FINRA 2017 Regulatory and Examination Priorities

On January 4th, 2017, the Financial Industry Regulatory Authority (FINRA) published its Annual Regulatory and Examination Priorities Letter to highlight issues of importance to FINRA's regulatory programs. 

The letter can be found by selecting this link: http://www.finra.org/industry/2017-regulatory-and-examination-priorities-letter#1

Below are some notable points from the FINRA letter:

SOCIAL MEDIA AND ELECTRONIC COMMUNICATIONS RETENTION AND SUPERVISION

FINRA will review firms’ compliance with their supervisory and record retention obligations with respect to social media and other electronic communications in light of the increasingly important role they play in the securities business.

CYBERSECURITY

Cybersecurity threats remain one of the most significant risks many firms face. FINRA will continue to assess firms’ programs to mitigate those risks. FINRA recognizes there is no one-size-fits-all approach to cybersecurity, and will tailor their assessment of cybersecurity programs to each firm based on a variety of factors, including its business model, size, and risk profile.

  • Among the areas FINRA may review are firms’ methods for preventing data loss, including understanding their data (e.g., its degree of sensitivity and the locations where it is stored) and its flow through the firm, and possibly to vendors.
  • FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, they will review how firms manage their vendor relationships, including the controls to manage those relationships. The controls should be informed by a number of factors, including a clear understanding of any customer or employee personally identifiable information or sensitive firm information to which vendors have access.
  • They may also examine firms’ controls to protect sensitive information from insider threats. The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.
  • FINRA will also draw firms’ attention to two areas in which they have observed repeated shortcomings in controls.
    • First, cybersecurity controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. They have observed poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data.
    • Second, in multiple instances, firms have failed to fulfill one or more of their obligations under Securities Exchange Act (SEA) Rule 17a-4(f) that requires firms to, among other things, preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once, read many (WORM) format. This includes situations where vendor-provided email review and retention services did not fulfill SEA Rule 17a-4(f) requirements. FINRA recently announced enforcement actions against 12 firms for, among other things, failure to preserve broker-dealer and customer records in WORM format.

SUPERVISORY CONTROLS TESTING

FINRA will assess firms’ testing of their internal supervisory controls. Regular testing is critical to enabling firms to identify and mitigate gaps or inadequate controls (e.g., poorly set parameters in automated compliance systems) that, left undetected, may lead to significant, systemic control breakdowns. These problems arise in firms’ day-to-day operations, but FINRA has observed that they can be more prevalent when firms increase the scale or scope of their business or change from legacy to new compliance systems.

  • Control breakdowns can include record-retention omissions and failures to deliver requisite disclosure or other documents to clients. In addition, FINRA has observed situations where data is inaccurate, for example, with respect to product or order types. This can lead to situations where automated alerts fail to identify activity in client accounts for further review or where extensive manual intervention is necessary to make the data useable. FINRA reminds firms of their obligations with respect to supervisory controls testing and chief executive officer certifications pursuant to FINRA Rules 3120 and 3130.

CONCLUSION

FINRA urges compliance staff, supervisors, and senior business leaders to consider the topics addressed in this letter. Using the information as part of firms’ compliance, supervision and risk management practices can better protect investors, the markets, and firms themselves.

Think You Haven't Been Breached? You just don't know it yet

We only hear about the companies that figure out that they've been breached... and most often, they figure it out WAY too late!

As for where the threats originate, insider threats by employees are always going to be the biggest security risk for businesses. Employees without proper information security access controls and training are more likely to succumb to popular tactics used by hackers.

You must consider which information and data your employees have access to.

Michael Hack, Senior VP of EMEA Operations at Ipswitch said, “It’s no longer good enough just to have the right policies in place for secure data transfer, an organization must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training.”

Employers must also consider the serious responsibility of receiving and managing customer information in a way that retains customer confidence when using their information/data.

Data is Like Beans

Finding the nugget of Critical Data out of a Massive Datastore: a story about finding 1 out of 3 Billion cans of beans.
Why Beans? The can of beans represents a single email and its attachments. When we’re talking about Terabytes of data, we tend to lose perspective on how big a problem these files can be, and how difficult it is to find what you’re looking for.


