It is a fact of modern life in our digital world that companies generally have a poor understanding of the nature, quantity and form of the electronically stored information (ESI) in their possession. Information governance is any set of policies, procedures, processes, and controls designed to manage an organization’s data in order to mitigate the risk of future regulatory, legal, and other risks associated with keeping data for long periods of time. More recently, information governance guidance has focused on how it can provide business intelligence such that corporate teams can be in a better position to make bottom line-driven decisions.
The Gartner consulting firm defines Information Governance as “the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
In 2002, Arthur Andersen partner David Duncan pled guilty to destruction of records related to Enron, leading to a criminal indictment of his firm. In that case, Duncan led an effort to shred documents even after he had learned of a pending federal investigation and received warnings that destroying documents violated the firm’s policies.
Despite that abject lesson in the downside of data destruction in the face of litigation, spoliation continues to happen. If a company or organization fails to suspend an Information Governance program in the face of a litigation hold notice, it can be sanctioned or penalized in court.
An Information Governance regime is in part designed to set standards for when and how records and documents should be disposed of within the company. The policies are in place to designate when the organization no longer needs to be retained or no longer needs to be collected for compliance and regulatory purposes. When litigation arises, if the organization has faithfully deleted or destroyed data within the guidelines of the program, the organization in most cases cannot be forced to produce that data for discovery. This ability to purge records according to corporate policies set with respect to legal and compliance obligations is generally referred to as “safe harbor.”
This does not necessarily mean that all documents or records can be deleted when the retention period is over. In highly regulated industries such as banking, securities, and pharmaceuticals, there is often a need to retain information long after it has served its business purpose in order to comply with laws and industry-specific regulations.
In banking, for instance, some information will often need to be retained for 7 to 10 years. Life insurers need to retain policy documents and information for as much as 100 years. Business units may work with a Records Management department to determine how long different classes of information should be retained before deletion. Some companies are establishing Information Governance Committees, drawing representation from departments such as risk management, compliance, legal, I.T. and various executives to oversee the process.
In some companies, information is retained indefinitely and never deleted. This increases costs and risks in the face of litigation, as more information is caught up in the discovery dragnet and must be collected, analyzed and reviewed.
One of the biggest sources of risk and headaches is how to handle the records belonging to employees who have left a company. In order to make an IG program work, organizations must track departing employees to ensure ESI under litigation hold is not lost or taken when an employee leaves the company.
To begin, efforts must be taken to ensure that potentially relevant information is not improperly deleted or that the departing employee's hard-drive is not re-purposed and given to another employee. Regular retention and deletion policies which govern ESI of employees must be suspended as soon as it is known that an employee has left the company. Any policies in place to preserve ESI of departed employees should be implemented immediately.
Federal Rules of Civil Procedure Rule 26(a)(1)(A) demands that an organization be responsible for all data within its “care, custody or control.” Courts have often punished parties or counsel for e-discovery failures when they fail to know what ESI they had and in what forms, what custodians held it, where they stored it and what risks of alteration or disposal affected the ESI.
Federal Rules of Civil Procedure Rule 30(b)(6) allows a party to have a corporate employee give testimony about their legal hold and all the decisions around it. Having a well-documented hold will make preparing for such a deposition much easier and reduce the opposing party’s chances of finding the hold insufficient.
When a litigation hold is issued, an organization must respond and suspend deletions accordingly. In order to show that an organization has acknowledged and responded to a litigation hold order, it should be able to address these issues:
Before you can preserve, review or produce ESI, you must first know what you have, where you have it, the forms it takes and how much of it you’ve got. The process by which a litigant and counsel build an inventory of potentially relevant ESI is called data mapping.
Data mapping is one of those e-discovery buzz phrases -- like technology-assisted review or information governance itself -- that takes on any meaning the fertile minds of marketers can think up. But at its most basic, a data map is likely a list, table, spreadsheet, database or simple Excel spreadsheet. In fact, a “data map” might be better termed an “Information Inventory.” It’s very much like the inventories that retail merchants undertake to know what’s on their shelves by description, quantity, location and value.
As a rule of thumb, as the business value of information decreases, the relative costs and risks to maintain the information increases. Information Governance and litigation readiness is also referred to as proactive e-discovery because it encompasses the policies, procedures and steps an organization has in place to follow when and if a litigation event occurs.
There are a few questions that need to be asked about an organization's ESI and its environment. These questions fall within the scope of Information Governance which addresses a need larger than litigation readiness. They are: What is it? Where is it? How safe and secure is it? Who controls it? Why do we need it? How long do we need it? What does it cost to keep it?
Making an IG program work in the digital world is not easy. Many businesses have adopted a BYOD (Bring Your Own Device) model when they allow employees to connect their personal phones and tablets to the corporate network. Many other companies don’t have a BYOD policy but their employees use personal devices for work purposes regardless. Securing the ability to access these devices for e-discovery requires employers obtaining consent in employment agreements, complicating the work of enforcing an Information Governance program. In order to make a plan work in the real world, consider the following steps: