Modern Law and Purview

Many firms are bringing legal advice in house and in the process starting to re-envision the value that they have been receiving from outside counsel for several years.

One of the great historical challenges when it comes to the law and IT has been a hidden path dependency creating a large amount of technical debt and a poor end-user experience for employees.

We all have heard it before: "oh, we can't do X because of legal" when a technology solution is found to a business problem. This apocryphal story mirrors, in many organizations, the same tale only using "internal IT". What's disappointing is that both sides of the house began, decades ago, with perfectly good reasons for their policies. The failure to keep up, and to coordinate with each other, isn't intentionally malicious, but to an employee it may seem that way.

If we go back a few decades to the emergence of email as a primary collaboration tool, at the time, IT had limited resources, and therefore most employees had a "hard limit" on how much email they could accumulate. Physical servers, hard drive storage capacity - even the network itself were all bottlenecks limiting how much space staff could use to store email and the size of emails that could be sent to one another.

At the same time, when more communications were becoming digital, legal teams were rightfully concerned that being hit by a discovery motion, which could takes weeks or months in the physical world (going through boxes of paper and file cabinets) might take even longer when it came to servers - and because the ability to search through digital storage was newer, potentially require even more expensive staff to perform.

Both sides, therefore, had an incentive to limit the amount of space used for email. The legal team, to reduce the risk of storing potentially damaging digital evidence, would advocate for a time cutoff, after which all documents + emails were deleted. The IT team, to reduce the cost of storing the data, concurred.

Meanwhile, processing power continued to drop in price. And storage became even cheaper.

In the new world of almost unlimited storage in the cloud and more robust tooling for e-discovery motions - did IT and legal change? Of course not.

And thus, one would see IT blaming legal for a policy requiring all emails to be deleted after a year. It wasn't their fault, IT would say - it is that legal is making us delete every email after that time. Legal would, again correctly, point out that reducing email to a single year would reduce risk at an organization and would reduce cost associated with an e-discovery motion. Having said that, most organizations failed to put rigid controls in place to prevent employees from forwarding emails on to others - and at the end of the day, a person could always take a smartphone out and snap a picture of any particularly damning email. More importantly, the cost of e-discovery had fallen as the toolset matured.

So what does a modern organization do to ensure they are taking an appropriate stance towards email retention, policy implementation and proper governance? The first step to recognize is that all digital assets enable greater degree of control. In an age of physical copies of paper, it is difficult to place controls that work effectively. (Just look at the ongoing Discord Leaks investigation.) By contrast, with digital controls, one can setup files and communications to be encrypted by default, require authorization to adjust classification levels and even segregate your organization via proper information barriers.

Microsoft has been steadily improving their data governance platform - and with the latest updates Microsoft Purview has become a single repository for compliance requests, risk management and overarching data governance. In the last year since announcement, Microsoft has streamlined and standardized how data is labelled, protected and discovered for organizations of all size.

Need to discover where your data is today? Use the Purview Data Map.

Want protection from insiders acting maliciously? Try Insider Risk Management.

Interested in preventing employees from saying the wrong thing? Communication Compliance can address that.

Best of all, once data is encrypted, it can continue to be co-authored by your employees in real time, on all types of devices, meaning you don't have to trade off protection with functionality.

Yes, e-discovery is more robust to boot - taking minutes instead of hours to locate targeted data. And legal holds are easier than ever to setup and administer.

The most important thing to convey to both your legal department and IT is that the technology exists, thanks to Purview, to keep everyone in the organization safe and productive even if the individuals don't change their behavior. That's the biggest cultural shift: instead of demanding staff read and understand a thick binder of policies - the technology itself will help ensure folks don't inadvertently make a mistake. IT and Legal can move away from being seen as "the police" of an organization to instead driving true innovation.

And that, ultimately, is how modern organizations are going to differentiate themselves from their slower, less nimble competitors. As I often say about security - you can't protect the horses that already left the barn - so starting to classify and protect your data estate should start today. With Purview, that time period has shrunk immensely - and organizations can begin to see value in days instead of weeks.