Electronic Discovery

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Parts one, two and three were published last week, part four was published Monday, part five was published Tuesday and part six was published yesterday.  Here’s the seventh and final part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD next week in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

Concluding Remarks

An IG strategy will depend entirely upon the business practice of your client and their various needs, including but not limited to proactive handling of eDiscovery matters for litigation.

ARMA suggests five main guidelines for building out the IG strategy that provide terrific guidance for any organization looking to implement or improve its IG program.  They are:

1) Think big but start small: A good data governance process has three components: people, process and technology. Start by identifying and hiring the right people, then define a process, and finish by sourcing the technology to get the job done.

2) Build a business case: I had a client tell me once, “anyone can tell me what my problem is, Tom. You suggest solutions.”  What are your goals? What are you trying to improve and how will the IG policy do it? Show an ROI to drive the change.

3) Metrics: You must be able to measure progress and display success to make your plan succeed. And since the plan will most likely take time to implement, use metrics to set milestones and measure progress.

4) Communicate: Regular and consistent communication is essential to show progress and correct problems that may arise during implementation.  Include not just team members but all people in the organization with an emphasis on key players.

5) Get buy in: The project must become part of the business not something with a beginning and end date.  You are making changes, not a product. Get buy in from everyone.

With an increased concentration on the two-fold concerns of privacy and security, IG has become more important than ever.  These five guidelines can help your organization more efficiently and cost-effectively manage its data, enabling it to accomplish its organizational IG goals.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Parts one, two and three were published last week, part four was published Monday and part five was published Tuesday.  Here’s the sixth part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD next week in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

One Reason Why IG is Not More Popular

I have developed one theory for why formal IG policies and software have not been used more widely. It is that the increased improvements in and use of technology to analyze data and find patterns in Big Data has preempted more widespread use of IG applications.

This is not a new phenomenon.  Knowledge Management pioneers were doing this type of development years. People like Ron Friedmann, Partner at Fireman & Co. and Peter Krakaur, Vice President of Legal Business Solutions at United Lex, were building home-grown systems at their firms (Ron at Wilmer Cutler Perkins in the early 90’s and Peter at Brobeck Phleger & Harrison came in the early 2000’s) to share, use and manage internal information.  These KM systems were the first multidisciplinary approach to achieving organizational objectives by making the best use of enterprise wide knowledge

Search engines were not unique but later came blazingly fast search engines like X1.  Using indexing across more than 500 filetypes, X1 allowed unified searching through their local data indices across multiple data types with a user-friendly interface.

Then came Google with it’s equally fast web-based searching. Google wanted to index all the information they were collecting and then present meaningful results to users. There was nothing on the market that would do that, so they built their own platform which eventually came to be the open source project Nuch. Hadoop was spun-off from that and Yahoo then helped develop Hadoop for enterprise applications.

Both Google and then Hadoop were designed to search large amounts of data that didn’t fit into tables and could benefit from analytical searching. Further, Hadoop was designed to run on a large number of machines that don’t share either memory or disks, so users could buy their own servers, link them together and run Hadoop on each one. The result is you can have organizational data on multiple separate servers and Hadoop is good at dealing with data spread across multiple servers.

So, as the data environment became one where early systems in limited domains were struggling to find distributed data, the need arose for this new generation of knowledge management solutions using semantic and linguistic capabilities that could provide system wide information access in a non-structured way.

Ralph Losey made the point best when he observed that “AI-Enhanced Big Data Search Will Greatly Simplify Information Governance” (in this blog post here).  Why? Because as he put it,

In order to meet the basic goal of finding information, Information Governance focuses its efforts on the proper classification of information. Again, the idea was to make it simpler to find information by preserving some of it, the information you might need to access, and destroying the rest. That is where records classification comes in.

This creates a basic problem for Information Governance because the whole system is based on a notion that the best way to find valuable information is to destroy worthless information. Much of Information Governance is devoted to trying to determine what information is a valuable needle, and what is worthless chaff. This is because everyone knows that the more information you have, the harder it is for you to find the information you need. The idea is that too much information will cut you off. These maxims were true in the pre-AI-Enhanced Search days, but are, IMO, no longer true today, or, at least, will not be true in the next five to ten years, maybe sooner.

The interesting point is that Ralph said this in 2014.  That’s right. Four years ago.  So maybe the issue with lack of IG deployment is that were undergoing the same realization that Ralph articulated and were drifting away from IG programs into more analytics-based programs that they could build themselves.

As I pointed out above, business data can be regulated by hundreds if not thousands of federal, state and local laws which require different types of information to be preserved for different lengths of time. Information governance thus became a very complicated legal analysis problem and building an IG policy around this “records life-cycle” paradigm to reflect those requirements might have made sense in a paper world.

But Big Data in the ESI world is cheap to store and easy to search, especially with the new analytic algorithms and the new paradigm is what Ralph calls “Save and Search v. Classify and Delete.”  Ralph also likes to call all this new analytic power “AI.” I myself think that’s an underdefined and over used label but is the name really important? If I can use a newer analytical search product such as Brainspace or Heureka to effectively comb through massive amounts of corporate data and then see trends and links among users and data types I’m not sure that it matters what we call it.

To sum up, Ralph sees three big advances in the field of search analytics that are dictating the new alternatives to IG: Big Data, cheap parallel computing and better algorithms. All three of those combine to make IG systems less important as clients learn to adopt aggressive search strategies with new technology that allow them to find data for both corporate strategy and litigation avoidance.

We’ll publish Part 7 – Concluding Remarks – tomorrow.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Parts one, two and three were published last week and part four was published yesterday.  Here’s the fifth part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD next week in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

Basic Information Governance Solutions

One option, as mentioned above, is to design your own IG structure. An interesting option in that regard is that if you already use the Office 365 operating system, Microsoft has a Compliance Manager add on for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers operating in a public clouds infrastructure.

Compliance Manager allows an organization to build a custom process to manage all compliance activities from one place with three key capabilities:

• Perform on-going risk assessments, now with Compliance Score

Compliance Manager is a cross-Microsoft Cloud services solution designed to help organizations meet complex compliance obligations, including the EU GDPR, ISO 27001, ISO 27018, NIST 800- 53, NIST 800- 171, and HIPAA[2].

• Provides actionable insights from a certification/regulation view

Compliance Manager builds a connection between data protection capabilities and regulatory requirements, enabling users to know which technology solutions they can leverage to meet certain compliance obligations. One centralized view shows customer actions for each certification or regulatory control, and the specific actions recommended for each control. This includes step-by-step guidance through implementing internal controls and developing business processes for the organization.

• Simplifies management of compliance activities with the capability to create multiple assessments for each standard and regulation

Compliance Manager enables assigning, tracking, and recording compliance activities to collaborate across teams and easily manage documents for creating audit reports.  This group functionality allows multiple assessments for any standard or regulation that is available in Compliance Manager by time, by teams, or by business units.

For example, you can create a GDPR assessment for the 2018 group and another one for the 2019 group. Similarly, you can create an ISO 27001 assessment for your business units located in the U.S. and another one for your business units located in Europe.

You can learn more about Compliance Manager in the white paper, Simplify your Compliance Journey with Service Trust Portal and Compliance Manager (downloadable here) or on the Compliance Manager support page.

A second method for creating an IG structure is to use the EDRM Information Governance Reference Model (IGRM).  As mentioned at the onset of this paper, IG was largely ignored when the EDRM started. That is not the case now as the updated EDRM wall poster diagram below illustrates.  

IGRM is one of 8 projects within the EDRM.net organization, and as such is specifically designed to help eDiscovery projects. While the well-known diagram of the EDRM illustrates a model for electronic discovery, the IGRM diagram (shown at the top of this blog post) illustrates a more detailed model for information management.

