May 03, 2008

Information Compliance

I am going to begin a series of posts dealing with "Information Compliance" (aka "Governance Risk and Compliance - GRC"). 

To kick it off, I'm attaching a storyboard that shows, with pictures, some of the challenges that organizations face in putting policy management discipline around their information so that they can achieve the three (3) core goals of information management - reduce cost, reduce risk, and extract value from organizational information. 

http://andrewsblog.typepad.com/Compliance_Series.pdf

March 11, 2008

Faux eDiscovery

The following is a new article, entitled "Avoiding Faux eDiscovery", recently published by Jim Shook and me.  Jim is an attorney, eDiscovery expert and member of the Sedona Conference.   

Download faux_e_discovery.pdf

February 04, 2008

eDiscovery Crystal Ball

Craig Ball, an EED special master and frequent contributor to law.com, wrote an article today about his crystal ball predictions for eDiscovery.  Not surprisingly, these predictions mirror some forward looking trends in IT.  This is not surprising because eDiscovery potentially impacts all aspects of an organization's information and information management strategies, policies, governance and compliance.

The link is http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1201864414445.

Included in the article are predictions about virtualization, networked storage, storage and content management in the cloud, security, privacy, and the use of appliances to index and efficiently collect content.  All of these trends read like a roadmap to EMC's product and solution portfolio and strategy (http://www.emc.com/products/index.htm).


November 20, 2007

Bringing eDiscovery In-House

Last week, I sat on a panel at Georgetown University (Advanced eDiscovery Institute) where the focus was on technology tools for bringing eDiscovery in-house.  The concept is that, rather than spending on reactive data collections and third party consultants who charge by the project, what aspects of eDiscovery should be done with an organization's own people, process and technology.

The panel considered four types of technologies - email management, work-flow, search/collection, and review.  Each has positives and negatives, which I summarize as follows:

Before discussing the technologies, one point had the universal support of the panel and the audience; namely, that no technology will fully succeed in helping to solve eDiscovery challenges unless the organization first understands where that technology fits into a defensible and repeatable process. 

Email Archive/Management:  there was strong agreement on the panel that a tipping point had been reached for most organizations, and it was more costly (both from a storage management perspective and an eDiscovery perspective) to do nothing versus building out an email archive.  An archive allows the emails to be brought to one place where they can be found, de-duplicated, stored more efficiently, and importantly deleted at the end of a retention period.  Without an archive, emails tend to end up as psts (personal archives on individual desktops and shared drives) or on backup tapes, where they're duplicated over and over, never deleted, and the content is costly and risky to discover and preserve.  The downsides of email archives include the lack of granular classification, and implementation cost (but those costs should be recouped if the archive is done properly, and depending on the chosen policy).

Work-flow:  this is a tool that does not control the flow of information, but rather automates aspects of the eDiscovery litigation hold process (i.e. rather than manually keeping track on spreadsheets of which employees are subject to litigation holds, this type of tool provides a dashboard for managing that process).  There was general agreement that this type of tool was very helpful to the paramount issue of having in place a defensible process.  It is typically a fit only for larger organizations that have so much litigation that they're willing to invest in a 'dashboard' to help manage it and reduce the risk. 

Search/Collection:  think of these tools as utilities that crawl unstructured environments and index them, allowing for much more efficient data collection.  There was a difference of opinion about these tools, where one panel member thought they were not mature enough and that he was more comfortable doing manual collections that could be demonstrated to be forensically sound.  I didn't get much of a chance to say so on the panel, but I disagree with that point of view.  In my view, these tools are increasingly going to be leveraged by companies that want to collect and policy manage content that is sitting on file shares and desktops (and is outside of a central repository such as an email archive).  Given that these tools allow for hashing and chain of custody, I believe they will more than meet the (developing) court requirements for authenticity and the admissibility of evidence.
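To make the hashing and chain-of-custody point concrete, here is an added Python example; it is not code from the panel, from EMC or from any vendor mentioned on this page. It crawls a constructed share, records a SHA-256 digest and a custody log entry per file, re-seals the manifest after each hand-off, and re-hashes the files later so that any alteration after collection is detected. The share contents, the custodian "jdoe", the collector "it-forensics" and the timestamps are all made up for the illustration.

```python
"""Constructed example: a hash-verified collection manifest with a chain-of-custody log.
Not the tooling of any vendor discussed on the page; file names and custodians are made up."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _items_digest(items):
    # A digest over the whole item list lets a later reader detect an edited manifest.
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


def collect(root, custodian, collector, when):
    """Crawl a share, record size and SHA-256 per file, and open a custody log entry for each."""
    items = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            items.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "custodian": custodian,
                "custody": [{"event": "collected", "by": collector, "at": when}],
            })
    return {"root": root, "items": items, "manifest_sha256": _items_digest(items)}


def transfer(manifest, from_party, to_party, when):
    """Append a hand-off to every item's custody log and re-seal the manifest digest."""
    for item in manifest["items"]:
        item["custody"].append({"event": "transferred", "from": from_party, "to": to_party, "at": when})
    manifest["manifest_sha256"] = _items_digest(manifest["items"])
    return manifest


def verify(manifest):
    """Re-hash every file; return the entries whose content no longer matches the manifest."""
    problems = []
    if _items_digest(manifest["items"]) != manifest["manifest_sha256"]:
        problems.append("<manifest>")
    for item in manifest["items"]:
        path = os.path.join(manifest["root"], item["path"])
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            problems.append(item["path"])
    return problems


def make_sample_share(root):
    """Write two constructed files standing in for a custodian's share."""
    os.makedirs(os.path.join(root, "notes"), exist_ok=True)
    with open(os.path.join(root, "memo.txt"), "wb") as handle:
        handle.write(b"Lease terms discussed with the dealer on 2007-10-02.\n")
    with open(os.path.join(root, "notes", "draft.txt"), "wb") as handle:
        handle.write(b"Draft pricing spreadsheet notes.\n")


def demo():
    """Collect, hand the set to counsel, then show that a post-collection edit is detected."""
    root = tempfile.mkdtemp()
    make_sample_share(root)
    manifest = collect(root, custodian="jdoe", collector="it-forensics", when="2007-11-20T10:00:00Z")
    transfer(manifest, "it-forensics", "outside-counsel", "2007-11-21T09:30:00Z")
    clean = verify(manifest)  # nothing has changed yet, so this is empty
    with open(os.path.join(root, "memo.txt"), "ab") as handle:
        handle.write(b"edited after collection\n")  # an alteration the manifest must catch
    return len(manifest["items"]), len(manifest["items"][0]["custody"]), clean, verify(manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest digest only catches accidental corruption of the manifest itself; a production process would sign the manifest or record its digest out of band so that an altered manifest cannot simply be re-sealed.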

Review:  the concept here is that, after collecting content, it is loaded into a review platform (for attorneys to review each document and determine if it is responsive/non-responsive, and privileged/non-privileged).  Today, most review is hosted by third parties, but a small number of organizations have brought these review platforms in-house.  There did not seem to be a huge amount of support for this type of application.  My point of view is that eventually this type of tool might be brought in-house by some organizations, but for now, what I see organizations doing, is focusing on the core issue, which is how the information is being managed in the first place, rather than focusing on how it gets reviewed on the back end. 

The bottom line for me was (i) you must have a defensible process, (ii) technology is increasingly being leveraged and in-sourced because a purely outsourced model is expensive, and (iii) the core issue to be addressed is the policy management of information throughout its lifecycle. --A

October 01, 2007

The Power of the Funnel

In talking with many customers and peers, I find that I repeatedly use the concept of a funnel to describe practical ways to overcome the challenges associated with classifying sometimes massive volumes of electronically stored information (ESI), and applying defensible policies for retention, security/privacy, eDiscovery and ultimately "defensible deletion".  Please see slide 5 of the attached presentation.  Download Funnel.ppt

The funnel is a logical metaphor because organizations are being tasked with managing huge amounts of electronic content, some of which has tremendous value, but much of which is either junk or is being retained long past the time when it has any business, legal or referential value.  Across all types of organizations, around the world, the goal is the same - how do I get to the important stuff at the bottom of the funnel?

Think of a funnel as representing the electronic information that enters your enterprise every day (for some organizations, this might be several million objects per day, across hundreds and hundreds of different applications and content types, and even for a relatively small organization, there is going to be a lot of content flying around the network at the speed of light, and then piling up unmanaged on drives and tapes). 

The core challenge for companies is classification - how do I in a practical way put this information into logical categories so that reasonable policies can be applied (and so that the important information can be found efficiently)?  As discussed in an earlier post (Aspirational Records Management Policies), if you merely declare that the existing records management manual, which was put into place for paper documents (and which often contains hundreds of records types), applies to the electronic content, the classification and policy goals of the official records program typically are not met. Given current systems, processes, the state of auto-classification technology, and the refusal of employees and organizations to allow efforts at RM to reduce productivity, the IT department is just not able to operationalize what end up being "aspirational records management policies".

Now picture a funnel divided into three (3) pieces.  On the top (and often the largest part of the funnel) is information with little value (or even negative value) to the enterprise.  The goal at the top of the funnel generally is to "filter" or get rid of this content as soon as practicable, provided that the effort associated with separating out this content is not greater than the efficiencies and risk reduction of getting rid of it sooner.

In the middle of the funnel is what I think of as "productivity" documents, or content that has referential value, but is NOT an official company record.  Think of the emails, powerpoints etc that you might save in subfolders on your desktop every day.  These are not likely to be identified as official records in the company records manual, but they do have value to individuals and small working teams. Importantly, at most companies, if you try to take those away from employees by setting across-the-board short email and file retention periods for non-records, often employees will not react well and they will come up with their own (uncontrolled) ways to save those documents (which may completely undercut the goals of the underlying policy). Conversely, it is important to note that despite the strong feelings of employees about the "need" to keep these types of productivity documents, at nearly every organization in the world, the reality is that when you examine actual utilization rates from an IT perspective, after 180 days, very few of these "productivity" documents are actually accessed.  This lines up with the personal experiences of many - we set aside these documents every day, but how often do we really go back and use ones that are years old?   

At the bottom of the funnel (and often the smallest overall volume of content) is a company's most important business and legal records, and increasingly, included in that category is content on "litigation hold" (in other words, the file that was not a record yesterday ends up being treated like a record once it is determined to be potentially relevant to a legal matter).  For the content at the bottom of the funnel, there is often a need to attach much greater security, content management and the process discipline of true on-line records management.  (I note that in earlier posts, there was some healthy back-and-forth and some may have been left with the impression that my view is that records management should be marginalized in favor of a small number of simplistic policies.  That is not my view.  My view is that records management has never been more important.  That said, there is too much content to try to get employees to classify each and every object.  Rather, you need to determine how to get to the bottom of the funnel and then apply the RM discipline where it belongs.)

The funnel model discussed above does not solve all the issues, and it is wildly oversimplified, but simple is good. I've found it to be a valuable starting place for a risk adjusted approach to setting policy.  I'll plan to expand on some of these concepts in future posts, which will be more frequent than in the past.  --Andy

June 14, 2007

Aspirational Policies and Frameworks for Simplification

Prudent attorneys typically avoid absolutes (e.g. we don't like to say "all" or "every" because we worry about what's on the margin).  Despite that, I believe it is true that "every" company in the world has what I think of as aspirational records management policies.  The lawyers and compliance people define record types and categories, and they map those record types to the legally required retention periods, based on perhaps thousands of statutory requirements from around the world.  The problem, however, is that those written policies never fully map to the way the IT department is actually managing the information; the policies are aspirational.

Records Management today is like Prohibition. There's a set of rules on the books that we pay lip service to, but everyone knows that those rules are not going to be fully followed. There are two key problems with this.  First, it is risky.  Companies that publish their aspirational records management policies face the prospect of having those policies shoved down their throats by regulators, as well as attorneys in the context of eDiscovery matters. The current statutory landscape, and the new Federal Rules of Civil Procedure, make the treatment of information much more transparent, thus the gaps are easily exposed.  Second, aspirational records management policies in fact lead to cost increases from over-preservation of content.  When an unrealistically short retention policy is established, the reality is that most companies either completely fail to enforce it (they never "push the delete button") or they delete some of the content, but allow duplication in individual and unmanaged repositories (including desktops, file shares and tapes), which in fact leads to over-preservation. 

The right approach, in my view, is a risk adjusted approach that relies on what I think of as "frameworks for simplification".  There is a critical need for the discipline of records management, but before an enterprise gets to that granular discipline, there's a need for a strategy to policy manage information.  If, for example, your enterprise's email and file environments contain hundreds of different record types, but you have no way of achieving that classification, then it makes little sense to establish a policy that aspires to be perfect, but in fact results in non-compliance.  Rather, why not drive to a policy management classification scheme that only has three categories, instead of hundreds, but that allows the enterprise to take a first cut at classification.  There are several key benefits to this "big bucket" approach -- it can be operationalized by the IT department, it allows for systematic deletion of content that has no legal, business or referential value, and it allows the identification of priority content, on which records managers and compliance people can focus, apply more granular policies and apply more robust content and information services.   

By way of example, I had a discussion yesterday with a very thoughtful group of RM and IT professionals from a large automotive company.  One example that came up was the treatment of leasing files, and the issue of "event based retention".  Essentially, the goal was to keep the files for the life of the lease, plus some fixed number of years, and then delete the files.  In fact, the complexity of aligning the "trigger" (in other words, knowing when the lease was up so the retention period clock begins ticking) across millions of such files was too great, and the result was that no files were deleted - for fear of deleting the wrong ones too soon.  The approach they were considering was in my view spot on - taking the longest lease period, together with the retention period (which was collectively 16 years) and applying it to all of the (millions of) files uniformly.  This policy is less than perfect, and it will result in some files being kept "too long", but as compared to not deleting any files, this strikes me as a very smart and very reasonable approach. 

It is better to set realistic imperfect policies that can actually be operationalized by IT and enforced, than it is to set aspirational ones.


March 22, 2007

Morgan Stanley Winning the War But Not Winning the eDiscovery Battle

Yesterday, the FL state appellate court threw out the $1.5 billion award against Morgan Stanley.  This case, which was first filed in 1998, has been heavily analyzed, especially because of the sheer size of the award, and because of the eDiscovery implications of the case.  The case concerned the allegations of financier Ron Perelman, who obtained Sunbeam stock in a transaction, but that stock lost most of its value after it was determined that Sunbeam's former executives had engaged in financial fraud.  Morgan Stanley was the investment bank on the transaction and Perelman alleged that Morgan helped falsify the value of the Sunbeam stock.  Morgan vigorously denied those claims.

In the trial court, however, the underlying claims in the case were almost overwhelmed by eDiscovery issues having to do with Morgan Stanley's failure to produce certain electronically stored information.  The trial judge eventually sanctioned Morgan after a series of eDiscovery problems, essentially telling the jury that Morgan's failure to produce email and other electronic content to the other side in the case itself amounted to fraud.  That ruling resulted in Morgan never really getting a chance to defend itself on the actual facts of the case (the underlying fraud claims relating to the value of the Sunbeam stock); they never got the chance to overcome the taint of the initial eDiscovery problems. 

The appellate court completely avoided a review of whether the trial judge's eDiscovery sanction was justified.  Instead, the appellate court found that the Plaintiff (Ron Perelman) failed to make a proper proof of economic damages; basically, that his expert did not correctly calculate the loss in the value of the Sunbeam stock. Because such a proof is an essential element of the claim, that failure - the appellate court held - was fatal.  The case will continue to be appealed to the next level in the FL appellate court system; it is not over for either party.

Despite the failure of the appellate court to expressly review the eDiscovery issues in the case, there are two key eDiscovery lessons to be taken from the case at this point.  First, trial judges have tremendous discretion to sanction parties for eDiscovery abuses, but those sanctions still have to bear a proportional relationship to the underlying conduct.  Here, the notion that a company could essentially lose a massive verdict without ever getting the chance to defend itself was, in my view, excessive. 

Second, and most importantly, the eDiscovery lessons of the Morgan case remain unchanged (despite the reversal of the verdict).  It would have been hard enough (and expensive enough) for Morgan just to defend itself on the underlying allegations in the case.  However, due to their eDiscovery problems, Morgan has been on its heels for several years, the appeals will continue, the legal bills will continue, and Morgan will spend perhaps tens of millions more than they would have spent had they had good records management, proactive and repeatable eDiscovery processes and a proactive information management infrastructure in the first place.


March 09, 2007

When is the "Honor System" Not Enough?

Much will be written in the coming weeks and months about the eDiscovery and preservation issues in the AMD/Intel case, and the court will ultimately decide the outcome there.  However, there are a number of practical issues that have come up in that case, that come up in many cases, and that apply to just about every entity that does business in the US.  The following is a discussion of some of those issues.

Two Sides of a Coin - Policy Management and a Repeatable eDiscovery Process

When thinking about eDiscovery it is helpful to think of two sides of a coin.  First, how is the "source" information being operationally managed.  Where do the emails and files sit, is there control over that content, and are any policies being systematically applied.  Second, on the other side of the coin, the question is - what is the process that is used after the subpoena or discovery request hits?  The two issues are tightly linked since the better the policy management of the electronically stored information, the more efficient and less risky the eDiscovery process can be.  A few observations are as follows:

  • When it comes to eDiscovery, proactive is good; reactive is bad.  "Proactive" begins NOT when the subpoena is received, but at the time information is created.

  • There is a need for a repeatable cross functional business process for eDiscovery.  That process will almost certainly include "hold notices" that rely on the employee "honor system", but also there will be a need for a "menu" of other collection and preservation methods that leverage the right IT infrastructure to drive out costs (especially intelligent federated search and automated collection) and to drive out risk (with forensically sound data collections, and a collection and preservation repository or "matter vault").

Policy Management

On the policy management side of the equation, the goal is to keep what you need and get rid of the content when it no longer has business or legal value.  One of the central questions is - how is classification to be achieved?  In an email environment, for example, there is everything from absolute junk to an enterprise's most critical content.  How do you sort that out?  The first steps are to get control over the information and to get cross functional inputs on what a simplified set of policies should be.  Some thoughts and considerations regarding policy management:

  • There is a need to have some control over email and unstructured content: (a) to leverage its business value, (b) to de-duplicate it and drive cost out of its management, and (c) to classify it so that it can be policy managed, "defensibly destroyed", and more efficiently discovered and preserved after the subpoena hits.

  • Proactive information management is critical.  You cannot policy manage a warehouse full of tapes.  For most enterprises, there is a need for some combination of archive, index, search and content management tools and strategies.

  • "Archiving" strategies allow information to be brought into a central repository to be indexed and policy managed.  Alternatively, there are developing "in place" information management strategies (Intelligent Information Management) where the information stays where it is (perhaps on shared drives, for example), but its metadata is mined, brought into a repository, orchestrated, and then policies are applied back to the information in place.

  • On the policy setting side, think "big buckets."  It is better to actually set and enforce a 3 year policy (i.e. really "push the delete button" after 3 years) than to set a 3 month policy that in fact is never enforced.

  • Consider what role, if any, you want employees to have in the classification of content.  Anticipate how they'll respond and the change management impacts.  Consider whether you want employees to act as a "filter" (merely making keep/don't keep decisions) rather than asking employees to become records managers (who get involved in tagging and classification of content).

  • Email box size limitations and even auto-delete policies, in the absence of some archiving or systematic records management tools, typically lead employees to create "personal archives" (psts, nsfs) on their own desktop hard drives and shared drives.  Thousands of psts and nsfs lead to a lack of information sharing, tremendous duplication and therefore no policy management, and costly eDiscovery.  Think of it this way - if a document resides on 1,000 desktops, you cannot delete it, but if it is de-duplicated in a central repository, with 1 object having 1,000 pointers to it, then it can be deleted.  The key is to have a policy you're actually going to be willing to enforce, and not allow the eDiscovery preservation obligations to overwhelm that policy (see below).

  • When choosing a policy for unstructured files and email, get cross functional inputs.  Some may want to delete everything after 30 days, and others may want to save everything forever.  Typically, the appropriate policies are somewhere in the middle.

  • If you choose a short policy, you must have extremely efficient and effective eDiscovery collection and hold processes and capabilities. If you don't, every time a subpoena hits you'll either: (a) take the risk of being held accountable for failure to preserve ("evidence spoliation") or (b) as a practical matter, you'll never actually enforce your "official" policy (nothing will be deleted because no one will be in a position to "push the delete button").

  • Remember that this is risk management.  There are no perfect answers, but the goal is to show that your program is thoughtful, reasonable, aligned with legitimate business objectives such as cost efficient information management, and that the program can be validated.

The eDiscovery Process and the Honor System

In an effort to meet legal "hold" or preservation of evidence responsibilities under the eDiscovery rules, it is standard practice for many companies to issue "hold" notices to employees directing them not to destroy certain categories of information.  In some respects, this is an "honor system" since employees may need to be trusted to follow the direction set forth in the notice.  Under what set of circumstances will the "honor system" be enough to meet preservation obligations?  Some thoughts and considerations regarding the eDiscovery process:

  • Establish a cross functional team - Legal needs previously identified contact people in IT and often in Records Management to drive the process.

  • Train the attorneys, RMs and other staff that as soon as they get notice of a case (a "triggering event" for litigation hold), they must do 2 things:  (1) identify the key witnesses and custodians and get them hold notices, and (2) contact the right people in IT to trigger their part of the process (and give direction to IT on the "menu" of choices for preservation - see below).

  • Maintain an audit trail of the hold notices.  This can be manual or automated, but if questioned, you have to be able to prove that you sent the right notices to the right people, that the proper directions were provided, that compliance with the notices was validated, reminders were sent as appropriate, and so on.  This is more art than science, but you have to show a reasonable effort (and what that means exactly is still being defined by the courts).

  • Create a source map or inventory.  Don't wait for the subpoena to hit before you figure out (even at a high level) what applications and content types you have, where the information resides and who is responsible for it.  There's a lot of judgment that goes into how you create your source map, but you might want to start simply (get a "top down" understanding of your key data sources).  This knowledge, together with technology tools, allows more focused collections and holds (rather than the attorneys saying that they don't know where anything is, so everything must be saved).

  • Remember - prior to a triggering event, there is no eDiscovery legal obligation to preserve content (thus the operational policies, discussed above, are what apply).  One key is to have an eDiscovery process and supporting tools that allow a company to continue to apply those operational policies, and not have to suspend them (i.e. continue to allow auto-deletes).

  • From the process side, consider a "menu approach" to litigation preservation.  In some instances the hold notices (honor system) will be fine.  For example, if a customer slips, falls and injures himself, and 10 employees see it, it probably won't be necessary to collect 10 desktops and conduct forensics on them.  That response is not proportional and therefore not reasonable. On the other hand, if a company is hit with a huge government investigation, and there are 100 witnesses/custodians, there may be a need to do more than just send notices.  Again, reasonableness should dictate.  For example, if 10 of the 100 witnesses are identified as the most critical, then perhaps in some cases all of their information should be completely locked down (mirrored drives, journaled emails etc), for the next 60 witnesses, perhaps some keyword searches across a repository are sufficient, and for the final 30, just notices are enough. 

  • When unstructured information and email is under management, then the tools that can be leveraged as part of the "menu" are more efficient and less risky.  With federated search, there is the capability of doing more automated, intelligent, focused collections (including by keyword) and achieving preservation at the same time.  The idea is that there are times when companies need to make a copy and collect relevant content into a secure "matter vault" repository.  This allows the company to continue to policy manage the underlying repositories because they now have a set of the content locked down for the legal case.  The "delete button" on the operational repository can continue to be pressed, without the lawyers telling IT "save everything because we're under investigation."
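The two mechanisms this post leans on, one de-duplicated object carrying many custodian pointers (the "1 object having 1,000 pointers" idea under Policy Management) and copying held content into a matter vault so the operational delete button can still be pressed, as an added Python example. It is constructed for this page and is not any product's logic: the Archive class, the 3 year retention period, the custodians "alice" and "bob", the keyword hold and the reuse of the post's "Smith v. ABC Corp" matter name are all assumptions made for the illustration.

```python
"""Constructed example: a de-duplicated archive with per-custodian pointers, retention,
keyword legal holds and a matter vault. Not a vendor implementation."""
import hashlib
from datetime import date, timedelta


class Archive:
    """One stored copy per distinct object; each custodian holds a pointer with its own ingest date."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.objects = {}   # digest -> content (single de-duplicated copy)
        self.pointers = {}  # digest -> list of (custodian, ingest_date)
        self.holds = {}     # digest -> set of matters relying on the operational copy
        self.vault = {}     # matter -> {digest: content} copied out for the case

    def ingest(self, custodian, content, when):
        digest = hashlib.sha256(content).hexdigest()
        self.objects.setdefault(digest, content)  # a repeat of the same bytes is only a pointer
        self.pointers.setdefault(digest, []).append((custodian, when))
        return digest

    def place_hold(self, matter, keyword):
        """Flag every object matching the keyword so retention must skip it until it is vaulted."""
        hits = [d for d, content in self.objects.items() if keyword in content]
        for d in hits:
            self.holds.setdefault(d, set()).add(matter)
        return hits

    def collect_to_vault(self, matter):
        """Copy everything on hold for the matter into its vault and lift the operational hold."""
        copied = self.vault.setdefault(matter, {})
        for d in [d for d, matters in self.holds.items() if matter in matters]:
            copied[d] = self.objects[d]
            self.holds[d].discard(matter)
            if not self.holds[d]:
                del self.holds[d]
        return sorted(copied)

    def apply_retention(self, today):
        """Push the delete button: drop expired pointers, then objects with no pointer and no hold."""
        deleted = []
        for d in list(self.objects):
            self.pointers[d] = [(c, w) for c, w in self.pointers[d] if w + self.retention > today]
            if not self.pointers[d] and d not in self.holds:
                del self.objects[d], self.pointers[d]
                deleted.append(d)
        return deleted


def demo():
    """Walk the post's scenario: dedup, a 3 year policy, a hold that blocks deletion, then a vault."""
    archive = Archive(retention_days=3 * 365)  # the "3 year policy" from the post
    memo = b"Q1 lease renewal terms"  # constructed content
    memo_id = archive.ingest("alice", memo, date(2007, 1, 10))
    archive.ingest("bob", memo, date(2008, 1, 10))  # same bytes: second pointer, no second copy
    junk_id = archive.ingest("alice", b"cafeteria menu", date(2007, 1, 10))
    objects_after_ingest = len(archive.objects)  # 2, not 3
    memo_pointers = len(archive.pointers[memo_id])  # 2
    held = archive.place_hold("Smith v. ABC Corp", b"lease")
    first_run = archive.apply_retention(date(2010, 2, 1))   # alice's pointers expire: junk goes
    second_run = archive.apply_retention(date(2011, 6, 1))  # bob's expires too, but the hold blocks
    vaulted = archive.collect_to_vault("Smith v. ABC Corp")
    third_run = archive.apply_retention(date(2011, 6, 1))   # vault holds the case copy: memo goes
    return {
        "objects_after_ingest": objects_after_ingest,
        "memo_pointers": memo_pointers,
        "held": held,
        "first_run": first_run,
        "junk_id": junk_id,
        "second_run": second_run,
        "vaulted": vaulted,
        "third_run": third_run,
        "vault_still_has_memo": archive.vault["Smith v. ABC Corp"].get(memo_id) == memo,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Each retention run prunes pointers custodian by custodian, so an object that is a year old for one person and brand new for another survives until the last pointer expires; a hold keeps the object even with no pointers left, and vaulting lifts that hold because the case now has its own locked-down copy.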

The key under the new rules is that if you have a good process in place and if you have tools built into your infrastructure, as the producing party, you'll be ready for the early meet and confer, and you can be transparent with the other side about the approach you're taking.  If they have a problem with it, then it will have to get resolved by the judge.  If not, a lot of uncertainty (which traditionally led to significant over-preservation) has been forced out of the process as a result of the new rules.

- Andrew Cohen

March 02, 2007

Northern District of CA Court Issues New Rule on Voice Mail Preservation

The US District Court for the Northern District of CA has just amended its local rules relating to eDiscovery to include that the evidence preservation obligation includes suspension of "on-going erasures of e-mails, voice mails, and other electronically recorded information."

In my view the rule doesn't make sense because of (i) the inclusion of voicemails, and (ii) the decision to use the undefined phrase "electronically recorded information" rather than "electronically stored information" (ESI), which is clearly defined in the rules.

From a customer perspective, I'm not sure how I'd respond to this, since it is just one court system (no other court is going to do this to my knowledge), but it does appear to create a new requirement for companies sued in N CA to find a way to preserve voice mails.

http://www.cand.uscourts.gov/CAND/FAQ.nsf/60126b66e42d004888256d4e007bce29/db239e741d61f67b88257104000c0652?OpenDocument

December 13, 2006

New Federal Rules Clarified

A number of media outlets have recently reported on "a new law that requires companies to keep all their emails forever". These reports refer to the new Federal Rules of Civil Procedure for eDiscovery, which went into effect on Dec 1, 2006.

- ESI - "electronically stored information" is now definitively subject to legal discovery (lawyers can no longer agree to completely ignore electronic content merely because they are more comfortable with paper documents);

- Transparency - at the beginning of every case, the lawyers now must "meet and confer", including to exchange information about the "sources" of information from which their client companies are, and are not, producing information. Essentially, this is requiring companies to throw open the doors of their IT departments to the lawyers, who will inevitably seek to discover company information from many "sources", and who may attack the way companies manage, preserve and destroy their information. (Additionally, information now has to be produced in a "reasonably usable" format, likely leading to more productions in native file formats.)

- Preservation - the concept of "litigation hold" or preservation of relevant information is not new, but it is now officially required in every federal case. This means that every time a company is placed on notice of a new case, the company must identify the information that is potentially relevant to that case, and preserve it for subsequent production to the other side in the case. For example, if a set of files that normally has a 1 year retention period is potentially relevant to the "Smith v. ABC Corp" case, those files must be retained by ABC Corp not just for 1 year, but for the life of the Smith case. Most enterprise customers have dozens or hundreds of cases at any given time, and without good tools to find and preserve what's relevant, they may end up "saving everything" for fear of destroying the wrong things. This will lead some to retain more information for longer periods. For many, saving everything will be too painful, and this creates a strong incentive to implement proactive processes and policy management of information.

Since every company that does business in the US is subject to litigation risk, the impact of these new rules is widespread and significant. In sum, eDiscovery increases the costs and risks of (i) failing to implement policy management of information (including so that it can be defensibly disposed of when it no longer has value), and (ii) failing to implement a repeatable and cross-functional business process for eDiscovery.

Andrew Cohen


  • Andrew Cohen is Associate General Counsel, and Vice President, Compliance Solutions for EMC