Post on 07-May-2022


INFORMATION GOVERNANCE IN THE AGE OF CLOUD COMPUTING

INACTION IS NOT AN OPTION www.lighthouseglobal.com


Introduction

What makes information governance in the cloud different?

How should we respond?

Final thoughts

Proprietary/Confidential

John Shaw

Director, Account Management / Business [email protected]

• Over 20 years' experience working in technical roles: software engineering, digital forensics, e-Discovery and technical consulting

• Responsible for client relationships, engagement commercials and operational delivery and oversight

• Strong track record guiding clients through complex issues and ensuring service delivery at the highest level

© 2018 Lighthouse. All rights reserved. Lighthouse is a registered trademark of Lighthouse Document Technologies.


Introducing Lighthouse

Damian Murphy

Executive Director, Global Advisory Services, [email protected]

• Practising barrister / trial attorney and leads Lighthouse’s Global Advisory Services within the UK.

• For over 20 years, Damian has been advising and representing clients facing complex legal issues, developing and implementing practical solutions in a legal context and managing change across a wide variety of clients in pharma, government and financial services.

• Damian is responsible for providing the whole range of Lighthouse advisory services including eDiscovery, data protection and data movement, dawn raid response planning, managed services, information governance and records management.

• Before becoming a barrister, Damian worked at Accenture where he focused on business process design and change management within pharma, government and financial services in the UK and the US.

• As well as his legal qualifications, Damian has a degree in English Literature from Christ’s College Cambridge and a diploma in French from the University of Bourgogne.


Microsoft + Lighthouse Alliance

• Working relationship began 20 years ago

• Grew up together in eDiscovery

• Lighthouse is the leading Microsoft Compliance Partner for Microsoft 365

• Lighthouse is Microsoft’s eDiscovery service provider

• Engaged in all major U.S. regions, the UK and EU; working with 200+ corporations globally

• Key advisory positions include Partner Advisory Council (PAC); GDPR partner program; Financial Services Consortium

• Relationships within the Security and Compliance Product Group, O365 PAC, and CELA

• Strategic alignment between Microsoft and Lighthouse


The cloud has radically changed the nature of information governance

• The regulatory landscape is more demanding than ever before

• Data is more accessible

• Tools to provide control over data are readily available

© 2020 Lighthouse. All rights reserved. Lighthouse is a registered trademark of Lighthouse Document Technologies. Proprietary/Confidential

The regulatory landscape

• Accumulation of privacy regulations
  • GDPR, CCPA

• Increasingly militant regulators
  • Around €200 million in fines imposed under GDPR
  • Notable information governance fines (focused on failing to delete old personal data)
    • Deutsche Wohnen – €14.5m
    • Denmark:
      • ID Design – €200,000
      • Taxa4x35 – €160,000
      • Arp-Hansen Hotel Group A/S – €150,000

Top 5 GDPR fines (€)

• Google (Fr): 50m
• H&M (Ger): 35m
• TIM (It): 28m
• BA (UK): 22m
• Austrian Post (Aus): 18m


The accessibility of data


• Adoption of cloud-based data is one of the most disruptive and significant trends to hit the information governance profession in the past 20 years

• Having data in the cloud (e.g. in M365) means you have the data in, effectively, one place and in, effectively, one searchable format

The availability of tools

• Insider Risk Management: Identify and remediate critical insider risks

• Information Protection & Governance: Protect and govern data anywhere it lives

• Discover & Respond: Quickly investigate and respond with relevant data

• Compliance Management: Simplify and automate risk assessments

Microsoft’s Investment in Compliance (Including GDPR)

• Insider Risk Management
• Communications Compliance
• Information Barriers
• Customer Lockbox
• Privileged Access Management

• Retention & Disposition
• Cloud DLP
• Communications DLP
• Rules-based auto classification
• Machine Learning auto classification
• Records Management
• Customer Key
• Advanced Message Encryption

• Advanced Audit
• Core eDiscovery
• Advanced eDiscovery
• Data Subject Access Requests

Compliance Management
• Compliance Manager
• Compliance Score
• GDPR Dashboard


The regulatory landscape, the accessibility of data and the availability of tools…

These combine into the perfect storm, meaning that no company can afford to place itself in a position where it is not planning to delete the data that it does not need.



Foundational considerations

Adoption strategy

Dealing with email

Dealing with Teams

Dealing with old data


Foundational considerations - definitions

Make sure everyone understands the meanings

Gartner defines information governance as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information”.


Foundational considerations - teamwork

Assemble a team with solid credentials, a clear framework and a plan

Foundational considerations - privacy by design

eDiscovery
• End to End workflow including review

Records Management
• Retention & disposition

Privacy
• Auto Classification (Sensitivity Labels)
• GDPR Data Subject Access Request Automation

Data Protection
• Data Loss Prevention
• Alerts/Monitoring

Cyber Security
• Data Investigations
• Threat Analysis

Risk
• Compliance Monitoring

Knowledge Management
• Delve

Adoption strategy – email typically first

Exchange Online

• Frequently (not always) first workload implemented

• Typically 90% + of mailboxes moved to cloud

OneDrive for Business

• Will we adopt?

• Will it become our corporate standard for user file sharing?

• Will we migrate home share, My Documents, file sharing service

SharePoint Online

• Will we adopt?

• Will SPO replace file server based file sharing?

• Will we migrate file shares to SPO?


Although Teams is being prioritised more and more

• 500K organizations as of April 2020

• 91 of the Fortune 100

• 75 million daily active users

• 60% of Teams users reside outside the US

• Available in 51 languages



Email Governance

Where are emails that constitute records going to be stored?


Email Governance


Non-Regulated Examples

Highly-Regulated Examples

Example Framework in M365 (Exchange Online)

[Diagram labels: 2 Year Baseline Retention & Deletion; Exempt; 5 Year; 7 Years; 10 Years; Permanent (Sr. Mgmt Only); Legal Hold]

Labels may be applied to folder or individual items

M365 Teams Governance

• Considerations
  • Not just retention and deletion
  • “Level-Up” governance (for example: naming convention; who can create a Team)
  • Deployment configuration to meet legal, regulatory, compliance, and data privacy requirements
  • Retention and deletion
    • Chats (channel and private)
    • Files
  • Day 1 and go-forward: How will you stay in front of changes, e.g., Teams private channels?

M365 Teams Governance

• Approach
  • Participate actively in the evaluation, strategy, and planning for Teams
  • Develop/acquire baseline understanding of how Teams works, especially:
    • What data is available
    • Where that data is stored
    • Tools available to manage the data and how those tools work in practice – this requires a detailed understanding
  • Systematically review features and functions to assess their impact on information governance
  • Develop governance and configuration preferences and present to other stakeholders

Dealing with old data

Forklift move? “Information Governance” cleanup prior to move?

• Identify data subject to legal hold
• Identify data subject to legal, regulatory, or business retention requirements (records, work in progress, etc.)
• Identify data with business value
• Leftovers are “ROT”

“Information Governance” cleanup after move?

• Move ESI into M365 then turn on policies



What to take away?


• GDPR regulators appear to be focusing more on the storage limitation principle – data should be retained for no longer than is necessary

• Data in the cloud is both readily accessible and pre-formatted so that tools can be applied to make a rapid improvement in information governance

• Getting to grips with email is a good starting point

• Given the COVID-triggered proliferation of collaborative tools such as Teams, a tactical approach to information governance should include these tools in scope

• Communications management deals with the going-forward position; realistically defensible disposal of legacy data will be needed to reduce regulatory risk significantly in relation to the storage limitation principle