From the Experts: Information Governance and Its Impact on Litigation
The amount of information generated by business today is continually increasing—some estimate 1.8 zettabytes of data will be created in 2011. While word processing, social media, and email have made it easier to create information, it remains important to effectively govern that information in order to minimize risk while maintaining the information's value to the organization. Information governance is important because it allows businesses to share information more effectively across departments and geography, and to prevent the mistakes and wasted energy so often caused by lack of communication and information silos.
While a company cannot typically control the increasing number of lawsuits, audits, and investigations it may face, it can establish parameters around its response to those obligations, minimize the company's public scrutiny, remain compliant, and reduce business and legal risk, cost, and impact. To that end, it is important to establish guidelines and policies around information governance and leverage technology to help implement those protocols.
What is "information governance"?
Information governance is not a new term or concept, but it has become more important since the 2006 revisions to the Federal Rules of Civil Procedure, which codified that Electronically Stored Information (ESI) is discoverable in litigation. In order for ESI to be properly preserved and retrieved in discovery, it must be properly managed at all times. Information governance, which technology research and advisory company Gartner Group defines as "the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals," is pivotal in this process. Information governance supports business objectives while managing legal risk.
How to create a process for information governance.
The key to establishing a process for information governance is to set guidelines that are understandable, well communicated, and enforceable. Employees must also have the tools and technology to comply with established policies and procedures. Policies should make it clear that there are repercussions for noncompliance, up to and including termination. Management should be able to demonstrate that the company took reasonable steps to ensure compliance.
With that in mind, the first step is to put together a cross-functional information governance team. Legal, IT, records management, and compliance departments should all be represented. Making sure that each participant understands the company's ultimate goal and the value that each team member adds can make the difference between success and failure. For example, IT may be incentivized if they realize that they will expend less effort on discovery responses in the long term. And compliance benefits from better institutional controls around the company's information.
You may face a rocky road, especially between IT and legal. IT may feel that legal is requesting work that is outside its area of responsibility, and legal may feel that IT is unresponsive. Legal must understand that IT's main responsibility is to ensure that technology is easily usable by businesspeople and remains functional at all times. And IT needs to understand the importance of complying with legal discovery requirements.
Senior management buy-in is a key motivator. It can be achieved by discussing lessons learned from other companies or from your company's past history, such as the importance of sharing information or judicial sanctions that have been imposed as a result of poor information governance. Or there may be more specific catalysts, such as a bad experience in a matter or a big reduction in workforce that can cause difficulty in complying with legal discovery requirements.
With a team in place, it is important that whatever policies and guidelines are adopted can be achieved by the company's technology. For example, a policy that states that voicemail will be retained for a certain time period cannot be enforced if voicemail expires after 10 days and the company has no unified messaging platform to turn voicemail into sound files for storage on the company's servers. Similarly, if you outsource IT, make sure your provider is contractually obligated to deliver timely accessible ESI.
All policies should also be reviewed for compliance. Whether by audit, sampling, or some other means, the company has to be able to understand where it is out of compliance and be able to show third parties that it is in compliance. A policy that cannot be enforced provides little benefit—and actually increases risk, as courts and regulators look unkindly on companies that do not follow their own protocols. In addition, policy documents should not be so long that employees do not take the time to read and understand them. Instead, policy documents should be practical, with easily understandable guidelines and examples.
Current case law generally only discusses egregious behavior, rather than providing clear guidance on what a good policy looks like. For example, in Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., 2005 Extra LEXIS 94 (Fla. Cir. Ct. Mar. 23, 2005), the court states that a company must be diligent in knowing where all potentially relevant information sources exist, and under no circumstance may it be less than truthful with the court—even when sources are discovered at a later date. However, while courts have not drawn a bright line around negligent behaviors (for example, how "diligent" is diligent enough?), there are some elements that are clear:
- Information should be kept for business purposes and must be kept for litigation or regulatory purposes, to the extent the information is relevant.
- The policy should define "document" and "business record." Records managers typically view "business records" as information that has value to the company.
- Policies must conform to all regulatory requirements.
- Policies must be enforceable.
- Policies must be easy to understand and/or efforts must be taken to train employees.
- Policies must be periodically updated to keep up with new technology and technological requirements.
- Policies must enable the company to be in a position to respond to discovery or regulatory requests.
Implementing information governance guidelines.
Once information governance policies and guidelines have been created and disseminated, it is crucial to put steps in place to ensure they are followed. This can be done with audits, random tests, sampling, dry runs, or other tools. A company's compliance department generally has the expertise, responsibility, and authority to enforce these policies and guidelines.
Finally, if at all possible, figure out a way to incentivize employees to comply. For example, each department could receive a pizza party or priority parking if they can show they are in full compliance with the program. Or employees who are not in compliance can find their bonus, or even employment, impacted.
Once you build a team and cut through any tension, legal and IT can cooperatively work to share information that may be helpful in a litigation context. Overall, the objective is to ensure that the team is working together to provide the organization with good information governance at all times.
Debbie Carlos is a senior counsel at Sunoco, Inc., where she manages the company's complex litigation, including commercial and environmental matters and Sunoco's responses to government information requests and subpoenas. She also manages the production of electronically stored information (ESI) for Sunoco's major litigation matters, as well as coordinating and implementing document review protocols for Sunoco's major litigation matters. Jennifer Coyne is an attorney, discovery consultant, and global alliances manager with Applied Discovery, a division of LexisNexis, where she counsels in-house and outside legal teams on a wide range of discovery matters, including records management and preservation obligations, data-gathering techniques, maintaining the proper chain of custody, document review strategies, and production of data to outside parties.