[Editor’s Note: EDRM is proud to publish the advocacy and analysis of Antonio Gesteira and Felipe Palhares. The opinions and positions are those of Antonio Gesteira and Felipe Palhares.]
Let whoever has never started a WhatsApp conversation, switched to Instagram and continued the chat via direct message on LinkedIn throw the first stone. At the corporate level, the same logic applies: an email exchange can continue in Teams, later the subject is discussed in a meeting via Zoom, and it ends up in an action plan compiled in Trello.
With the evolution of technology and the increasing digitization of the work environment due to the pandemic, countless emerging data sources have appeared. They were previously not used for exchanging corporate information but have now become ubiquitous.
An emerging data source is any cloud-based database, collaboration platform or application used for business purposes. The best known are Microsoft 365, Google Workspace and chat tools like Slack and WhatsApp.
By nature, cloud applications are constantly changing, improving and adjusting to business and productivity needs. While the rapid pace of change can be beneficial from an end-user perspective, it is equally problematic in the context of data governance, compliance, investigations and legal discovery. When new functionality or an adjustment is introduced without proper change control, new vulnerabilities emerge and specialized investigation teams work to identify, preserve, collect, analyze and review platform data.
The e-Discovery and compliance features available on certain platforms also change frequently. This may affect data export formats and bring changes in export options, the inclusion of linked content and attachments, as well as relevant metadata.
The use of emerging data sources represents a complex challenge for litigation and investigations that require the analysis of conversations and information exchanged by electronic means. Considering the variety of technologies used daily in the corporate environment, merely knowing all the applications used by an organization's employees already proves to be an arduous task, especially when the use of certain software has not even been cataloged by the administrator of the company’s information technology resources (a practice known as Shadow IT).
Added to these challenges is the need to collect and organize this vast amount of information, which, for the purposes of a corporate investigation or to serve as evidence in the resolution of disputes, needs to be combined with all other available data sources. This makes it possible to draw a timeline of events and properly assess the facts that occurred, based on concrete supporting evidence and the preservation of the chain of custody.
In the context of research on emerging data, there are 4 pillars that should be considered a paradigm shift: (i) shared access without user identification; (ii) chat messages with quick content removal; (iii) sharing content and documents with links and hyperlinks as an attachment; and (iv) access to several versions of files, making it difficult to see the historical content.
From a legal point of view, obtaining such data also encounters possible complications and limitations. Due to the rules established in the General Law for the Protection of Personal Data (LGPD), any personal data processing activities – which include the collection and analysis of information – must respect certain general principles and specific requirements, such as the existence of a legal basis provided for in the legislation.
In this regard, the expectation of privacy of data subjects (who include employees of an organization) is a relevant point in assessing whether data collection from emerging sources complies with the provisions of the LGPD. Although there are reasonable arguments that an employee should not have a high expectation of privacy when using tools made available by their employer, the frequent adoption of bring-your-own-device policies by organizations, which allow employees to use their personal devices to carry out their corporate tasks, clouds the situation.
The same difficulties are present from the perspective of data protection and information security. When messages are exchanged through instant messaging applications installed on cell phones for personal use, how can one guarantee that the respective employee will not delete the entire message history, or even that they will use a secure application for the exchange of sensitive information?
In this scenario, it is essential that organizations adopt at least the following measures: (i) have an inventory of applications used by their employees to exchange information; (ii) investigate the existence of unknown tools that are being misused; (iii) establish internal policies on the use of tools, data retention and eventual limits on the adoption of personally owned devices; (iv) be prepared to analyze data from emerging sources, with technologies that allow a sequential evaluation of events, even if collected from different sources.
Without them, the proper analysis of data from emerging sources during future litigation or internal investigations may be compromised, bringing potentially irreparable damage to the respective organizations. Isaac Newton’s famous quote also applies to emerging data sources: “What we know is a drop, what we don’t know is an ocean”.