Place image here

INFORMATION MANAGEMENT

Getting IT and Legal to Agree (on anything)

Bill Tolson, Director, Iron Mountain

2

Email as a Business Record

When is a document or email a business record?

An e-mail and or an

document/attachment is considered a

business record if it contains information

about the running of the business

An e-mail and or document/attachment

is usually considered a business record

if it contains information about an

employee or a potential employee

HR Brief

How are emails viewed by corporate governance?

3

Email as a Regulatory Record

How are email viewed by regulatory and legal bodies?

E-mail and documents are viewed by

regulatory agencies as an auditable

source of company information to track

how a company does business

Judicial bodies view records, including

emails and documents, as potential

evidence in civil lawsuits

4

ESI and eDiscovery

“Receiving a discovery request is like being pulled over for a broken headlight and having a full body cavity search performed on you.”

Fortune 500 CEO

5

The eDiscovery Trend is to Pull More in-HouseTo Reduce Cost and Risk

Yesterday/Today

Corporat

e Legal

Outside

Counsel

Trend

Corporat

e Legal

Outside

Counsel

6

Discovery and Legal Risk

Federal Rules of Civil ProcedureEffective Dec 2006, “now require organizations that operate within the U.S. to manage their electronic data so it can be produced in a timely and complete manner”•Organizations are reporting trigger events (audits, litigation, and investigations) at a 33% higher rate than previous years•Each litigation event offers the risk of sanctions due to info management practices

Compliance with new regulations re: personally identifiable information (PII)oHealth Insurance Portability and Accountability Act (HIPAA)o State Personal Information Security Laws

62% of executives said that eDiscovery was a top

driver for email management strategies- IDC survey conducted for Iron Mountain, 2009

7

Most Frequently Requested Record Types in eDiscovery

Telephone call recordings and other audio files

ESG Research Discovery Survey Nov 2007

5 %

1 6 %

2 1 %

2 5 %

2 9 %

3 6 %

4 1 %

4 9 %

6 0 %

8 0 %

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

General office productivity

documents

E-mail (and attachments)

Database records

Invoices and other customer

documents

Digital images

Instant messages

Video files

Other

Financial

statements

8

Average Age of Data RequestedESG Research Discovery Survey Nov 2007

0%

10%

20%

30%

40%

50%

60%

4% 4%

15

%

15

%

15

%

48

%

Don’t know /

refused to

answer

Most data is

less than 6

months old

Most data is

between 6

and 12

months

Most data is

between 12

and 24

months

Most data is

between 24

and 36

months

Most data

more than

36 months

old

9

An attempt at legal humor…

A minister and a lawyer arrived at the pearly gates, Saint Peter greeted both of them and gave them their room assignments.

"Pastor, here are the keys to one of our nicest efficiency units. And for you, sir, the keys to our finest penthouse suite.“ "This is unfair!" cried the minister. "Listen," Saint Peter said, "ministers are a dime a dozen up here, but this is the first lawyer we've ever seen."

10

BackupArchiving

Does a Backup Help in eDiscovery?

is for Discovery is for Recovery

Backups are not 100% inclusive

Backups do not perform retention management, short of saving everything

Backups are meant to recover data in case of a disaster

11

Tape is costly during litigation

In Toussie v. County of Suffolk , the county argued search of backups was overly burdensome. The court

narrowed the search request to 35 terms, but it still required an estimated 470 backup tape restorations at a

cost of $600,000-$900,000.

Tape consumption soars during periods of litigation

12

The Legal Standard for ESI Retention

The regular policy-based destruction of ESI (electronically stored information) including e-mail messages is a legal and appropriate business practice if no law or other obligation requires retention.

13

Legal Issues: Records ManagementWhat is a Record?

A record is information created, received, and maintained by an organization or person that is evidence of its activities or operations, and has value requiring its retention for a specific period of time.

It can be used in pursuance of legal and regulatory obligations.

– American National Standard ANSI/ARMA 9-2004

But…An item does not need to be classified a “Record” to be discoverable…

14

Where Does ESI Hide in the Corporate Infrastructure?

15

Company Desktop or Laptop

Network FileServer

PC Local Hard Disk

Removable CDs, DVDs

PrinteriPod

Mail Server: Automatic Deletion

USBDrives

Backup Tape

Recipient E-mail System

Employee Underground Archiving

WWW

Gmail, Hotmail, Yahoo, etc.