SOC 2 Compliance

What Legal Professionals Need To Know

The importance of achieving Type II Service Organization Control (SOC 2) compliance should not be undervalued by the legal community. SOC 2 compliance is part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control reporting platform. These guidelines were introduced in an attempt to restructure the existing (outdated) reporting methods of service organizations, and to align with the growing trend toward more globally accepted accounting principles.

The SOC reporting platform has three options: SOC 1, SOC 2 and SOC 3. Although SOC 1 and SOC 3 will be addressed briefly in this whitepaper, the primary focus will be on SOC 2 compliance, which is designed specifically to address the increasing popularity of cloud computing and other forms of shared technology within the service organization world.

Maintaining secure channels for the transmission and storage of this type of data is of particular concern when dealing with legal matters. Achieving compliance with SOC 2 is indicative of maintaining objective levels of security, availability, confidentiality and privacy. Determining criteria are evaluated by independent auditing agencies, and include such elements as operating effectiveness, design, processes, and procedures involved with data-center controls.

Security Risks in Outsourcing

The way business is done has changed so drastically that it’s become necessary for companies to outsource portions of their functions or tasks – and sometimes even core operations – to outside service organizations. When the service organization takes on these functions, they also adopt the inherent risks that used to be the company’s sole responsibility. Yet, since they are external to the user entity, they often operate outside the bounds of existing safeguards. In other words, the same rules may not apply.

Recent increases in privacy breaches, fraudulent activities, and other malicious ‘hacking’ have served to similarly increase internal regulatory controls, such as HIPAA, the Sarbanes-Oxley Act, and Basel II. As a result, due diligence during the vetting process of prospective service organizations is increasing and the government is now overseeing existing outsourced organizations. Regulatory changes, especially in the field of technology, have underlined the need for assurance that management is capable of maintaining client security and data integrity. The systems used by both the originating organization and any satellite service organizations must process data with the same level of privacy, confidentiality, and integrity.

Enacting SOC 2 compliance, along with meeting other compliance standards, allows an independent entity or CPA to determine whether the existing controls of a service organization meet the necessary standards. Additionally, the service organizations are able to respond with concrete action plans to achieve compliance through this objective evaluation. The three Service Organization Control reporting options laid out by the AICPA provide this necessary framework.

Focus on SOC 2 Compliance

As mentioned previously, there are three different types of SOC reports.

  • SOC 1 Report: Focuses on internal controls that are relevant to financial reporting. These are conducted in accordance with SSAE 16.
  • SOC 2 Report: Addresses the controls regarding security, availability, and processing integrity of internal systems, as well as the confidentiality and privacy of any data that is processed by that system.
  • SOC 3 Report: Handles controls related to security, availability, confidentiality, and processing integrity in accordance with Trust Service Principles.

Unlike SOC 1 reports, SOC 2 compliance relies on the AT Section 101 professional standard which uses a criteria-based analysis that centers on the five Trust Service Principles, as stated by the AICPA and CICA:

Security. The system is protected against unauthorized access (both physical and logical).

Availability. The system is available for operation and use as committed or agreed.

Processing Integrity. System processing is complete, accurate, timely, and authorized.

Confidentiality. Information designated as confidential is protected as committed or agreed.

Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally-accepted privacy principles issued by the AICPA and CICA.

Specifically, SOC 2 compliance is based on the reporting of non-financial controls, like those within the technological sector such as managed services, data-centers, and other aspects of service organizations.

The development of the SOC 2 guidelines arose from the multitude of changes within service organization reporting, the growing trend toward international accounting standards, the previous abuse of outdated auditing standards, and the simple need to provide a more appropriate reporting platform for the way business is done today. The SOC framework delivers a multifaceted approach for reporting platforms among service organizations.

