Traveling to the company board meeting, an assistant to the corporate secretary forgets her password and gets locked out of the company’s network share. In a hurry, she adds comments from a phone call with a senior VP concerning an acquisition to a PowerPoint meant for the board. She then adds a design flourish using ClearSlide, an application the company does not own, and saves a version there.
Under a deadline to send the presentation to a director, she saves a copy on her laptop, loads it to her private Google drive and sends a link to the director. The director downloads the PowerPoint and makes further changes. Later the assistant leaves the company, and soon Director & Officer (D&O) litigation arises.
Drafts of a critical board presentation with unique comments now exist in several locations outside the company’s IT infrastructure and data map. As a result, these documents are neither collected nor produced during discovery.
This is just one example of the risk that shadow IT can pose to your eDiscovery process.
What is Shadow IT?
Shadow IT is hardware, software, and data (“shadow ESI”) created within an enterprise that is not supported or administered by the organization’s IT department. By some definitions, the IT group may not even know the software and data exist.
Although the word shadow suggests some reprehensible intent, shadow IT usually results from employees wanting to work more conveniently. While most of the literature concerns the security risk of shadow IT, our concern is the risk to the eDiscovery process.
In EDRM terms, shadow ESI may not be readily identifiable, and if you cannot identify it, you cannot preserve or review it. The example above is shadow ESI created by an individual, but project teams and entire lines of business increasingly create shadow IT as well.
In this post, we will look at the scope and challenge shadow IT presents to litigators. A second post will overview ways to mitigate the risk of shadow ESI throughout the eDiscovery process.
Why Shadow ESI is Growing
The growth of shadow IT is driven by widely available, cheap, easy-to-buy cloud-based SaaS apps like Google Workspace, Dropbox, and Slack.
To put this in perspective, there are over 1 million apps on the Microsoft app store, including thousands designed for business. And there are many other application markets, like Salesforce AppExchange.
A procurement- or IT-run process may take months to acquire an enterprise-grade SaaS product. Employees, by contrast, are used to buying the applications they need for their work when they need them.
Work from home and the more distributed workforce of the Covid era accelerated this trend. Employees frustrated by their company’s clunky remote access/VPNs, file sharing, and collaboration capabilities bought their own applications. One survey found that 62% of employees confessed to using shadow applications.
Consider the example of a product project group of fourteen employees who dislike their company’s old-fashioned Basecamp project management software. They buy the project management application Trello for $10 per user per month. The project leader uses a corporate credit card and expenses it, but the cost does not register in any IT budget.
While the team later creates a summary of the Trello project in Word and distributes it by company email, they do not transfer the original project data to enterprise network shares for storage.
If litigation follows, there is some hope that IT will surface this Trello data if the project members used their company email addresses, or if one of the team appears on the key custodian list and is thoroughly interviewed.
But imagine this phenomenon repeated hundreds of times across the enterprise, and the danger of shadow ESI is clear.
The Scale of Shadow IT and Shadow ESI
Data from a variety of studies and surveys from the last few years reveal the scope and rapid growth of the shadow ESI problem:
- Shadow IT constitutes 30%-50% of IT spending in big enterprises.
- IT controls just 27% of spending on SaaS applications and directly manages just 23%.
- 80% of employees say they use applications on the job that aren’t approved by IT.
- IT administrators estimated that employees used around 30 to 40 cloud applications; the measured average was over 1,000.
- 67% of individuals and teams bought their tools for their organization.
- Only 8% of enterprises know the scope of shadow IT within their organization.
- The number of applications/software used in the enterprise can be six times bigger than the number known to the IT department.
- Shadow IT grew by 59% since 2020 due to Covid-19.
In summary, there is more data, in more applications, in more places outside of the knowledge of corporate IT; and therefore, outside of your data map, your information governance, and your eDiscovery process.
So significant is the problem that in some records and information governance quarters there is talk of decentralizing IT and application management as desirable, essentially making a virtue out of necessity.
But the resulting shadow data and ESI still have to be managed for governance, compliance, and litigation.
Sources of ESI that Commonly Live in the Shadows
So, if you are litigation counsel, it pays to be familiar with the sort of software applications that might be missed by the existing eDiscovery identification, hold, and preservation workflow.
Below are applications popular in the Fortune 1000 that are most frequently part of Shadow IT. This list is necessarily a moving target, as applications popular today are disfavored tomorrow.
By category of software, roughly in order of prevalence:
- Productivity and project management apps (Trello, Asana, Evernote, Calendly, Canva, Adobe Acrobat).
- Collaboration apps (Microsoft Teams, Slack, Asana, Tableau, WebEx, Miro, Coda).
- Communication/Messaging apps (Snapchat, WhatsApp, Zoom).
- Cloud storage and file sharing (Dropbox, Box, Google Docs & Workspace, OneDrive, O365, Atlassian Cloud, Google Cloud Platform).
- Communication apps (Skype, VOIP, Postman).
- No code/low code (MS Power Apps, Salesforce, ServiceNow, Zapier, Bubble).
According to one study, the average F500 employee uses 15 separate applications to do their work, many of them in the shadows. Not all ESI is being created, edited, and found within the familiar confines of Microsoft or Google products.
At the same time, shadow ESI is frequently found in other instances of applications the company is already using, for example, a personal Google Drive alongside the company’s own, a potential point of confusion in a custodian interview.
One implication of this list is that a traditional “email and attachments” centric eDiscovery process will become a thing of the past. Counsel should be aware that the real work and communication of business is increasingly conducted not in email but in collaboration apps like Slack.
The Risks of Shadow ESI in eDiscovery
Critical legal questions beyond the scope of this blog post are whether shadow applications are within FRCP 26’s “possession, custody, or control” or are “reasonably available to the organization” under FRCP 30(b)(6). It may be dangerous, however, to assume shadow ESI is beyond the reach of such rules.
The main implication of the growth of shadow ESI is that it is increasingly risky to rely on the IT department or any single information stakeholder to tell counsel where to find potentially relevant data. So much of corporate ESI is ever more beyond the data map or the knowledge of IT, or those who are meant to be knowledgeable about ESI in the legal department.
Shadow IT calls for a deeper investigation by litigation counsel to uncover potential shadow ESI.
For example, in-person custodian interviews may be increasingly important to understand precisely how the custodian creates and stores data; custodians may be reluctant to admit the scale of the work done outside of the awareness of IT. Written questionnaires may not be a sufficient custodian interview tool. And a search for shadow ESI may change the assessment of who the key custodians are.
Another problem is that shadow IT can create multiple sources of truth, for example, multiple financial applications reporting different financial results.
Counsel should also cast a wider net for potentially relevant ESI beyond email and documents to the increasing number of applications in use in the enterprise. Also, be aware that some departments like finance and engineering are particularly heavy users of applications in general and generators of shadow ESI.
There are technical solutions for IT that can help find unapproved cloud software used by employees, for example, Microsoft Defender for Cloud Apps. Counsel should investigate what, if anything, IT is using and how effective it is. Yet some shadow IT will always evade these systems, and counsel should not rely solely on technological fixes for the shadow ESI challenge.
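The discovery tools mentioned above work from a simple signal: which users talked to which SaaS domains, and how much they uploaded. The following Python script is an added example, not code from the original post or from any vendor product. It compares cloud applications observed in web-proxy traffic against a sanctioned-application inventory and reports the rest, with the users involved, so counsel can extend the data map and the custodian list. The log format, the domain-to-application table, and the inventory are all constructed for this example and would be replaced by the organization’s own data.

```python
"""
Added example: flag cloud applications seen in proxy traffic that are missing
from the sanctioned-application inventory. Everything below (log format,
catalog, inventory, sample log lines) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed mapping of SaaS domains to application names. Assumption: a real
# catalog would be far larger and maintained by IT or a CASB vendor.
SAAS_CATALOG = {
    "trello.com": "Trello",
    "api.trello.com": "Trello",
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "www.dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "app.slack.com": "Slack",
    "clearslide.com": "ClearSlide",
}

# Constructed inventory of applications the company has actually approved.
SANCTIONED_APPS = {"Slack", "Google Drive"}

# Constructed proxy log lines: timestamp, user, method, URL, bytes.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:12:01Z jdoe GET https://app.slack.com/client/T0/C0 5120
2024-03-04T09:15:44Z jdoe POST https://api.trello.com/1/cards 2048
2024-03-04T09:16:02Z jdoe POST https://api.trello.com/1/boards 1024
2024-03-04T10:01:30Z asmith PUT https://www.dropbox.com/upload/board-deck.pptx 4194304
2024-03-04T10:05:12Z asmith GET https://docs.google.com/presentation/d/abc 8192
2024-03-04T11:20:09Z asmith POST https://clearslide.com/api/upload 2097152
2024-03-04T11:22:45Z bjones GET https://www.example.com/news 3000
"""


@dataclass
class AppUsage:
    """Per-application tally: who used it, how often, how much went out."""
    users: set
    requests: int = 0
    bytes_out: int = 0


def app_for_host(host):
    """Match a hostname to a catalog entry, falling back to parent domains
    (api.trello.com -> trello.com). Returns None for unknown hosts."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOG:
            return SAAS_CATALOG[candidate]
    return None


def parse_proxy_log(text):
    """Yield (user, method, host, bytes) per well-formed line; skip bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, user, method, url, size = parts
        host = urlsplit(url).hostname
        if not host or not size.isdigit():
            continue
        yield user, method, host, int(size)


def find_unsanctioned_apps(log_text, sanctioned=SANCTIONED_APPS):
    """Return {app: AppUsage} for catalog apps seen in the log but not in the
    sanctioned inventory. Uploads (POST/PUT) are counted toward bytes_out
    because they are the traffic most likely to carry company ESI off-site."""
    usage = defaultdict(lambda: AppUsage(users=set()))
    for user, method, host, size in parse_proxy_log(log_text):
        app = app_for_host(host)
        if app is None or app in sanctioned:
            continue
        tally = usage[app]
        tally.users.add(user)
        tally.requests += 1
        if method in ("POST", "PUT"):
            tally.bytes_out += size
    return dict(usage)


def report(findings):
    """Format findings as lines that can be appended to a data map."""
    return [
        f"{app}: {u.requests} requests, {u.bytes_out} bytes uploaded, "
        f"users={sorted(u.users)}"
        for app, u in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(find_unsanctioned_apps(SAMPLE_PROXY_LOG)):
        print(line)
```

On the constructed log this reports Trello, Dropbox, and ClearSlide while ignoring the sanctioned Slack and Google Drive traffic and the unrelated news site. The per-user column matters as much as the application list: an employee who uploads megabytes to an unapproved service is a candidate for the key custodian list and for an in-person interview, even if the service itself turns out to hold nothing relevant.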
In the next blog post, we will further explore the implications of shadow ESI and outline some fixes. Meanwhile, if you are issuing holds, preparing for Rule 26 or 16 conferences, or certifying initial disclosures, consider what ESI may be hiding in the shadows.