IGRM provides a framework for cross functional and executive dialogue and serves as a catalyst for defining a unified governance approach to information.  It is available to corporations, analyst firms, industry associations and other parties as a tool for communicating with and to organization stakeholders on responsibilities, processes and practices for information governance.

The IGRM diagram is a responsibility model rather than a document or case life cycle model and as such, can be used in a variety of industries and companies.  It helps to identify the stakeholders, define their respective “stake” in information, and highlights the intersection and dependence across these stakeholders.

The diagram was developed from multiple key inputs, including:

• Interested parties with expertise in RIM, Discovery, and Information Management
• Community effort
• Series of bi-weekly sessions over more than 12 months
• Socialized with more than 350 Compliance, Governance and Oversight Council (CGOC) corporate member practitioners in several CGOC meetings, and broadly distributed to over 750 CGOC member practitioners

The CGOC also issued a survey of corporate practitioners which showed:

• 100% of respondents stating that defensible disposal was the purpose of information governance practice
• Two-thirds of IT and one-half of RIM respondents said their current responsibility model for information governance didn’t work
• 80% of respondents across legal, IT, and RIM said they had little or very weak linkage between legal obligations for information and records management and data management

You can link to the survey’s preliminary results here: http://www.cgoc.com/webinars/introduction-to-imrm

As you can see at the top of this blog post, the IGRM model has an outer ring of stakeholder groups including business users who need information to operate the organization, IT departments who must implement the mechanics of information management, and legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value.  In the center of the diagram is a workflow, or lifecycle diagram.  The information basics are distilled out, with the notable inclusion of “dispose” as the end state of information. Note the “information gates” in the middle, where information accumulates.

You can read more about how to use the IGRM model here.

Once comfortable with the components of the IGRM diagram, there are tools that provide the “next level” detail from the IGRM. One example is the CGOC’s process maturity model which outlines 13 key processes in eDiscovery and information management. Each process is described in terms of a maturity level from one to four – completely manual and ad hoc to greater degrees of process integration across functions and automation.

We’ll publish Part 6 – One Reason Why Information Governance is Not More Popular – on Thursday.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Part one was published last Monday, part two was published last Wednesday and part three was published last Friday.  Here’s the fourth part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD next week in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

Who Uses Information Governance?

The first problem with IG policies is that not everyone has one. A 2014 Rand study found that 44% of companies didn’t have any formal data governance policy and 22% of firms without a data policy had no plans to implement one.

This situation has not changed substantially since then.  In November 2017, data governance company erwin partnered with survey company UBM to ask business technology professionals at large organizations about their attitudes on data governance.

Their report was based on a survey of North American companies with more than 1,000 employees across more than 16 industries and included CIOs, CTOs, data center managers and directors, IT staff, and consultants. While the respondents agreed that IG is an important issue, nearly four in 10 of them said they do not have a separate budget for data governance and 46% do not have a formal strategy for it. So, while organizations continue to show awareness of the importance of data governance within their company, nearly half are not acting on that awareness.

The result of this inactivity? Inefficiency. According to the Thomson Reuters report, Cost of Compliance 2017, 32 percent of companies spend more than 4 hours per week creating and amending audit reports. Just audit reports. Imagine the time spent on other issues such as privacy or potential litigation.

SPECIFIC EXAMPLES

Statutes of Limitation

“Statute of limitations” or “limitation of action” are, of course, laws prescribing the time periods during which legal actions or lawsuits may be initiated. And once the statute of limitations time has passed, no future legal action may be brought related to the incident in question.

Once a legal action has commenced, either party may uncover relevant information which may be in the possession of the other party under the applicable rules of discovery. But if the statute of limitations has tolled, a business may delete relevant records and thus the SOL acts as a simple de facto IG policy.

Some types of matters may have special statutes of limitations. EG, most states specify that the statute of limitations related to personal injury begins at the time the actual injury occurs. Since this could be years after the product was brought to market, the manufacturer and/or distributor may be responsible for an extended period of time for product defects of various types.

