By: Brian Kim, iDiscovery Solutions and Therese Craparo, Reed Smith LLP
Most experts agree that a sound information governance and data remediation program is vital to driving an organization’s business and reducing its risk profile. But how and why and when and with whom are all questions under active consideration. In this interview, Therese Craparo of Reed Smith and Brian Kim of iDiscovery Solutions give us their perspectives on the rapid evolution of information governance and how it is transforming the way in which organizations think about and manage data. Their remarks have been edited for length and style.
MCC: What is information governance and data remediation? Who should be involved in an organization’s information governance policy?
Craparo: I view information governance as the management of corporate information to facilitate business operations, manage risk, and ensure compliance with legal and regulatory obligations. It is essentially a corporate governance function for managing the most critical and valuable asset of a company – their data and information. Data remediation is part of the information governance process. To have good information governance, you need to make sure that you don’t keep data that you don’t need. Data remediation is the sensible disposal of data that the corporation no longer needs to retain for any business or legal reason.
Today we’re seeing cross-functional committees or working groups focused specifically on data risk. That includes records and information management, IT, legal, compliance and often risk. The risks associated with data touches upon all of them.
Kim: Coming at information governance from the technical side, it’s about understanding the data you have, how long you’ve had it, and how it flows through your systems. That leads to data remediation. If you don’t know what you have, you can’t defensively dispose of data you no longer need, and that’s the big question. I absolutely agree that all of those groups should be involved. We’ve also seen the business owners involved. For example, HR owns the HR systems, including employee records, and often needs to have a voice in information governance. As a consultant, I have worked with various groups within organizations and have acted as a translator and mediator to guide the collective group toward the common goal of disposing of unnecessary data.
Craparo: The business point is critical. Corporations are in the business of making money. The business depends on information and information systems to function. If you are not talking to the business people, you may not be putting in place a solution that works for the business. Their buy-in is critical to a successful information governance program.
MCC: Why should organizations be concerned about information governance? What are the benefits of having such a program – and the risks of not having one?
Kim: There are many corporations that keep all of their data for all time. That’s an untenable solution. It’s too big, too expensive, and the company ends up grinding to a halt because it can no longer efficiently use its data. Moreover, it increases the risk. It’s not a matter of who is going to get hacked, it’s a matter ofwhen you’re going to get hacked. Having all of that data just increases your risk and your liability.
Craparo: In the last few years, we’ve seen a shift in how organizations look at data and data management. For years, the philosophy was to keep everything. That was partially because of litigation risk and the fear of spoliation. The view was that storage is cheap. Now companies are realizing there is a greater risk in retaining large volumes of unneeded data, in part because of potential data security and data breach risks. Regulators, including the FTC, are looking at organizations where there is a security incident and asking why they are retaining all this data. Most regulators recognize that organizations are doing what they can to prevent data breaches, but when you have so many entry points it’s difficult to seal them all. While they may not hold an organization responsible for a particular data breach, they may hold an organization responsible if it is retaining data that shouldn’t be retained and there is a security incident related to that data.
Kim: Consider the Target hack. That was caused by an HVAC subcontractor who didn’t change an administrative password. You have to control data access, internal and external. With every access point, your risk grows.
Craparo: Data privacy is another area driving this. Typically, data privacy has been much more of a focus overseas, particularly in the EU. We’re starting to see more and more attention given to what personal data you are retaining and why you are retaining it. Are you keeping personal data only as long as necessary? Other regions, including Asia and South America, are increasingly focused on data privacy. While the U.S. has a different perspective on data privacy, we are still seeing a focus on securing the personal information of customers and employees. We’re seeing events from data privacy to data security converging into a recognition that the risks are genuine and growing, and that it’s something organizations need to address from a corporate governance perspective.
MCC: Where and how does records and information management (RIM) come into play, if at all, in information governance?
Craparo: We’re seeing changes in the process. Historically, RIM was focused on paper and managing the storage of boxes onsite and offsite. With digitization, we’re seeing the focus of RIM evolve into electronic data. You might have thought this would have happened more quickly, but it’s a fairly recent phenomenon. RIM is starting to look at the management of digital records. Today, RIM and information management and governance should be synonymous. IT is focused on the system, not the content. Compliance is focused on certain retention issues, but not the broader idea of how the organization is managing data across functions. That’s why you need cross-functional teams, and why you also need someone who’s responsible for managing your records.
It’s easier with paper records to distinguish between what you need and what are duplicates that you don’t need. It’s not as easy with electronic data. You have multiple systems that may feed into one another. You have data in email, on shared drives, in other collaborative applications. When you are talking about what you need to retain, it’s not a straightforward answer because there is so much interrelatedness. So the RIM function is becoming critical to digital data management.
Kim: IT understands where the data lives and how long it’s been living there. The different functional groups understand what is being kept there. But RIM understands why the data is being kept. They also have to understand what the system of record is. In the digital world, I can make 100 copies of a Word document and it doesn’t take up any more space and I can keep them in many different locations – my email on the Exchange server, my iPhone, and a local copy on my laptop. I have Web access through Office 365 and it’s stored in the cloud. That’s four different copies of the same email in four different locations. Understanding which is the system of record can greatly reduce your discovery costs down the road. RIM and IT have to work hand in hand with the different functional and business groups, and with compliance, to get an information governance program up and running.
