The proliferation of collaboration tools has transformed the information landscape, altering the risk profiles of security, privacy, and compliance. Add to this the potential liabilities inherent in new data stores, which may include PII or sensitive information, and it may be that evaluating new tools and services solely from the perspective of the content owners' needs and IT requirements is not enough. The full spectrum of potential risks created by new applications must be considered in the context of different business groups, their interactions, and the data they access. The Information Governance team is uniquely suited to bring this vital perspective. This need is vividly illustrated by collaboration tools such as Zoom, Trello, Slack, or Microsoft Teams. And the risks they pose can be far more consequential than counsel appearing in court disguised (albeit apologetically) as a cat.
Information Governance Risks
Managing organization-wide tools like a “Microsoft Teams environment is no easy task,” writes Microsoft Partner AvePoint. “Ensuring that you’re able to contain sprawl” and “keep internal data safe…requires some serious governance measures” (Hunter W., 2018). While extensible unified communication and collaboration tools per se are not new, consider the complexity of properly governing collaboration tools with content hosted in the cloud and syncing to both employer-provisioned computers and BYOD assets. For example:
Data Security Risk
The use of collaboration tools that support freely sharing documents, messages, and data across jurisdictions, corporate infrastructure, and personal devices, especially in a work-from-home environment, represents an attractive new point of entry for hackers to gain access not just to the information on the device or in the cloud but to company systems as well.
Data Privacy Risk
Collaborative workflows that give users the ability to create multiple workgroups, workspaces, and channels substantially increase the likelihood of PII or sensitive data breaches and leaks. A study conducted by Symphony “found that 25% of workers have used collaboration tools to share personal information, such as HR and pay details, while 21% admitted to having sent company financial information” (NordLocker, 2019).
The data, documents, and messages contained within collaboration platforms are discoverable in litigation or investigations. Legal and Records Management (RM) will need to develop retention policies and understand how those policies can be enforced. The methodologies for preserving, collecting, reviewing, and producing the message threads and attachments need to be understood.
Proactive Information Governance
While these are just a small sample of the considerations that need to go into vetting collaboration tools, they serve to highlight that the vetting and implementation of any application can cut across legal, operations, compliance, InfoSec, IT, privacy, and records management. Importantly, the requirements will differ among the various content owners, as the risks associated with, say, Finance and Accounting or HR information being shared are much different from those of Sales, for example.
These considerations are not the sole province of IT, nor should they be addressed after the fact. Rather, the adoption of collaboration tools should include the Information Governance team at the outset.
Matt Mahon, CEDS, IGP, is the National Manager for Ricoh Information Governance & eDiscovery Sales. He leads strategy and training for the sales team, and consults with clients, delivers CLE training, and is a frequent speaker and writer on eDiscovery issues.