Core Requirements

  • System Description: A key aspect for obtaining SOC 2 compliance is to maintain a written description of the “system” used by the service provider. The narrative must be both detailed and comprehensive, addressing the services provided as well as any supporting processes, internal policies and procedures, and any other core operational activities that are relevant to the service provider’s user entity. This system description requires much more in-depth detail than the control descriptions mandated by the SAS 70 predecessor audit.
  • Written Statement of Assertion: The service auditor who is performing the examination for SOC 2 compliance must be provided with a written statement of assertion. This document declares factual statements regarding the service provider’s control environment.
  • Criteria Description: Since SOC 2 compliance is based on criteria rather than objectives, documentation is required showing the metrics that are in place to meet the Trust Service Principles.

Benefits of SOC 2 Compliance for the Legal Community

The American Bar Association Formal Opinion #451 specifically states that:

"The challenge for an outsourcing lawyer is, therefore, to ensure that tasks are delegated to individuals who are competent to perform them, and then to oversee the execution of the project adequately and appropriately. When delegating tasks to lawyers in remote locations, the physical separation between the outsourcing lawyer and those performing the work can be thousands of miles, with a time difference of several hours further complicating direct contact. Electronic communication can close this gap somewhat, but may not be sufficient to allow the lawyer to monitor the work of the lawyers and non-lawyers working for her in an effective manner. At a minimum, a lawyer outsourcing services for ultimate provision to a client should consider conducting reference checks and investigating the background of the lawyer or non-lawyer providing the services as well as any non-lawyer intermediary involved."

Rule 1.6(a) of the ABA Model Rules of Professional Conduct states:

“A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).”

Rule 1.6(c) adds:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Comment 3 on Rule 1.6 clarifies:

“The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law. The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law. See also Scope.”

Rule 5.3(b) requires that lawyers who utilize the skills and talents of non-lawyers must “make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer.”

Above all, the lawyer must preserve fiduciary responsibility to their client. When hiring outside parties and service providers, it’s counsel’s responsibility to ensure that the attorney-client privilege is kept sacrosanct. Independent auditing to determine SOC 2 compliance delivers an extra layer of protection for both counsel and client. Clients have an objective set of guidelines that they know their team is bound by, and counsel has the assurance that all members of the staff must hold to the same ethical guidelines as they themselves are required to uphold.

SOC 2 compliance extends far beyond personnel, as well. The entire organization is covered, as well as the technological infrastructure being utilized. This includes the data-center operating environment, management of data storage, server and database administration, and tools and processes used for system monitoring. Both physical and virtual system security are included, as well as common support processes that are applicable to multiple avenues of service provider and primary business.

Ensuring SOC 2 compliance satisfies the ethical obligations set forth by the ABA by providing assurance that systematic and necessary protocols are in place to protect the lawyer-client privilege. This offers clients a higher level of confidence in their counsel, as well as assurance that any critical data or sensitive information will be handled and stored securely. For clients, doing business with a legal team with SOC 2 compliance delivers an additional seal of approval for the methods used to handle client information, allowing for greater peace of mind for client and counsel alike.

IN CLOSING

There are quite a few individual certifications that complement SOC 2; some of the more relevant to a services company include:

  • CISSP – Certified Information Systems Security Professional
  • CIPP (US, IT, Europe) – Certified Information Privacy Professional
  • ECMP – Enterprise Content Management Practitioner
  • ERM – Enterprise Risk Management

Completing a Type II SOC 2 examination relevant to security, availability, confidentiality and privacy provides attestation that processes, procedures and controls are formally evaluated and tested by an independent auditing firm. Passing this audit provides certification of compliance to a service organization that qualifies the design and operating effectiveness of their organization. This examination demonstrates that the service organization is compliant with the relevant criteria and that its clients are being served by a facility controlled to the SOC 2 standard. The examination's completion also provides valuable insight into the people and procedures responsible for successful data-center controls.

IG: Managing Risks & Rewards

Implementing an effective information governance strategy is one of the ways an enterprise can help protect itself against potential litigation. And yet, according to some recent surveys, many organizations remain either ignorant of or unwilling to adopt a wide-reaching internal information governance strategy.

What reason is there for this continued resistance to change? What steps should be taken to adopt and implement an effective, streamlined information governance strategy? What exactly constitutes information governance, and why does it matter at all?

Understanding Information Governance

Think for a moment about the vast amount of digital data that’s transmitted every single typical workday. From quick emails to massive digital file archives, it’s estimated that the total amount of stored digital data doubles approximately every two years. Yet, despite this impressive increase in volume, most companies continue processing and storing their digital records the same way they always have: haphazardly, and without an eye toward the future.

For companies who end up facing the risk of litigation, the prospect of sorting through terabytes’ worth of digital records to find relevant data for their case is daunting at best, and can result in expensive legal battles, or even sanctions if the court feels that essential electronic evidence was deliberately withheld or destroyed.

Beyond just addressing a company’s storage system for inactive data, information governance at its best reflects a holistic system of examining what types of data are handled by your enterprise, how they’re processed and stored, and determining the optimum approach for sorting, categorizing and archiving this data in order to comply with eDiscovery if needed.

Reducing Risks

Managing your information stores and practices in an efficient, traceable manner is just as vital to the health of your enterprise as financial solvency and sound business policies. And yet, many companies treat information governance as optional, taking a noncommittal approach toward revamping their existing processes.

A policy and procedure-based information governance system can help companies lower their data overhead, reduce vulnerability to litigation, and ensure compliance with guidelines and standards that are required within your field. Ideally, information should be effectively managed throughout its entire lifecycle, from inception through destruction. This includes setting clear data retention policies, as well as addressing long-term preservation requirements.

When information governance policies are well-planned, well-executed, and well-managed, data becomes more visible and accessible to your entire organization, facilitating the next course of action. Plans should be in place for both passive information management, such as long-term storage needs and active data management, such as logs of who accessed which files and for what purpose. Decisions must be made in advance about which types of data should be archived for future use, and which should be destroyed.

Supporting Statistics

In March 2013, an analyst and data company called 451 Research released a report on eDiscovery practices. This report surveyed 2,320 respondents who represented a combination of large, small, and mid-sized organizations. The report covered such areas as enterprise IT, asking tough questions about how these businesses approach the access, management, and retention of their data.

The 451 Research report states that less than half of the study respondents believed that information management was important for their enterprise. In general, larger organizations felt more strongly about managing their data properly compared to smaller companies. Only 32% of respondents who were in senior management felt a need for clear information management strategies, while over half of the respondents who were IT staff felt that setting up these strategies was important. With senior management, rather than IT staff, making the financial decisions about internal developments, the numbers indicated that future investment in information governance among those particular organizations was unlikely.


A survey conducted by AIIM (Association for Information and Image Management) specifically on information governance reports that 31% of their respondents had problems with audits, regulating bodies, and courts due to issues with poor data storage and organization. Rather than taking a look at making existing processes more efficient, over a quarter of those surveyed reported that they just bought additional storage in response to increased data management needs. In addition, one-third of the surveyed enterprises said that 90% of their current IT expenditures are not adding value to their business.

The AIIM survey respondents also stated that most of their employees are likely to have multiple copies of files and emails across their devices (mobile, laptop, and desktop), and yet 12% of respondents still lack any official archiving policy for company emails. Companies who do have these types of policies already in place are often still conducting eDiscovery searches manually in the event of litigation. Many businesses have yet to implement official information governance policies, while those who do have them are not enforcing them, and/or are not training their staff to follow the new guidelines.

The 451 Research report respondents added that social media and the greater variety of types of data companies use today are making eDiscovery considerations much more complicated than previously. AIIM reports that 42% of their respondents are actually seeing increases in terms of physical paperwork, rather than moving toward paperless operations. Additionally, those surveyed are reluctant to move away from paper records and aren’t quite ready to trust the security of their record storage to cloud services providers.

eDiscovery Responsibilities

The companies who feel that establishing information governance is unnecessary aren’t paying attention, especially when considering litigation risks. It’s impossible to completely separate information governance from electronic discovery. Many companies who do develop comprehensive information management policies have done so specifically with an eye toward protecting themselves against potential litigation.

