E-discovery or DLP: Which one is right for you?

Chris Martinez
May 28, 2020
E-discovery or DLP: Which one is right for you?E-discovery or DLP: Which one is right for you?
Chris Martinez
May 28, 2020
On this page

Many cloud-based businesses and services use some form of data discovery. The term “data discovery” can apply to a lot of different functions and processes. E-discovery and data loss prevention (DLP) are two widely used applications that provide data discovery to businesses who need to find or know where their information and data lives. Without proper knowledge of what e-discovery and DLP can do, it’s easy to confuse the two and assume that DLP tools can be used for any kind of data querying and discovery, or that e-discovery tools can protect an organization from data exfiltration. Both processes begin with data discovery, but that’s where the similarities end. Each function serves a unique purpose and produces different results.

This article will help you learn the differences between e-discovery and DLP, when and where each is typically used, and how to choose the right option for your business.

E-discovery helps shoulder the load of heavy lifting for attorneys

E-discovery is also known as electronic discovery. Legal professionals use e-discovery to search for electronic information in litigation, government investigations, or Freedom of Information Act requests. This technology can be used at the federal and state levels in the United States, as well as in jurisdictions around the world.

The legal profession has a laundry list of requirements and regimes to follow when accessing data through e-discovery. The National Law Review has information on frameworks for the e-discovery process that show how complex and sensitive this essential function can be. One in particular, the Electronic Discovery Reference Model (EDRM) divides the e-discovery process into nine iterative stages:

  • Information Governance (IG): As companies create, collect, and store data they must consider how to keep that data secure, private, and compliant. IG seeks to help legal teams establish and execute a series of procedures for how to create, manage, store, and secure electronically stored information (ESI). 
  • Identification: To prepare for litigation, legal teams must determine which pieces of ESI are relevant.
  • Preservation: Relevant ESI cannot be destroyed or altered. That’s where preservation comes in: a legal hold sent to the custodians of the data informing them not to delete certain ESI.
  • Collection: ESI must be gathered for processing and review with no alterations to the data.
  • Processing: The collected ESI must be prepared for attorney analysis. Specialized software can help reduce the volume of data processed in this stage.
  • Review: This stage involves evaluating ESI for relevance and privilege. Software like Computer Assisted Review (CAR) or Technology Assisted Review (TAR) can distinguish between relevant and non-relevant documents.
  • Analysis: ESI must be evaluated for content and context, including key patterns, topics, people, and discussion.
  • Production: Attorneys will present relevant ESI as evidence following court rules and procedures.
  • Presentation: The last step is displaying ESI as evidence in a trial or deposition hearing.

Some parts of the e-discovery process rely on data discovery and classification — two pillars of DLP. It can be hard to understand how e-discovery stands apart from DLP, especially when many DLP solutions support compliance regimes based on federal, state, and international laws and regulations. When everything is wrapped up in legalese, more information is power.

DLP and compliance regimes work together for ultimate data protection

Protecting customer data should be a top of mind concern for all businesses working in the cloud. Organizations use DLP solutions to protect business-critical data from being lost or misused. Privacy and compliance regimes exist to safeguard customer’s rights and protections in regards to their data, and many companies are turning to DLP to meet common compliance standards.

Most compliance directives are based on legal standards and precedents. In these cases, it’s important not to confuse how DLP works  with how e-discovery can work. Here are a few compliance and privacy regimes that DLP can support.


The Health Insurance Portability and Accountability Act (HIPAA) is a set of industry standards that determine how protected health information (PHI) must be handled, mandating physical, technical, and administrative safeguards to protect PHI. In the United States, the Department of Health and Human Services guidance recommends that organizations backup their data. A HIPAA-compliant DLP solution ensures that only authorized users have access to sensitive data, and that data is not lost or misused. But DLP alone isn’t enough to protect PHI. We previously wrote about how to make your Slack instance HIPAA compliant. Leaving your customer PHI vulnerable makes your entire business vulnerable to lawsuits, loss of consumer confidence, and heavy penalties and fines.


The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes, like Visa and Mastercard. PCI DSS provides protection for card issuers by ensuring that merchants meet minimum levels of security when storing, processing, and transmitting cardholder data. While this compliance regime isn’t federal law in the U.S., some states have adopted PCI DSS standards or make equivalent provisions in state law pertaining to credit card transactions and data protection. Variations within state-level laws can cover limitations on data retention or diminished liability for compliant organizations. DLP can help protect the enormous volume of personally identifiable information (PII) flowing through the cloud from every credit card transaction. There’s a lot to get right for PCI DSS compliance, so get familiar with the 12 standards of PCI DSS compliance for an overview of how to begin.


