The proliferation of data and how it is being managed — or in most cases mismanaged — is causing more organizations to question whether they have information assets or liabilities.
Two of the major drivers pushing organizations to finally get their data under control are costs and risks.
“People are starting to get interested in reducing their overall data in many cases for regulatory issues,” said Dera Nevin, managing director and an electronic discovery lawyer at re:Discovery Law PC.
Nevin, who was speaking to the International Legal Technology Association last week at an event hosted by Norton Rose Fulbright Canada LLP, was part of a panel discussing best practices for information governance and how it and e-discovery are related.
“We have all this legal infrastructure, but nobody knows how to manage their electronic documents,” said Nevin.
“E-discovery is the pain point for information governance but they are actually quite separate disciplines. It’s a bit like tax and securities law merging together. One is a stakeholder of another and sometimes more than the other.”
Organizations are finding themselves awash in an information quandary, said Nevin. “Data is growing at 50 per cent a year, but storage budgets are growing linearly at eight per cent a year and so companies have hit the point where their long-term budgets for storage are completely inadequate to deal with the logarithmic effect of duplication of data.”
There are many situations that prompt organizations to consider the state of their information assets, often when they are under pressure to produce information on demand for mergers and acquisitions when systems can’t speak to each other and also in regulatory matters.
What it means to have information governance often depends on who the audience is and who is listening to your story, said David Rohde, senior director for consulting services at Epiq Systems Inc.
There are many stakeholders involved in information governance: the technology department, internal audit, the law department, records management people, and information security.
“Governing information could not be a more intangible construct given the ease with which we create, proliferate, and disseminate but do not manage disposition of information in the ordinary course of our business,” said Rohde.
Rohde recalled a situation involving a biomedical device manufacturer after it had received a subpoena in a Foreign Corrupt Practices Act matter in the United States. Complying with the subpoena request for information was outsourced to PricewaterhouseCoopers and the bill for it — not including the legal services — was more than $25 million because they had no idea where the information was.
“When they were done, they put a compliance chair at the board table and brought in a consultant to look at information governance. The information was an asset to them until it became a huge liability,” he said.
So what are some of the early warning signs a company has a data retention problem? Nevin says mailbox size limits are a red flag.
“If you hear a litigation client talking about this, it’s a red flag to get an e-discovery expert in there ASAP because they are dealing with duplicative data, dark data,” she said.
If that’s the case, the approach should be one of “dam the stream and drain the swamp,” said Rohde. “Stop the problem and get rid of legacy data. Take action.”
When you’re trying to determine how to tackle an information governance program, said Rohde, “be informed by its culture, its structure, its longevity” and whether it’s regulated or not or highly regulated such as the pharmaceutical industry or financial sector.
“Think of the value of information to you. If you’re dealing with a company that sells a product, then information may be in their mind incidental to the widget but trust me, there is value in the information that surrounds the supply chain, distribution, and marketing.”
Getting the various stakeholders in an organization on board with having an information governance system can be hugely beneficial.
“Cross functionality is a huge selling point,” said Rohde. “If you can get the constituencies to work together, you will get a couple of benefits and chief among them is buy-in and budget. Once you have some money, you should be able to get some things done.”
Nevin said she has been saying for some time now that electronic discovery is expensing through legal, something she said represents a failure of the enterprise to capitalize on information governance initiatives.
“I’ve been saying that for nine years and people are finally starting to get it,” she said.
Getting people to understand what is and isn’t a record can be a challenge whenever an organization thinks its data is important.
An important starting point is an information governance policy document along with a records retention schedule. The policy and the schedule should be separate.
“You want to refresh your schedule on a more regular basis,” said Rohde. “Your policy may inform your schedule refresh at about 18 months and that way you’re forced to look at what’s new. For example, if you didn’t have tweets or social media as a pervasive form of corporate marketing four years ago, you may need to address that, or a new acquisition.”
Defining the record retention period in the schedule is a combined legal and business function, said Nevin. “Where record retention period must be established by a law — that’s a legal function.
Classifying the records themselves is not really a legal function, but making sure the schedules are harmonious is a combined legal and specialist function.”
And information governance is becoming big business for lawyers. Rohde said of the AM Law 100 firms, about 30 of them have opened or rebranded a practice as an information governance practice in the last year.
“So information governance is now real because we have people with business cards and law degrees saying it’s real,” said Rohde.