Management of electronic information
September 2010 | TALKINGPOINT | RISK MANAGEMENT
FW moderates a discussion between Joseph (Joe) Coltson at Harvester Forensics Ltd., Neal Lawson at Intelligent Discovery Solutions, Inc. and Michael A. Gold at Jeffer, Mangels, Butler & Mitchell LLP on how companies should look to manage electronic information.
FW: In your opinion, are companies paying enough attention to electronically stored information (ESI) strategies? Is there a lack of awareness about its importance?
Coltson: In my opinion companies are not paying enough attention to ESI. It has been my experience that companies tend to take a reactive stance when it comes to the management of ESI – one need only look as far as the US case of Takeda Pharm. Co., Ltd. v. Teva Pharm. USA, Inc., 2010 WL 2640492 (D. Del. June 21, 2010) wherein 18 years of ESI was requested. Many companies do not want to absorb the capital expense of giving ESI the importance it requires.
Lawson: I don’t think there is necessarily a lack of awareness but, for many companies, there certainly isn’t enough attention paid to it—due to a variety of factors including, but not limited to, time, resources, and company priorities. However, let me quickly praise those corporations who have shown a strong commitment to and have actualised strong ESI programs; they do exist. For those other companies, the question is why? For starters, there seems to be some disconnect between the needs of the core business with the necessity for a comprehensive ESI program. While the ramifications for a poor or non-existent ESI strategy are typically clear to the general counsel who has to fund discovery and disclosure activities, it’s less apparent (at least not as a priority) to the CEO or the board. At least, not until it’s too late. It’s almost as if the C-suite sees the ESI strategy as an optional insurance policy. The costs are real enough as are the headlines of others’ missteps but not being able to put a tangible value on risk mitigation or cost savings often makes the discussion a challenging one.
Gold: Many companies have stepped up to the line and recognise the significance of ESI and its legally effective management. This awareness has been prompted both by a recognition of the perils of ignoring the effective management of ESI and the considerable business benefits of being in control of ESI. Too many companies, however, continue to pay lip service to ESI management, for a variety of reasons, including cost issues and also not having personnel who are sufficiently trained to do the job of effectively managing ESI.
FW: Although most companies have implemented policies to secure their electronic data from external threats, many companies have failed to update their policies to protect against the ever increasing internal threats to data security. Can you outline the current threats to internal data security?
Lawson: Some top internal security threats include the lack of extrusion detection, disgruntled employees, and social networking. Extrusion detection is something I’ve been discussing with my clients for years and is one of the biggest internal data security threats they face today. Whether it’s a corporate spy, a vindictive co-worker, a misplaced computer asset, or an unsecured access point, ESI accessed from within an organisation is easily transmitted to outside sources. Second, disgruntled employees – regardless of the policies and controls in place – have access to sensitive ESI which gives them ample opportunity to steal or pass that information along. Protecting against and detecting such activity can be very challenging. Lastly, social networking issues are less about specific ESI records leaving an organisation and more about sensitive information being leaked, by accident or with intent. Much like email, people tend to be more comfortable and let their guard down while using social networking tools. People may vent issues, gossip, share personal facts and sometimes divulge sensitive corporate information.
Gold: I see the chief threat as a loss of control over a significant business asset – ESI – which in the long run increases the cost of dealing with important business information and exposes that information to unauthorised use (and misuse) by company personnel who do not understand the need to secure electronically stored information or who intend to make some wrongful use of the ESI, such as trade secret theft.
Coltson: It is a difficult task to protect against internal threats – whether it’s a disgruntled employee using webmail to send out company data, or that same employee carrying a thumbdrive in their pocket – internal threats are likely one of the most prevalent as far as data security goes. This risk doesn’t just sit in the lap of the disgruntled employee – how often do trusted employees lose their laptop or a thumbdrive in a public place?
FW: What impact does a high volume of ESI have on productivity and costs?
Gold: The costs incident to high volumes of ESI are varied. As I see the issue, it is not so much the volume of ESI that is the problem; storage costs are relatively low. The real problem is the personnel costs of dealing with ESI that is not effectively managed or stored. Absent ongoing destruction of unnecessary ESI pursuant to a thoughtful ESI retention policy and a ‘map’ of the company’s ESI, the costs of locating and retrieving ESI – say, for litigation purposes – can be extraordinarily high.
Coltson: A high volume of ESI normally means the lack of an effective data retention policy. The cost of data storage can become extremely significant if such a policy does not exist and the volume of data continues to grow – this growth is often exponential. The lack of that effective policy can also put an organisation at considerable risk – keep in mind when litigation holds are introduced, they are often done so to collect a breadth of data, oftentimes going as far back as is available. Without a proper data retention schedule a company may very well have to face the risks, and the costs inherent with the collection and review of data that would likely have otherwise not existed were a retention policy to be in effect.
