Information Governance: Managing Risks & Rewards
Implementing an effective information governance strategy is one of the ways an enterprise can help protect itself against potential litigation. And yet, according to some recent surveys, many organizations remain either ignorant of, or unwilling to adopt, a wide-reaching internal information governance strategy.
What reason is there for this continued resistance to change? What steps should be taken to adopt and implement an effective, streamlined information governance strategy? What exactly constitutes information governance, and why does it matter at all?
Understanding Information Governance
Think for a moment about the vast amount of digital data that’s transmitted every single typical workday. From quick emails to massive digital file archives, it’s estimated that the total amount of stored digital data doubles approximately every two years. Yet, despite this impressive increase in volume, most companies continue processing and storing their digital records the same way they always have: haphazardly, and without an eye toward the future.
For companies that end up facing the risk of litigation, the prospect of sorting through terabytes’ worth of digital records to find relevant data for their case is daunting at best, and can result in costly legal battles, or even sanctions if the court feels that essential electronic evidence was deliberately withheld or destroyed.
Beyond just addressing a company’s storage system for inactive data, information governance at its best reflects a holistic system of examining what types of data are handled by your enterprise, how they’re processed and stored, and determining the optimum approach for sorting, categorizing and archiving this data in order to comply with eDiscovery if needed.
Managing your information stores and practices in an efficient, traceable manner is just as vital to the health of your enterprise as financial solvency and sound business policies. And yet, many companies treat information governance as optional, taking a noncommittal approach toward revamping their existing processes.
A policy- and procedure-based information governance system can help companies lower their data overhead, reduce vulnerability to litigation, and ensure compliance with guidelines and standards that are required within your field. Ideally, information should be effectively managed throughout its entire lifecycle, from inception through destruction. This includes setting clear data retention policies, as well as addressing long-term preservation requirements.
When information governance policies are well-planned, well-executed, and well-managed, data becomes more visible and accessible to your entire organization, facilitating the next course of action. Plans should be in place for both passive information management, such as long-term storage needs, and active data management, such as logs of who accessed which files and for what purpose. Decisions must be made in advance about which types of data should be archived for future use, and which should be destroyed.
In March 2013, an analyst and data company called 451 Research released a report on eDiscovery practices. This report surveyed 2,320 respondents who represented a combination of large, small, and midsized organizations. The report covered such areas as enterprise IT, asking tough questions about how these businesses approach the access, management, and retention of their data.
The 451 Research report states that less than half of the study respondents believed that information management was important for their enterprise. In general, larger organizations felt more strongly about managing their data properly compared to smaller companies. Only 32% of respondents who were in senior management felt a need for clear information management strategies, while over half of the respondents who were IT staff felt that setting up these strategies was important. With senior management, rather than IT staff, making the financial decisions about internal developments, the numbers indicated that future investment in information governance among those particular organizations was unlikely.
A survey conducted by AIIM (Association for Information and Image Management) specifically on information governance shows that 31% of its respondents reported having problems with audits, regulating bodies, and courts due to issues with poor data storage and organization. Rather than taking a look at making existing processes more efficient, over a quarter of those surveyed reported that they just bought additional storage in response to increased data management needs. In addition, one-third of the surveyed enterprises said that 90% of their current IT expenditures are not adding value to their business.
The AIIM survey respondents also stated that most of their employees are likely to have multiple copies of files and emails across their devices (mobile, laptop, and desktop), and yet 12% of respondents still lack any official archiving policy for company emails. Companies that do have these types of policies already in place are often still conducting eDiscovery searches manually in the event of litigation. Many businesses have yet to implement official information governance policies, while those that do have them are not enforcing them, and/or are not training their staff to follow the new guidelines.
The 451 Research report respondents added that social media and the greater variety of types of data companies use today are making eDiscovery considerations much more complicated than previously. AIIM reports that 42% of their respondents are actually seeing increases in terms of physical paperwork, rather than moving toward paperless operations. Additionally, those surveyed are reluctant to move away from paper records and aren’t quite ready to trust the security of their record storage to cloud services providers.
