As the use of smart-phones, tablet computers, and other handheld devices explodes across Corporate America, managing and monitoring that enormous volume of “mobile information” can be a herculean task at the best of times. Add the threats of litigation, swiftly changing technology, and increased regulation, and most compliance programs are left flailing.
Three separate surveys released recently show just how frustrating the situation can be, even when companies make some headway in managing e-discovery and similar challenges. New research from Kroll Ontrack, for example, indicates that while more companies are adopting a strategy to respond to discovery requests for electronically stored information, many of those strategies remain untested.
Straight
More than half (52 percent) of the 203 IT and legal executives polled in the survey said they had some sort of e-discovery policy in place—yet only 38 percent have tested them. “That can expose them to more risk than not having a policy,” says Jason Straight, vice president of business development at Kroll Ontrack.
Straight says companies ought to conduct drills based on hypothetical or real legal cases, and also update policies regularly to reflect new technologies or new user habits. He recommends a policy review every six months; the Kroll survey found that 55 percent of respondents either hadn’t updated their policies at all in 2010 or didn’t know if one happened.
Gloomy news, but the Kroll survey also had some brighter spots. Foremost, corporate legal and IT departments are working together more often on e-discovery, or at least say they should be. Forty-four percent of respondents said legal and IT should share responsibility for developing and enforcing e-discovery strategy, up from 35 percent who said the same in 2009—and 23 percent think it should fall on a cross-functional team, compared to 11 percent in 2009. That’s a major change in attitude from 2007, when 41 percent of respondents said legal alone had that responsibility.
The cost of e-discovery also remains high: Corporations are spending an average of $1.25 million dollars annually, according to Kroll. Straight says most organizations aren’t yet doing all that they could to cut costs.
“You can’t effectively manage e-discovery with a decentralized litigation function. It’s like trying to hit a moving target.”
—Rick Wolf,
Founder,
Lexakos
One example is the lack of a “data map” at many corporations. Kroll and others say data maps—an inventory of where all of a company’s information is stored—are critical e-discovery management tools. But many still disregard the practice; only 44 percent of respondents said they have a data map, one-third said they don’t have one, and one-quarter didn’t know.
“You can’t have a defensible discovery strategy if you don’t have an accurate map,” Straight says. The data map should be updated twice a year to include new systems, new storage devices, and new technologies such as cloud computing. E-discovery policies should then be matched back to the map to ensure that all sources of data are covered by a policy.
“What often gets companies into trouble is not preserving data, because they didn’t know it existed,” Straight says.
Overload
Most companies also face the problem of storing too much data, usually far more than they should. That increases litigation risks (as plaintiff lawyers see what’s in those piles of data) and costs more money as well. A recent poll of legal, records management, and IT executives from the Compliance, Governance & Oversight Council found that almost all of them—98 percent—say defensible information disposal is a key objective of their information governance program. But how many actually do delete unnecessary data? Just 22 percent, according to Deidre Paknad, founder of the council and chief executive of PSS Systems.
ESI TESTING
The following chart from Kroll Ontrack shows how many corporations who participated in the survey have tested policies for ESI.
Source: Kroll Fourth Annual ESI Trends Report.
Paknad points to data from Fulbright & Jaworksi that shows legal organizations spent an average of $3 million per legal case to collect, cull, and review information in 2009. Worse yet, companies only really need to keep 30 percent of the data reviewed, she says. “CIOs are spending a huge amount of money … on managing garbage.”
Wolf
The problem is that companies constantly produce huge volumes of information, but can’t destroy any of it until they know whether it might be needed for litigation. That’s only possible with a centralized litigation function, says Rick Wolf, founder of consulting firm Lexakos.
“You can’t effectively manage e-discovery with a decentralized litigation function,” he insists. “It’s like trying to hit a moving target.”
Legal departments are starting to hear that message, according to Lexakos’s annual law department survey. Fifty-five percent of respondents report having a centralized litigation function, up from 49 percent in 2009 and 33 percent in 2008. It’s a modest improvement, Wolf says, but the others aren’t doing much more than nodding at the problem and spending “new money on old information.”
“They don’t have processes in place to reduce the overall volume of information they have to manage,” he says. “I call it corporate plaque: It just builds and builds.”
Another obstacle is the nature of data retention schedules that legal departments draft—they look good on paper, but can’t be implemented by IT departments. Half of the IT respondents to the CGOC survey said they don’t use the retention schedule when migrating or retiring data, and nearly the same number (47 percent) said their organization’s retention schedules couldn’t be executed by the business and IT staff who actually own the information in question.
Paknad
Paknad says that’s because the major players involved—legal, records management, the business teams, and IT—often don’t communicate.
For instance, she says, “Records management’s retention schedule may say, ‘keep 88A01 for seven years,’ but IT doesn’t manage data by calling it 88A01, and legal departments typically send legal hold notices to individual employees in the business, not to IT.”
Companies are also still confused about who really is responsible for information, she says. The majority of records management executives surveyed by CGOC said they were responsible for information management and governance, while most IT executives (many from the same company) said it was their responsibility.
No comments yet