Showing posts with label E-Discovery. Show all posts

Tuesday, November 29, 2022

E-Discovery and Information Governance

More and more companies are operating throughout the world, so the impact of differing requirements for e-discovery is increasing, especially those relating to privacy. The rules tend to be much more rigorous outside the United States, particularly in the European Union.

Europe has adopted the General Data Protection Regulation (GDPR), which was promulgated in April 2016 and has a two-year implementation timeframe. It regulates the manner in which data can be collected and moved across international borders. The regulation makes an e-discovery company or law firm responsible for any compliance failure. If there is a breach, the data handling entity can be held liable for up to 4% of its gross revenues worldwide, whether the breach was intentional or not.

A number of other trends are occurring in international litigation that are having an effect on e-discovery. Litigation is beginning to be seen as a business strategy in Asia as evidenced by the aggressive litigation some Korean electronics companies are taking with regard to protecting their IP. Those companies are seeing the potential benefits of using litigation as a method to protect or monetize their IP, which results in greater requirements for e-discovery.

Other factors are also driving the demand for e-discovery. The United States was the first country to carry out antitrust investigations that reached beyond its borders, and there is a domino effect with other countries now doing the same thing. These government investigations are often followed by class action lawsuits, creating additional challenges for the multinational companies.

The international nature of that litigation also creates more issues with respect to moving data across borders. Therefore, it is all the more important for companies to be aware of local laws and customs regarding privacy.

One question raised by the proliferation of data is whether it will become a more frequent target of e-discovery.

Potential issues abound, including whether personally identifiable information (PII) is involved. Most information is stored in structured databases, and it could be used in litigation to make a claim that an individual was doing something at a certain time. The information may or may not be encrypted; it could also involve health data from wearable devices, for example, that could be considered PII. Organizations may need to take a step back and think about who the custodian is, whether the data could be part of e-discovery and whether it is being appropriately protected.

Moving to the cloud

Every organization has information stored across a multitude of systems, computers, shared drives, repositories, and now a lot of this information is moving to the cloud. This is going to require a new approach and new technologies in order to address the challenges arising from the growing volume and format of information being generated.

Managing cloud-based content may be new to an organization, and as a result there might be uncertainty about the risks involved and the various approaches to mitigating them.

Most cloud repositories lack information governance. This means that an appropriate architecture and supporting processes have to be put in place to ensure that content is properly governed and managed. By joining a cloud-enabled information governance platform with those cloud content repositories, an organization will be able to make those cloud-based repositories compliant with e-discovery requirements.

SaaS-based delivery models for e-discovery are becoming more prevalent. The move to Office 365 is another part of this equation. With more data in the cloud, it makes sense to have cloud-based e-discovery solutions. The established benefits of SaaS delivery such as scalability, faster release of new features and simpler interfaces apply to e-discovery as well.

SaaS delivery also offers simpler inclusive cost models and, in general, lower costs than on-premise and legacy hosted products. 

Information governance should be deployed within a traditional IT infrastructure, a cloud-based environment, or a hybrid of traditional and cloud infrastructure. Information governance is rapidly moving toward an enterprise service model that enables organizations to deploy shared services across the complex IT infrastructure, eliminates dependence on users, and enables uniform governance across all applications and systems.

In order to remain competitive and maintain costs, organizations must consider information governance as a service. Technologies with a flexible central policy engine capable of managing the challenges of complex, federated governance environments are going to be the ones that enable organizations to make the most strategic use of information. These technologies have an enforcement model not tied to a specific store or repository but leverage standards to enable automatic enforcement across all systems, repositories, applications, and platforms. 

Monday, March 26, 2018

E-Discovery and its Stages

Every organization should take necessary steps to be prepared for E-Discovery. What is E-Discovery?

Electronic discovery or E-Discovery refers to discovery in legal proceedings such as litigation or government investigations where the information sought is in electronic format. This information is often referred to as electronically stored information or ESI.

Electronic information is considered different from paper information because of its intangible form, volume, transience, and persistence. Electronic information is usually accompanied by metadata that is not found in paper documents and it can play an important part as evidence. For example, the date and time a document was written could be useful in a copyright case. The preservation of metadata from electronic documents creates special challenges to prevent its destruction.

E-Discovery Stages

Identification

The identification phase is when potentially applicable documents are identified for further analysis and review. Failure to issue a written legal hold notice whenever litigation is reasonably anticipated will be deemed grossly negligent. This is why it is very important to implement legal holds on specific electronic information.

Custodians who are in possession of potentially relevant information or documents should be identified. To ensure a complete identification of data sources, data mapping techniques can be used. Since the scope of data can be overwhelming in this phase, attempts are made to reduce the overall scope during this phase, such as limiting the identification of documents to a certain date range or search term(s) to avoid an overly burdensome volume of information to be on legal hold.

Preservation

A duty to preserve begins upon the reasonable anticipation of litigation. During preservation, data identified as potentially relevant is placed in a legal hold. This ensures that data cannot be destroyed. Care should be taken to ensure this process is defensible, while the end-goal is to reduce the possibility of data destruction. Failure to preserve data can lead to sanctions. Even if the court rules the failure to preserve as negligence, they can force the accused party to pay fines if the lost data puts the defense at an undue disadvantage in establishing their defense.

Collection

Once documents have been preserved, collection can begin. Collection is the transfer of data from a company to their legal counsel, who will determine relevance and disposition of data. Some companies that deal with frequent litigation have software in place to quickly place legal holds on certain custodians when an event (such as legal notice) is triggered and begin the collection process immediately. The size and scale of this collection is determined by the identification phase.

Processing

During the processing phase, native files are prepared to be loaded into a document review platform. Often, this phase also involves the extraction of text and metadata from the native files. Various data sorting techniques are employed during this phase, such as de-duplication. Sometimes native files will be converted to a paper-like format (such as PDF or TIFF) at this stage, to allow for easier redaction labeling.

Modern processing tools can also employ advanced analytic tools to help document review attorneys more accurately identify potentially relevant documents.

Review

During the review phase, documents are reviewed for responsiveness to discovery requests and for privilege. Different document review platforms can assist in many tasks related to this process, including the rapid identification of potentially relevant documents, and the sorting of documents according to various criteria (such as keyword, date range, etc.). Most review tools also make it easy for large groups of document review attorneys to work on cases, featuring collaborative tools and batches to speed up the review process and eliminate work duplication.

Production

Documents are turned over to opposing counsel, based on agreed-upon specifications. Often this production is accompanied by a load file, which is used to load documents into a document review platform. Documents can be produced either as native files, or in a paper-like format (such as PDF or TIFF), alongside metadata.

Types of ESI

Any data that is stored in an electronic form may be subject to production under common E-Discovery rules. This type of data can include email and office documents, photos, video, databases, and other file types such as raw data.

Litigators may review information from E-Discovery in one of several formats: printed paper, "native file", or a paper-like format, such as PDF files or TIFF images. Modern document review platforms accommodate the use of native files, and allow for them to be converted to PDF and TIFF files. Some archiving systems apply a unique code to each archived message or chat to establish authenticity. The systems prevent alterations to original messages, messages cannot be deleted, and the messages cannot be accessed by unauthorized persons.

Because E-Discovery requires the review of documents in their original file formats, applications capable of opening multiple file formats would be very useful.

In order to prevent data to be inadvertently destroyed, companies should deploy which properly preserves data across companies, preventing inadvertent data destruction.

Proper retention and management of electronically stored information (ESI) is crucial in every organization in order to be able to comply with E-Discovery process. Improper management of ESI can result in a finding of evidence destruction and the imposition of sanctions and fines.

We have helped many organizations with their E-Discovery preparedness in the last 17 years. We can do the same for you. Please call us for a free consultation.

Thursday, January 25, 2018

E-discovery and Legal Processes

The stronger the handle a company has on the status of each legal hold, the less effort and financial strain litigation will place on the company.

Data must be protected during e-discovery just as it is when it is a part of any other business activity.

The degree of security risk depends on the nature of the data. Standard business contracts might not be highly sensitive and thus create minimal risk, but exposure of intellectual property that represents the crown jewels of a company could be a major risk.

Data that attackers go after most often, such as credit card and bank account information, is not frequently subject to e-discovery requests, but other types of highly sensitive data such as executive communications, strategic projections and financial performance data are often found in litigation.

Unfortunately, the business people who are in the best position to understand the risk value of the data are not those who are responsible for ensuring its protection during the discovery process. This function is carried out by the IT department or by the legal department. And so it is important for internal stakeholders to communicate effectively. Companies need to focus on protecting their most important and valuable data. Not everyone in a company will agree on what that is, but it’s essential to have this conversation.

Some companies have been using manual methods for legal holds until just a few years ago. Legal holds are required when a company might reasonably expect litigation and therefore should not delete information that might be relevant to the litigation.

Managing legal hold helps minimize the risk of financial and other court sanctions for failing to preserve data. Data is scattered throughout companies and has become progressively more difficult to manage. Companies are dealing with big data, data in shared repositories such as Box.com, data on mobile devices, and so on.

People tend to keep everything. When legal hold is used effectively, companies can meet their preservation duties, then do targeted collections as needed in the case. Good hold process plus targeted collections can significantly reduce the amount of information that must be reviewed by attorneys, which accounts for 70% of e-discovery costs. It is important to check the information of terminated employees to see if it might be subject to hold.

Another value proposition in using an automated legal hold solution that is integrated with collections and first-pass review is the ability to re-purpose a collection. The same collection and review tagging could be used again by adding only the incremental data generated since the original one.

Several trends are contributing to strong growth in the e-discovery market, including the ever increasing amount of litigation, greater volumes of data and a move toward adding in-house e-discovery capabilities. Each product has particular strengths, and that wide array offers options that can be used very selectively or in conjunction with each other to meet a company’s goals.

In addition to a group of large e-discovery vendors, many smaller vendors have products that are working well for their customers.

Once a set of documents is located that may be responsive to the e-discovery request, it needs to be searched. The effective use of human skills in conjunction with computer capabilities is a key ingredient in winnowing down the volume of data that needs to be reviewed by attorneys or other legal professionals. Technology-assisted review (TAR), also called predictive coding, is a method for training a computer to spot documents that may be relevant and distinguish them from those that are not.

One of the tools to consider is Catalyst Insight.

Catalyst Insight is a secure cloud-based platform where clients can search, review, mark and produce documents. It can be augmented with Insight Predict, a predictive ranking TAR 2.0 solution that uses continuous active learning (CAL) to speed the review process by allowing technology to work alongside the judgments that human reviewers make. The solution brings the most relevant documents to the top of the list rather than working in a linear fashion.

The company’s TAR 2.0 software is specially designed for e-discovery. With TAR 2.0, attorneys and legal professionals who are subject matter experts do the initial coding for relevancy. Each of their judgments about the relevancy of a document is fed back to the system as a means of "training" to identify others that also might be relevant.

TAR 2.0 allows new coding to be immediately incorporated into the algorithm for searching the document repository so that it is correctly tuned to the current problem domain.

As a cloud product, Legal Hold Pro is quick and easy to launch, and is updated frequently. There is no burden on the IT staff for software maintenance.

In general, cloud providers understand that a data breach poses an existential threat to their business. If they lose a client’s information, especially in a sensitive context such as financial or legal activities, the reputation damage can be severe.

The well established companies understand this. Nevertheless, it is important to discuss with the provider what measures they are taking to protect your sensitive data. There has been quite a bit of fear about the cloud, but for the most part, data can be as safe in the cloud environment as it would be within the organization so long as best practices around access controls and other security measures are employed.

In the future, more sophisticated technology will allow such actions as the reuse of attorney judgments, checking for outliers and monitoring the repository for problems in advance. This kind of proactive strategy will help companies reduce their risk exposure and speed up e-discovery.

Sunday, April 30, 2017

E-Discovery Tools

Electronic discovery or e-discovery refers to discovery in legal proceedings such as litigation or government investigations where the information sought is in electronic format. The ever increasing amount of litigation, greater volumes of data and a move toward adding in-house e-discovery capabilities require strong tools for e-discovery.

Data is scattered throughout companies and has become progressively more difficult to manage. Companies are dealing with big data, data in shared repositories such as Box.com, data on mobile devices, etc.

Data must be protected during e-discovery just as it is when it is a part of any other business activity. The degree of security risk depends on the nature of the data. Standard business contracts might not be highly sensitive and thus create minimal risk, but exposure of intellectual property that represents the crown jewels of a company could be a major risk.

When legal hold is used effectively, companies can meet their preservation duties, then do targeted collections as needed in the case. Good hold process plus targeted collections can significantly reduce the amount of information that must be reviewed by attorneys, which accounts for 70 percent of e-discovery costs.

Another value proposition in using an automated legal hold solution that is integrated with collections and first-pass review is the ability to re-purpose a collection.

Cloud offerings could be used to centralize all this data in one place for efficient reuse and risk management.

Several trends are contributing to strong growth in e-discovery tools. In addition to a group of large e-discovery vendors, many smaller vendors have products that are working well for their customers, and there is also room for new entrants that improve performance or address specific needs.

Each product has particular strengths, and that wide array offers options that can be used very selectively or in conjunction with each other to meet a company’s goals.

Sometimes, legal holds are required. This is the case when a company might reasonably expect litigation and therefore should not delete information that might be relevant to the litigation.

Legal Hold Pro

This application has templates for the system and the database with the contact information for employees who are custodians of data. The system can also be used to track the information and people affected, automate the interviews with custodians, send reminders and release holds when appropriate. It allows users to check the information of terminated employees to see if it might be subject to hold, and to review responses from custodians to create the collection plan.

The same collection and review tagging could be used again by adding only the incremental data generated since the original one.

As a cloud product, Legal Hold Pro is quick and easy to launch, and is updated frequently.

Technology-assisted review (TAR)

Once a set of documents is located that may be responsive to the e-discovery request, it needs to be searched. The effective use of human skills in conjunction with computer capabilities is a key ingredient in reducing the volume of data that needs to be reviewed by attorneys or other legal professionals.

Technology-assisted review (TAR), also called predictive coding, is a method for training a computer to spot documents that may be relevant and distinguish them from those that are not.

Catalyst

Catalyst provides e-discovery software and services.

Catalyst Insight is a secure cloud-based platform where clients can search, review, mark and produce documents. It can be augmented with Insight Predict, a predictive ranking TAR 2.0 solution that uses continuous active learning (CAL) to speed the review process by allowing technology to work alongside the judgments that human reviewers make. The solution brings the most relevant documents to the top of the list rather than working in a linear fashion.

The company’s TAR 2.0 software is specially designed for e-discovery. Some of the early TAR products were re-purposed machine learning tools. They can work in situations where the target documents are a large proportion of the total, but if you are looking for the one percent that are ‘hot docs,’ then they are not as effective. With TAR 2.0, attorneys and legal professionals who are subject matter experts do the initial coding for relevancy. Each of their judgments about the relevancy of a document is fed back to the system as a means of “training” to identify others that also might be relevant.

In the case of earlier versions of TAR, adding new documents caused the random sampling assumptions to no longer be correct. Unlike earlier products, which had a finite learning phase and then a production phase, TAR 2.0 allows new coding to be immediately incorporated into the algorithm for searching the document repository so that it is correctly tuned to the current problem domain.

It allows every decision made by an attorney to be put to maximum use, allowing humans to do what they do best, and then let the computer do what it does best, which is to quickly surface the relevant documents.

One practical limitation of early versions of TAR was that it could not handle small volumes of documents because the usual percentage of samples did not provide enough examples from which the computer could learn. This was improved in later versions of the tool.

Recommind

In 2006, the federal rules for discovery changed to include discovery of electronic information. E-discovery includes the collection, processing and analysis of e-mail and other electronic documents that might be relevant to a case, including determination of whether the documents are indeed relevant.

What sets Recommind apart from many industry solutions is the ability to prioritize records and pull together similar records.

Recommind’s Axcelerate product can research, collate and assemble electronic records into reports. The electronic records for a single case can sometimes number into the millions.

Axcelerate’s adaptive batching expedites the feedback loop on search or analytics-based document sets, making continued batching not just automatic, but also conditional on the relevancy found through sampling. That enables a law firm to determine by batch if certain records are indeed relevant to a case, rather than reviewing them individually.

Magnum Software

It allows users to quickly search, annotate and link to portions of documents. The collaboration capability is quite robust. Users can share their work product with any other users or groups of users via a one-click e-mail alert.

The alert automatically includes a direct link to the note and passage so the recipient can log in from anywhere, review the remarks and continue the discussion thread within Opus 2 Magnum. Additionally, multiple users can “chat” within the application.

The application works much better with smaller files than loading them all to a large database, but Magnum can also scale for larger file sizes.

Exterro

This is an excellent tool for eDiscovery. It covers eDiscovery and other records management needs in a single platform. The Genome data mapping module can be added, which makes it an excellent solution for data mapping.

With the increasing number of records and need to keep track of them and pull them together efficiently, the demand for KM technology for records and information management will continue to grow.

Galaxy Consulting has 17 years of experience in ensuring that the e-discovery process goes smoothly.

Thursday, October 31, 2013

Information Governance With SharePoint

The goals of any enterprise content management (ECM) system are to connect an organization's knowledge workers, streamline its business processes, and manage and store its information.

Microsoft SharePoint has become the leading content management system in today's competitive business landscape as organizations look to foster information transparency and collaboration by providing efficient capture, storage, preservation, management, and delivery of content to end users.

A recent study by the Association for Information and Image Management (AIIM) found that 53% of organizations currently utilize SharePoint for ECM. SharePoint's growth can be attributed to its ease of use, incorporation of social collaboration features, as well as its distributed management approach, allowing for self-service. With the growing trends of social collaboration and enhancements found in the latest release of SharePoint 2013, Microsoft continues to facilitate collaboration among knowledge workers.

As SharePoint continues to evolve, it is essential to have a solution in place that would achieve the vision of efficiency and collaboration without compromising on security and compliance. The growing usage of SharePoint for ECM is not without risk. AIIM also estimated that 60% of organizations utilizing SharePoint for ECM have yet to incorporate it into their existing governance and compliance strategies. It is imperative that organizations establish effective information governance strategies to support secure collaboration.

There are two useful new features in SharePoint 2013 that help with compliance issues. The E-discovery center is a SharePoint site that gives you more control of your data. It allows you to identify, hold, search, and export documents needed for e-discovery. The "In Place Hold" feature allows you to preserve documents and put a hold on them while users continue working on them. These features are available for both on-premises and in-cloud solutions.

SharePoint 2013 has been integrated with Yammer, which provides many social features. This presents a new challenge for compliance. Yammer is planning to integrate more security in future releases. But for now, organizations need to create policies and procedures for these social features. Roles like "Community Manager", "Yambassadors", and "Group Administrators" might be introduced.

There are third-party tools that could be used with SharePoint for compliance and information governance. They are: Metalogix and AvePoint for governance and compliance; CipherPoint and Stealth Software for encryption and security; ViewDo Labs and Good Data for Yammer analytics and compliance.

In order to most effectively utilize SharePoint for content management, there are several best practices that must be incorporated into information governance strategies as part of an effective risk management lifecycle. The goal of any comprehensive governance strategy is to mitigate risk, whether this entails downtime, compliance violation or data loss. In order to do so, an effective governance plan must be established that includes the following components:

Develop a plan. When developing your plan, it is necessary for organizations to understand the types of content SharePoint contains before establishing governance procedures. It is important to involve the appropriate business owners and gather any regulatory requirements. These requirements will help to drive information governance policies for content security, information architecture and lifecycle management.

When determining the best approach to implement and enforce content management and compliance initiatives, chief privacy officers, chief information security officers, compliance managers, records managers, SharePoint administrators, and company executives will all have to work together to establish the most appropriate processes for their organization as well as an action plan for how to execute these processes. During the planning phase, your organization should perform an assessment, set your organization's goals, and establish appropriate compliance and governance requirements based on the results of the assessment to meet the business objectives.

Implement your governance architecture. Once your organization has developed a good understanding of the various content that will be managed through SharePoint, it is time to implement the governance architecture. In this phase, it is important to plan for technical enforcement, monitoring and training for employees that address areas of risk or noncompliance. It is important to note that while SharePoint is known for its content management functionality, there are specific challenges that come with utilizing the platform as a content management system for which your governance architecture must account: content growth and security management.

In order to implement effective content management, organizations should address and plan to manage growth of sites, files, storage, and the overall volume of content. Organizations without a governance strategy often struggle with proliferation of content with no solutions to manage or dispose of it. This is a huge problem with file servers. Over time, file servers grow to the point where they become a bit like the file cabinet collecting dust in the corner of your office. It is easy to add in a new file, but you will not find it later when you need it. The challenge comes from the planning on how to organize and dispose of out-of-date content.

SharePoint offers the technology to address these challenges, but only if it is enabled as part of your governance plan. Information management policies can be used to automatically delete documents, or you may be using third-party solutions to archive documents, libraries and sites. By default in SharePoint 2013, Shredded Storage is enabled to reduce the overall storage of organizations that are utilizing versioning. Remote BLOB Storage (RBS) can also be enabled in SharePoint or through third-party tools to reduce SharePoint's storage burden on SQL Server.

Tagging and classification plays a key role in information governance. Proper classification can improve content findability. Organizations can utilize SharePoint's extensive document management and classification features, including Content Types and Managed Metadata to tag and classify content. Third-party tools that extend SharePoint's native capabilities can also filter for specified content when applying management policies for storage, deletion, archiving, or preservation. Ultimately, however, the people in your organization will play the biggest role here. As such, your plan should identify who the key data owners are and the areas for which they are responsible. This role is often filled by a "site librarian" or those responsible for risk management in the enterprise.

In order to minimize risk to the organization, it is imperative to ensure information is accessible to the people that should have it, and protected from the people that should not have access. SharePoint has a very flexible system of permissions that can accommodate this need.

Ongoing assessments. In order to ensure that established governance procedures continue to meet your business requirements, ongoing assessment is required. Conduct ongoing testing of business solutions, monitoring of system response times, service availability and user activity, as well as assessments to ensure that you have complied with your guidelines and requirements for properly managing the content. The content is essentially your intellectual property, the lifeblood that sustains your organization.

React and revise as necessary. In order to continue to mitigate risk, respond to evolving requirements, and harden security and access controls, we must take information gathered in your ongoing assessments and use that to make more intelligent management decisions. Continue to assess and react and revise as necessary. With each change, continue to validate that your system meets necessary requirements.

The risk has never been higher, especially as more data is created alongside growing regulatory compliance mandates requiring organizations to ensure that their content is properly managed.

If you develop a plan, implement a governance architecture that supports that plan, assess the architecture on an ongoing basis, and react and revise as necessary, your organization will have the support and agility necessary to truly use all of the content it possesses to improve business processes, innovation, and competitiveness while lowering total costs.

Thursday, January 31, 2013

Information - Governance, Risk and Compliance – GRC - Part 3

In parts 1 and 2 of my post about governance, risk, and compliance, I described why information governance is important and where to begin with information governance, and I started to describe what needs to be considered in information governance policies. In this post I will describe information governance policies as they relate to crisis management and e-discovery, and list general information governance control points.

Information Governance for Crisis Management

Crisis management is a set of procedures for unplanned situations that would prevent you from performing critical functions of your job.

Such situations can be:
  • Availability – illness, weather, turnover, fire, flood, severe weather, facility issues
  • Technology – phone cut-off, system outage, application is down, network problems
  • Volume/Capacity – huge number of calls (in the example of call center)
  • Special situations – pandemic, loss of facility, tornado, etc.
An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations.

For example, if your CMS is down, what happens to those departments who need to use critical documents?

Solutions:

What you need to do is to develop a plan for each crisis situation. It should be designed to implement disaster recovery. Planning is very important.

Prioritize requirements – short, medium, long-term. Assess business needs. For example, how do you want to handle a spike in calls (if you are in a call center)? A short-term plan could be to re-route calls for live answer to where there are people. Medium- to long-term plans could include an alternative site or working from home.

Make your plan flexible. Have an incident coordinator. Create a communication plan, which should include who is responsible for coordinating the recovery process. Create a crisis team, which could include IT, QA, management, and business partners. Outline responsibilities and procedures in the document.

Test this procedure at least once a year. Do a post-analysis – timing, access gaps, communication of results – and recommend changes and a training plan for the next test, maybe next quarter, not next year. Evaluate your systems when you have no crisis.

Other points:
  • Address disaster recovery in addressing planned and unplanned downtime.
  • Virtualize your data center.
  • Ensure swift restoration of content items following corruption or accidental deletion.
  • Maintain all metadata during and after recovery events.
  • Ensure seamless transition to a warm stand-by system should the main system fail.
  • Plan what to do if outage happens.
  • Maximize platform up-time and swift restoration of platform following a disaster event.
  • Users need to feel confident that the system will protect content and will be available regardless of any disaster, otherwise user adoption will fail – users will go back to their old habits essentially halting KM effort in its tracks.
Information Governance for E-Discovery

E-Discovery preparedness makes it imperative for organizations to develop an enterprise wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

You need to be able to respond to legal requests, resolve litigation issues, mitigate the risk of sanctions, and reduce the impact and cost associated with future litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.

E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content they retain. Less stored content means less content on which to perform discovery.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.

Solutions: Integrate e-discovery into information governance practice. Include key capabilities:
  • understand and secure – identify and categorize docs; docs are distributed globally; find and correctly identify them
  • automate and enforce - extend policies to docs within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control docs. Retention and disposition policies that can be enforced within ECM.
  • protect and control – regulate how docs are accessed and used; security controls over docs; control who can access protected docs
  • discover and produce – ability to produce relevant docs upon demand is a mandatory requirement.
Develop retention programs. Create committees within your organizations and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.

General Governance Controls
  • Understand your data topology – holistically across the enterprise: how much, where, who owns it, and what value does it provide.
  • Employ real-time indexing of content – to keep track of its changes.
  • Store the intelligence about your content (metadata).
  • Create an information intelligence service center and include data analysis, governance analysis.
  • Employ change management to stay current of new forms of content and new business requirements.
  • Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
  • Remove obsolete or unnecessary content.
  • Define content life cycle and retention policies.
  • Tier your access to enable relevant data to be closer to users and devices that are local.
  • Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
  • Categorize your information and determine its value and rank.
  • Use content approval function in your CMS.
  • As deployments grow, organizations must also find ways to efficiently store records in compliance with retention of records management policies.
  • Create retention schedule, content controls, consistent disposition of content in accordance with records management policies for content preservation, remediation, retention.
  • Keep track of what info is created, stored, and accessed.
  • Use auto-classification and semantic tools within the search engines.
  • Move relevant documents from desktops and shared drives to your central docs repository.
  • Create efficient document versioning and check-in/check-out management for information consistency.
  • Create robust administration of users to ensure that each has access rights only for documents that they are authorized to access.

Tuesday, January 29, 2013

Information - Governance, Risk and Compliance – GRC - Part 2

In my last post about governance, risk, and compliance, I described why information governance is important and where to begin with information governance. Today, I will describe what needs to be considered in information governance policies and will give some recommendations.

What needs to be considered in information governance policies?

Government mandates - If you are in a regulated industry, you need to consider first and foremost government mandates such as GMP/GxP, ISO 9001. You need to make sure that your document management and IT are compliant with these requirements.

Proliferation of content - there has been explosive growth in the creation and collection of content by organizations and individuals. Content is stored in CMS, data warehouses, physical warehouses, desktop computers, file shares, back-up archives, mobile devices, cloud services, employees' personal computers and other devices such as tablets, smart phones, etc. To complicate matters, this information is also geographically dispersed.

In SharePoint, for example, a small department gets a site, then other departments take notice and start their own sites. Suddenly you have small SharePoint instances pervading everywhere. What the organization should do instead is take those separate silos of SharePoint and combine them into one centrally managed environment. It is a matter of having a plan in place first, then applying the technology to achieve those business goals.

Information governance policies should cover desktops and shared drives, CMSs, databases and data warehouses, email systems, cloud-based apps, social media platforms, and physical warehouses. Content may be stored with a third party; this needs to be considered.

Employees send email with document attachments. This email and its attachments have significant value to the business, whether they contain contract terms, meeting notes or even employees' opinions on a given topic. Email requires governance and so it needs to be included in your information governance policies.

Big data – are you prepared? What measures has your IT taken to help with this issue?

Cloud computing – If you use cloud computing, you need to create governance policy for it.

Mobile Devices - Employees use mobile devices to do their job. Many companies don’t have policies that cover things like tablets and handhelds. They are starting to, but it is just a beginning. You need to create policies for mobile devices and a mechanism to enforce those policies. And in a regulated environment, you would need to prove that you are enforcing those policies.

Social media - effectively leveraging social media while protecting the organization from non-compliance.

Create a comprehensive social media governance plan. It should include compliance and supervision of interactive social content; perform conceptual search and policy-based monitoring of all info, inside and outside the firewall; establish social media usage policies and procedures and then train staff on them; preserve and collect relevant social media content for compliance and litigation purposes.

Consider all content and access methods involved as users connect via smartphones and tablets.

Employ solutions that capture additional approval on a site-by-site basis to verify assent for capturing and monitoring.

Wherever possible create separate business identities for social media to minimize capture of personal or private information.

Govern employees' interactions. Most regulated organizations are taking a measured approach to social media, starting with a small number of employees and approved social media sites.

Monitor and capture inside-based interactions within corporate networks. Moderate inside-based interactions. Be mindful of legal and regulatory guidelines.

BYOD phenomenon – “bring your own device”. People bring their iPads, iPhones, etc. to conferences and to work, taking notes, making presentations, responding to email, updating the pipeline, etc. All this content belongs to the organization but the device does not. What happens when this employee leaves the company? Or that employee loses the tablet? What happens to the information?

I read about the case where a doctor had all his patients’ medical records unencrypted on his laptop. The laptop was stolen.

It could also be that multiple versions of a document are floating around, passed from one person to another and maybe tweaked a little along the way. Each of them is legally discoverable.

Be sure that the official version of the document is stored in your CMS and managed by your governance program.

It is imperative to have a policy to protect this information and to enforce that policy across all those devices.

Security – sensitive information must be protected – encrypted. LinkedIn got hacked and all passwords got stolen. What are you going to do so that this does not happen to your organization?

Intellectual property - What about a pharmaceutical company developing a new drug, not yet under patent protection, and an employee takes that information to a competitor?

Of special importance is information related to future revenue. For example, a pharmaceutical company should place a high priority on protecting information related to future products which are not covered by patents.

It is vital for companies to have a system in place to protect sensitive content such as product roadmaps, manufacturing plans, vendor supply lists, and marketing and promotional strategies.

In my next post, I will describe information governance for crisis management and e-discovery.

Sunday, January 27, 2013

Information - Governance, Risk and Compliance – GRC - Part 1

Governance is about securing the information and also about using information for greater value. People don’t talk much about the value of information, but information is a strategic asset of a company.

What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.

Governance is like an insurance policy that you feel like you are paying for nothing, until you need it. You don’t know when and if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance, which is controls, is your insurance policy.

KM can be costly in terms of fines, brand reputation, legal fees. In case of a legal discovery, the lack of documents means a disaster. Absence of document control in place will result in violating regulatory compliance.

To an increasing extent, organizations are focusing on risk management as a central issue in the GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down viewpoint on risk, whether it results from non-compliance or operational issues, and want to know what is being done to mitigate it. ERM is increasingly considered a strategic tool to support governance and improve business performance.

Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated but it can plan for the risk and have alternatives ready.

Information governance – effective content controls, allowing all info to be securely and properly shared across departments, geographic locations, and systems.

Organizations need a closed loop environment for assessing business risks, documenting compliance and automating control monitors to sift through their business systems.

For example, SharePoint is a widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment into existing compliance, retention, and long-term archive policies.

To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.

Benefits of information governance: helps management to enforce focus on business mission, employees have information that is accurate, current and is in suitable format for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information, derive higher profits; operational cost is lowered; retention management optimizes cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.

Where to begin?

To start an information governance initiative, create a steering committee – CIO, legal officer, compliance officer, other main stakeholders.

Outline the scope, timeline, and budget.

It should be rolled out from the top. This way everybody will be on the same page.

Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.

Information governance strategy must account for the value of information and how it is classified and accessed.

Information governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.

Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.

Policies should change depending on new business requirements, regulatory demands, rising costs, litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.

Rank the value of information depending on its type and where it is coming from. For example, information created by the VP of sales should be ranked higher than information created by a marketing intern.

More about governance in the next post.

Thursday, August 9, 2012

E-Discovery and Records Management

Discovery is the pre-trial phase in a lawsuit in which each party can request documents and other evidence from opposing parties. E-discovery deals with discovery of electronically stored information (ESI), including documents and e-mails.

E-Discovery preparedness makes it imperative for organizations to develop an enterprise wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.

ESI presents special issues for discovery:
  • ESI can be replicated at a very low cost, resulting in tremendous volume;
  • Electronic content can be easily changed and deleted;
  • ESI can be backed up, creating more volume as content is copied;
  • Electronic content may require certain software to access and read;
  • ESI can reflect relationships based upon how it is distributed;
  • ESI may have associated metadata;
  • ESI can be searched.
E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content they retain. Less stored content means less content on which to perform discovery.

On the other hand, because all ESI is now discoverable, organizations may be tempted to destroy that information as soon as possible to reduce the cost of discovery. But, some information must be kept for regulatory and compliance reasons. For example, many organizations are governed by regulatory bodies that require business information to be retained for a specific period of time. Some of that information might also be important to support the organization in case of litigation. Destroying the wrong information can lead to fines and unfavorable judicial decisions.

Some organizations may randomly pick through content to remove content that is deemed most risky. But in litigation, it will be necessary to prove that the deletion of this content was consistent with a policy that has been applied rigorously. Without audit trails and certificates of destruction, it can be difficult to prove compliance with an organization’s policies.

To avoid this situation, many organizations are simply choosing to keep everything. But this experience proves that the cost of restoring backup and archive tapes, as well as the cost of discovery and the inability to identify content and place immediate holds, can make this policy economically disastrous in the event of litigation.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

Retention periods are historically thought of in terms of calendar events. A document that was created in 2000 may no longer be required in 2012, and so it may be destroyed. Retention periods for content are driven by events, such as the length of a project, the duration of a contract, or the termination of an employee. And the retention policies that match up to these content types must reflect the lifecycle of the content.

Organizations may choose to keep project information for x number of years after the end of the project. A workflow event that signals the end of a project, such as the publishing of a report, may commence the retention period for the associated e-mails and files. An organization may create a retention policy that a contract will be retained for x number of years after the end of the contract period. The end of the contract could then trigger a lifecycle action for that document.

There are many types of events that could trigger a retention policy: content expired (e.g. a contract), usage statistics (e.g., document has not been accessed in six months), business event (e.g., environmental impact filing), content lifecycle event (e.g., new revision checked in).

There are many actions an organization can take based upon the retention policy: delete, notify author, archive, move, delete revisions, revise. These different actions can be applied to retained content over the course of its lifecycle as it moves from its active use to inactive status to its deletion.
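
The event-driven retention described above, with legal holds and an audit trail, can be sketched as follows. This is an added example, not code from the original post or from any product it mentions; the rule values, record IDs, hold identifier and the hash-chained log format are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    trigger_event: str   # event that starts the retention clock
    retain_years: int    # assumed value, set by the records manager
    action: str          # e.g. "delete" or "archive", as listed in the post


@dataclass
class Record:
    record_id: str
    content_type: str
    events: dict = field(default_factory=dict)  # event name -> date it occurred
    holds: set = field(default_factory=set)     # active legal hold identifiers


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 mapped into a non-leap year
        return d.replace(year=d.year + years, day=28)


def evaluate(record, rules, today):
    """Decide what may happen to one record today; a hold overrides everything."""
    if record.holds:
        return "hold", "blocked by " + ", ".join(sorted(record.holds))
    rule = rules.get(record.content_type)
    if rule is None:
        return "retain", "no rule for content type; needs classification"
    started = record.events.get(rule.trigger_event)
    if started is None:
        return "retain", f"trigger '{rule.trigger_event}' has not occurred"
    due = add_years(started, rule.retain_years)
    if today < due:
        return "retain", f"eligible on {due.isoformat()}"
    return rule.action, f"retention ended {due.isoformat()}"


class AuditLog:
    """Append-only log; each entry hashes the previous one so edits are detectable."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record_id, decision, detail, today):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"record": record_id, "decision": decision, "detail": detail,
                "date": today.isoformat(), "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_disposition(records, rules, today, log):
    """Evaluate every record and log the decision, including 'retain' and 'hold'."""
    results = {}
    for rec in records:
        decision, detail = evaluate(rec, rules, today)
        log.append(rec.record_id, decision, detail, today)
        results[rec.record_id] = decision
    return results


def demo():
    # Constructed sample rules and records, for illustration only.
    rules = {"contract": RetentionRule("contract_end", 7, "delete"),
             "project_email": RetentionRule("project_closed", 3, "archive")}
    ended = {"contract_end": date(2004, 6, 30)}
    records = [
        Record("C-001", "contract", dict(ended)),
        Record("C-002", "contract", dict(ended), {"HOLD-EXAMPLE-1"}),
        Record("C-003", "contract"),  # contract still running
        Record("P-001", "project_email", {"project_closed": date(2011, 1, 15)}),
        Record("X-001", "memo"),      # unclassified content
    ]
    log = AuditLog()
    return run_disposition(records, rules, date(2012, 8, 9), log), log


if __name__ == "__main__":
    results, log = demo()
    for rid, decision in results.items():
        print(rid, decision)
    print("audit chain intact:", log.verify())
```

C-001 and C-002 have the same contract end date, but only C-001 is eligible for deletion because C-002 is under hold; every decision, including the ones that keep content, is logged so the organization can later show the policy was applied consistently.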

The best approach to records management is where authors create content using their familiar tools and systems, and retention management is enforced on that content where it lives, from a centralized place. This approach has a number of benefits:
  • retention policies are centrally administered through a single interface;
  • a catalog of discoverable content is created;
  • holds can be placed instantly across these different systems, ensuring that evidence is not deleted during litigation;
  • disposition can be performed from a central place.
By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways. They include:
  • Decreased Risk – by keeping less content, an organization decreases the risk of adverse evidence being found;
  • Higher Productivity – by organizing content through a file plan, key information, such as regulatory filings, tax information, business licenses, invoices, and other content, can be more easily found;
  • Lower Discovery Costs – with less information available for discovery, an organization will reduce the cost of restoration of content and the cost of legal review;
  • Increased Flexibility – an organization will be prepared to present a catalog of discoverable content, which is a requirement in a case of a litigation;
  • Stronger Legal Action – By knowing the evidence that an organization possesses, legal counsel can more quickly assess strategy and pursue a settlement, which can be a huge money savings;
  • Less Vulnerability – organizations that are unable to comply with electronic discovery requirements are beginning to see nuisance lawsuits. When an organization cannot comply with discovery requirements, it may set a cost threshold – stating, for instance, that any lawsuit under $100,000 is not worth the discovery effort and should be settled. This exposes the organization to nuisance lawsuits that are brought at just under the threshold.
If you have not already done so, now is the time to develop ESI retention programs. Now is the time to create committees within your organizations and to bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation. And, now is the time to focus on one of any organization’s greatest assets, its information.