Architects, engineers, and contractors may have similar concerns related to construction projects, although only in those locations where the construction occurred.  The requirements for those specific states need to be reviewed in detail before making an IG decision with regards to construction related records.

Records Retention

Typically, when asked about IG, attorneys will say it is a records retention policy. And traditionally, lawyers have advised their clients to “retain records forever in case they are sued”. As a result, the development of effective records retention programs has sometimes been thwarted based upon the mistaken belief that records must be kept for long periods in case they may be needed in litigation.

Records can often effectively be destroyed under an approved records retention program prior to the culmination of the statute of limitations period. When records have been destroyed prior to the start of litigation, they will not be available to the adverse party and so court rules prohibit record destruction while litigation or government investigation related to those records are imminent or pending.

The disadvantages then, of not having records that may be needed in litigation must also be balanced against the cost and inefficiencies associated with maintaining valueless records. Some questions related to these determinations include the following:

• What are the chances of litigation?
• In case of litigation, which party would have the burden of proof?
• When does the statute of limitations take effect?

Regulations

Some statutes, such as those mentioned above, may result in extended liability for an organization since a legal action may be brought at any time. Think, for example, of a construction defect case, where the action may not arise until the defect becomes apparent and/or someone is injured. In addition, industry specific regulations in areas such as gaming or insurance can vary from state to state. An interesting example is an opinion by a member of the ARMA Board of Directors that new California Privacy Act is, in fact, a de facto American GDPR.  See https://www.arma.org/news/409199/

Healthcare Records

When it comes to IG standards for a specific profession, health care leads the way, under the guidance of the American Health Information Management Association (AHIMA).   AHIMA defines information governance as an “organization-wide framework for managing information throughout its lifecycle and for supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

Their Information Governance Principles for Healthcare (IGPHC) provide a framework for healthcare organizations to enhance their ability to leverage information in order to achieve the organization’s goals and conduct their operations effectively while ensuring compliance with legal requirements and other duties and responsibilities.

IGPHC is a set of eight principles that are intended to inform an organization’s information governance strategy.  The eight principles, which incorporate the seven principles of ARMA mentioned above, are:

• Accountability
• Transparency
• Integrity
• Protection
• Compliance
• Availability
• Retention
• Disposition

They are described in great detail in the publication Evaluating the Information Governance Principles for Healthcare by Galina Datskovsky, PhD; Sofia Empel, PhD  and Ron Hedges, JD. (Ron of course is well known to people in the ESI arena as the former MJ from New Jersey and accomplished speaker and writer in the eDiscovery field.)

We’ll publish Part 5 – Basic Information Governance Solutions – tomorrow.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Part one was published on Monday and part two was published on Wednesday.  Here’s the third part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD later this month in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

General Principles for Information Governance

Assuming a company wanted to begin an IG initiative, are there any general principles to follow? The leading organization in this area is ARMA. Originally, ARMA was the acronym for the Association of Records Managers and Administrators. Over the years, the board of directors realized that records management had become a recognized and integral part of information governance, which is key to doing business. To reflect this change, they decided to discontinue using ARMA as an acronym and adopted “ARMA International” as a general descriptor of the association.

ARMA has 7 core principles it believes are the basis for any IG strategy. These Generally Accepted Recordkeeping Principles® (Principles) constitute a generally accepted global standard that identifies the critical hallmarks and a high-level framework of good practices for information governance – defined by ARMA International as a “strategic, cross-disciplinary framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable for the proper handling of information assets. Information governance helps organizations achieve business objectives, facilitates compliance with external requirements, and minimizes risk posed by sub-standard information-handling practices. Note: Information management is an essential building block of an information governance program.”

Published by ARMA International in 2009 and updated in 2017, the Principles are grounded in practical experience and based on extensive consideration and analysis of legal doctrine and information theory. They are meant to provide organizations with a standard of conduct for governing information and guidelines by which to judge that conduct and are, in fact, all contained with the eithht HIMA principles mentioned above.

Principle of Accountability: A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for information management to appropriate individuals.

Principle of Transparency: An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate, interested parties.

