Babione: Manage employees’ use of “shadow IT” apps at work

Babione

By John C. Babione

In-house and outside counsel face many challenges managing company data. One significant challenge is employee use of software applications (“apps”) which are not part of the employer’s official information technology (“IT”) infrastructure. For example, employees may use messaging apps on their smartphones, such as WhatsApp, to communicate about work. Or, employees may download apps such as Dropbox onto their work computers, iPads or laptops without the knowledge of their IT department. These scenarios are common in today’s workplace. In most cases, the employees simply intend to do their job faster or more efficiently. Sometimes they may want to communicate in a more collaborative manner, or outside of official channels. The use of technology outside the official IT structure (often called “shadow IT”) raises a variety of problems and potential costs for in-house counsel and others who deal with the organization’s data, such as outside litigation counsel.

Increased risk and loss of control over data

Allowing the use of unapproved apps increases the risk of data leakage and even data breach. Employees may use apps that lack adequate security and create vulnerabilities and possible entry points into the company’s network. The apps may send or receive trade secrets or other confidential information over the internet without sufficient protection. Because apps used at the employee’s lone initiative fall outside company IT management, data developed or stored on the apps likely falls beyond the organization’s data backup procedures. Accordingly, if a group of employees uses the free version of the latest team communication app on a project, even if it does not cause a breach, they risk losing company data because it may not be properly backed up.

Employee use of unapproved apps also results in loss of control and visibility over data. In order for apps to allow users to access and share data from any device at any time, they often store data in the “cloud”, which in reality means it is stored on another company’s server somewhere else. But as Facebook’s recent privacy troubles have highlighted, organizations need to keep a close eye on what third parties are doing with their data. If the employer does not even know the third party app has the data, the employer cannot possibly monitor its use and protection. In addition, if the organization’s activities fall within the reach of the General Data Protection Regulation (“GDPR”), it is critical to have knowledge of all data to implement and maintain a proper compliance strategy.

One of the bedrock information governance principles that can help a company reduce its risk of a data breach, or at least lessen the fallout from a breach, is knowing what data it has and where it is stored. This allows the organization to actively categorize, manage and protect its data. This cannot be accomplished in an environment where employees use whatever apps they individually decide to use. Conversely, a company cannot harness the full value of its data to drive improvement unless it has some reasonable amount of control.

Downstream increase in litigation costs

To make matters worse, the rogue use of apps can significantly complicate electronic discovery and therefore increase costs when litigation arises. First, standard legal holds may miss relevant electronic evidence if it is held on apps not even known to IT and in-house counsel. This may lead to disputes over spoliation of evidence. Secondly, the attorneys or in-house staff tasked with collecting the needed electronically stored information (“ESI”) will have a more complicated project if employees have created or stored potentially relevant data in various locations unbeknownst to their employer.

Jim Boyers, a Wooden McLaughlin partner with extensive experience assisting clients with ESI issues in discovery, explains, “When retained for litigation or potential litigation, outside counsel needs to determine what data sources are likely to contain relevant information, what data needs to be preserved, and how to preserve it in a cost-effective way. If employees create potentially responsive data on apps outside the official IT environment, it requires more of the attorney’s time, and will increase litigation costs for clients.” Furthermore, rogue use of apps will prevent data from being managed according to the organization’s document retention plan. Thus, the lack of control may haunt the organization in both current and future matters.

A strategy and way forward

Fortunately, there are steps companies can take to address these issues. First, employers must establish a culture, policies and processes that result in open collaboration between employees, IT and management regarding the use of technology. Organizations can start by collecting information about what apps and technologies employees currently use and what apps and technology employees believe may assist them with their duties. In addition to this dialog with employees, IT personnel should gather further information to identify and confirm the full inventory of apps used within the company.

Once IT and management understand the apps used and the capabilities desired, the company can conduct a cost/benefit analysis to decide which apps should be officially incorporated into the business and which apps cannot be used, and identify alternative technological solutions needed. In some cases, it may be as simple as providing additional employee training on how to use existing software. If not, informed decisions must be made about whether there is an app available that meets the entity’s business needs but is also sufficiently secure and compatible with other IT and information security components.

Apps and technology are an integral part of most peoples’ lives and are constantly evolving. As with most data security and cybersecurity issues, proactive planning based upon a careful understanding of company data will lead to the best strategy. Businesses and their employees will always strive to find better solutions to get the job done. For that reason, innovative technologies must be embraced and incorporated as efficiency drivers, rather than resisted or ignored.•

____________

• John C. Babione is a partner with Wooden McLaughlin LLP in Indianapolis. His practice encompasses a range of civil litigation, with an emphasis on data privacy, electronic discovery and information governance. Opinions expressed are those of the author.