To support e-discovery demands, it's imperative that legal teams have reliable and timely access to potentially relevant electronically stored information (ESI). Identifying which IT assets are most relevant to a case is the first challenge.Systematically suspending disposition policies, preserving and searching the ESI and eventually returning the data to its regular retention schedule is a much more formidable undertaking.
Enter information governance (IG).
Gartner defines IG as the “specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information." With a strong IG program, e-discovery appears to become just another IG function. However, the connection goes much deeper. For many organizations, e-discovery is the flashpoint for change and the impetus behind meaningful IG initiatives. These organizations are taking the lessons they've learned from e-discovery and the observed dangers that are associated with a lack of governance and attempting to apply those lessons to comprehensive set of IG policies and processes.
The intersection of e-discovery and IG was the topic of Exterro's recentseries webcast, “Making a Molehill Out of a Mountain." It featured Rich Vestuto, a director for Deloitte, and Scott Giordano, corporate technology counsel for Exterro. During the presentation, Scott and Rich described four steps involved in aligning IG and e-discovery principles:
- Audit and assess the degree of risk in your data environment
No organization can implement an effective IG strategy without first assessing its data environment. In the context of e-discovery, that assessment must focus on the level of risk present across various data repositories. The goal here is to identify those data sources that contain the highest levels of legal exposure and make sure they are a primary focus of subsequent IG policies and processes. Important information to gather includes how easy it is to access and search the high-risk data.
- Prioritize initial IG activities
The data environment assessment should drive the prioritization of initial IG activities. For example, if the audit reveals a preponderance of decentralized data stored randomly across a bevy of shared drives, a good first step might be to create a data map which connects employees to the data sources with which they most frequently interact. Likewise, if the initial assessment reveals a large accumulation of unnecessary backup tapes, the IG plan should place greater emphasis on developing and executing a better defensible deletion policy, ridding the company of data it no longer needs. Every organization has its own unique set of challenges, and the prioritization of IG activities should be reflective of the specific data environment. IG plans aren't created overnight, so it's critical to address the most pressing issues first.
- Create policies and processes to address retention, access, use and storage of data
The first two steps largely involve dealing electronically stored information (ESI) that has already been created. The next step addresses what to do with the creation and management of new data moving forward. A sound IG strategy includes clearly defined policies regarding who has access to certain types of data, where that data is stored and how long it is kept. The IG plan will be inherently weak if it doesn't involve cross-functional input from all key stakeholders, including representatives of key business units. Besides making the plan available to employees, there has to be accompanied training to develop a culture of compliance and underscore the importance of universal participation. As part of that, interviews with data custodians can help move the organization from a policy that looks good on paper to one that can actually work in practice because it takes into account how employees actually use ESI on a day-to-day basis.
- Apply technology
After the initial assessment, prioritization of activities and the creation of a comprehensive IG strategy, the final step is to bring in the necessary technology tools to support the overall process. Traditionally, data mapping has been so labor intensive that many organizations abandon projects before they reach completion or find that the data map is nearly impossible to update. By leveraging emerging specialized data mapping technologies, organizations can largely automate the creation and updating process and ensure the data map retains its value over time. Another way organizations can align their IG and e-discovery processes is by integrating certain technologies. Understanding the data landscape for e-discovery starts with identifying the pool of data custodians and which employees are most likely to have relevant information. Integrating the organization's HR system with its legal hold application can get legal teams the information they need very quickly and eliminate a lot of the manual data entry associated with scoping a legal hold that frequently leads to errors and delays. Another set of technologies that can be leveraged in support of aligning IG and e-discovery processes are data classification and categorization tools. These systems deliver intelligence about individual data repositories by extracting key information and content patterns that help expose certain types of ESI, such as personally identifiable information or sensitive proprietary content. When applied proactively to data at rest, organizations can use these data snapshots to make smarter decisions about how data is managed and retained across the enterprise and also be far more precise when it comes to what data is truly relevant to a given matter.
You can click on the video below to watch Exterro's Masters Quick Guide to E-Discovery Strategy, highlighting some of the key overlaps between IG and e-discovery.