Principle of Integrity: An information governance program shall be constructed so the information assets generated by or managed for the organization have a reasonable guarantee of authenticity and reliability.

Principle of Protection: An information governance program shall be constructed to ensure an appropriate level of protection to information assets that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Principle of Compliance: An information governance program shall be constructed to comply with applicable laws, other binding authorities, and the organization’s policies. Principle of Availability: An organization shall maintain its information assets in a manner that ensures their timely, efficient, and accurate retrieval.

Principle of Retention: An organization shall maintain its information assets for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

Principle of Disposition: An organization shall provide secure and appropriate disposition for information assets no longer required to be maintained, in compliance with applicable laws and the organization’s policies.

We’ll publish Part 4 – Who Uses Information Governance? – next Monday.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

It’s timely that we are currently running Tom O’Connor’s paper on Information Governance (first two parts here and here, more to come tomorrow and next week) because The Sedona Conference® (TSC) has just published a paper on defensible disposition, which is a significant component of any good Information Governance program.

On Tuesday, TSC and its Working Group 1 on Electronic Document Retention & Production (WG1) announced the publication of the Public Comment Version of The Sedona Conference Principles and Commentary on Defensible Disposition. While updating the 2014 Commentary on Information Governance, WG1 recognized there was a need to provide guidance to organizations and counsel on the adequate and proper disposition of information that is no longer subject to a legal hold and has exceeded the applicable legal, regulatory, and business retention requirements.

The Commentary is introduced by reciting Principle 6 of The Sedona Conference Commentary on Information Governance, which provides the following guidance to organizations:

The effective, timely, and consistent disposal of physical and electronic information that no longer needs to be retained should be a core component of any Information Governance program.

Despite this advice, and similar advice from other sources, many organizations continue to struggle with making and executing effective disposition decisions. That struggle is often caused by many factors, including the incorrect belief that organizations will be forced to “defend” their disposition actions if they later become involved in litigation.

As a result, this Commentary attempts to address these three factors and provide guidance to organizations, and the professionals who counsel organizations, on developing and implementing an effective disposition program.  As is the case with any “Principles” guide from the TSC, the core of this guide are its three principles, as follows:

• PRINCIPLE 1. Absent a legal retention or preservation obligation, organizations may dispose of their information.
• PRINCIPLE 2. When designing and implementing an information disposition program, organizations should identify and manage the risks of over-retention.
• PRINCIPLE 3. Disposition should be based on Information Governance policies that reflect and harmonize with an organization’s information, technological capabilities, and objectives.

Each principle includes two or more “comments” that provide additional guidance regarding defensible disposition best practices (you could call them “sub-principles”) and the guide concludes with a section on “Information Disposition Challenges” which addresses considerations such as unstructured information, mergers and acquisitions, departed, separated or former employees (here’s a blog post we did covering that subject), shared file sites, personally identifiable information (“PII”), regulations, cultural change and training and parties such as law firms, eDiscovery vendors (who us?), adversaries, in-house legal departments and data “hoarders” (you know who you are).

The Commentary weighs in at a tidy 34 page PDF file, so it’s an easy read.

The Sedona Conference Principles and Commentary on Defensible Disposition is open for public comment through October 10, 2018. As always, questions and comments regarding the Commentary may be sent to comments@sedonaconference.org and the drafting team will carefully consider all comments received and determine what edits are appropriate for the final version.  You can download a free copy here.

So, what do you think?  Does your organization struggle with defensible disposition of information?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Part one was published on Monday.  Here’s the second part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD later this month in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

What is Information Governance?

The most basic explanation, and one I have used for years, is that IG is the flip side of the ED coin. But before we define it, let’s take a look at what it is NOT.

Much like other discussions in other areas of eDiscovery, IG is not a product. It is, rather, a process that may incorporate several products depending upon the business type and their workflow.

