Moving to the Cloud represents a seismic upheaval in the design of an organization’s internal infrastructure – one that significantly changes the way legal and compliance teams operate. We are used to working within a static infrastructure system that doesn’t change unless we decide to change it, enabling us to feel in control of company data and risk. The Cloud, however, is not designed that way. It is a dynamic force that is constantly shifting under our feet.
How do legal and compliance teams evaluate these considerations? Recently, Lighthouse gathered a team of legal and advisory experts to discuss Microsoft 365 (M365), G-Suite, and how to manage a Cloud migration.
Cloud Transformations from a Legal and Compliance Perspective
“Cloud Transformation” is a term we see a lot in marketing materials. What does it mean to legal and compliance teams? In a broad sense, it can mean a loss of control. A loss of control over understanding exactly what data we have, where that data resides, whether we can access the data we need, and if we can adequately collect and produce it.
It also means a loss of control over the tools themselves. M365 and G-Suite are massive in size and scope and are constantly updating. This forces us to constantly assess and update our own workflows. Moreover, legal and compliance teams are often brought in after key decisions, like what to purchase and how to implement it, have already been made. The risks can seem overwhelming. But, one of the key steps in mitigating these risks is to understand them and prepare for them as best as possible.
Understanding Common Risks in Cloud Migration
One of the most common risks in migration resides in the inability to completely understand the data that resides within the Cloud. Prior to migrating, data storage and searching was simple. Post migration, we may find ourselves constantly worrying: What if data I thought was subject to legal hold is no longer preserved, or the data I thought I collected is not in the dataset I sent to my vendor. These questions lead to risks around incomplete collection or over preservation.
We also face risks around the ability to find and retrieve the data we need. Search functions within these tools are built for the business, and many times are not designed to meet the expectations of legal and compliance teams (even if they are marketed as such). Testing these tools and working to remediate any gaps found by the testing can help alleviate this risk.
Another area of concern involves not having the experts on staff to effectively manage your migration and the cloud infrastructure. These complex systems require a level of sophistication that you may not currently have on hand. Remediating this risk may require an investment by the organization to hire experts who understand cloud migration and infrastructure.
All of this leads to one of the biggest risks we face in cloud infrastructure: inadvertent misrepresentation. M365 and G-Suite are incredibly complex and constantly changing. Something you represented to a regulator or opposing counsel may have been true three months ago, but because of an update or a change in workflow, is no longer true. These constant updates can also lead to misrepresentations around preservation if you are not actually aware of what you are preserving due to updates in workflows.
Tips for Cloud Migration Preparation
Successful migration requires a top-down approach to assemble the relevant stakeholders and build a roadmap that fits within your migration timeline. Management needs to be aware that success depends on having the right people in place to support the migration. This also means that all stakeholders need to be educated. Ensure that everyone on your IT, legal, and compliance teams are aware of what tool is being purchased, how it works, and what information will reside there.
Evaluate the data your organization has and start the remediation process before you migrate. Almost every organization has data that can be purged, and there is no need to take on the risks of Cloud migration for data that does not need to be retained.
Ensure that your organization not only documents every workflow and standard operating procedure (SOP), but also why those processes were chosen. At some point down the road you will be asked questions about almost every aspect of the migration, including why each of those decisions were made. Without documentation, the answers to these questions may get lost over time.
Test your workflows (and then re-test them). Preparing for migration doesn’t just mean learning about the functionality of the new system. It also means confirming that those features are going to work as intended. Ensure that the tasks and features meet your service level agreements (SLA) and then test them again under different scenarios (low volume, high volume, etc.). In addition to lowering risk around functionality, it also ensures that you will have the necessary documentation down the road.
Consulting & Testifying Considerations
One of the first things to keep in mind when deciding who to choose as a testifying expert is that testimony surrounding Cloud data and processes will be exhaustive. Experts will now not only be asked if you searched a custodian’s mailbox, but if you searched the entire tenant for an email for that custodian (and if not, why not). The expert you choose will need to have spent time on the ground with your organization to ensure that they are educated on what you are doing and why you are doing it. You can prepare for this in advance by gathering information now, documenting everything, and keeping all documentation up to date. If possible, get the expert involved at all Meet and Confers, to avoid early-on misrepresentations.
Also bear in mind that there are two types of witnesses: an expert with knowledge of a particular process (preservation, collection, etc.) and an expert with knowledge about the particular system or product. Be sure you define the scope for each type of witness and ensure that each can stay on task. Also, ensure that you developing the right documentation to prepare each type of witness.
Just as important as finding an expert with the right type of knowledge is finding an expert who has the ability to communicate that knowledge in a clear, consistent message (without using technical jargon) and, at the same time, understands the risks and purpose of their testimony. Choose someone who recognizes that the questions they are fielding may have more to do with opposing counsel leveraging the opportunity as a gateway to more discovery, rather than actually trying to gain information on the technical aspects of the product or process.
To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com.