Craparo: RIM is also getting the rather unenviable job of trying to affect cultural change within their organizations. That’s a tough role. We’ve had a “keep this” culture for so long, and that’s what employees are used to. Now you’re saying we should strictly apply retention periods and be more careful about where we keep data. One of the difficulties of implementing an information governance program is that you need the cooperation and the participation of your employees. There’s too much data in too many areas to have one person or one group find and organize it all. You need the buy-in of your employees and of executive management, which has to say it’s important and something the organization wants to do. The directive needs to come from the top, but somebody needs to work with people to implement it. Frequently, that’s falling to RIM. We will see this role growing and changing in very interesting ways.
Kim: It’s definitely a paradigm shift, and it has to start at the top and flow down. Everyone has to agree and understand why we don’t want to keep all of our data for all time – not only from a cost and storage perspective, but from a liability and risk perspective.
MCC: What are some common mistakes organizations make in data remediation projects? How can they be avoided?
Kim: The biggest mistake is doing nothing. An organization should not say, “We’re not going to go through the data remediation process. It’s going to be too much, and it will take too long.” Data remediation shouldhappen. If there’s no regulatory or legal reason to hold onto data, you should dispose of it. The biggest mistake is doing nothing.
Craparo: There’s also a misconception that doing nothing is “safe” and means nobody is getting rid of data. Doing nothing is making a decision. You think you are making a decision to keep data, but you are also allowing the indiscriminate deletion of data without an organized process. If you think you have everything and nothing is being deleted, that’s a false premise. It’s being deleted in a way that you don’t know about and that you’re not controlling. That is much riskier than engaging in a structured program and making informed, defensible decisions about what you’re keeping and what you’re not keeping. Doing nothing is doing something, and maybe in a disorganized way that is inconsistent with what the corporation wants to achieve.
The second biggest mistake is to try to boil the ocean. When you take that approach, you are setting yourself up to fail. You’re looking at a lot of data across the organization, and it’s not reasonable to think you are going to fix it all in one project or in a few months or even in a few years. This is a long-term program, a shift in how you manage your data. We tell people to start with something easy. Show some success and build momentum. It gets people used to the idea of deleting information that you no longer need. If you try to do everything, people get paralyzed because doing everything is too much.
The third biggest mistake is to view data remediation or information governance only as a one-off project as opposed to a corporate program. I don’t think there’s anything wrong with having projects within your program, but if you build the foundational components of a program, as opposed to looking at it as a one-off project, it makes it much easier to make decisions about how you’re going to manage particular data. Do you have RIM policies and procedures? Do you have record retention schedules? Do you have a legal hold policy and procedure? Do you have employee training? Do you have the processes in place to explain to employees where they should store their data and how they should store your data? If you have those foundational components, it makes it much easier to make decisions about disposal or management or use of data.
MCC: What is the impact of legal holds on information governance?
Craparo: The legal holds question is important because they are often one of the biggest challenges to data remediation. Most organizations rely on legal hold notices to employees to make sure data is retained. They follow up and do a good job of educating people. But when the question is whether a particular non-custodian data source is on legal hold, the answer often is “I don’t know” and then to ask the custodians what specific shared drives or specific systems are on legal hold. We’re relying on people to make sure that data is retained and, from a legal perspective, there is nothing wrong with that. From a data remediation perspective, however, it creates challenges because if you don’t know if a particular source is on hold, it makes it very difficult to make a quick decision to get rid of that data. As we go forward, we’re going to see discussions around how to better identify and manage legal holds on non-custodial data and record it so that when we make decisions down the road we can rely on that early assessment of what non-custodial sources are on hold. That’s a difficult thing to do, particularly for organizations that are serial litigants and have hundreds of lawsuits or subpoenas a year.
Kim: Therese and I agree it has to be a measured approach. If you don’t develop the program and the organizational habit of not keeping all data for all time, then in five or 10 years – or even sooner based on how much data is generated – you are going to be in the same spot and have to do everything all over again. You have to build those habits within the organization to have an effective information governance policy. It then becomes a much easier pill to swallow over time. It can’t be, “We’ll just keep everything because we’re getting sued.” We actually have to look into the lawsuit and the data. There’s going to be a paradigm shift among outside and inside counsel.
MCC: Do the changes in the federal rules impact information governance?
Craparo: They are having an impact, particularly on what needs to be preserved by organizations in connection with litigation. Rule 26 emphasizes proportionality in discovery – the relative weight of the benefits and burdens of production. In Rule 37, you see changes in the sanction language for spoliation. Also, the comments to the federal rules expressly state that proportionality should be considered in connection with preservation. There is this recognition that you cannot save everything. You have to be reasonable. Yes, you have affirmative obligations to make sure you are keeping information that may be needed for litigation, but it is not a “have to keep everything” approach. It has started to empower and inform the courts, lawyers and corporations to think about preservation in different terms. What is proportional? What do I really need? It takes a little bit of the fear out of making a reasoned decision but making a mistake. That is giving corporations some comfort around making decisions about remediation.
Kim: Rules 26 and 37 tie into each other. I don’t want to say the proportionality aspect of Rule 26 rewards those with good information governance plans, but it certainly makes things easier for organizations that have an IG plan because those organizations understand what and where their data is. They can discover and produce materials relatively quickly. Rule 37 takes away the fear of being sanctioned for not keeping everything. Having an information governance plan reduces the cost of discovery. You have a better negotiating stance because you know where everything is without having to dive into every system and do hours, weeks, even months of research. You already know and you can bring that to the table at a much lower cost.
Therese Craparo is counsel in Reed Smith’s New York office and a member of the firm’s Intellectual Property, Information and Innovation Group. She can be reached at tcraparo@reedsmith.com. Brian Kim is a senior managing consultant in the Washington, D.C. office of iDiscovery Solutions. He can be reached at bkim@idiscoverysolutions.com.