Since IG is not a product, then it clearly cannot be a DMS.  Yet the most common response I received when I asked someone if they had an IG solution was, “yes, we use iManage/NetDocuments/Worldox”. A simple IG solution may include a Document Management System (DMS) product but the DMS itself is designed for the organization and search of only certain types of documents. It may have limitations on document types it can work with and almost always has a document size limit. Craig Bayer, the principal of legal document management firm Optiable, put it best when he said to me that “A DMS is not an enterprise data organization solution.”

And as a side note, for these same reasons and several others, the most important reason being that a DMS will change metadata when documents from outside the DMS are imported into it, a DMS is also not a good eDiscovery tool.  Again, it can be part of the ED workflow process but typically at the front end of that process. Thanks to Paul Unger, managing partner of the Columbus Ohio office of the Affinity Consulting Group for this tip.

So, now that we’ve discussed what is not IG, let’s talk about what it is.

IG, or as it’s also known data governance, is basically a set of rules and policies that have to do with a company’s data. These rules and policies can cover issues such as:

• Security
• Privacy
• Data access
• Data storage & maintenance
• Data backup and/or disposal
• Accountability for employees handling data

But the benefits of data governance don’t stop there. It can also help with:

• Preventing isolated unregulated data storage
• Making data accessible across the enterprise
• Providing accurate, consistent data
• Ensuring compliance with laws and regulations that govern data, such as the Sarbanes-Oxley Actor HIPAA

IG will also almost always involve some form of unstructured data, that is, information that either is not in a fielded form in databases or is annotated or otherwise semantically tagged in documents. Unstructured data is typically text-heavy but may contain other data such as dates and numbers. A 1998 Merrill Lynch study cited a rule of thumb that somewhere around 80-90% of all potentially usable business information may originate in unstructured form and this figure is still generally accepted as valid.

IG will always be proactive in dealing with corporate data, unlike eDiscovery which is reactive in nature But, because “data” can refer to so many different items, from email and word processing documents to A/V files and unique file types such as CAD drawing or x-rays, is it possible to have standardized best practices for all types of data usage or it is most likely that rules will be built for different business types?

In fact, different IG rules do exist for different professions and industries and some have their own data management tools. Examples include:

• Health
• Education
• Business
• Nursing
• Manufacturing
• Non-Profits

Other IG rules may spring up because they are imposed by entities outside the business. From something as simple as a statute of limitations to general records retention statutes or industry specific regulations and even statutory controls in areas such as privacy, external pressures on a company may force a need for a cohesive IG policy.

We’ll publish Part 3 – General Principles for Information Governance – on Friday.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th).  Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into seven(!) parts, so we’ll cover each part separately.  Here’s the first part.

BTW, in addition to exhibiting at ILTACON in National Harbor, MD later this month in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register).  Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform!  We want to see you!

Introduction

Information Governance (IG) has always been part of the eDiscovery landscape but not always a large part. Although it appears on one of the first Electronic Discovery Reference Model (EDRM) charts it was not discussed in any of the standards models and was typically not included in any detailed EDRM discussion.  Here is the early EDRM model chart from 2009 that became the initial standard – note how it wasn’t even called “Information Governance” back then, it was called “Information Management”.

IG was originally important for reducing the population of potentially responsive electronically stored information (ESI) that might be subject to litigation by helping organizations adopt best practices for keeping their information “house in order”.  But now with an increased concentration on the two-fold concerns of privacy and security, IG has become more important.  Good IG best practices and technologies can allow organizations to conduct data discovery on their organizations data, keep it secure, protect privacy and help lower potential litigation costs by archiving or disposing of records in a repeatable defensible manner.

We’ll explore the implementation of Information Governance best practices to help organizations better prepare for litigation before it happens, as follows:

1. What is Information Governance?
2. General Principles for Information Governance
3. Who Uses Information Governance?
4. Basic Information Governance Solutions
5. One Reason Why Information Governance is Not More Popular
6. Concluding Remarks

We’ll publish Part 2 – What is Information Governance? – on Wednesday.

So, what do you think?  Does your organization have a plan for preparing for litigation before it happens?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.