Where is your data stored?

By Paul Birch | 23 January 2019

The hardest part of writing any article is trying to find a meaningful way to communicate what it is that you want to say. In my research phase for this article, I was looking for a way to convey the many and varied data scoping skills that my team and I possess. 

An hour later, I came across an interesting (and I do not use this word lightly) article entitled ‘England and Wales pilot can make disclosure ‘more intelligent, tailored’’[1]. The article, written by Richard Dickman, a Legal Director at Pinsent Masons, explains how the new pilot, starting this month (January 2019), is set to radicalise current rules by giving us more specific options that will apply on a case by case basis. The part of the article that really interested me though, was the area concerning document preservation.

• Strong duties to preserve documents: the need to preserve documents has long been an important feature of litigation and this is reinforced under the pilot. It is now set out expressly that once a business knows that it is or may become a party to proceedings it must take reasonable steps to preserve relevant documents in its control. Moreover, the pilot goes further and specifies that this requires: the suspension of relevant document deletion or destruction processes; sending a written notification to preserve documents not only to all relevant employees but also to all relevant former employees; and also taking reasonable steps so that agents or third parties who may hold relevant documents do not destroy them. Parties will have to confirm expressly that they have taken these steps

Part of the work that the BDO Forensic Technology team has completed over the past twelve years involves assisting our Fraud and Business Restructuring teams in securing electronic data from individuals and small, medium and large companies.

Invariably, when we speak to the IT departments of SMEs, a good knowledge of certain areas of the network are known by one or two people, but no one person has a good overall knowledge of the whole system.

This is understandable as companies grow and develop. Twenty years ago, whilst not best practice, it was understood that a company could run all it required on one server. Nowadays, with the exponential use and reliance on digital data and the development of complex IT systems, a basic IT system will undoubtedly consist of a minimum of three servers: one email, one data and one to control who accesses the network (domain controller) with the data stored upon external storage. 

When looking for these servers, an added complication can be thrown into the mix when virtualisation is utilised to host these three separate virtual servers on one physical server.

In one instance, we were told that the company only had three servers. When investigated further, the initial information was not quite accurate. Whilst the company did have just three physical servers; it also ran fourteen virtual servers alongside!

We have frequently found that, as companies grow, their IT infrastructure must be managed and documented properly. Whilst data may be available to the user (databases, accounts packages etc.), it is possible that the location of the data is unknown.

There have been a number of occasions where the only way to track the server down was to follow the network cable!

One occasion took place in a saw mill when the server was finally located under a work bench, the server had been covered by a mound of sawdust. The only indication that it was there was a hole in the sawdust created by the server’s cooling fan.

Another such occasion was in a seventies office building. The network cable lead us to a small room that had been bricked up two years previously!

Whilst there are some comical anecdotes, implications of not knowing where your data is stored are serious. These can include:

• Missing vital time lines and incurring large penalties e.g. data subject access requests
• Lack of documentation
• Standard Operating Procedures
• Network diagrams
• Server documentation
• Clear and comprehensive designation of duties and responsibilities
• Staff retention 
• The perception that the IT department is a cost rather than a valuable company necessity
• Servers being left unpatched and so vulnerable to exploitation by hackers

Despite being the era of huge technical advancements, it is abundantly clear that companies and often companies that have experienced rapid growth, do not always have a true idea of where all their data is stored.

One of the recommendations in Richard’s article is to “know your data: information governance is now more important than ever.” If you think our expertise in data scoping could assist you and your company, please email me at [email protected].

[1] https://www.out-law.com/en/articles/2018/december/england-and-wales-pilot-can-make-disclosure-more-intelligent-tailored/