Taking a step back could leap you ahead of eDiscovery€¦ · Taking a step back could leap you...
53
Taking a step back could leap you ahead of eDiscovery Legal Tech 2016 February 2, 2016
Transcript of Taking a step back could leap you ahead of eDiscovery€¦ · Taking a step back could leap you...
Taking a step back could leap you ahead of eDiscovery
Legal Tech 2016February 2, 2016
Gareth EvansGibson Dunn
Litigation Partner
Matthew LevyHewlett Packard Enterprise
Vice President, Legal Solutions
Marty ProvinJordan Lawrence
Executive Vice President
Michael SimonSeventh Samurai
Principal
SPEAKERS
1Legal
Perspective
2Key to
Defensibility
3Leveraging
Technology
PURPOSE
AGENDA
1. Information Governance: What Is It?
2. The Information Governance Problem
3. Information Governance: Is It A Duty?
4. A Solution: The Information Governance Program
5. Records Management: The Roadmap to Information Governance
6. Technology: The Gateway to Information Governance
Information Governance: What is it?
Information Governance: What Is It?
– Information governance is an integrated approach across records management, legal/compliance, and IT to manage and control information.
– Information is among the most valuable assets for most organizations.
– Intellectual property.
– Proprietary information.
– Confidential information.
– Mismanagement, unintended disclosure and misappropriation can be highly damaging.
– Information governance includes lifecycle management to address information risk management, business needs, litigation readiness, retention and disposal.
– An auditable, accountability program.
The Information Governance Problem
The Information Governance Problem:Why You Need To Manage Your Data Diet
– Storage is Not Cheap
– System Performance
– Data Privacy
– Litigation Spend
– Litigation Risk
– Data Security
Why Information Governance?
System Performance
For example, as quantity of saved emails increases:
– Efficient Operation of Servers is Compromised
– Backup Operations Become More Difficult to Complete in a Timely Manner
– Email servers may slow down (or malfunction as capacity limits are reached)
– Upgrades are complicated by burdensome migration of large quantities of saved messages
Why Information Governance?
– Many Global Data Privacy/Data Protection laws require that data with Personally Identifiable Information be kept no longer than necessary for business purposes
– PII defined broadly, and includes name, email address, and phone number on employee emails
Data Privacy/Protection
Why Information Governance?
–Enormous Impact on E-Discovery Spend
–Duty to preserve (oftenthrough collection)
–High costs for processing, searching & reviewing for production
Impact on Legal Spend
– 2012 RAND Study:– 70% of companies’ legal spend is on
litigation– 50% of that on discovery phase– 70% of that on document review
Pace & Zakaras, Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery (RAND 2012)
–$3M: Average Cost to Collect, Cull, Process and Review Info Per Case
Litigation Cost Survey of Major Companies 2010 (Duke Law School)
Impact on Legal Spend
Expected
- 50 custodians- 10 GB ea.- Tech. fees = $200k- Review cost = $840k
Actual
- 50 custodians- 50 GB ea.- Tech. fees = $1M- Review cost = $4M
No Data Disposal: A Real Life
Example Impact on Litigation
Spend
Medium-Sized Case
Impact on Legal Spend The Pay-Off for Volume Reduction
– E-discovery costs more or less scaled with volume
– Front end information management cuts costs in every step of discovery process
– Investments in information governance can pay off in large multiples
Reduce volume here Save money here
Why Information Governance?
– Unnecessarily kept data dramatically increases the potential costs and consequences of data breaches
Data Security
Organizational Information
1%Legal Hold
25%Business
Need
69%No Legal or
Business Value
5%
Retention Scheme
Source: 2012 Compliance, Governance and Oversight Council (CGOC) Survey
Almost 70% of Companies’Retained DataIs Unnecessary
Matters Departments Laws & Regs
Legal Holds
Systems
RetentionSchedules
Information
Legal Business RIM
IT
Current Practices Often Don’t Solve The Problem
• Legal, RIM & IT Separately Siloed
• End users are de facto records managers
• No Integration of Legal Holds &Retention Schedules with IT Processes
• Informal liaisons & “people glue” used to link discovery & regulatoryobligations to IM/IT practices
• Absence of reliable, repeatable systemsand processes
• “Our systematic approach is toover-preserve and keep everything.”
Source: 2012 CGOC Survey
Information Governance: is it A duty?
Information Governance: Is It A Duty?
Board members have fiduciary duties of care, loyalty and to remain informed.
Board and senior management generally responsible for overseeing the business and setting strategy so as to minimize unnecessary risks.
