Information Governance & Management Practices, Managing Data to Lower Risk & Costs, and e-Discovery Implications

ILTA Meeting – April 25, 2013David Kearney – Volunteer City Representative

Overview

Why implement data management practices? “I just keep everything.”

Overview

Unmanaged data raises…Costs – Infrastructure, labor, power,

onsite/offsite storage, backups & disaster recovery, disguises true discovery costs, and review time.

Risks – Credibility, sanctions, internal burden, security, litigation, and compliance & regulation, e.g. Healthcare

OverviewInformation Governance (Managed Data)

Adds value by supporting the business strategyRevenue Efficiency Compliance

Overview

Information management practices should be implemented at all companies that may be subject to…LitigationRegulations and ComplianceClient/Customer Data Policies

OverviewApplied to Electronic Discovery Discovery is the process of exchanging evidence

between parties. During discovery, each side must share with the other side all information that is relevant to the matter, and significant penalties/sanctions may be levied on any party that does not hand over information properly.

Because discovery involves the physical collection, restoration, and review of information, it is a costly process. If the scope of the information an attorney requests is too broad and results in excessive information being produced, the litigation costs will be exponentially increased.

OverviewAddressed at the Far Left of the Electronic Discovery Reference Model

OVERVIEWEDRM - Information Management

Many issues can be better managed if this stage is taken seriously and implemented with consistent & sound practices.

This is THE STARTING POINT for the entire process. Sound and comprehensive information management strategies aid organizations in the identification, preservation, and collection steps of the process and can lower the number of documents that need to be preserved, collected, reviewed and produced. This is where more organizations can GET IT RIGHT. Furthermore, risks and costs are reduced.

Overview“Part of the reason eDiscovery is so

expensive is because companies have so much data that serves no business need. … Companies are going to realize that it’s important to get their information governance under control to get rid of the data that has no business need … in ways that will improve the company's bottom line…” — U.S. Magistrate Judge Andrew J. Peck, CGOC Faculty Member, in a video interview courtesy of JD Supra Law News, February 4, 2013.

OverviewSanctions have been issued for the failure to

preserve documents, negligence during the processes, and delay in delivering requests…

Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities, LLC

Harkabi v. SanDisk Qualcomm v. Broadcom Philip Morris Morgan Stanley

OverviewData Growth

40 Zettabytes is how much digitally stored data humankind will possess by 2020 - IDC

Data production will be 44 times greater in 2020 than it was in 2009.

According to estimates, the volume of business data worldwide, across all companies, doubles every 1.2 years.

According to execs, the influx of data is putting a strain on IT infrastructure. 55 percent of respondents reporting a slowdown of IT systems and 47 percent citing data security problems, according to a global survey from Avanade.

Data generation will become significant

even at the smallest of organizations

Information Management/Information Governance

The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements. –Wikipedia, 3/12/13

The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. -Gartner

A holistic approach to managing and leveraging information for business benefits and encompasses information quality, information protection and information life cycle management. -IBM

Records Management (RIM) Records Management is management responsible

for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.

A Record is any recorded information, regardless of medium or characteristics, made or received and retained by an organization in pursuance of legal obligations or in the transaction of business

Data Retention Policies Policies of Data Meeting Legal and Business Requirements Weighs Legal and Privacy Concerns Determination of Time, Rules, Data Formats Determination of Storage, Access, & Encryption A Legal Strategy that Affords Certain Legal

Protections

Resources IGRM (Information Governance Reference Model) - http://

www.edrm.net/projects/igrm

ARMA International - http://www.arma.org/

InfoGov Community - http://www.infogovcommunity.com/

AHIMA (American Health Information Management Association) - http://www.ahima.org/

Information Governance Reference Model (IGRM)Provides

Common, practical, & flexible framework Helps organizations develop and implement

effective and actionable information management programs

Offer guidance to stakeholders within organizations

Facilitates dialogue among stakeholders by providing a common language and reference for discussion and decision-making based on the needs of the organization

ARMA International Maturity Model for Information Governance Defines the characteristics of information

governance programs at differing levels of maturity, completeness, and effectiveness.

