eDiscovery Challenges: The Intersection of Data Mapping and Shadow IT

Whether an organization is planning for team members to return to the office or contemplating an acquisition, the age-old question is as relevant today as it was at the beginning of COVID: “Did we do enough to create and capture data in compliance with our policies?”

With that in mind, what can organizations do to ensure that all data creation policies are being followed and that data is not being lost in the Shadow IT world? At little cost, organizations can create a data map survey for employees to complete, to ensure that all data is identified and addressed.

Creating a data map involves generating a thorough guide to the various locations of data relevant to your organization, along with key information regarding its purpose and handling. It can be a fair amount of work, and organization leaders may question how necessary it is.

However, as eDiscovery becomes one of the primary discovery processes in court, the Federal Rules of Civil Procedure (FRCP) have weighed in on the concept, with key adjustments to FRCP 26 and 37. The amendments to these rules now create a duty for parties to preserve electronically stored information (ESI), determine which information is reasonably retrievable, and disclose relevant ESI within 100 days of a case being filed. Without a proper data map, organizations involved in a case may be scrambling in a chaotic frenzy to track down pertinent ESI.




Thus, data mapping has moved beyond simple good practice to something essential for modern organizations. A data map can be as intricate as a graphical visualization of how data storage locations relate to each other, or it can be rendered in the form of a spreadsheet or survey. But regardless of the intricacy of the document, the complexity of the task is only growing, and that’s due in part to a modern concept: Shadow IT.

Shadow IT is the term for your data being handled by outside parties in charge of email servers and various clouds, without your IT department’s approval. It’s a challenge that’s compounded when we consider the various types of data organizations now deal with, including emails, voicemails, Dropbox, OneDrive, instant messages across applications like Teams or Slack, slideshows, text messages, ephemeral messaging, and data generated by the Internet of Things.

Whether approved by IT or part of an employee’s shadow IT network, there is now a laundry list of outside parties getting pulled into an ESI data map. This can include Microsoft, Google, Box, Amazon, SaaS applications, thumb drives, third-party VPNs, and IoT. All of these make up part of the framework, and some of it may be part of Shadow IT, regardless of whether an employee is aware. Both Shadow IT and approved outside parties now need to be part of the data map.

Naturally, this presents something of a source of security stress. It can be difficult enough to secure and retrieve data within your own IT network. But shadow IT adds a layer of complexity to attempts to be responsible for data, both for your day-to-day purposes and in the context of eDiscovery.

That has only become more of an issue as we move into a world of hybrid remote workforces. More than ever before, organizations can’t assume all relevant data are being kept on their own servers and devices. Data accessed from mobile devices, personal computers, even older printers need to become part of the data map. This especially means incorporating cloud servers and home networks into your data map.

The complexity at the intersection of Shadow IT, approved third-party vendors, and data mapping needs is a prime example of why organizations are seeking eDiscovery service providers with experience in both mapping and securing data.


You can contact our team to learn how Evolver Legal Services provides technology solutions in the entire EDRM lifecycle, including an early-stage data mapping procedure that incorporates the realities of Shadow IT. You can also learn more about Evolver’s eDiscovery, managed services, and redaction solutions in our services section.