e-Discovery In An Information Governance World

Electronic discovery experts continue to put an emphasis on recognizing e-discovery as part of a complete information governance (IG) solution. Although this focus may be novel for e-discovery specialists, the management of corporate information at an enterprise level is far from new; in fact, organizations of all sizes have been employing strategies to deal with data management well before electronically stored information (ESI) subsumed its hardcopy counterparts. Yet, despite its ubiquity, many professionals who have a solid grounding in electronic discovery struggle to understand how it falls into the broader world of information governance. e-Discovery actually relies on effective information governance policies for trouble-free collection, processing and production.

In the widely used Electronic Discovery Reference Model (EDRM), the far left step has always been information management. The EDRM assumes that an organization involved in e-discovery has implemented at least minimal information governance principles, and has created its own Information Governance Reference Model (IGRM) framework to help clarify these principles.

This focus is important to the EDRM because the ease of electronic data discovery is highly dependent on a stable IG framework. The processes, tools and procedures in place for the effective administration of corporate information will also facilitate the identification and collection of data for litigation or investigation.

The initial steps of e-discovery are the bread and butter of information governance. With effective management of information assets, updated data maps will be available to identify the location of key custodian data. Tools will be in place to collect data from known sources and filtering the data by date, addresses or keywords should be relatively straightforward. Analysis and processing tools that expedite information governance objectives can be easily established to further streamline the e-discovery process. All other steps (review, production and presentation) should then follow seamlessly from a strong IG framework. In addition, much of the risk is taken out of the picture as policy-driven information governance is well-audited with strong preservation aspects, further reducing the chances of spoliation.

Defining Information Governance

To help understand the relationship between e-discovery and information governance, one must understand what is meant by information governance. Gartner defines IG as “' the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Also known as information management, data governance and a host of other monikers, IG is simply a set of interdisciplinary policies and procedures used to regulate the electronic assets of an organization from creation to disposal. Looking at it another way, IG is the administration of the electronic information lifecycle. To quote my colleague Rick Wilson: “The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion.” See, “Elements of an Effective Information Governance Strategy,” Sherpa Software Blog.

Information governance is not just about the bits and bytes; it is also about tying these information assets to appropriate actors within an organizational system and holding them accountable. For example, take a document created by the human resources department at a fictional company which has rather lax information governance policies. This file may be created on a laptop, edited on a mobile device, e-mailed to colleagues for comments, sent to a superior for approval and possibly to the legal department for endorsement. Finally, the file is uploaded to the corporate servers and shared with employees via e-mail, some of whom instant message the link to coworkers, download the file locally or e-mail it to themselves outside of the company.

Who is responsible for this document? Who is answerable for the information contained therein? How long should the document be actively accessed? Should it be reviewed periodically? How do employees respond to or ask questions about it? Should it have been allowed outside the company? What happens if that document is responsive to litigation? With an ineffective or non-existent IG policy, none of these questions can be answered.

The confusion continues if one looks at all the chefs in the kitchen. The IT department may well manage the personal computers, e-mail and file servers and policies regulating their usage. However, the accountability for the content resides in a completely different department, in this case HR. With the file now widely scattered, the liability implications grow as the document bounces from the creator through the rather chaotic distribution channels. From an e-discovery perspective, early case assessment, custodian identification, attribution and collection would be very challenging in this hypothetical situation. Yet, this type of situation is far from uncommon. With good information governance policies, the roles, responsibilities and dissemination of data becomes regulated, making the system more efficient; questions can be easily answered; documents can be located and secured; all of the above, while clarifying accountability.

The Role of Information Governance

Information governance is not an extension of records management. In reality, it is the other way around ' records management is part of information governance. When data was mostly paper-based, these terms would be more synonymous. These days, however, digital information is growing exponentially and physical records have decreased dramatically. To this end, the Federal Rules of Civil Procedure were updated in 2007 to address electronically stored information. And professional organizations such as ARMA and AIIM have reorganized and expanded on best practices to educate and certify their members on the management of information well outside the traditional records management role.