The companies that feel that establishing information governance is unnecessary aren’t paying attention, especially when considering litigation risks. It’s impossible to completely separate information governance from electronic discovery. Many companies that do develop comprehensive information management policies have done so specifically with an eye toward protecting themselves against potential litigation.
Coming from a per-gigabyte pricing structure, the costs for electronic discovery are only now leveling off. Yet the sheer amount of data that needs to be sifted through in the event of litigation means eDiscovery bottom lines will never really go away. When weighing the time/cost investment of a disorganized information storage system, as compared to an efficient, defensible information governance practice, the savings speak for themselves.
Beyond finances, other rewards manifest as a result of streamlining daily operations through appropriate information management policies, particularly in terms of preventing productivity loss and eliminating redundancies. These payouts are similarly reflected during electronic discovery, preventing spiraling defense costs when it really counts for your company. And, of course, a positive outcome during litigation means preserving your enterprise’s good name and reputation, delivering a truly priceless return on investment.
Information Management Basics
Without a set standard as to what, exactly, constitutes appropriate information management, the accountability framework currently applies to all aspects of data creation, collection, storage, retention, and eventual destruction. The more holistic definition suggests that information governance should address the full lifecycle of all data, including quality and protection aspects of information. The governance of managing data also extends heavily toward the sphere of electronic discovery, since the relevance of appropriate data retention and management becomes all too clear in the face of litigation.
- Records Management addresses the creation, storage, retention, and disposal of electronic records. This includes databases, emails and application data. Enterprises must examine both long-term and short-term internal policies, and decide for themselves what falls under their realm (e.g., whether social media profiles are exempt).
- Access Controls look at who can access stored and active files. How is data kept private and by what metrics? Is there a log to track access points for easy reference? If litigation arises in the future, it’s vital that this information can be provided upon request, and ideally with a minimum of effort.
- Structural Organization takes into consideration the needs not just of daily business operations, but also the key stakeholders who are involved with effective information governance: IT staff, legal counsel, and compliance departments must all have a clear understanding of their company’s data policies and practices.
One of the primary sticking points of information governance is determining accountability. Are management executives responsible for developing, implementing and maintaining an effective plan for managing their company’s data? Or does this fall under the scope of IT support? Should legal counsel take the lead in deciding what constitutes defensible, eDiscovery-friendly policies? For most companies, not knowing the answer to these questions can be a major obstacle to forward growth. Most enterprises that have an information governance plan already in place have drawn on aspects of all these disciplines in order to more effectively manage their data.
Including Social Media
Regardless of whether companies have already put an information governance plan into effect, most enterprises think that the applicable data is fairly straightforward: internal emails, documents and data, or just about anything that relates to their business, should all be fair game. While this seems like a safe enough definition, one major data stream is often left out: social media.
As the majority of court cases now include some form of virtual evidence in the form of data or email, new precedents are being set with regard to social media and information governance. In more than one case, personal data has been subpoenaed from Facebook pages, MySpace profiles, and Twitter feeds as evidence for either side of litigation in an active case. While the success rate of requesting this data varies, as do views on whether the data is relevant at all, companies can no longer afford to exclude social media from the core of their information governance policies and management practices.
While companies continue treating information governance largely as an abstraction, there are many concrete examples of how data retention policies have had huge impacts on companies during litigation, both positive and negative.
- Apple, Inc. v. Samsung Electronics Co., Ltd.: In this much-publicized patent infringement case, Apple claimed that Samsung’s Galaxy phone was an intellectual appropriation of Apple’s iPhone, both in terms of software and physical design. In the end, a jury ruled in Apple’s favor, awarding significant damages that are likely to change the design of future smartphone competitors for good. As part of the verdict, the court additionally found Samsung at fault because they failed to properly circulate litigation hold instructions at the initial ‘anticipation of litigation’. Specifically, Samsung neglected to provide several key emails to the court, resulting in sanctions from the court. Ironically, Apple was also sanctioned for similarly failing to circulate a litigation hold notice to its own staff, leading the court to rule that Apple was also guilty of neglecting to preserve documents in a timely and appropriate fashion.