In re Caremark Int’l, Inc. Deriv. Litig. (Del. 1996):
“directors allowed a situation to develop and continue which exposed the corporation to enormous legal liability and in doing so they violated a duty to be active monitors of corporate performance.”
liability for breach of duty of care can arise “from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”
A Solution
The Information
Governance Program
A Strategy for Better Information Governance
1. Link business processes in Legal, RIM & IT to provide structural collaboration and transparency Use automation/technology to achieve systematic workflows and automated collaboration
– End the silo approach to records retention practices and legal holds
– These are enterprise processes rather than departmental processes
– Transparent, cross-functional processes for legal holds, discovery, record retention, and information management
22
A Strategy For Better Information Governance
2. Modernize the records management program so that it can provide reliable, actionable information procedures to IT for execution
– Role of records retention policy and schedules
– Role of technology solutions
A Strategy For Better Information Governance
3. Treat legal holds as an enterprise process rather than a legal department task utilize a technological solution
– Automated notification and tracking
– Automated preservation and collection
– Maintain inventories of holds and information under hold
– Written legal hold policy and procedures that are followed
– Focus on “consumption” of legal hold notices by custodians and information stewards rather than merely publication
– “Short form” hold notice vs. legalistic hold notice
A Strategy For Better Information Governance
4. Enable IT to determine—in real time—how to more efficiently and precisely manage data for the enterprise Rigorous Compliance + Defensible Disposal
– 98% of enterprise information is electronic and under the stewardship of IT
– What information does and does not have business value
– What information is subject to regulatory preservation obligations and what is not
– Who and what is on hold
– Treat IT as the consumer of records retention, records management, and legal hold information that is responsible for implementation
Matters Departments Laws & Regs
Legal Holds
Systems
RetentionSchedules
Information
Legal Business RIM
IT
Information Governance: Cross-Function Integration
Source: 2012 CGOC Survey
RECORDS MANAGEMENT
The Roadmap to Information Governance
What Makes Deletion Defensible?
BUSINESSPROCESSE
S
BUSINESSPROCESSES
RECORDSINVENTORY
WHAT
WHERE
BUSINESSPROCESSES
RETENTION
SENSITIVITY
The Key to Defensibility & Actionable Policies
Other
Information
Business
Value
Records
What are you Actually Keeping?
Accident/Incident Records
Advertising Records
Benefit Records
Budget Records
Contracts & Agreements
Coupon Records
Credit Approvals
Customer Information
Customer Orders
Employee Medical Files
Gift Card Functions
Payment Records
Sales Receipts
Engage the Business
1010100011
1001010011
0 1 1 0 1 0 0
1 0 0 1 0 1 1
0 1 0 0 1 1 0
1 0 0 1 1 0 1
1 0 0
0 1 0 0 1
Where is it?
BUSINESS NEEDS
DOL
PCI
GLB
HIPAA
OSHA
SEC
State Privacy Laws
Corporate Sensitive
PII
Customer Data
Intellectual Property
Bio Metric
Patient Health Info.
Sensitive EU
REQUIREMENTSSENSITIVITY
What are the requirements?
Benefit Enrollment & Participation
Distribution Centers HR - Benefits
HR – Canada HR – Compensation Human Resources HR - Regional
Health Information
Beneficiary #FMLADates of ServicePatient NamePatient Address
National ID Card #Partial Social Security #Social Security #
GovernmentID’s
Employment IDEmployment StatusHandicapped StatusMedical Conditions
Employment Information
AgeNameEmail AddressMarriage StatusPhysical AddressTelephone #
Personal Information
Insurance InformationRetirement Account
Financial Information
Corp - Legal ActionsEU - Health Status
Other
Applications3rd Party, Cognos , Microsoft Outlook, Microsoft SharePoint, PDF
Box Warehouse, Department File Cabinet, Secure File Cabinet
CD, DVD, Laptops, Shared Drives
Paper
Unstructured
Archive, Desktop Hard Drive, Email Inbox, Laptops, Printed Hard Copies, Shared Drives
20,000 GIGABYTES
50% ANNUAL GROWTH RATE
ACTIVE ENVIRONMENT
PII ON SHARED DRIVES (2+ ELEMENTS IDENTIFIED)
59 AREAS
206 RECORD TYPE PROFILES
[Word Documents, Power Points, PDFs, Excel Spreadsheets, Images, etc.]
50%
Less Than 3
Years Old30%
3 to 5
Years Old
20%
Older Than
5 Years
50% of Information on File Shares
Is More than 3 Years Old
Electronic Information on File Shares
6% Forward to Personal Email
20% Save to Flash Drives or DVDs84% Save to Laptops or Tablets
18% Save to Cloud Storage
59%
Aware
41%
Not
Aware
Information Security
Policy
Only 44%
Trained
69%
Aware
31%
Not
Aware
Records Retention
Policy37% Never
Dispose of
Records
Lack of Critical Policy Awareness
Over Retention Is a Substantial Cause of Risk to Sensitive Information
71% Retained
Longer
Shorter
In
Line
No
BP
Current Retention
Compared to Best Practice
48% Tagged with
Sensitive
Information
Show Your Work.