Having moved on from a per-gigabyte pricing structure, the costs for electronic discovery are now leveling off. Yet the sheer amount of data that needs to be sifted through in the event of litigation means eDiscovery bottom lines will never really go away. When weighing the time and cost investment of a disorganized information storage system against an efficient, defensible information governance practice, the savings speak for themselves.

Beyond finances, other rewards manifest as a result of streamlining daily operations through appropriate information management policies, particularly in terms of preventing productivity loss and eliminating redundancies. These payouts are similarly reflected during electronic discovery, preventing spiraling defense costs when it really counts for your company. And, of course, a positive outcome during litigation means preserving your enterprise’s good name and reputation, delivering a truly priceless return on the investment.

Information Management Basics

Without a set standard as to what, exactly, constitutes appropriate information management, the accountability framework currently applies to all aspects of data creation, collection, storage, retention, and eventual destruction. The more holistic definition suggests that information governance should address the full life-cycle of all data, including quality and protection aspects of information. The governance of managing data also extends heavily toward the sphere of electronic discovery, since the relevance of appropriate data retention and management becomes all too clear in the face of litigation.

Records Management addresses the creation, storage, retention, and disposal of electronic records. This includes databases, emails and application data. Enterprises must examine both long-term and short-term internal policies, and decide for themselves what falls under their realm (e.g., whether social media profiles are exempt).

Access Controls look at who can access stored and active files. How is data kept private and by what metrics? Is there a log to track access points for easy reference? If litigation arises in the future, it’s vital that this information can be provided upon request, and ideally with a minimum of effort.

Structural Organization takes into consideration the needs not just of daily business operations, but also the key stakeholders who are involved with effective information governance: IT staff, legal counsel, and compliance departments must all have a clear understanding of their company’s data policies and practices.

One of the primary sticking points of information governance is determining accountability. Are management executives responsible for developing, implementing and maintaining an effective plan for managing their company’s data? Or does this fall under the scope of IT support? Should legal counsel take the lead in deciding what constitutes defensible, eDiscovery friendly policies? For most companies, not knowing the answer to these questions can be a major obstacle in preventing forward growth. Most enterprises that have an information governance plan already in place have drawn on aspects of all these disciplines in order to more effectively manage their data.

Including Social Media

Regardless of whether or not companies have already put an information governance plan into effect, most enterprises think that the applicable data is fairly straightforward: internal emails, documents and data, or just about anything that relates to their business, should all be fair game. While this seems like a safe enough definition, one major data stream is often left out: social media.

As the majority of court cases now include some form of virtual evidence in the form of data or email, new precedents are being set with regard to social media and information governance. In more than one case, personal data has been subpoenaed from Facebook pages, MySpace profiles, and Twitter feeds as evidence for either side of litigation in an active case. While the success rate of requesting this data varies, as does the view of whether or not the data may be relevant at all, companies can no longer afford to exclude social media from the core of their information governance policies and management practices.

Case Studies

While companies continue treating information governance largely as an abstract, there are many concrete examples of how data retention policies have had huge impacts on companies during litigation, both positive and negative.

Apple, Inc. v. Samsung Electronics Co., Ltd: In this much-publicized patent infringement case, Apple claimed that Samsung’s Galaxy phone was an intellectual appropriation of Apple’s iPhone, both in terms of software and physical design. In the end, a jury ruled in Apple’s favor, awarding significant damages that are likely to change the design of future smartphone competitors for good. As part of the verdict, the court additionally found Samsung at fault because they failed to properly circulate litigation hold instructions at the initial ‘anticipation of litigation’. Specifically, Samsung neglected to provide several key emails to the court, resulting in sanctions from the court. Ironically, Apple was also sanctioned for similarly failing to circulate a litigation hold notice to its own staff, leading the court to rule that Apple was also guilty of neglecting to preserve documents in a timely and appropriate fashion.

