heard from most of the compliance community was general fear and doubt about massive fines, with the solution being to re-purpose existing compliance templates and web-based dashboards. However, many organizations have learned the hard way that “paper programs” alone fall far short of the requirements under the GDPR. This is because the GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to search for, identify and remove it when required.

Frequent readers of this blog may recall that we banged the Subject Access Request drum prior to May 2018. We noted that an operational enterprise search and eDiscovery capability is required to effectively comply with many of the core data discovery-focused requirements of the GDPR. Under the GDPR, a European resident can request — potentially on a whim — that all data an enterprise holds on them be identified and also be removed. Organizations are required to establish a capability to respond to these Subject Access Requests (SARs). Forrester Research notes that “Data Discovery and classification are the foundation of GDPR compliance.” This is because, according to Forrester, the GDPR effectively requires that an organization be able to identify and actually locate, with precision, the personal data of EU data subjects across the organization.
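The core of a SAR response is locating every item that holds a given data subject’s personal data. A minimal sketch (illustrative only: the identifiers, document shape, and function name are assumptions, and a real system would query an enterprise-wide index rather than an in-memory list) might look like:

```python
def find_subject_data(documents, identifiers):
    """documents: iterable of (doc_id, text) pairs, e.g. text extracted from
    endpoints; identifiers: strings known to identify the data subject
    (name, email address, customer number). Returns the sorted doc_ids
    holding the subject's data -- the set a SAR response must disclose
    and, on an erasure request, remove."""
    wanted = [i.lower() for i in identifiers]
    return sorted({
        doc_id
        for doc_id, text in documents
        if any(w in text.lower() for w in wanted)
    })
```

The hard part in practice is not this matching step but getting searchable text out of thousands of endpoints in the first place, which is the operational gap the post describes.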

Failure to respond to SARs has already led to fines and enforcement actions against several companies, including Google and the successor entity to Cambridge Analytica. This shows that many organizations are failing to understand the operational reality of GDPR compliance. This point is effectively articulated by a recent practice update from the law firm of DLA Piper on the GDPR, which states: “The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect, process, securely store, share and securely wipe personal data (emphasis added).”

These GDPR requirements can only be complied with through an effective enterprise eDiscovery search capability:

To achieve GDPR compliance, organizations must ensure that explicit policies and procedures are in place for handling personal information and, just as importantly, that they can prove those policies and procedures are being followed and operationally enforced. What has always been needed is immediate visibility into unstructured, distributed data across the enterprise: the ability to search and report across several thousand endpoints and other unstructured data sources and return results within minutes instead of days or weeks. The urgency of GDPR compliance further heightens the need for such an operational capability.

X1 Distributed GRC represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1 Distributed GRC is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while effectuating that all-too-elusive actual compliance with information governance programs, including GDPR.


Filed under Best Practices, compliance, Data Audit, GDPR, Uncategorized

Why I Joined X1


Two weeks ago I joined X1 as CEO, a company I am convinced is in the process of disrupting not just the eDiscovery industry, but the regulatory compliance and corporate governance markets as well.  As I discussed at length with the X1 team and board of directors during the interview process, I see in X1 a ton of similarities to Recommind circa 2007 (shortly after I joined), alongside several additional advantages we didn’t have at Recommind back then.  Does this guarantee greatness for years to come for X1?  Absolutely not.  But it gives us the opportunity to control our own destiny which is all a software startup can ask.  Here’s why.

  • X1’s team and culture are strong. I have learned the hard way how important culture is, how it can be instrumental in raising a collective effort to new heights or hold an otherwise successful company back from reaching its potential.  X1 is filled with people who have been here for 5, 7, 10 and even 14 years (here’s looking at you, Alan!).  People here just want to win, to help make clients successful.  Our balance sheet and cap table are clean.  Revenue is growing nicely and we are cashflow positive.  Our investors, shareholders and board of directors have reasonable expectations about our plans and timelines (so far, anyway!).  X1ers are actually nice, which is a refreshing throwback coming from what has become a frequently cutthroat, arrogant culture amongst many of Silicon Valley’s largest tech companies and VC community.  We are building something special at X1, and if we execute well with a customer-centric focus at all times, everything else – accolades, continued revenue growth and profitability, financial gain – will take care of itself.

 

  • Making information actionable is really hard. When I worked at AccessData, a few VC friends of mine gave me grief for being at a company named after a problem that had already been solved.  “Accessing” information is indeed easy in most cases; however, making the right information “actionable” is an entirely different endeavor that is extremely difficult without X1 software.  What has changed over the last 10-15 years is the sheer volume and variety of information being created and therefore subject to litigation, regulatory scrutiny and corporate governance mandates.  Our industry-leading X1 Social Discovery product is proof of this, but the variety of today’s information doesn’t stop at social media: think of collaboration tools like Slack, Skype or Teams.  Simply put, people communicate in a far more varied way today than they used to, and making these varied data types available and actionable is hard.  I want to be at a company that is already addressing these challenges for our corporate, government, law enforcement and law firm clients, with ample runway to extend these capabilities, and X1 is exactly that.

 

  • The pressure on companies to find and act upon data is enormous. In the last 2 weeks we have done webinars on finding information on the Dark Web and California’s Consumer Privacy Act (CaCPA).  These topics weren’t on corporate radars – and in the latter case didn’t even exist – as recently as last year.  Add in GDPR, the growing impact of cybersecurity breaches, the migration of information to SaaS platforms and the cloud, and the ever-present scrutiny of regulatory authorities globally, and companies are struggling to make their information actionable as never before.  And this situation is unlikely to get any simpler or easier in the coming years, as the way we all communicate continues to evolve more quickly every year.

 

I have learned over my career (and life, for that matter) that timing is key.  It’s rarely something we can control, but it has a huge impact on all of us.  X1 has a terrific opportunity to fill key customer needs at the exact time customers need them met, and it has a team committed to customer success that genuinely cares.  I am extremely fortunate to be here at this time and can’t wait to see where we can take the company over the next 5 years and beyond.

– Craig Carpenter


 


Filed under compliance, Data Audit, eDiscovery, Information Governance, Uncategorized