Blackberry or Palm

Employee Personal Home PC

Remote Offices

Aggressive Deletion Drives Underground Archiving

16

Litigation Risk of Over-Saving Electronic Documents

Collection - $1,500/PC- $1,000/GB network

files

Processing/Culling

$1,000/GB

Outside DocumentReview $200/hour per person @ 40

items/hour = $5/file or e-mail

50% of cost of litigation is discovery Majority of discovery is of electronic documents

Source: Socha Consulting

17

Legal Issues: Records Management

18

Blanket Retention Policies – Unsafe Harbors

“We save everything until our mail server gets full – then we delete everything and start anew.”

“We save everything for 30 (60 or 90) days and we’ve never had a problem.”

“We gave up trying to figure out individual retention rules and now keep everything for 10 (15 or 20) years.”

19

Retention Periods for Email and IM -Customer Survey

20

The Major Conflict(s)

Whose requirements are more important? Who pays? What about retention policies?

21

Not Speaking The Same Language?

22

Creating a Coordinated Corporate Initiative

23

Building an Records / eDiscovery Team

24

Eight Tenets Of Effective Document Retention Policies

1. Understand your regulatory requirements2. Understand how employees use data3. Create a common sense retention schedule4. Create a litigation hold process5. Inform and train your employees on the new policies6. Enforce the policies with audits and punishments if

not followed7. Ensure the language of the policy stands up to

scrutiny in the event of litigation by having outside counsel review the policy annually

8. Document everything

25

Don’t Let Perfect Be the Enemy of Good

- Perfect policies and discovery processes don’t exist- Don’t get stuck on defining perfection at the expense of

execution- Develop good policies, processes and practices today- Show the courts and regulators

- You have a policy- You are taking reasonable efforts to follow your policy- You have a discovery hold process which you periodically test- You know what data you have where- You destroy unneeded, older, non-litigation or compliance

related documents on a routine basis

- Improve your policy and processes over time

26

The Five Second Rule

The average employees will spend less than five seconds considering retention policies for a given email or document

If the organization's retention schedule is more complex then 3 choices, the employee will

either delete it or keep it indefinitely

So don’t make your retention policies unnecessarily complex

27

Email/ESI Classification Options

28

Possible Retention Policies

Universal retention period

29

Possible Retention Policies

Create role-based or “high water mark” retention polices based on regulatory requirements or best practices

- By corporate function/department

Sales

1 Year

Finance

3 Years

Marketing

6 Months

Investor Relations

7 Years

R&D

3 Years

Legal

30 Years

30

Possible Retention Policies

Manual - End-user driven…

Inbox

Project 1

Project 2

Project 3

Sent Items

No Retention

2 year retention

3 year retention

1 year retention after deletion

6 month retention

31

Possible Retention Policies

Automatic classification

Project 1

Project 2

Project 3

2 year retention

3 year retention

1 year retention after deletion

Policy

Engine

32

The Keys to Getting IT and Legal to Agree

1. Get them talking2. Put together a cross department team3. Make sure the other side understands your department’s

concerns4. IT – compliment the attorney’s on their choice of suits5. Legal – compliment IT on their choice of T-Shirt “content”6. IT – Don’t be intimidated by the corporate attorneys. If they were

real attorneys, they would be working for a big law firm…

33

Another attempt at humor…

The Los Angeles Police Department (LAPD), the FBI, and the CIA are all trying to prove that they are the best at apprehending criminals. The President decides to give them a test. He releases a rabbit into a forest and each of them has to catch it.

The CIA goes in. They place animal informants throughout the forest. They question all plant and mineral witnesses. After three months of extensive investigations they conclude that rabbits do not exist.

The FBI goes in. After two weeks with no leads they burn the forest, killing everything in it, including the rabbit, and they make no apologies. The rabbit had it coming.

The LAPD goes in. They come out two hours later with a badly beaten bear. The bear is yelling: "Okay! Okay! I'm a rabbit! I'm a rabbit!"

34

A True Story…

Attorney: Did you check for his blood pressure?Answer: NoAttorney: So, then is it possible that the patient was alive when you began the autopsy?Answer: NoAttorney: How can you be sure doctor?Answer: Because his brain was sitting on my desk in a jarAttorney: But could the patient have still been alive nevertheless?Answer: It is possible that he could have been alive and practicing law somewhere

Place image here

Questions

William.tolson@ironmountain.com