Encryption and e-Discovery are Often at Odds

Posted 1/31/2012

Electronic Discovery doesn’t always align with other IT processes and business requirements. Some organizations need to archive data to relieve strains on data storage and comply with data retention requirements. And, increasingly, organizations are encrypting sensitive data to meet regulatory mandates and prevent data breaches. Both of these processes can impede e-Discovery readiness.

A lot of ink has been spilled discussing the impact of archival on e-Discovery. Questions asked include: Where is the data located? On what type of media is it stored? Will you be able to access and produce it in response to an e-Discovery request?

Encryption is an emerging challenge. According to Symantec’s 2011 Enterprise Encryption Trends Survey (download requires free registration), 42 percent of organizations have been unable to respond to e-Discovery requests due to encryption issues.

The problem is only going to increase. Forty-eight percent of enterprises increased their use of encryption over the past two years, and almost half of their data is now encrypted at some point in its lifecycle. But one-third of survey respondents said unapproved encryption deployment is happening on a somewhat to extremely frequent basis. Because these projects are not necessarily following the company’s best practices, 52 percent of organizations have experienced serious issues with encryption keys including lost keys (34 percent) and key failure (32 percent). In addition, 26 percent have had former employees who have refused to return keys. That means the encrypted data is essentially lost.

Fragmented encryption creates risk from the lack of centralized control of and access to sensitive information. That’s why it can disrupt critical processes such as e-Discovery and compliance monitoring. In fact, the inability to access important business information due to fragmented encryption solutions and poor key management is costing each organization an average of $124,965 per year, according to the survey.

The inability to respond to an e-Discovery request could cost much, much more. Encryption must therefore be tightly integrated with e-Discovery tools, processes, and policies. Organizations should take steps now to prevent ad hoc encryption and ensure that data can be decrypted in the event of litigation.

Cloud Computing

Cloud computing is a new buzzword for technology that has existed since the advent of the Internet. What has changed, however, is the rate at which companies are using these services. Find out if your cloud-computing provider can comply with your data retention plan and various litigation holds. If you’re entering into an agreement with a new provider, ask about support during the collection phase of the Electronic Discovery Reference Model (EDRM). Also ask about service level agreements (SLAs) for uptime, what happens to your data upon separation, and how the provider will recover from a disaster. Or, contact The Whitehouse Law Firm to have the firm ask those and many other important questions on your behalf.

The Whitehouse Law Firm can also help cloud-computing providers review current or planned services to address common concerns of today’s business owners. Contact The Whitehouse Law Firm to discuss your options in this area.

Legal/Litigation Holds

If you’re wondering whether you should issue a litigation hold, the answer is most likely yes. Contact The Whitehouse Law Firm today to review your options. The consequences for failing to issue a litigation hold can be severe.

The issuance of a litigation hold is not an easy process, and those going through the process must take their responsibilities seriously. The Whitehouse Law Firm can work with you to identify key individuals who might hold information related to the litigation. The firm will ask a series of questions about how your business operates and the technology you utilize. Do your employees use smart phones or perform company business on home computers? When did you last reuse backup media or when do you plan to do so? Let’s discuss these items in detail and identify other areas your company may need to address in its litigation hold.


Once you have issued a litigation hold, The Whitehouse Law Firm can help you maintain your obligations while it is in effect. If your employees are busy earning money for the company, a simple reminder email many months after issuing a litigation hold might not be enough. The Whitehouse Law Firm can help you find a way to continue utilizing your technology without the unnecessary risk of accidentally changing or deleting data.

The firm can also discuss with you how to determine when your litigation hold is complete and what to do once it is. Don’t forget that unrelated litigation occurring after the issuance of a hold might require the preservation of currently held information.

Contact The Whitehouse Law Firm today to discuss options.


Data Retention Policies

Every business—regardless of size—should have a data retention policy. The contents of that policy, however, are different for each company. Allow The Whitehouse Law Firm to understand your business’ data retention needs and construct a policy specifically for you.

A data retention policy can help maximize your technology investments by ensuring that only data needed to run your business remains on your valuable IT assets. Implementing a data retention policy could increase performance on your applications that don’t perform like they used to. More importantly, a data retention plan will address how to treat your information before, during, and after litigation.

The Whitehouse Law Firm can also help you assess whether your existing data retention policy is being enforced. After all, there’s no use having a policy if it isn’t in use. And for many companies, not following a documented policy could result in a formal audit finding. Audit findings can reduce confidence in your business’ clients and investors, which can be very costly. Contact The Whitehouse Law Firm to review your existing data retention policy against your business’ current requirements. Remember that as technology evolves, so must the policies that control it.