SOX refers to the Sarbanes–Oxley Act of 2002, a U.S. federal law that set new and expanded requirements for all U.S. public company boards, management, and public accounting firms. SOX compliance requires organizations to follow strict new rules for accountants, auditors, and corporate officers with stringent recordkeeping standards. The law was written as a response to financial recordkeeping scandals in the early 2000s involving major firms like Enron. SOX requires more stringent reporting and auditing standards, which means more information could be retained and for a longer period of time than in previous compliance regimes. Since SOX covers financial records and documentation regulations, PII is at risk of data exfiltration and other improper usage. DLP is a safe and easy method to ensure companies can stick to SOX requirements for swift and thorough financial reporting while protecting essential PII data.


The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). GDPR doesn’t apply solely within EU and EEA borders, however — it also addresses the transfer of personal data outside the EU and EEA. That means that anyone doing business with a business based in the EU or EEA can be subject to GDPR. This regime was established to allow individuals to control their personal data and simplify the regulatory environment for international business by unifying the regulation within the EU. The management and protection of personal data is at the heart of GDPR regulations, and has become a model for other national and state laws. The California Consumer Privacy Act (CCPA) shares many similarities with GDPR as a consumer-first data privacy regime, for example. As the volume and variety of personal data grows exponentially in the cloud, DLP is an essential tool for protecting PII and other forms of personal data moving in and out of the cloud around the world.

Organizations rely on many other compliance and privacy regimes in their everyday functions, and a good DLP solution can handle the discovery, classification, and protection required to prevent data exfiltration. DLP is your right hand for making compliance regimes work with your cloud-connected apps and platforms.

Case study: How Slack supports DLP and e-discovery — and shows how different they are

Now that you can see how DLP and e-discovery share some similarities but are ultimately different, let’s take a look at a platform that can perform both functions. Slack’s Discovery API allows Enterprise plan users to utilize approved third-party apps to export or act on messages and files within the Slack platform. These third-party partner apps fall into the two categories we’re focusing on in this blog post: e-discovery and DLP.

E-discovery apps pull messages and files from Slack, and store the information in third-party data warehouses. From the data warehouses, messages and files can be searched, archived, or retrieved. DLP apps ensure confidential PII isn’t shared outside of Slack by scanning for content within messages and files that break predefined policies.

Think of Slack’s Discovery API as a log of the data in Slack that can be pushed to apps, like Nightfall. The Discovery API itself can handle many types of data discovery requests, but the difference comes from the class of apps pulling the data and the desired outcomes from each one. E-discovery indexes the data that exists in a database or other repository. According to Slack’s Discovery API help page, customers may use e-discovery for one-off civil or criminal legal cases, or to replicate and keep a record of all message and file data for compliance purposes. Slack includes a brief overview of how third party e-discovery apps work:

  • They typically have read-only access to Slack message and file data
  • Data can't be quarantined, removed, or tagged within Slack
  • Data is captured and archived within a data warehouse 

The Discovery API page also outlines how DLP apps, like Nightfall, work in Slack. By detecting and removing potential threats, DLP third-party tools allow users to secure your data from within. Third party DLP apps in Slack can do the following:

  • Have read and write access in Slack
  • Ensure confidential information (including PII like social security numbers) isn't shared within your Slack workspaces
  • Allow authorized personnel to manage workspace activity and enforce predefined policies on messages and files shared in Slack
  • Allow quarantined messages and files to be reviewed or removed

Cloud security and litigation are two complex industries with a lot of dense, challenging topics that can be confusing at best and off-putting at worst. Tools that enable practitioners in these fields are hard to understand without a primer on what each tool does and how it works. Fortunately, with collaboration tools like Slack working with enterprise partners like Nightfall to implement DLP to protect sensitive data, and e-discovery apps that keep data safe while quickly and efficiently searching for legal information, the decision of which tools to pick is getting easier. 

We hope this article on the similarities and differences between e-discovery and DLP sheds new light on the subject and helps you make a more informed choice on the apps and platforms to choose.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data with workflows and remediation tools. Nightfall is designed to work with popular SaaS applications like Slack as well as IaaS platforms like AWS and repositories like GitHub. You can schedule a demo with us below to see the Nightfall platform in action.

Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo