e-Commerce Best Practices

All companies today need a plan to manage the massive amounts of electronically stored information (“ESI”) created in the course of ongoing business ' and e-commerce activities, all of which rely heavily on technology, are certainly no exception.

In fact, organizations that operate in an electronic environment need these plans perhaps more than any other type of enterprise due to the significant volumes of electronic records being produced by every transaction.

This article addresses how e-commerce companies can get a handle on managing organizational information, and outlines processes for retaining and managing key business information that could be salient in legal proceedings, regulatory matters or compliance issues. Additional discussion examines the evolving data-privacy and information-security landscapes, as well as general organizational risk factors that tech-heavy e-commerce companies need to consider in managing business operations.

Not If, But When

In today's business climate, litigation and investigation is not a question of if but when. Companies of all sizes are facing greater litigation risks and higher costs than ever before.

According to a recent survey, the average number of lawsuits for companies that generate more than $1 billion a year in revenue has increased to more than 500 cases each year. At the same time, government investigations continue to grow. The U.S. Department of Justice investigated 490 corporate-fraud cases in 2007 alone, resulting in 171 indictments and 124 convictions.

The electronic discovery process is a critical part of these challenges. Legal teams want to keep their organization out of the media spotlight by ensuring that government fines, court sanctions and negative verdicts do not occur because of internal failures in managing the e-discovery process. They also want to make better, faster decisions on legal strategy and tactics based on real-time information about the documents and e-mail in their enterprise systems. In addition, every organization needs to contain costs by finding better methods to improve the predictability of electronic discovery while reducing its cost.

“Reactive” e-discovery means waiting until you face a legal matter and then scrambling to find what you need scattered around the organization. “Proactive” e-discovery means putting processes in place in advance that can be used to classify, organize and manage (retain/delete) information so that when faced with a discovery request, the parties concerned can respond quickly, easily and at a much reduced cost. A crucial component, one that significantly reduces a company's risk and cost, is to dispose of old and obsolete data that the company is no longer required to retain.

Information Management

Good information management requires the ability to classify and index all data, especially unstructured ESI. The goal is to quickly identify and retrieve relevant information.

The first part of smart records management is to establish retention and deletion policies in line with corporate or industry-specific compliance mandates as part of an intelligent information-management technology strategy for the entire company. The ideal next step is to leverage that technology to establish data-topology reports and to automate policy enforcement across all data sources, enterprise-wide. This might be something as simple as a policy about when to delete records so that they no longer become a corporate liability and incur costs downstream.

Companies need good records-management policies that systematically expire and purge obsolete documents. Reducing the overall storage content not only reduces storage cost, but it has a direct cost-savings impact on e-discovery tasks that arise later.

Some of the key issues an organization should consider include:

• How to identify, classify and store information;
• The types of systems and tools that can be used to manage and archive information; and
• What data should be targeted for protection, retention-policy development and how/when to trigger a hold on information if/when a legal matter arises.

Knowing What You Have and Where It Is

Every organization should prepare an auditable data map of active ESI, including IT architecture and an examination of how information flows throughout the company. Network servers, e-mail servers, content management systems, storage systems and PCs are all key elements of a data map, and help IT and legal departments understand what information exists, how it flows through the organization and which custodians are implicated in these information conduits.

A data map is a visual reproduction of the ways that ESI moves throughout an organization, from the point it is created to its ultimate destruction as part of the company's document-retention program. At its heart, a data map addresses how people within the organization communicate with one another, and with others outside the organization.

A comprehensive data map provides the legal and IT departments with a guide to the employees, processes, technology, types of data and business areas, along with physical and virtual locations of data throughout a company. It includes information about data-retention policies and enterprise content-management programs, as well as identifying servers that contain data for various departments or functional areas within the organization. This highly effective form of information organization also takes into account high-risk issues such as the type of litigation a company is facing or is likely to face. e-Commerce companies, more so than many others, need a clear picture of how data from transactions moves through the system and where it resides once the transaction or contract is completed, in case a dispute arises from that transaction and/or contract.

Data maps can help organizations better prepare for legal-discovery conferences, which will improve their ability to negotiate with opposing counsel. Organizations can also control litigation costs through the ability to plan strategies based on accurate, timely information. Equally important, organizations can protect sensitive business information to help ensure the support of regulatory-compliance and corporate-information governance policies.

Optimized Records Management And Destruction

Faced with possible liabilities, many organizations fall back on a “save everything” approach, resulting in soaring storage costs and increased difficulties in accessing the right information at the right time.

In order to proactively prepare while still maintaining cost control, record storage needs to be optimized according to corporate, legal and regulatory requirements. Organizations can properly discover, classify and retain all information according to business value and risk. ESI is culled to the minimum subset of potentially responsive data, reducing costs, from review-tool loading through legal review. Information should be retained only as required by retention rules and schedules, and old records should automatically be deleted, based on records-management policies.

Solutions for Protecting Information

Keep sensitive data where people who need it want it to be ' within the enterprise to support information-protection and compliance requirements. This will mean that the number of data hand-offs will be reduced, which will minimize potential chain-of-custody issues. Organizations also need an audit trail of all actions performed during collection, preservation, culling and production.

Developing Retention Policies

All too often, businesses discover the need for a document-retention policy only when it is least convenient to implement. Particularly in today's litigious society, when any and all document types can be used in litigation, being proactive in this regard can save an organization from headaches and excessive costs. A document-retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. A policy should identify those documents that must be maintained and contain guidelines for how long certain documents should be kept, and how they should be destroyed after the keep date has passed.

Steps in Developing Retention Policy