After all, with information assets overwhelmingly digital in nature, managers can no longer rely on methods originally designed for paper recordkeeping. Record managers, therefore, are becoming involved with areas touched by technology such as device management, e-mail retention, disaster recovery, storage control, electronic discovery and more. Furthermore, while records management is undoubtedly a key component in any framework, IG has a far-reaching impact across all corporate disciplines. Since IG is about managing risk while making the most of information assets, teams of stakeholders and planning personnel should include representatives from business, legal, risk, compliance, and IT in addition to the records management team.

One very important component of information governance is the Generally Accepted Recordkeeping Principles (GARP) created and promulgated by ARMA International. Using these principles, the goal of companies is to become transformational, in other words, to have “integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine '.” See, http://bit.ly/1KP5x2C. In this model, the key steps of collection and production for e-discovery become seamlessly integrated into the entire process.

Unfortunately, this ideal is far from realized. Instead, for many organizations, this note from the preface of the Sedona Conference's Commentary on Information Governance (available for download at http://bit.ly/1Prp7md) is more apt: “[T]he litigation risk management tail might be wagging the information management dog.” For many organizations, critical policies and procedures are implemented as a reaction to the threat of litigation, rather than with an eye to furthering the goals of the business, agency or non-profit that is tasked with their creation.

In an ideal world, it should be the opposite. e-Discovery tasks should flow naturally as a subset of a strong overall information governance framework. With an effective IG implementation, risk decreases as automation in collection, culling and processing make the process quicker, less costly and more defensible. If e-discovery is the tail that is wagging the dog, as hinted above, then the many benefits of a strong IG policy are lost, as the responses to risk and needs of e-discovery may outweigh the requirements of other stakeholders.

Even if organizations create policies with an eye primarily toward facilitating e-discovery, they will put themselves at risk in a number of areas, including:

• Loss of information assets, due to lack of oversight and management, which could directly result in lost revenue;
• Unmanaged content creation leading to system slowdowns and redundant efforts, as data cannot be found leading to added expenses to keep bloated systems running effectively;
• Non-compliance for the many industry regulations, including the Health Insurance Portability and Accountability Act (HIPAA; http://1.usa.gov/1jSFZpy), Sarbanes Oxley, Dodd-Frank and others that have stringent information management components;
• Lack of defensible deletion or proactive retention, opening up further liability in litigation;
• Security, as unofficial use of software and company resources causes data breaches or introduction of malware; and
• Obscured data analysis with no clear path to gain insight on corporate information assets or reporting on aggregated statistics.

From the e-discovery point of view, the worst risk of not having effective information governance is adverse judgment due to spoliation of data. Additionally, early case assessment and collections end up taking far more time and costing far more money than they should. This could be caused by the inability to locate data, lack of understanding of corporate systems, non-existent automation and worse ' simple negligence. Even basic information governance policies can have a direct, positive influence on the management of electronic discovery, not to mention its own intrinsic value.

Establishing Information Governance Polices

To function in the modern world, organizations need to manage their information assets. The effectiveness of management programs depend on expending effort up-front to establish strategies that will have real-world results. Similar to creating effective e-discovery policies, establishing good information governance practices takes a team with clear goals. It's important for organizations to plan and build a roadmap implementing an effective framework using a Corporate Information Governance Framework.

While the ARMA Principles and IGRM offer a sound structural framework, the CIGP methodology also factors in real-world expertise in execution, a perspective earned through over a decade of working on complex information management projects. Sherpa has combined all of these influences to formulate the CIGP. The progression outlined in the CIGP Framework below is intended to serve as a template that will guide you through the process of implementing a formalized information governance program within your own organization.

[IMGCAP(1)]

Major software companies are well on their way to actively creating and supporting information governance frameworks in their own ecosystems. Roadmaps from IBM, Microsoft, Oracle and others have long included integrating offerings to help customers manage their information assets. Now, integrating IG is being made a priority, with full marketing muscle behind their efforts. New products are carving new paths as well by providing source neutral policy-driven information governance solutions. In addition, anyone following the major e-discovery providers can't help but notice that they have pulled out all the stops highlighting the role of their products in information governance.

As we've seen, sound information governance practices are the key to the smooth management of data assets. With effective IG policies and procedure in place, risk is mitigated throughout the company and e-discovery becomes a manageable task.

Marta Farensbach is director of product services for Sherpa Software.

