Date post: | 28-Dec-2015 |
Category: |
Documents |
Upload: | sara-harper |
View: | 213 times |
Download: | 0 times |
Place image here
INFORMATION MANAGEMENT
Getting IT and Legal to Agree (on anything)
Bill Tolson, Director, Iron Mountain
2
Email as a Business Record
When is a document or email a business record?
An e-mail and or an
document/attachment is considered a
business record if it contains information
about the running of the business
An e-mail and or document/attachment
is usually considered a business record
if it contains information about an
employee or a potential employee
HR Brief
How are emails viewed by corporate governance?
3
Email as a Regulatory Record
How are email viewed by regulatory and legal bodies?
E-mail and documents are viewed by
regulatory agencies as an auditable
source of company information to track
how a company does business
Judicial bodies view records, including
emails and documents, as potential
evidence in civil lawsuits
4
ESI and eDiscovery
“Receiving a discovery request is like being pulled over for a broken headlight and having a full body cavity search performed on you.”
Fortune 500 CEO
5
The eDiscovery Trend is to Pull More in-HouseTo Reduce Cost and Risk
Yesterday/Today
Corporat
e Legal
Outside
Counsel
Trend
Corporat
e Legal
Outside
Counsel
6
Discovery and Legal Risk
Federal Rules of Civil ProcedureEffective Dec 2006, “now require organizations that operate within the U.S. to manage their electronic data so it can be produced in a timely and complete manner”•Organizations are reporting trigger events (audits, litigation, and investigations) at a 33% higher rate than previous years•Each litigation event offers the risk of sanctions due to info management practices
Compliance with new regulations re: personally identifiable information (PII)oHealth Insurance Portability and Accountability Act (HIPAA)o State Personal Information Security Laws
62% of executives said that eDiscovery was a top
driver for email management strategies- IDC survey conducted for Iron Mountain, 2009
7
Most Frequently Requested Record Types in eDiscovery
Telephone call recordings and other audio files
ESG Research Discovery Survey Nov 2007
5 %
1 6 %
2 1 %
2 5 %
2 9 %
3 6 %
4 1 %
4 9 %
6 0 %
8 0 %
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%
General office productivity
documents
E-mail (and attachments)
Database records
Invoices and other customer
documents
Digital images
Instant messages
Video files
Other
Financial
statements
8
Average Age of Data RequestedESG Research Discovery Survey Nov 2007
0%
10%
20%
30%
40%
50%
60%
4% 4%
15
%
15
%
15
%
48
%
Don’t know /
refused to
answer
Most data is
less than 6
months old
Most data is
between 6
and 12
months
Most data is
between 12
and 24
months
Most data is
between 24
and 36
months
Most data
more than
36 months
old
9
An attempt at legal humor…
A minister and a lawyer arrived at the pearly gates, Saint Peter greeted both of them and gave them their room assignments.
"Pastor, here are the keys to one of our nicest efficiency units. And for you, sir, the keys to our finest penthouse suite.“ "This is unfair!" cried the minister. "Listen," Saint Peter said, "ministers are a dime a dozen up here, but this is the first lawyer we've ever seen."
10
BackupArchiving
Does a Backup Help in eDiscovery?
is for Discovery is for Recovery
Backups are not 100% inclusive
Backups do not perform retention management, short of saving everything
Backups are meant to recover data in case of a disaster
11
Tape is costly during litigation
In Toussie v. County of Suffolk , the county argued search of backups was overly burdensome. The court
narrowed the search request to 35 terms, but it still required an estimated 470 backup tape restorations at a
cost of $600,000-$900,000.
Tape consumption soars during periods of litigation
12
The Legal Standard for ESI Retention
The regular policy-based destruction of ESI (electronically stored information) including e-mail messages is a legal and appropriate business practice if no law or other obligation requires retention.
13
Legal Issues: Records ManagementWhat is a Record?
A record is information created, received, and maintained by an organization or person that is evidence of its activities or operations, and has value requiring its retention for a specific period of time.
It can be used in pursuance of legal and regulatory obligations.
