Page 15 - CCCA Magazine Winter 2014
P. 15
{ legal UPdate } controllIng e-dIscovery costs and data securIty By Marlon Hylton information governance (ig) is a means to defne and manage and domestic privacy laws that may apply to them. how information is controlled, accessed and used in an organization to minimize legal and compliance risk and improve protect against data breaches and business effcacy. it is emerging as a way by which organizations improve the response to breaches. Even organizations with the best cyber- can control e-discovery costs and address data security concerns. security are susceptible to data breaches. When a breach occurs, the more sensitive the information exposed, the more cost- ontrolling e-discovery costs is becom- Similarly, in the face of ever-escalating ly the breach. IG controls in connection ing harder as information multiplies concerns over data security and the possible with cyber security will help the organiza- cand is shared ever more widely around introduction of mandatory notifcation tion identify the areas of greatest threats; the world. Even where lawyers effectively requirements for data breaches in Canada, prevent unauthorized changes to data, control costs at each stage of the process, e- organizations with disorganized informa- data structures, confguration fles and discovery continues to consume a substan- tion may face high costs if breaches occur. logs; avoid disclosure or leakage of sen- tial share of departments’ budgets. Bill S-4, Digital Privacy Act, was introduced sitive data to reduce the cost of a breach; The freedom employees have to create, in April 2014 and proposes mandatory no- and respond effectively to breaches by set- use and store information in many dif- tifcation requirements for data breaches ting out, for example, immediate steps to ferent forms and places can be effectively under certain conditions, along with fnes be taken, who to contact, what to preserve controlled by IG. A failure to develop IG of up to $100,000 for non-compliance. either for the government or private liti- controls will result in organizations hav- In the U.S., where breach notifcation gation later and what notifcation require- ing disorganized information: they won’t is mandatory in most states, data breach- ments apply. know what information they have, where es in 2014 cost companies an average they have it, why they have it, how they USD $5.85 million per breach, accord- streamline response to litigation, use it and when to discard or destroy it. ing to the 2014 Cost of Data Breach Study: regulatory and audit matters. In the face of litigation and regula- Global Analysis. These numbers do not IG controls in connection with an e- tory investigations, organizations with account for the litigation costs from such discovery/litigation readiness plan will disorganized information spend con- breaches, which would, of course, include balance cost and strategy at each stage by siderable time and money attempting to the increased cost of e-discovery for orga- outlining best practices and steps to be satisfy their discovery obligations, and nizations with disorganized information. taken at each stage of the e-discovery or face increased risk of court sanctions for The starting point of an effective IG regulatory response process. failing to discharge them. L’Abbé v. Allen- strategy is organizing information: deter- IG proactively formulates the practices Vanguard 2011 ONSC 4000 illustrates the mining what information the organiza- and resources your organization requires point well. The court levied cost sanc- tion has, where it has it, why it has it, how to reduce e-discovery cost, limit the cost of tions against Allen-Vanguard for breach- it uses it and how long it needs to be kept. a data breach, and avoid disclosure or leak- ing production obligations and failing to This assessment lays the ground-work for age of sensitive data. As increasingly more meet e-discovery deadlines. Among the the legal and technological controls in- organizations are starting to take IG seri- reasons for the delays were last-minute cluded in a well-developed IG framework. ously, the benefts continue to emerge. ❚ discovery of additional data sources; and Such controls generally include policies, technical issues related to collecting, pro- procedures and technology that: cessing and reviewing that data. Indeed, Marlon Hylton is an e-discovery the court found that Allen-Vanguard’s safeguard confdential information and and information governance production diffculties resulted mainly facilitate compliance with privacy laws. lawyer at McCarthy Tétrault. from its lack of complete understanding IG controls help organizations create, use of its information architecture at the out- and store information in a manner that set of the litigation. accords with the panoply of international Canadian Corporate Counsel assoCiation | CCCa-aCCje.org 15