Electronic discovery experts continue to put an emphasis on recognizing e-discovery as part of a complete information governance (IG) solution. Although this focus may be novel for e-discovery specialists, the management of corporate information at an enterprise level is far from new; in fact, organizations of all sizes have been employing strategies to deal with data management well before electronically stored information (ESI) subsumed its hardcopy counterparts. Yet, despite its ubiquity, many professionals who have a solid grounding in electronic discovery struggle to understand how it falls into the broader world of information governance. e-Discovery actually relies on effective information governance policies for trouble-free collection, processing and production.

In the widely used Electronic Discovery Reference Model (EDRM), the far left step has always been information management. The EDRM assumes that an organization involved in e-discovery has implemented at least minimal information governance principles, and has created its own Information Governance Reference Model (IGRM) framework to help clarify these principles.

This focus is important to the EDRM because the ease of electronic data discovery is highly dependent on a stable IG framework. The processes, tools and procedures in place for the effective administration of corporate information will also facilitate the identification and collection of data for litigation or investigation.

The initial steps of e-discovery are the bread and butter of information governance. With effective management of information assets, updated data maps will be available to identify the location of key custodian data. Tools will be in place to collect data from known sources and filtering the data by date, addresses or keywords should be relatively straightforward. Analysis and processing tools that expedite information governance objectives can be easily established to further streamline the e-discovery process. All other steps (review, production and presentation) should then follow seamlessly from a strong IG framework. In addition, much of the risk is taken out of the picture as policy-driven information governance is well-audited with strong preservation aspects, further reducing the chances of spoliation.

Defining Information Governance

To help understand the relationship between e-discovery and information governance, one must understand what is meant by information governance. Gartner defines IG as “' the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Also known as information management, data governance and a host of other monikers, IG is simply a set of interdisciplinary policies and procedures used to regulate the electronic assets of an organization from creation to disposal. Looking at it another way, IG is the administration of the electronic information lifecycle. To quote my colleague Rick Wilson: “The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion.” See, “Elements of an Effective Information Governance Strategy,” Sherpa Software Blog.

Information governance is not just about the bits and bytes; it is also about tying these information assets to appropriate actors within an organizational system and holding them accountable. For example, take a document created by the human resources department at a fictional company which has rather lax information governance policies. This file may be created on a laptop, edited on a mobile device, e-mailed to colleagues for comments, sent to a superior for approval and possibly to the legal department for endorsement. Finally, the file is uploaded to the corporate servers and shared with employees via e-mail, some of whom instant message the link to coworkers, download the file locally or e-mail it to themselves outside of the company.

Who is responsible for this document? Who is answerable for the information contained therein? How long should the document be actively accessed? Should it be reviewed periodically? How do employees respond to or ask questions about it? Should it have been allowed outside the company? What happens if that document is responsive to litigation? With an ineffective or non-existent IG policy, none of these questions can be answered.

The confusion continues if one looks at all the chefs in the kitchen. The IT department may well manage the personal computers, e-mail and file servers and policies regulating their usage. However, the accountability for the content resides in a completely different department, in this case HR. With the file now widely scattered, the liability implications grow as the document bounces from the creator through the rather chaotic distribution channels. From an e-discovery perspective, early case assessment, custodian identification, attribution and collection would be very challenging in this hypothetical situation. Yet, this type of situation is far from uncommon. With good information governance policies, the roles, responsibilities and dissemination of data becomes regulated, making the system more efficient; questions can be easily answered; documents can be located and secured; all of the above, while clarifying accountability.

The Role of Information Governance

Information governance is not an extension of records management. In reality, it is the other way around ' records management is part of information governance. When data was mostly paper-based, these terms would be more synonymous. These days, however, digital information is growing exponentially and physical records have decreased dramatically. To this end, the Federal Rules of Civil Procedure were updated in 2007 to address electronically stored information. And professional organizations such as ARMA and AIIM have reorganized and expanded on best practices to educate and certify their members on the management of information well outside the traditional records management role.