– American National Standard ANSI/ARMA 9-2004
But…An item does not need to be classified a “Record” to be discoverable…
15
Company Desktop or Laptop
Network FileServer
PC Local Hard Disk
Removable CDs, DVDs
PrinteriPod
Mail Server: Automatic Deletion
USBDrives
Backup Tape
Recipient E-mail System
Employee Underground Archiving
WWW
Gmail, Hotmail, Yahoo, etc.
Blackberry or Palm
Employee Personal Home PC
Remote Offices
Aggressive Deletion Drives Underground Archiving
16
Litigation Risk of Over-Saving Electronic Documents
Collection - $1,500/PC- $1,000/GB network
files
Processing/Culling
$1,000/GB
Outside DocumentReview $200/hour per person @ 40
items/hour = $5/file or e-mail
50% of cost of litigation is discovery Majority of discovery is of electronic documents
Source: Socha Consulting
18
Blanket Retention Policies – Unsafe Harbors
“We save everything until our mail server gets full – then we delete everything and start anew.”
“We save everything for 30 (60 or 90) days and we’ve never had a problem.”
“We gave up trying to figure out individual retention rules and now keep everything for 10 (15 or 20) years.”
20
The Major Conflict(s)
Whose requirements are more important? Who pays? What about retention policies?
24
Eight Tenets Of Effective Document Retention Policies
1. Understand your regulatory requirements2. Understand how employees use data3. Create a common sense retention schedule4. Create a litigation hold process5. Inform and train your employees on the new policies6. Enforce the policies with audits and punishments if
not followed7. Ensure the language of the policy stands up to
scrutiny in the event of litigation by having outside counsel review the policy annually
8. Document everything
25
Don’t Let Perfect Be the Enemy of Good
- Perfect policies and discovery processes don’t exist- Don’t get stuck on defining perfection at the expense of
execution- Develop good policies, processes and practices today- Show the courts and regulators
- You have a policy- You are taking reasonable efforts to follow your policy- You have a discovery hold process which you periodically test- You know what data you have where- You destroy unneeded, older, non-litigation or compliance
related documents on a routine basis
- Improve your policy and processes over time
26
The Five Second Rule
The average employees will spend less than five seconds considering retention policies for a given email or document
If the organization's retention schedule is more complex then 3 choices, the employee will
either delete it or keep it indefinitely
So don’t make your retention policies unnecessarily complex
29
Possible Retention Policies
Create role-based or “high water mark” retention polices based on regulatory requirements or best practices
- By corporate function/department
Sales
1 Year
Finance
3 Years
Marketing
6 Months
Investor Relations
7 Years
R&D
3 Years
Legal
30 Years
30
Possible Retention Policies
Manual - End-user driven…
Inbox
Project 1
Project 2
Project 3
Sent Items
No Retention
2 year retention
3 year retention
1 year retention after deletion
6 month retention
31
Possible Retention Policies
Automatic classification
Project 1
Project 2
Project 3
2 year retention
3 year retention
1 year retention after deletion
Policy
Engine
32
The Keys to Getting IT and Legal to Agree
1. Get them talking2. Put together a cross department team3. Make sure the other side understands your department’s
concerns4. IT – compliment the attorney’s on their choice of suits5. Legal – compliment IT on their choice of T-Shirt “content”6. IT – Don’t be intimidated by the corporate attorneys. If they were
real attorneys, they would be working for a big law firm…
33
Another attempt at humor…
The Los Angeles Police Department (LAPD), the FBI, and the CIA are all trying to prove that they are the best at apprehending criminals. The President decides to give them a test. He releases a rabbit into a forest and each of them has to catch it.
The CIA goes in. They place animal informants throughout the forest. They question all plant and mineral witnesses. After three months of extensive investigations they conclude that rabbits do not exist.
The FBI goes in. After two weeks with no leads they burn the forest, killing everything in it, including the rabbit, and they make no apologies. The rabbit had it coming.
The LAPD goes in. They come out two hours later with a badly beaten bear. The bear is yelling: "Okay! Okay! I'm a rabbit! I'm a rabbit!"
34
A True Story…
Attorney: Did you check for his blood pressure?Answer: NoAttorney: So, then is it possible that the patient was alive when you began the autopsy?Answer: NoAttorney: How can you be sure doctor?Answer: Because his brain was sitting on my desk in a jarAttorney: But could the patient have still been alive nevertheless?Answer: It is possible that he could have been alive and practicing law somewhere