ediscovery

Subscribe to ediscovery via RSS

It’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply.
Continue Reading Why govern your information? Reason #3: “Your” information may belong to others … and you’re responsible to take care of it.

Manually digging a holeLate last month in Mirmina v. Genpact, the Honorable Sarah Merriam of the United States District Court for the District of Connecticut properly confirmed that it remains permissible to manually preserve and collect discoverable email.  Her opinion was concise and spot-on, swatting away the plaintiff-movant’s speculative “concern” that defendant must have “withheld communications” that were responsive to the case’s discovery protocols.  Citing Zubulake V, Magistrate Judge Merriam accepted defendant’s detailed affirmation that in-house counsel appropriately coordinated and supervised the manual search for reponsive email by defendant’s ESI custodians, and she therefore denied plaintiff’s motion to compel.

The ediscovery blogosphere lit up once the Mirmina ruling was handed down – see here, here, here, here, here, and on and on.

What’s remarkable about this ruling is that a singularly unremarkable point has somehow become remarkable.
Continue Reading Breaking news from Captain Obvious – it’s still OK to manually preserve and collect ESI

clouds and lightningIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes).  How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, through cloud providers.  We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge data troves on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promply restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example:
Continue Reading Why govern your information? Reason #4: Your information is in others’ custody … but you’re still responsible for it.

Monster Ant“What if ants were as big as dinosaurs?”  I remember asking my kids that question, forever ago when they were young.  Maybe the thought came from reruns of old monster movies, like the 1954 classic Them! (pictured here).  Anyway, it was a cool game, for as the ant’s size multiplies, the laws of math, physics, and biology play their part:

  • The ant’s exoskeleton wouldn’t be strong enough to support the increased weight, so an internal skeleton is needed.
  • Gravity would play havoc with the ant’s open circulatory system, so a closed system is crucial.
  • The ant’s energy needs would soar, and so a different diet and digestive system are required.
  • The ant’s newfound size would totally alter its place in the food chain (The Lion King, “Circle of Life,” right?), driving fundamental changes in behaviors and capabilities.
  • And on, and on.

Until, we finally end up with an ant the size of a dinosaur … that looks a lot like a dinosaur.

But what’s this have to do with Information Governance?Continue Reading Ants, Dinosaurs, and Information Governance

Bean of Chicago Millennium Park, Illinois, USAIt happens every day.  A company spends a huge amount of money on a new technology system, without fully addressing the information implications.  Maybe the decision (to move on-premise operations to a cloud SaaS or PaaS, or to retire and replace an enterprise database, or buy a comprehensive new tool suite) was reactive, driven by an impending crisis.  Maybe the decision-making was siloed, with IT not clearly hearing what the rest of the business truly needs (or more likely, the rest of the business not speaking up).  Or maybe IT just responded literally to a business directive of the moment (let’s get into IoT, or Big Data, or Blockchain!).  Regardless, the green light is lit, the dollars are spent … and problems ensue, painfully multiplying the procurement’s all-in cost.

What was missing? Strategic consideration of repercussions for information compliance, risk, and value for the organization as a whole, including privacy, data security, retention/destruction, litigation discovery, intellectual property, and so forth.  In other words, Information Governance.  And when was it missing?  Before the decision was made and the dollars were spent.

So, what if something could be hard-wired into the procurement process, a trigger that timely prompted decision-makers to call time-out; get focused input from all stakeholders; assess the repercussions for information compliance, risk, and value; and align the procurement requirements and purchase decisions with organizational strategy for governing information?Continue Reading X Percent for Information Governance

A metal cattle brand with the word brand as the marking areaThe “business case” for information governance often focuses solely on quantifying specific costs for data management and exposures for data security and ediscovery.  Number crunching is of course important, but it misses something bigger, more strategic, and ultimately more crucial to the organization – its brand.  Companies, regardless of industry, are fundamentally in the information business.  It follows that how an organization manages its information assets reveals how the organization manages itself.  And that matters, a lot, because companies that align themselves with their brand, achieving brand discipline, are more successful.
Continue Reading Why govern your information? Reason #8: It can build – or bust – your brand

3d blue cubes come together from different directions. Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.”  Records retention reminds us that important is not the same thing as exciting.  I get it – records retention schedules are boring.  But the fact remains that literally thousands of records retention requirements apply to your organization’s information.  I know, because my firm finds and tracks these laws as part of our many years of retention schedule work for clients across industries.  And your regulators expect you to know them too.Continue Reading Why govern your information? Reason #11: Thousands of federal and state records retention laws apply to your company

Image of one hundred bill burning on black background“If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

– U.S. District Court Magistrate Judge John Facciola (now retired, and missed)

We all know that ediscovery is expensive, and various research reports have so confirmed. The 2012 Rand study, Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery, found that median costs for collection, processing, and review are $17,507 per gigabyte (roughly 3,500 documents or 10,000 e-mails).  The math is not pretty – a case involving 482 GBs of source data could exceed $8 million in ediscovery costs.

And on top of that are preservation costs. The 2014 Preservation Costs Survey demonstrated that large companies incur significant fixed costs for preservation (for in-house ediscovery personnel and also for procurement and maintenance of legal hold management and data preservation technology systems), averaging $2.5 million annually.  More significant is the cost of employee time lost in complying with legal holds.  While companies with up to 10,000 employees incur the average time cost of over $428,000 per year, costs for the largest companies exceed $38 million per year.

There is indeed great complexity in how to cost-effectively process huge amounts of data through the ediscovery funnel. Tighter management of ediscovery processes is important, and TAR continues to be a promising alternative to traditional review, with significant cost-savings potential.

But as we ponder how to cut costs, let’s not forget to use Occam’s razor:
Continue Reading Why govern your information? Reason #12: Unnecessary business data causes unnecessary litigation costs

Hammer ponding computer keyboardPoor data. Though more essential to business than ever before,  data is simultaneously frustrating for its inaccessibility, intimidating in its volume and complexity, distrusted for its unreliability, maligned for its management costs, and feared for its litigation, privacy, and security risks.

But let’s not cast business data as the culprit. Data is basically inert.  It sits where we store it, goes where we send it, does what we (or some system programmer) tell it to do, and is as secure as the safeguards we provide.  Data is not the “actor” – good, bad, or indifferent.  We are.

If we’re honest with ourselves, we can see that most every problem we experience with business data has its root in what people do, or fail to do, as individuals, work teams, or organizations:Continue Reading People don’t have data problems ….