After all, with information assets overwhelmingly digital in nature, managers can no longer rely on methods originally designed for paper recordkeeping. Record managers, therefore, are becoming involved with areas touched by technology such as device management, e-mail retention, disaster recovery, storage control, electronic discovery and more. Furthermore, while records management is undoubtedly a key component in any framework, IG has a far-reaching impact across all corporate disciplines. Since IG is about managing risk while making the most of information assets, teams of stakeholders and planning personnel should include representatives from business, legal, risk, compliance, and IT in addition to the records management team.

One very important component of information governance is the Generally Accepted Recordkeeping Principles (GARP) created and promulgated by ARMA International. Using these principles, the goal of companies is to become transformational, in other words, to have “integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine '.” See, http://bit.ly/1KP5x2C. In this model, the key steps of collection and production for e-discovery become seamlessly integrated into the entire process.

Unfortunately, this ideal is far from realized. Instead, for many organizations, this note from the preface of the Sedona Conference's Commentary on Information Governance (available for download at http://bit.ly/1Prp7md) is more apt: “[T]he litigation risk management tail might be wagging the information management dog.” For many organizations, critical policies and procedures are implemented as a reaction to the threat of litigation, rather than with an eye to furthering the goals of the business, agency or non-profit that is tasked with their creation.

In an ideal world, it should be the opposite. e-Discovery tasks should flow naturally as a subset of a strong overall information governance framework. With an effective IG implementation, risk decreases as automation in collection, culling and processing make the process quicker, less costly and more defensible. If e-discovery is the tail that is wagging the dog, as hinted above, then the many benefits of a strong IG policy are lost, as the responses to risk and needs of e-discovery may outweigh the requirements of other stakeholders.

Even if organizations create policies with an eye primarily toward facilitating e-discovery, they will put themselves at risk in a number of areas, including:

• Loss of information assets, due to lack of oversight and management, which could directly result in lost revenue;
• Unmanaged content creation leading to system slowdowns and redundant efforts, as data cannot be found leading to added expenses to keep bloated systems running effectively;
• Non-compliance for the many industry regulations, including the Health Insurance Portability and Accountability Act (HIPAA; http://1.usa.gov/1jSFZpy), Sarbanes Oxley, Dodd-Frank and others that have stringent information management components;
• Lack of defensible deletion or proactive retention, opening up further liability in litigation;
• Security, as unofficial use of software and company resources causes data breaches or introduction of malware; and
• Obscured data analysis with no clear path to gain insight on corporate information assets or reporting on aggregated statistics.

From the e-discovery point of view, the worst risk of not having effective information governance is adverse judgment due to spoliation of data. Additionally, early case assessment and collections end up taking far more time and costing far more money than they should. This could be caused by the inability to locate data, lack of understanding of corporate systems, non-existent automation and worse ' simple negligence. Even basic information governance policies can have a direct, positive influence on the management of electronic discovery, not to mention its own intrinsic value.

Establishing Information Governance Polices

To function in the modern world, organizations need to manage their information assets. The effectiveness of management programs depend on expending effort up-front to establish strategies that will have real-world results. Similar to creating effective e-discovery policies, establishing good information governance practices takes a team with clear goals. It's important for organizations to plan and build a roadmap implementing an effective framework using a Corporate Information Governance Framework.

While the ARMA Principles and IGRM offer a sound structural framework, the CIGP methodology also factors in real-world expertise in execution, a perspective earned through over a decade of working on complex information management projects. Sherpa has combined all of these influences to formulate the CIGP. The progression outlined in the CIGP Framework below is intended to serve as a template that will guide you through the process of implementing a formalized information governance program within your own organization.

[IMGCAP(1)]

Major software companies are well on their way to actively creating and supporting information governance frameworks in their own ecosystems. Roadmaps from IBM, Microsoft, Oracle and others have long included integrating offerings to help customers manage their information assets. Now, integrating IG is being made a priority, with full marketing muscle behind their efforts. New products are carving new paths as well by providing source neutral policy-driven information governance solutions. In addition, anyone following the major e-discovery providers can't help but notice that they have pulled out all the stops highlighting the role of their products in information governance.

As we've seen, sound information governance practices are the key to the smooth management of data assets. With effective IG policies and procedure in place, risk is mitigated throughout the company and e-discovery becomes a manageable task.

Marta Farensbach is director of product services for Sherpa Software.