The amount of information generated by business today is continually increasing—some estimate 1.8 zettabytes of data will be created in 2011. While word processing, social media, and email have made it easier to create information, it remains important to effectively govern that information in order to minimize risk while maintaining the information’s value to the organization. Information governance is important because it allows business to share information more effectively across departments and geography, and prevent the mistakes and wasted energy so often caused by lack of communication and information silos. While a company cannot typically control the increasing number of lawsuits, audits, and investigations it may face, it can establish parameters around its response to those obligations, minimize the company’s public scrutiny, remain compliant, and reduce business and legal risk, cost, and impact. To that end, it is important to establish guidelines and policies around information governance and leverage technology to help implement those protocols.
Information governance is not a new term or concept, but it has become more important since the 2006 revisions to the Federal Rules of Civil Procedure, which codified that Electronically Stored Information (ESI) is discoverable in litigation. In order for ESI to be properly preserved and retrieved in discovery, it must be properly managed at all times. Information governance, which technology research and advisory company Gartner Group defines as “the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals,” is pivotal in this process. Information governance supports business objectives while managing legal risk.
The key to establishing a process for information governance is to set guidelines that are understandable, well communicated, and enforceable. Employees must also have the tools and technology to comply with established policies and procedures. Policies should make it clear that there are repercussions for noncompliance, up to and including termination. Management should be able to demonstrate that the company took reasonable steps to ensure compliance. With that in mind, the first step is to put together a cross-functional information governance team. Legal, IT, records management, and compliance departments should all be represented. Making sure that each participant understands the company’s ultimate goal and the value that each team member adds can make the difference between success and failure. For example, IT may be incentivized if they realize that they will expend less effort on discovery responses in the long term. And compliance benefits from better institutional controls around the company’s information. You may face a rocky road, especially between IT and legal. IT may feel that legal is requesting work that is outside its area of responsibility, and legal may feel that IT is unresponsive. Legal must understand that IT’s main responsibility is to ensure that technology is easily usable by businesspeople and remains functional at all times. And IT needs to understand the importance of complying with legal discovery requirements. Senior management buy-in is a key motivator. It can be achieved by discussing lessons learned from other companies or from your company’s past history, such as the importance of sharing information or judicial sanctions that have been imposed as a result of poor information governance. Or there may be more specific catalysts, such as a bad experience in a matter or a big reduction in workforce that can cause difficulty in complying with legal discovery requirements. 
With a team in place, it is important that whatever policies and guidelines are adopted can be achieved by the company’s technology. For example, a policy that states that voicemail will be retained for a certain time period cannot be enforced if voicemail expires after 10 days and the company has no unified messaging platform to turn voicemail into sound files for storage on the company’s servers. Similarly, if you outsource IT, make sure your provider is contractually obligated to deliver timely accessible ESI. All policies should also be reviewed for compliance. Whether by audit, sampling, or some other means, the company has to be able to understand where it is out of compliance and be able to show third parties that it is in compliance. A policy that cannot be enforced provides little benefit—and actually increases risk, as courts and regulators look unkindly on companies that do not follow their own protocols. In addition, policy documents should not be so long that employees do not take the time to read and understand them. Instead, policy documents should be practical, with easily understandable guidelines and examples. Current case law generally only discusses egregious behavior, rather than providing clear guidance on what a good policy looks like. For example, in Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., 2005 Extra LEXIS 94 (Fla. Cir. Ct. Mar. 23, 2005), the court states that a company must be diligent in knowing where all potentially relevant information sources exist, and under no circumstance may it be less than truthful with the court—even when sources are discovered at a later date. However, while courts have not drawn a bright line around negligent behaviors (for example, how “diligent” is diligent enough?), there are some elements that are clear: