Skip to content

Shadow IT in eDiscovery

| Written by Imogen Fraser-Clark

What is Shadow IT?

Shadow IT refers to information technology systems deployed by individuals or entire departments within a large-scale organisation that are outside of the ownership of the IT department. These systems are often sought to overcome the shortcomings of the central IT system and can have very real data security and compliance implications alongside their impact on discovery. 

Impact Of Shadow IT

The Covid-19 Pandemic has impacted every area of business for the past two years, some more than others. One area that has seen a monumental shift since 2019 is the variety of technologies used in everyday business life. The unprecedented adoption of video platforms such as Teams, Zoom and Google Meets as well as short messaging platforms like Whatsapp for business purposes has led to increasingly diverse filetypes and kinds of data needing to be collected for review, in much higher quantities than previously found.

Hybrid working has thrown another spanner in the works for eDiscovery in the distribution of data to be collected. Processes that were once limited to work PCs and servers are now stored on every employee's personal devices, confidential information left on the family desk rather than in a secure office location etc.

This, of course, is something we had very little control over and has brought about several benefits to the work lives of many. Unfortunately, it has also introduced added complications into the world of eDiscovery. Now add to this the issue of Shadow IT and we can see why in-house eDiscovery service provider teams are struggling more than ever to complete their disclosure projects in a timely and proportionate manner.

Student girl with trainer working on computer and tablet

The biggest problem with Shadow IT is that employees often add to the problem without realising it, whether it is sending that urgent text from your home phone, accidentally leaving your laptop at work so working from your PC, or downloading that bit of software to help with an immediate task without first checking if it is approved. All of these actions contribute to Shadow IT and though they individually are pretty small-scale instances, when multiplied across an entire workforce they quickly begin to build up. 

While the problem of Shadow IT existed before the pandemic, largely due to the longwinded processes involved in IT approving a piece of software, the sudden move to working from home, away from the watchful eye of managers and without easy access to said IT department has led to a massive spike in the amount of Shadow IT being found on devices marked for collection. 

The issue that this creates is the spreading of data. This results in businesses being unable to locate all their data because they don't know what data has been created or where it is being stored. In eDiscovery, you run the risk of missing vital information pertinent to a case because it is stored in some software that the data host didn't know was installed on a device. In terms of GDPR, it is significantly easier to leak sensitive information if there aren't any security measures protecting it, which you cannot put in place if you don't know where the data is, or even if the data exists. This creates a very real danger of sensitive information slipping through the cracks, going undetected – compromising both your cybersecurity and your ability to remain compliant.