
Corporate Compliance And How It Relates To Litigation Data-Management

By Deborah Johnson
August 30, 2005

If we counted a penny for every general counsel, chief information officer or information-technology director who laments the passing of the regulatory-agency laissez faire policies of old, we'd give Donald Trump a run for his money.

The simple truth is, there is no going back — Sarbanes-Oxley, Gramm-Leach-Bliley, the Safe Harbor Protection Act and European Data Protection Directive — they're all here to stay.

It's a daunting task to have to interpret what's going on out there in terms of corporate compliance when you have to consider new regulations and requirements, compounding business data, information management and the storage issues that come along with managing all this information. Management information systems are at the point where the smart thing to do is to think of corporate compliance and litigation as relational information bases. Corporations should consider a proactive approach to managing data and documents as they pertain to corporate compliance and litigation.

At a minimum, officers and managers of all organizations that fall under the auspices of any regulatory framework should be asking themselves the following questions:

1. What industries (by SIC/DUNS code) are we in?

2. What are the applicable regulatory schemes that our business units fall into?

3. Where am I today and where will I be 18 months from now?

4. Are my document-retention and records-management policies consistent with the frameworks that govern the areas I operate in?

5. Do I have proactive response measures built into my policies?

6. Is my infrastructure capable of supporting the policy mandates?

7. Is my infrastructure set up to acquire, restore and convert data for review and production in the context of litigation, or a regulatory request?

8. Is outside counsel aware of and conversant with the issues that affect my compliance?

9. Are my people aware of and conversant with the issues that affect compliance in their business units?

10. What would my costs be if I had to produce data for a regulatory request – do I have a best-case and worst-case scenario from which I can extrapolate costs?

11. What are the implications with respect to my general liability insurance concerning coverage for actions that result from non-compliance?

While the list above is by no means exhaustive, the picture that begins to emerge from the checklist is a good starting point for a corporate-wide business-process album of snapshot and mural scenarios for many organizations that find themselves wondering how best to tackle often labyrinthine regulatory requirements.

Data Acquisition and Conversion Processes

Items 1 – 4 above are by and large strategic and operational considerations that vary with the industry and vertical market that comprises an organization's operational areas. Items 5 and 6 are “generic” in the sense that they are generally applicable to most organizations that fall under the purview of some regulatory scheme. Organizations that have proactive response measures in place have increased efficiencies in their data acquisition and conversion. This means their acquisition and conversion processes are more orderly, targeted, minimally disruptive and cost-effective. It also allows them to reduce the procedural distinctions between collection and conversion of data within the contexts of litigation and regulatory requests.

For large organizations that have grown by acquisition and have data in dispersed locations across the globe, data-collection and conversion can be a daunting proposition that can be lightened somewhat by bringing in experts like National Data Conversion (NDC). In a scenario where a far-flung organization has data in disparate locations that is stored on a variety of system platforms and different formats, it is imperative to work with an organization that has the technical experience and track record of dealing with the simplest to the most arcane data formats. It is even more important to have a consultative vendor that understands the context and impact of the situation that requires the acquisition, restoration and conversion of that data.

Such a consultative vendor should have an impressive track record and have accrued many years of experience in data collection, restoration and conversion to and from virtually every commercially available file format and system developed. The vendor should understand that the keys to collecting responsive information lie in a technical understanding of how the source data systems store, manage and manipulate data. Another key factor in selecting a consultative vendor is that the vendor have a detailed understanding of the requirements for loading the target-review system that will allow for the analysis, categorization and production of the responsive information. Having said that, the economies and efficiencies of scale that are derived from using a consultative vendor that gets the “big picture” translate directly to organizational bottom-line cost-savings and mitigation of risks associated with regulatory or legal sanctions.

Preparing Electronic Data for Discovery and Production

Data acquisition, restoration and conversion for review and production as conducted in the regulatory and litigation environment requires a level of attention to detail that most organizations (not for lack of trying) find very difficult to achieve on their own. Many internal IT departments are just not set up to deal with the challenges of discovery and production, especially when faced with their own demanding normal day-to-day operational challenges. Having a partnership with an organization that fits the appropriate consultative-vendor profile can save an organization 30% to 40% of the expenses associated with data restoration. Another cost that is extremely important is conversion to a medium that allows general counsel and outside counsel to review the data prior to production. It is imperative – and this cannot be stated strongly enough – that the data to be produced be converted to a medium that allows for the rapid, thorough and concise review and analysis of risk, given the context of the scenario.

The software and hardware platforms that are used by most corporate entities are relatively standard. e-Mail and document-management systems have become the chief repositories from which responsive information is acquired. According to the Radicati Group, in 2004 Microsoft had 115 million seats of its products installed globally vs. 83 million seats for IBM. From an overall market-share perspective, this translates to Microsoft having an approximately 60% share of the business e-mail market vs. 25% for Lotus. Radicati also projects that by 2009, Microsoft will have 200 million seats installed vs. 103 million seats for Lotus Notes and other products combined. Given an average size of 0.10 MB per e-mail, a single user's weekly e-mail storage is about 75 MB. This translates into 1.2 GB per quarter and nearly 5 GB per user, per year, and this is just for e-mail, not documents created, instant-messaging archives or voice mail logs. When some CIOs and IT managers extrapolate the numbers relative to their organizations, they get the chills. The commonality of the platforms used to store organizational data notwithstanding, the sheer volume of information that must be sifted creates logistical complexities that require specialized skill sets.

