WHITE PAPER Managing Modern Data Sources for Compliance and eDiscovery Information Governance of Website, Team Collaboration, Mobile Text, and Social Media Content in the Era of COVID-19 CONTENTS 4 18 Introduction Solutions for Compliant 4 The New Compliance and Discovery Recordkeeping Landscape 18 Data Loss Prevention and Monitoring 5 The CCPA, GDPR, and Other Privacy 18 See all Content in Context Considerations 18 Never Miss a Change Again 6 19 Find What You Need in One Platform The Challenges of Modern 19 Exports that Work for your Business Information Governance Processes 7 Why Online Recordkeeping Is Hard 19 Incontestable Evidence 8 The Demands of Digital Evidence 19 Collect Content Related to a Case 9 20 Align With Your Retention Scheduling The EDRM and the Information Policies Governance Reference Model 20 Easily Place Content on Legal Hold 10 20 Pagefreezer’s Information Let’s Connect! Governance Lifecycle Model 11 Create 13 Retain 15 Manage 17 Dispose Managing Modern Data Sources for Compliance and eDiscovery 2 Introduction Introduction The New Compliance and Discovery Landscape As countless companies instructed their employees to work from home at the start of the COVID-19 pandemic, an existing information challenge was greatly magnified: the challenge of dealing with online data sources that are difficult to monitor and manage. And with so much of the global workforce working from home—and relying on online platforms to communicate—these data sources hold greater amounts of sensitive information than ever before. Just consider internal team collaboration tools. Employees could be creating documents in Microsoft Office, G Suite, and countless other lesser-known solutions (like Dropbox Paper), and then sharing them through email and team collaboration tools, which includes everything from Slack, Workplace from Facebook, and Microsoft Teams to Asana and Trello. And on top of that, they could be hosting (and recording) Zoom calls, during which sensitive information is discussed and displayed. Needless to say, keeping track of all of this can be tricky. Mobile text messaging and instant messaging tools (like WhatsApp) offer a similar challenge. These are often used to share sensitive information both internally and externally, yet legal and compliance teams can struggle to gain access to these communications. What, for instance, would happen if an employee deleted a text message from their mobile device? How easy would it be to retrieve that content for a regulatory audit or legal matter? These considerations extend to external-facing online sources like websites and social media channels as well. With more business and communication happening online, keeping track of online content is crucial but often tricky. A company website is a good example. It’s likely to exist on top of some kind of content management system (CMS), but might also have a section behind a user login screen with data hosted elsewhere. Then it could also have multiple forms that feed information to cloud-based sales and CRM solutions, as well as a chat bot from a third-party vendor. Managing Modern Data Sources for Compliance and eDiscovery 3 Introduction As for social media, these platforms allow anyone to post a comment to an organization’s account—or to share sensitive information via direct messaging. As an example, someone might ignore requests to send an email or call a support center, and instead share their customer details directly through a social media platform. This introduces clear risks that should be mitigated through good information governance. But how can it be accurately collected and preserved— especially when social media content can be edited and deleted? The CCPA, GDPR, and Other Privacy Considerations Going hand in hand with the rise in online communication is a steady increase in privacy legislation. New legislation, like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), are placing stringent demands on organizations when it comes to managing individuals’ data. These regulations demand that organizations know exactly what user data they hold and what they do with it. Additionally, companies are expected to respond effectively to a Data Subject Access Request (DSAR) or Right to Erasure Request. In other words, organizations need to be able to identify relevant data right down to an individual subject—and this extends to web, social media, team collaboration and mobile text content. Because of the above, Pagefreezer has created this white paper. It offers an Information Governance Lifecycle Model that aims to assist organizations in dealing with web, team collaboration, social media, and mobile text content. The model addresses proper management of online data throughout its lifecycle— through the stages of: • Creation • Management • Retention • Disposal Before we dive into this, however, it is worth taking a moment to understand why online data can be challenging to collect and preserve. Managing Modern Data Sources for Compliance and eDiscovery 4 The Challenges of Modern Information Governance Despite the fact that organizations need to keep detailed records of online data for litigation and compliance, many still fail to do this effectively. Why? Well, modern electronic recordkeeping can be challenging, and many companies struggle to understand exactly what’s required. While keeping records of official emails and discreet electronic documents is one thing, capturing dynamic online content is quite another. Enterprises are expected to maintain records of: • Websites (including password-secured pages) • Social Media Accounts (Facebook, Twitter, Instagram, etc.) • Message Boards and Forums • Enterprise Collaboration Content (Slack, Teams, Workplace from Facebook) • Text Messages and Messaging Apps (WhatsApp) Doing this isn’t easy since content is constantly evolving—every passing minute brings more comments, replies, likes, and shares—and they all result in new electronic records. As an example, every new reaction or comment added to a social media post technically creates a new record. In other words, one Facebook post that sees a lot of engagement can result in hundreds of new records. And to make things even more complex, even deleted posts and comments should be collected to meet compliance and litigation needs. Managing Modern Data Sources for Compliance and eDiscovery 5 The Challenges of Modern Information Governance Why Online Recordkeeping Is Hard Here are some of the main reasons why organizations struggle to keep accurate records of online data. Mix of Content Message boards, forums, blogs, enterprise collaboration platforms, social media accounts, and instant messaging conversations don’t necessarily consist of one simple stream of content—they can have timelines, pages, direct messages, images, videos, comments, etc. This can easily lead to missing content and gaps in archives if not captured correctly. For instance, a screenshot of a social media or team collaboration post would obviously not capture a playable version of a posted video. A screenshot of a post could also miss crucial comments that have been collapsed and are not immediately visible under the post—and will offer no insight into edits and deletions. Real-Time Activity When it comes to electronic records management, social media channels and enterprise collaboration platforms are unique in the speed at which things happen. Thousands of comments, likes, and shares can happen in an hour, and with each new interaction, a new record is generated. This neverending real-time activity poses a tremendous challenge, since a record can be outdated almost the moment that it’s created. It’s also all too easy for a post to be edited or a comment deleted before an accurate record is created. And what would happen if content was ever to be deleted from the original platform? Would any record remain? Evolving Platforms Since a manual process like screenshotting is labor-intensive, can lead to incomplete records, and is unlikely to result in records that’ll satisfy a court or auditor, many organizations resort to some form of recordkeeping that collects social media data automatically. While this is a good approach, it’s worth keeping in mind that social media and team collaboration platforms are always evolving, so whatever solution an organization opts for, it needs to be able to adapt to platform changes. Otherwise, every platform change will result in lengthy downtimes and record gaps. Managing Modern Data Sources for Compliance and eDiscovery 6 The Challenges of Modern Information Governance Integration Requirements In order to ensure that social media content is always collected in real-time, that archives are of evidentiary quality, and that any changes to a platform will not impact the ability to archive data, it’s necessary to leverage platform APIs. By integrating their own applications with the APIs of these platforms, archiving vendors ensure that all necessary information is gathered. Gaining access to these APIs and building the necessary integrations isn’t always easy, but it’s undoubtedly the best way to ensure accurate records. The Demands of Digital Evidence Along with the complications of online data collection and archiving mentioned above, it’s also important to discuss what is required in order for digital information to be accepted by a court or auditor. An organization has to be able to prove the integrity and authenticity of any record provided, which means showing that the data hasn’t been tampered