- E.I. du Pont de Nemours v. Kolon Industries, Inc.: In another patent infringement case, this one spanning two decades, the court ruled that Kolon Industries, a company based in South Korea, was guilty of stealing critical trade secrets surrounding the production and marketing of Kevlar®, a patented synthetic fiber from DuPont. During proceedings, the court issued an adverse inference jury instruction due to evidence spoliation against Kolon Industries. Despite being informed of the lawsuit and receiving multiple litigation hold notices, Kolon had proceeded to delete almost 18,000 different emails and files that were related to the core of the case. The court, rather than blaming employees for evidence spoliation, instead pointed the finger at the high-level executives and attorneys for Kolon, stating that the notices were mistranslated, delivered too late or in too limited distribution to be effective in preventing spoliation, and it had been their responsibility to adopt a responsible approach toward the litigation hold notices.
- People of the State of New York v. Malcolm Harris: The city of New York brought charges against Malcolm Harris, one of many participants arrested during a mass Occupy Wall Street protest march in October 2011 that took place on the Brooklyn Bridge. The defendant in this case refused to voluntarily submit records of his Twitter feed, specifically those ‘tweets’ that were transmitted during the protest, which had since been deleted. Manhattan Criminal Court Judge Matthew Sciarrino then subpoenaed Twitter directly for a record of Harris’ tweets from that time period, in an attempt to prove or disprove whether Harris was responsible for disorderly conduct and had used Twitter to rally other protestors. While the Occupy movement is not a business, this case does raise the question of whether corporate information governance policies are effectively addressing social media communications, and whether companies may be held liable for that data in the future.
- Viramontes v. U.S. Bancorp: In this case, the defendant actually defeated a sanctions motion due to proactive internal information governance strategies. The bank, U.S. Bancorp, already had a communications retention policy in place that only kept emails for 90 days before overwriting and destroying them. However, this policy carried the provision that, in case of litigation or other trigger event, their normal retention procedure would be immediately suspended, and all documentation would be preserved until further notice. By showing a ready willingness to modify their retention procedures in the face of legal proceedings, the court found that the bank had acted in good faith, and was protected from court sanctions under the “safe harbor” clause of the Federal Rules of Civil Procedure.
The cases listed above are just a representative handful. Dozens of cases exist that are informing the modern litigation landscape with regard to information governance responsibilities and electronic discovery.
Over the next two years, according to AIIM, 45% of their survey respondents are planning to increase expenditures in records management and information governance. The bulk of this investment is predicted to come from automated classifications such as data clustering and taxonomies.
With such diverse information storage and management methods among different enterprises and even between departments, the idea of setting a unilateral information governance standard isn’t realistic. However, some aspects can and should apply to those companies who wish to protect themselves and their investments from the ravages of electronic discovery associated with litigation:
- IT practices must be optimized in terms of storage capacity, backup capabilities, and infrastructure cost reduction.
- Data that’s relevant to business objectives, regulatory restrictions or legal action must stay visible, accessible, traceable and defensible.
- Security should take top priority, in terms of customer safety as well as employee privacy and corporate operations.
- Any record retention practices must meet industry standards and governmental regulations.
- Maintaining readiness for potential legal discovery requests is a necessary part of doing business in today’s world. Overwhelming litigation costs can be mitigated through a proactive approach toward information governance.
The ever-increasing amounts of data, both structured and unstructured, in modern business practices are not going away; rather, they are only multiplying at an increasingly rapid rate. Effective management of this massive information transmission and storage must be included as part of the enterprise governance strategy, policies and practices.
Taking a holistic view of managing information allows solutions to present themselves with greater clarity, compared to an emergency response attitude. Meticulous assessment and planning also allow businesses to take a graduated approach toward revamping existing information governance policies, making the initial evolution more painless and less intimidating. This broader view also allows businesses to address the grey areas of information governance such as mobile devices and telecommuters, social media platforms, and how to handle departmental boundaries.
Although it’s tempting to brush this responsibility ‘under the rug’, failing to assess your information governance needs appropriately can lead to liabilities, sanctions, and significant and costly penalties. Taking a proactive approach instead allows this obligation to be dealt with while still remaining relatively manageable, as well as facilitating daily business operations as usual without losing productivity.