Traditionally, the informational demands of regulatory compliance and the process by which the informational demands were satisfied were seen as separate and distinct from those of litigation, but that distinction is becoming increasingly blurred. The same methods and considerations that come into play in the regulatory context are now the same that come into play for litigation. Thus, a comprehensive organizational risk-mitigation and proactive-response strategy these days involves tighter coordination by previously unrelated organizational groups.

The Team That Boosts Compliance

In today's organizations, there are several disciplines and organizational roles whose skill sets should be drawn on to develop what can be referred to as the Davis PIRRT (Proactive Information Request Response Team) model. A well-configured PIRRT has members from:

  • General counsel's office, whose role is to trigger the response plan, and to articulate parameters of discovery to target custodians, managers and IT;
  • The information-technology group, whose members execute the plan parameters and, to the extent the scope of the plan exceeds internal resources, are ideally suited to work as a liaison with the outside vendor;
  • A strategic data-management partner who has the knowledge and experience to deal with issues beyond the scope of the IT department's abilities, including skill sets related to hardware, software and processes required to get the desired outcomes;
  • Outside counsel;
  • Experts with knowledge of and expertise bearing on the matter at hand;
  • Communications consultants to deal with the media and investors on a case-by-case basis; and
  • Insurance.

Different organizations will have different response-team profiles and it's useful to create a matrix that delineates the different roles and responsibilities of the parties involved.

The Training Level Needed

Training requirements rest largely on the requirement that everyone on the team have a working understanding of the processes that fall under the other team members' responsibilities — what we used to call cross-training. For example, the strategic data-management partner should have an understanding of the context of the request so that he or she can apply the appropriate levels of chain-of-custody and documentation to data-processing. To facilitate awareness of the role of the proactive litigation-response team, cross-functional training, combined with periodic internal certification, is a generally responsible and worthwhile approach. Directors and officers in organizations that follow this approach are more likely to exceed standards consistent with risk-mitigation than organizations that don't.

The internal information-technology group should have an understanding of how the responsive data in its custody should be protected or segregated from the organization's non-affected information. The group should also understand that it is the “organizational custodian” of data and have a sense of the responsibilities that go with that role beyond the traditional functions of implementing, maintaining and managing information systems.

It goes nearly without saying that outside counsel should have a firm grasp on the regulations or related law pertaining to the systems and processes their client organization has in place. This does not mean, however, that they should have a working knowledge of tape rotation and backups, but they should ensure that the processes comport with the letter and spirit of the law.

The member of the PIRRT who often finds herself in the hot seat is the expert. Depending on the matter at issue, the expert can be a testimonial expert or a non-testimonial expert. A testimonial expert, as the description implies, is generally someone who testifies under oath on one or more substantive aspects of the matter under consideration. This person generally has some deep level of distinctive competence in a financial, technical or scientific arena, and may be asked questions about how the information about which she's testifying was created, stored, retrieved, managed or used by the organization on behalf of which she's testifying. It's important to make sure that the expert is prepared to answer these questions in a way that is credible and satisfies reasonable inquiries under direct or cross examination. The expert, along with counsel, must be prepared to deal with and control responses to questions that are outside the scope of the expert's technical competence, because an innocent and accurate response to a technical question can be damaging to other aspects of the expert's testimony. In the context of this discussion, non-testimonial experts provide strategic advice on process and technology as it relates to the acquisition, restoration and conversion of data that is the subject of the litigation discovery or regulatory production requests.

While not members of the PIRRT, the general user population in the target organization needs a baseline of awareness too, so it's important to include them in some sort of training that describes the role of the PIRRT and what is expected of them, should they become the target of a document request.

Conclusion

For the most part, in the United States and, to a lesser degree, in other Western and Western-style economies, professionals are more litigation-conscious than in many areas of the world. Consequently, the practices discussed above can be implemented with greater buy-in from all parties in these styles of societies than in countries that are less litigious or have no sweeping regulatory schemes with teeth. While the concept is somewhat at odds with itself, the United States and the European Union are some of the most heavily regulated free-market systems in the world. As such, the accountability, transparency, privacy, security, reporting and fiscal responsibility demanded of organizations by measures such as Sarbanes-Oxley, Gramm-Leach-Bliley, the Safe Harbor Protection Act and European Data Protection Directive will continue to drive expenditures to the tune of billions per year, and to shape organizational policies for decades to come.

At the end of the day, documented holistic data-management policies covering and incorporating the following points will form a basic framework to provide pervasive risk mitigation across organizations:

  • Unified records-retention and document-lifecycle management;
  • Existence of viable, tested disaster-recovery and business-continuity plans;
  • Clear interpretation of relevant statutory guidelines and best business practices;
  • Cross-functionally trained Proactive Information Request Response Teams; and
  • An enterprise-wide IT infrastructure designed for the organization that takes into account all of the above.

This approach also makes it easier for outside vendors to deal with organizations from a restoration and data-conversion perspective, because it allows them to leverage their expertise on behalf of clients earlier in the game. To the extent that outside vendors are part of the PIRRT development process, they partner effectively — and proactively — with clients, and the relationship affords them unparalleled cost and time efficiencies.

Start planning, begin executing and feel compliant.



Deborah Johnson www.ndci.com [email protected]