6. Technology—The Gateway to Information Governance
Organizations don’t understand what they have, where it lives, who owns it or its business context
Growing need to protect and retain all important information
Impact on business initiatives and ability to deliver services and results
High risk & valuable content presents unique management challenges & costs - defensibly dispose or securely manage
Global regulation driving lengthy and complex retention requirements and audit
Big data inflection points
How do I reduce cost associated with IT and information processes?
• Information footprint is growing exponentially along with costs to manage it
• Manual processes reduce staff efficiency and are error prone
• Storage is not optimized, data is not always stored according to value
How do I secure valuable business data and reduce risk?
• Dark data exists and is not being managed, retained or disposed appropriately
• Business critical and valuable data is not managed or secured according to its value and sensitivity
• Classification and application of policy to data is piecemeal and often not enterprise wide
BIG unstructured data challenges
Redundant, Obsolete, Trivial and Unknown
Legacy data tends to be:
– Redundant
– Duplicates and unauthorized copies
– Obsolete
– No longer in use or out of date
– Determined through creation, last modified or accessed date and retention policy
– Trivial
– File type with no content value
Legacy data resides in:
– Legacy applications and repositories,
– Unmanaged SharePoint sites, file shares and mail systems
What is legacy data?
What lies hidden in your enterprise data…the unknown?
Dark data tends to be:
– Human readable
– Unstructured
– Unindexed
– Unmanaged
– Inactive
– Orphaned
Dark data resides in:
– File servers
– SharePoint
– Email servers
What is dark data?
Legacy & dark data sitting outside the Information governance strategy exposes the organization to risk:
– Spiralling costs
– Expanding information footprint and storage costs
– Litigation and eDiscovery costs (“smoking gun” or inability to deliver)
– Security breaches and reputational damage
– Sensitive information unprotected (Personally Identifiable Information, Privacy regulations)
– Data leakage and misuse
– Poor business execution and performance
– Incorrect context
– Decisions based on outdated information
– Duplicate effort spent re-creating information
Risks of ignoring legacy and dark data
Three key zones to manage
Identify
Analyse
Classify
Manage
Preserve or Dispose
Records
5-15% of all data
Intellectual Property
25-50% of all data
ROT
30-70% of all data
Statistical data derived from Reference 2012 Compliance, Governance and Oversight Council Summit, as well as actual customer site data
Understanding the value of information
Make defensible disposal and retention an enterprise reality
• Allows organizations to identify “dark data”
• Understand data meaning and significance
• Categorize and classifyIdentify
• Treat related information consistently
• Apply policy to content type
• Streamline lifetime managementApply Policy
• Make management decisions on access, availability, location and disposition
• Actions supported by complete audit trail
Control & Take Action
Take action to manage-in-place, migrate or dispose
Process design
Stages of Legacy Data Cleanup
An inventory of your data holdings
Identify
– Identify data sources
– common repositories include SharePoint, Shared drives and Microsoft exchange
Index
– Metadata only index (light index)
– identifies redundant, obsolete and trivial data
– Provides insight into data aging and business relevance
– Metadata and content index
– Yields greater insight into business value and context
– Identify personally identifiable information (PII)
– Identify potential business records
Identify and index
Preparing for policy assignment
Assign data to categories
• Assess gaps between “actual” and “established” categories and groupings
• Train categories from file plan/classifications
– Filtering, sampling & document inspection
• Tag data into actionable groups (categories) based on analysis
Assign policies to tagged categories
• Use standard policies for disposition or ongoing management
• Workflow policies to route data through an approval process
• Audit logs of policy application and approvals
Organize
Cut down on the data volume, don’t keep everything forever.
Provide defensible disposition
• Report on items marked for deletion
• Seek approval from identified owners
• Review and approve workflow processes
• Execute deletion and de-duplication of tagged data based on policy
• Maintain audit log for policy application and execution (defensible disposition)
Big Data
Smart Data
Reduce
The pathway to ongoing information governance
Legacy data clean-up is not just about deleting redundant, obsolete & trivial data
– Merge valuable legacy data into your current information governance program.
– Declare as a record, move, secure move, apply a hold to manage in place
– Migrate cleaned legacy data between repositories or tiered storage
– Move declared legacy data records to the Records Management system
– Provide Lifetime management of new data through ongoing policy application
Manage/migrate
The benefits of legacy data clean-up
Thank you
53