E.I. du Pont de Nemours v. Kolon Industries, Inc.: In another patent infringement case, this one spanning two decades, the court ruled that Kolon Industries, a company based in South Korea, was guilty of stealing critical trade secrets surrounding the production and marketing of Kevlar®, a patented synthetic fiber from DuPont. During proceedings, the court issued an adverse inference jury instruction against Kolon Industries due to evidence spoliation. Despite being informed of the lawsuit and receiving multiple litigation hold notices, Kolon had proceeded to delete almost 18,000 different emails and files that were related to the core of the case. The court, rather than blaming employees for evidence spoliation, instead pointed the finger at the high-level executives and attorneys for Kolon, stating that the notices were mistranslated, delivered too late or in too limited a distribution to be effective in preventing spoliation, and that it had been their responsibility to adopt a responsible approach toward the litigation hold notices.

People of the State of New York v. Malcolm Harris: The city of New York brought charges against Malcolm Harris, one of many participants arrested during a mass Occupy Wall Street protest march in October 2011 that took place on the Brooklyn Bridge. The defendant in this case refused to voluntarily submit records of his Twitter feed, specifically those ‘tweets’ that were transmitted during the protest, which had since been deleted. Manhattan Criminal Court Judge Matthew Sciarrino then subpoenaed Twitter directly for a record of Harris’ tweets from that time period, in an attempt to prove or disprove whether Harris was responsible for disorderly conduct and had used Twitter to rally other protesters. While the Occupy movement is not a business, this case does raise the question of whether corporate information governance policies are effectively addressing social media communications, and if they may be held liable for that data in the future.

Viramontes v. U.S. Bancorp: In this case, the defendant actually defeated a sanctions motion due to proactive internal information governance strategies. The bank, U.S. Bancorp, already had a communications retention policy in place that kept email for only 90 days before overwriting and destroying it. However, this policy carried the provision that, in case of litigation or another trigger event, the normal retention procedure would be immediately suspended, and all documentation would be preserved until further notice. Because the bank showed a ready willingness to modify its retention procedures in the face of legal proceedings, the court found that it had acted in good faith and was protected from court sanctions under the “safe harbor” clause of the Federal Rules of Civil Procedure.

The cases listed above are just a representative handful. Dozens of cases exist that are informing the modern litigation landscape with regard to information governance responsibilities and electronic discovery.

Future Implications

Over the next two years, according to AIIM, 45% of their survey respondents are planning to increase expenditures in records management and information governance. The bulk of this investment is predicted to go toward automated classification methods such as data clustering and taxonomies.

With such diverse information storage and management methods among different enterprises, and even between departments, the idea of setting a single universal information governance standard isn’t realistic. However, some aspects can and should apply to those companies who wish to protect themselves and their investments from the ravages of electronic discovery associated with litigation:

• IT practices must be optimized in terms of storage capacity, backup capabilities, and infrastructure cost reduction.

• Data that’s relevant to business objectives, regulatory restrictions or legal action must stay visible, accessible, traceable and defensible.

• Security should take top priority, in terms of customer safety as well as employee privacy and corporate operations.

• Any record retention practices must meet industry standards and governmental regulations.

• Maintaining readiness for potential legal discovery requests is a necessary part of doing business in today’s world. Overwhelming litigation costs can be mitigated through a proactive approach toward information governance.

The ever-increasing amounts of data, both structured and unstructured, in modern business practices are not going away; rather, they are only multiplying at an increasingly rapid rate. Effective management of this massive information transmission and storage must be included as part of the enterprise governance strategy, policies and practices.

Taking a holistic view of managing information allows solutions to present themselves with greater clarity, compared to an emergency response attitude. Meticulous assessment and planning also allow businesses to take a graduated approach toward revamping existing information governance policies, making the initial evolution more painless and less intimidating. This broader view also allows businesses to address the grey areas of information governance, such as mobile devices and telecommuters, social media platforms, and how to handle departmental boundaries.

Although it’s tempting to brush this responsibility ‘under the rug’, failing to assess your information governance needs appropriately can lead to liabilities, sanctions, and significant and costly penalties. Taking a proactive approach instead allows this obligation to be dealt with while it is still relatively manageable, and lets daily business operations continue as usual without losing productivity.