Lawson: This issue depends on numerous factors. It depends on the existence and sophistication of a good ESI strategy. It’s less about the volume and more about the plan. Even with the ever-increasing ESI volumes, which is unlikely to change, a good ESI strategy can and should reduce your costs and increase your productivity. The key is to classify the types of ESI your organisation has, know where the data is stored, control how it is accessed, and have a strategy to locate only those records that are relevant when a request is made. Conversely, having a poorly designed or non-existent ESI strategy creates increased complexity, significant challenges and tangible risk. A lacking ESI program may lead to uncertainty and chaos that typically translates to increased cost and reduced productivity.
FW: What strategies should companies employ to manage their ESI? How can they reduce risks, ensure compliance and improve efficiency?
Gold: There are a variety of approaches. However, the biggest issue in my view is that companies keep far more ESI than necessary. Fundamentally, there are only three reasons to keep ESI on hand – support of business and financial functions, regulatory purposes and litigation response. If ESI does not meet one of those criteria, it is not necessary and should not be kept. Keeping enormous volumes of useless legacy ESI only enhances the costs and risks of storing and managing the ESI.
Coltson: First and foremost, companies need to adopt a records management policy, complete with a retention policy. The adoption of such policies greatly reduces the risk of over collection and analysis, the costs of which can be crippling. Where compliance is an issue, companies need to understand both their rights and obligations, and that understanding needs to go beyond the boardroom and into departments of production wherein ‘buy-in’ is essential. Where there is a disconnect, say, between the boardroom and the IT department, risk is created.
Lawson: Strategy is the key word. It’s not about tactical decisions or specific technology – there is no silver bullet. The primary strategy should identify guiding principles that drive corporate behaviour and day-to-day activities. There are a number of steps to take. First, spell out how individual and departmental goals support the corporate ESI vision. Second, create a culture where your ESI strategy receives the same level of care and feeding as your regulatory and compliance obligations. Missing the mark on your ESI strategy can have the same impact as violating regulatory obligations. Third, focus on education. Put simply, poor execution will eat good strategy for lunch every day. Finally, monitor the policies, procedures, and tools that make up and support your ESI strategy. Again, when developing ESI strategies focus on the macro. It’s very easy to get distracted with what’s in the weeds. The tactics and technology will become apparent once a clear map has been provided. Execute on these strategies then risk, compliance, and efficiency will work out.
FW: In your opinion, what are the top three most critical aspects to developing a successful ESI strategy?
Coltson: The top three most critical aspects for developing a successful ESI strategy are: risk mitigation, litigation readiness and cost reduction.
Gold: There are numerous factors that should be considered, but the three aspects that come immediately to mind are: end-user understanding and buy-in; consistently enforced ESI destruction criteria; and selection of ESI storage and management technology and tools.
Lawson: Keeping in mind the macro strategies outlined earlier, consider the following suggestions. First, create and maintain a corporate data map. Think extraordinary access to extraordinary information. A technology data map provides systems profiles that include a functional description, business purpose, data dictionary, retention schedules, user access, and interdependencies to name a few. Any time you need to make a change, find data, or modify your strategies the data map will allow you to make informed decisions. Second, response planning is the cornerstone of any successful ESI strategy. Whether it’s planning for disaster recovery, discovery/disclosure response, or government/regulatory inquiries, knowing how to respond will keep the corporate ESI engine running smoothly with little or no distraction. Ask yourself, how much easier response planning will be with a good data map. Third, decide what will be in-sourced and what will be outsourced and do both consistently. Evaluate, decide and commit. Uncertainty will lead to reduced productivity and increased costs.
FW: Should your ESI strategy be a reactive tool, used only during a crisis, or can it serve as a corporate asset?
Lawson: Creating an effective ESI strategy requires investment both in human resources and financial capital. As such, it must be treated as an asset, albeit an intangible asset. So here’s the bad news: while the Finance Committee will be able to measure, to the penny, the cost of developing and maintaining this asset, they will never be able to measure its value. Now for the silver lining: this asset will guide you through the reactive crisis. Whether a third party request, discovery or disclosure activities, or a board driven investigation, your ESI strategy provides the road map. The value of this asset is realised through its cost containment during these reactive crises as well as risk mitigation before, during, and after these crises. To better understand the exposure of not having an ESI strategy, search recent eDiscovery opinions that include adverse inference or sanction rulings.
Coltson: An ESI strategy should most certainly be approached as a proactive, corporate asset that seamlessly sits in the corporate infrastructure. By having a system in place, a company can mitigate risks and costs inherent in litigation as it moves forward – by utilising a system that is crisis driven, a company promotes that risk and greatly increases the cost per incident ratio. These systems and approaches are not cheap, and take considerable planning at multiple levels – the payoff exists once the risk is presented to the company, and it is effectively mitigated.
