Encryption and e-Discovery are Often at Odds

Posted 1/31/2012

Electronic Discovery doesn’t always align with other IT processes and business requirements. Some organizations need to archive data to relieve strains on data storage and comply with data retention requirements. And, increasingly, organizations are encrypting sensitive data to meet regulatory mandates and prevent data breaches. Both of these processes can impede e-Discovery readiness.

A lot of ink has been spilled discussing the impact of archival on e-Discovery. Questions asked include: Where is the data located? On what type of media is it stored? Will you be able to access and produce it in response to an e-Discovery request?

Encryption is an emerging challenge. According to Symantec’s 2011 Enterprise Encryption Trends Survey (download requires free registration), 42 percent of organizations have been unable to respond to e-Discovery requests due to encryption issues.

The problem is only going to increase. Forty-eight percent of enterprises increased their use of encryption over the past two years, and almost half of their data is now encrypted at some point in its lifecycle. But one-third of survey respondents said unapproved encryption deployment is happening on a somewhat to extremely frequent basis. Because these projects are not necessarily following the company’s best practices, 52 percent of organizations have experienced serious issues with encryption keys including lost keys (34 percent) and key failure (32 percent). In addition, 26 percent have had former employees who have refused to return keys. That means the encrypted data is essentially lost.

Fragmented encryption creates risk from the lack of centralized control of and access to sensitive information. That’s why it can disrupt critical processes such as e-Discovery and compliance monitoring. In fact, the inability to access important business information due to fragmented encryption solutions and poor key management is costing each organization an average of $124,965 per year, according to the survey.

The inability to respond to an e-Discovery request could cost much, much more. Encryption must therefore be tightly integrated with e-Discovery tools, processes, and policies. Organizations should take steps now to prevent ad hoc encryption and ensure that data can be decrypted in the event of litigation.