If there is one cause of consternation among law firms, consultants, and service providers — those who mostly collect and process ESI — it is a project in which the client organization has poor information governance practices. I am reminded of this because last week at The Master’s Conference in Washington, D.C., I told the audience that information governance practices are easily the foundation upon which successful discovery projects are built. Without question, projects run more smoothly when the client has strong information governance practices in place.
Records Management on Steroids
Information governance involves managing the creation, use, storage, and disposition of data, records, and information maintained by an organization. It encompasses ideas, concepts, and practices involving but not exclusively relating to electronic discovery. And it involves managing not only paper and electronic records, but all information maintained by an organization. It also implicates compliance with laws and regulations pertaining to records retention, information security, and the privacy, confidentiality and disposition of information.
And just in case it is not clear to anyone, all of this becomes critically important because the records of an organization provide insight into the past and sometimes future activities of that organization, and frequently records become evidence — the information used to tell a story.
Long before we had eDiscovery, we had records management. ARMA International is the largest information management organization in the world and has been around for 60+ years. But things have changed and almost all information is now created on a computer. As a result, today, we have or should have a more holistic view of the value and the efficient, collaborative use of information, particularly as it relates to legal matters.
But let’s be clear, information governance is not a technology or a tool. And it is not just policies and practices, either, or the management of risks or costs or security. It is an enterprise-wide undertaking and organizational mind-set designed to organize information for the benefit of the company. Information governance is the new records management — on steroids.
Whose Job Is It, Anyway?
One may ask, then, what are the IG responsibilities of legal operations professionals. For starters, it is essential to understand records and information management generally. One needs to have knowledge of IT infrastructure, data security, compliance regulations, and data management systems. It is necessary to know how the organization creates, stores, and disposes of information.
One objective of IG for organizations is to prepare for litigation. This means knowing (or being able to easily determine) what information it has, where that information resides, and what needs to be done to access it or preserve it for discovery. At the outset of a discovery project, attorneys should assess the organization’s IG maturity. If formal policies exist, what is the nature and substance of the policies? What is the extent of compliance with the policies? If no policies exist, how does that impact the preservation of information?
Regardless of whether policies are in place, it is important to understand the types of hardware, software, data processing, and storage devices the client uses. This includes the client’s network configuration, operating systems, workstations, laptops, file and email servers, smartphone and mobile device policies, and its backup systems. Knowing these things will help to efficiently identify relevant ESI.
One Best Practice: Ask Questions (Lots of Them)!
One good practice is to use a data map, questionnaire, or checklist to identify systems and assets that may contain potentially relevant information. Doing so not only memorializes the process, but also enables stakeholders to make informed decisions regarding the best course of action for preserving and later collecting ESI in any given legal matter. A good questionnaire might make inquiry about the following:
- Network configuration, storage, and operating systems in use;
- Types and number of file servers in use and the contents of each;
- Email applications, number of servers, mail store size and retention;
- Software applications, databases, or proprietary applications in use;
- Types of workstations and/or laptops in use;
- Remote access, home use, and personal and smartphone device polices;
- Backup systems in use, backup policies, frequency, and retention;
- Legacy or retired systems no longer in use;
- Policies on former employees, retention, and disposition;
- External media, hard drives, CDs or DVDs, and flash drives;
- Internal or external websites, intranets, shared drives, and social media pages; and
- Text messaging programs and unified voicemail systems.
Good Faith is a Good Thing in Legal
Remember, too, that the adoption of and consistent adherence to sound IG policies can demonstrate reasonable and good faith compliance with discovery obligations. If, for instance, documents or ESI are no longer available because they were disposed of pursuant to a formal policy before any obligation arose to retain them, then an organization may in theory be insulated from any penalty related to the obligation to preserve that information. Defensible disposition like this will also ultimately reduce the volume of ESI and result in savings, both in general and on eDiscovery projects. It is not improper to dispose of ESI if there is no legal or other obligation to retain it.
Good IG policies can result in more efficient and cost-effective discovery projects. When an organization knows the information it has, where it is, and how best to preserve or collect it, the initial stages of the eDiscovery process will be more efficient. Likewise, an organization with sound IG practices is less likely to over-collect ESI in discovery, which further reduces cost.
The information governance stage of a discovery project — learning how a client creates, stores, and manages its information — provides the foundational underpinnings for many decisions that will be made later in the case. Ultimately, it is the client organization that is responsible for implementing effective IG policies. Organizations that do not have such policies should consider leveraging outside counsel or a consultant to guide the development of sound IG policies.
Mike Quartararo is the managing director of eDPM Advisory Services, a consulting firm providing e-discovery, project management and legal technology advisory and training services to the legal industry. He is also the author of the 2016 book Project Management in Electronic Discovery. Mike has many years of experience delivering e-discovery, project management, and legal technology solutions to law firms and Fortune 500 corporations across the globe and is widely considered an expert on project management, e-discovery and legal matter management. You can reach him via email at [email protected]. Follow him on twitter @edpmadvisory.