Gold: An ESI strategy, to be truly effective, cannot be merely defensive. The fact is that ESI, when properly managed, is a critical and valuable business asset. In some companies, it is the key asset. A sound ESI strategy certainly needs to have a defensive element; for example, companies need to be able to respond effectively to information requests made in litigation or regulatory proceedings. But companies also need to manage their ESI so that it is efficiently available as and when needed to support business and financial functions. This requires a proactive approach to ESI management, with all key ESI being adequately mapped and accessible to appropriate business and legal users. Simply storing more and more ESI, with no thought to where it is and how to access it effectively is a passive approach that does not serve any company’s long-term business interests.
FW: Should a company’s ESI strategy factor into corporate ‘cloud computing’ decisions? What is the downstream impact?
Lawson: Cloud computing is one of the hottest technology trends today. Companies are rushing to leverage it, while service providers are determining how to provide ‘cloud solutions’, or at least market them. While there are compelling advantages to leveraging the cloud, enter with eyes wide open. While IT spend can be reduced, there may be unforeseen effects. Key questions to consider include the following. Where, geographically, will my data be stored? Can I access and freely export my data? What data privacy or safe harbour regulations govern the data from the corporation’s perspective? Does the provider’s perspective match mine? Is my data co-mingled with others? Is this really the cloud? This last question can be a tricky one to answer. With PaaS, SaaS, and IaaS the true definition of ‘the Cloud’ and what you’re buying may be elusive. No matter which path you take, know what services you’re buying and how they impact and are governed by your ESI strategy.
Gold: Cloud computing is obviously a critical development and a dynamic space, with cost and security issues. The bottom line, as it always is with ESI strategies, is that any decision to employ cloud computing must be made in the context of a deep understanding of its benefits and downsides.
FW: Given the increasing level of ESI, should companies adopt a mindset of continually updating and improving their data management strategies?
Coltson: Data management, as with any improvement to infrastructure, is only as effective as the management of that system. It is imperative to view this system as a risk mitigator, and as such it requires continuous attention. Were the system allowed to become antiquated and thus ineffective, the cost couldn’t be justified and the risk would no longer be effectively mitigated.
Gold: Far too many companies implement an ESI strategy as part of an overall information retention policy and never look at it again to check that it ensures legal compliance and still effectively serves the company’s business, financial and legal interests. A passive approach to such strategies is a recipe for disaster.
Lawson: The tail shouldn’t wag the dog and an ESI strategy shouldn’t dictate the frequency at which an organisation updates its data management strategies. To be clear, data management strategies should be driven by business needs and not regulatory demands. Having said that, the impact to a company’s ESI and their ability to maintain an effective ESI strategy should certainly have a seat at the table. The most mundane technology decision can have a significant impact on a company’s ability to manage an ESI strategy as well as the cost to enact an ESI strategy for discovery or disclosure purposes. If a company has a historical framework for updating data management strategies, they should stick to it. Just make sure the ESI strategy has a seat at the table and is part of the conversation.
Joseph (Joe) Coltson is the President and one of the principal founders of Harvester Forensics Ltd., a litigation support firm specialising in eDiscovery, Forensic Investigations, records management and proactive training. Prior to developing the Harvester brand, Mr Coltson worked as a Vice President for a major international accounting firm as a leading member of their e-Discovery and Forensic Technology practice. Previous to that, Mr Coltson was an officer with the Peel Regional Police for 16 years. Mr Coltson has testified at all levels of court proceedings, and has been deemed an expert witness on a number of occasions, including Superior Court criminal proceedings, and civil litigation proceedings. He can be contacted on +1 (905) 582 6099 or by email: firstname.lastname@example.org.
Neal Lawson is the President and co-Founder of Intelligent Discovery Solutions, Inc (www.iDiscoverySolutions.com). Mr. Lawson has been consulting in the technology and litigation industries for over 16 years. Currently, Mr. Lawson serves as an eDiscovery expert and strategic consultant providing law firms and Fortune 500 corporations with electronic discovery, litigation readiness, and ESI strategy advice. Mr Lawson can be contacted on +1 (703) 209 824 or by email: NLawson@iDiscoverySolutions.com.
Michael A. Gold represents closely-held, entrepreneurial and early-stage companies and their owners across a wide spectrum of industries. In addition to domestic companies, he represents foreign companies in connection with the development and protection of their business interests in the United States. As part of his practice, Mr Gold routinely works with lawyers in other parts of the world, including Latin America and the Far East. In addition, he is a founder and co-chair of the firm's Discovery Technology Group, one of the first such practice groups in a major law firm. Mr Gold counsels clients in a wide variety of matters, including the development of computer-based information retention systems, forensic investigations of computer systems, computer and internet privacy issues and e-discovery. He can be contacted on +1 (310) 203 8080 x6435 or by email: JB7@JMBM.com.
© Financier Worldwide