COVID-19 + Shadow IT = Trouble Ahead

The pandemic is a unique event for almost every organization. Many had to go from what had been their normal in-office operations to having everyone work from home. In some cases, they discovered that their computer networks and systems weren’t designed to support a substantial remote workforce and couldn’t do so. IT departments in many cases worked around the clock to make the arrangements that they believed necessary to begin to support the new way of working and doing so within hours or days.

One of the issues that existed before the pandemic is referred to as “shadow IT.” This is generally defined as cyber operations that are arranged without the permission and knowledge of the organization’s information technology management. In the COVID-19 situation, it can also mean someone in the IT department short-cutting normal controls and not documenting, for example, the use of a cloud storage service that is arranged online, and paid for with a credit card, with the cost charged to an expense account. Whether done in normal circumstances by a non-IT employee or by an IT employee as a expeditious way of meeting the different challenges COVID-19 poses, these shadow IT processes shortcut the standard practices that enable an IT department to manage how data is processed, who processes it and how they secure it.

Most importantly, shadow IT decisions made in haste may well be seen as temporary, to be used only until more definitive long-term arrangements can be made. Both in these short-term cases and in the cases of systems that are unknown to IT management, there is an additional risk that by its nature may not be considered, either by the IT people making sudden short-term arrangements or non-IT people making arrangements for processing outside the purview of IT (or compliance).

When users think about what they want the system to do, they focus on the functions the system performs for them. But virtually every system has another vital function—collection and preservation of evidence.

Whether the system is performing an accounting function, facilitating communication, providing connectivity or giving access to data storage, systems capture data that represents evidence that may be vital in some future litigation. 

Consider, for example, future litigation that contends that management of a company knowingly procured defective N95 masks that failed to protect employees who dealt with the public from exposure to COVID-19. A dozen employees were found to have the virus and three died. Testing later showed that the masks all failed to meet the standards for N95 protective equipment.

The plaintiffs provided evidence that the company the masks were purchased from sold personal protective equipment that had failed certification testing. If the defendant corporation had emails that showed that the purchaser inquired into the authenticity of the masks and received copies of what turned out to be falsified test results and certifications as attachments to emails from the seller, that could be valuable evidence that the defendants carried out commercially reasonable due diligence and did not know that the masks were defective. 

But what if that email transaction was run on an email system that was in temporary use during the period of transition from an in-office to at-home workforce? IT arranged it with an “emergency waiver” from procurement. Under this waiver, the contract (which was displayed in part on a computer screen with a button available—but not used—to read the entire thing) was never reviewed by legal. It was only used for 45 days, only half of the time covered by the waiver. At the end of the 45 days, IT reconnected the at-home users to the regular email system.

But what of the email traffic during those 45 days? The company email policy calls for 10-year retention. But the practice at the temporary email system was to only store email for 10 days. This was explained in the contract which was never reviewed. When the time comes to transfer everyone back to the regular system, the temporary email processor provides a file with all the previous 10 day’s email traffic, but 35 days of email is gone forever. In fact, this might not be noticed for some time. But when, two years from now, email traffic during those lost days seems to be the difference between losing and winning a multi-million-dollar lawsuit, there will be a lot of looking back and wondering how it could have happened.

What should be apparent is that while there may be exigencies that require agile movement to alternative systems, whether on a long or short-term basis, they should not trump the need to think about things like evidence collection and preservation. In most cases, you don’t get a second chance.