The Principle (Generally Accepted Recordkeeping Principles) frames 8 principles of recordkeeping; Accountability

Transparency

Integrity

Protection

Compliance

Availability

Retention

Disposition

ARMA International Maturity Model for Information Governance Characteristics typical for each of the

‘Principles’ (Generally Accepted Recordkeeping Principles) of recordkeeping; LEVEL 1 (Sub-standard)

LEVEL 2 (In Development)

LEVEL 3 (Essential)

LEVEL 4 (Proactive)

LEVEL5 (Transformational)

People, Process, & TechnologyOne of the reasons companies hesitate to

create and enforce retention policies is cost of software, cost of personnel needed to manage it, etc. But, the cost is minimal compared to paying a six-figure settlement.

This is a Business Initiative, NOT an exclusive IT, Records, or Legal problem.

The process needs defined, adopted, and audited

Technology to automate and assist in defined process needs identified, implemented, and audited

StakeholdersCollaboration Must Exist Between

Business Users – Operate the organizationRecords Management - Control of the

creation, receipt, maintenance, use, and disposition of records

IT – Implements mechanics of Info Governance

Legal Risk & Regulatory Departments - Understand the organization’s duty to preserve information beyond its immediate business value

Approach Identify what you have

Assess Risks Business needs Legal holds Regulatory obligations

Develop Plan

Document Plan

Implement Plan

Follow Plan – Consistency is Key

Audit Plan

Questions to Ask About DataDoes the Data Have Business Value

Is the Data a ‘Record’ and is it still under retention

Is the Data Under Legal Hold

Law Firms – Is the Data Firm Data or Client Data, Is it a Record, and Do Your Clients Know About It/That You Have Their Data

Corporations – Do You Know Where Your Data Is?

PracticesDevelop a transparent and collaborative team

Understand the locations (includes BYOD & Cloud) of the data & create data map

Understand the requirements for the data, such as regulations, cross-border issues, data types, business needs, and legal needs

Practices Manage all information, not just “records.” Connect legal, privacy and regulatory retention obligations

directly to relevant information. Retention periods must take into account the business

value of information in addition to legal and compliance value.

Identify where information is located. Ensure that retention and disposal obligations are

communicated and publicized in a language that stakeholders can understand.

Allow for flexibility to adapt to local laws, obligations and limitations.

Include a mechanism that allows legal and IT to collaborate in executing and terminating legal holds.

Identify and eliminate duplicate information.

Tools – EMC Comply with business rules and policies,

industry and governmental regulations, and assure security and privacy for employees, customers, and corporate intelligence. http://

www.emc.com/archiving/intelligent-archiving.htm

Ideal for: Large Enterprises, Financial Services, Healthcare

Built to: Improve storage management, Increase operational efficiencies, Implement compliance and reduce risk

Tools – NuixNuix information governance solutions transform your

organization's unstructured data from a liability to an asset with powerful technology and workflows for searching, investigating and actively managing information. http://www.nuix.com/

Solutions for e-Discovery, Information Governance, Investigation, Defensible Deletion, and Archive Search.

Enables you to respond quickly and effectively to litigation or regulatory action, mitigate risk, reduce costs and extract value from your data.

Tools – IBM The IBM InfoSphere Information Governance

solutions establish sustainable governance of information quality, master the complete lifecycle of information, secure and protect privacy and establish standards across all types of information projects. http://

www-01.ibm.com/software/data/information-governance/overview.html

Tools – Google VaultGoogle Vault, a set of information governance

tools for Google Apps customers.

Google Vault provides a place where businesses can manage, archive and preserve Google apps data, an action that is key to the eDiscovery process.

Of course, Google also brings search to bear on the eDiscovery problem because you can use Google search tools to find documents that meet certain criteria in an eDiscovery request.

OpportunitiesCorporate/C-Level Personnel

Attorneys

Business Units

Records Managers

Technologists

Roles We Can Play…Law Firms

Get the house in order Assist corporate clients to get their house in order

Corporations Proactively get the house in order (ideally before

an event) Advise in-house and/or outside counsel of

processes needed to develop info governance plan

Now is the time to understand and adopt information governance.

Don't be caught trying to extinguish a fire when fire prevention was

really the answer.