It’s hard to predict how businesses will fare in the world post COVID-19, but if the experience of prior disruptions can be used as a model, the pandemic is going to result in massive amounts of litigation that will take years to adjudicate. Shareholders will file actions charging boards and management with taking the wrong actions during the crisis. Employees will put forward claims that they weren’t properly protected or that they were treated poorly. Insurers are likely to be sued on issues relating to coverage. Litigation may also arise related to accounts receivable and accounts payable.
While we can’t predict the details of the litigation that any given company will face, we know that with any litigation, once it is filed (or it becomes evident that an action is pending) the first question counsel will ask is “what happened?” The question that will accompany it is “what evidence do you have to support the company’s position?”
It’s usually straightforward to search company email systems and files to provide the material that counsel will need and that may be required to be turned over in the litigation discovery process. You have probably accounted for these data sources in data mapping exercises run for GDPR and CCPA compliance before the pandemic. Now, people are working from home who may have never done so before. They are using cloud- and web-based systems like Office 365, and connecting from company computers, personal computers and mobile devices. They may be sending and receiving emails using their personal email accounts and using messaging systems like personal Zoom accounts, or “disappearing” messaging systems like Signal which are not part of the company’s normal suite of software. Finally, there will be data commingling—people at home are far more likely to use company equipment for personal reasons.
This will create a series of unintended regulatory and litigation impacts. It raises the question of whether the company’s IT management—in coordination with general counsel—is in control of its information. Because they are sources of data and potential litigation evidence, it’s vital to know whether emails, instant messaging, audio and video conferencing and all the other ways that people are communicating are being managed to assure that everything that should be preserved (whether as a matter of law or regulation, or based on the analysis of counsel) is actually being preserved.
Management and counsel may assume that communications that should be preserved are actually being preserved. Don’t make that assumption! Unless you have technology on the machines that people are using—both company and bring-your-own-device equipment—that can determine what programs are being used for communication, you may not get positive assurance that only authorized software is being used.
You need to let your people know what you expect. This is not a situation that is unique to COVID-19 disruptions. We see “shadow IT” in many organizations where individuals or groups adopt software that hasn’t been authorized or tested, and for which counsel hasn’t determined whether the contractual terms for use are acceptable.
Send an email (and preserve a copy, along with the list of people who received/read it, and the date and time it was distributed and read) stating that only “official” email and messaging (and other authorized) systems can be used for company business. Using personal email addresses or systems and other email and instant messaging systems is specifically prohibited. Emphasize that this is to assure that the company can preserve communications that are required or should be preserved. Send these communications regularly to demonstrate that you took reasonable steps to encourage the use of only official, preserved communications channels.
Additionally, you don’t want to be seen as encouraging your remote working staff to store company documents solely on their local machines. When litigation occurs, you may find yourself in a nightmare of trying to pull together information on dozens, hundreds or thousands of endpoints, not knowing what may have been deleted or modified.
As a result, we strongly recommend that IT management confer with the organization’s counsel and human resources specialists to craft a communication that is legally sufficient, takes into account users’ needs and gives instruction that the company’s systems, staff and networks can actually accommodate and accomplish.
Sending the message with your expectations for use of approved (and preserved) communication and storage technologies is vital, but can you simply assume that your instructions will be carried out without any issues?
To the extent your technology and in-house or outsourced endpoint monitoring systems permit, be on the lookout for people who have downloaded unauthorized and potentially dangerous applications like Signal onto their phones or laptops.
You can imagine opposing counsel in a deposition asking an executive why they felt a need to use a communication application which could not be preserved, and exactly what they used it for. These are questions for which you might not like the answers!
Many companies protect themselves by limiting the ability of an end-user to download application programs that are not on a pre-approved “white list.” If someone needs an additional application, there should be a mechanism to seek authorization.
A key step in gaining this control is deploying endpoint monitoring software to remote user systems. This can help identify the programs being run and the data sources being created, so that after the crisis, data can be relocated as needed into approved corporate storage systems.
However, these systems must be deployed with an additional series of approval and notices. They run the risk of triggering privacy or labor issues—so it is critical to make sure that employment counsel has helped craft the notice.
Many—perhaps most—companies had little time to prepare for the disruptions related to COVID-19. Offices were suddenly shut down and the transition from an in-office to an at-home work situation had to be accomplished almost instantly. The measures your technology team took to preserve evidence ahead of potential COVID-19 related litigation may have been rushed due to the rapid spread of the pandemic.
It is vital to prioritize any interruptions or problems relating to evidence collection and preservation. General counsel and IT need to discuss how collection will run during the crisis, and how the locations of data have been tracked. You don’t want to find yourself in a situation where, in a deposition, a manager says something that is immediately and definitively contradicted (as an example) by an email message that originated from a private email account and was sent to a client, that wasn’t preserved by the company’s systems, but was preserved by the recipient, whose counsel is now placing that email into evidence as an exhibit to the deposition. That kind of evidence can be devastating.
Two key areas to consider for additional monitoring or collection capability are mobile devices and web-based communication systems. Do not assume that IT has the tools and the expertise to identify and collect data from all these sources.
Dealing with litigation requires evidence of what was done, why it was done and who communicated with each other. The disruptions relating to the pandemic may have interfered with your company’s ability to preserve what needs to be preserved. A court might understand the problems you had, but without evidence (at least that you have access to), defending or prosecuting a civil action may be difficult or impossible. Taking steps now to understand your risks and how to mitigate them may turn out to be one of the most important things you can do to safeguard your organization.