Claims professionals, litigation counsel, and risk managers face more data challenges today than ever before. Volumes and locations of data grow at an exponential rate, driving up the cost of discovery and giving plaintiffs more leverage for favorable settlements. At the same time, data breaches threaten to expose confidential and sensitive information, opening companies to litigation, loss of market share, and other negative outcomes.
The revisions to the Federal Rules of Civil Procedure offer some relief related to preservation, but don’t offer remedies for the biggest problems impacting cost and risk. A proactive information governance strategy can effectively lower discovery costs; reduce your storage footprint while safeguarding information; and potentially reduce cybersecurity insurance costs, as well.
What Information Governance Is…and Isn’t
The term “information governance” is now being used broadly to describe everything from records management to data privacy to e-discovery. In general, all of these perspectives are correct. But they are also just individual parts of the overall information governance equation (and a clue as to why many governance efforts fail). Information governance is an enterprise-wide initiative that involves stakeholders from various disciplines.
The 2014-2015 annual report from the Information Governance Initiative includes a good definition of information governance, which has been agreed upon by 93 percent of survey respondents: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” Though this may not be granular enough for some organizations, there are some key facets worth noting.
The accent is placed on maximizing value while minimizing risk and cost. This is an important distinction because it shows that information governance is a strategy and involves more than just tactical plans associated with one or two components, such as data reduction or e-discovery cost containment. Done right, information governance initiatives involve the business to ensure needs are met and value is created while tying in privacy, security, information technology (IT), records, and legal to incorporate important risk and compliance considerations.
Why Information Governance Matters
Now that we have an idea of the scope of information governance, why even bother with it? Why not just launch tactical plans? Though you will see some localized success, there are a number of current trends and forces at work that add weight to tackling information governance in an organized, strategic fashion now.
1. The volume of data and locations continues to grow both internally and externally. Data growth rates are exponential, doubling every 18 months, with a compounded rate of 4,300 percent between 2012 and 2020. By 2020, 40 percent of the data will be moving through the cloud. The bulk of this growth is in unstructured content, accounting for over 80 percent of the total data volume. New data sources—such as mobile, instant messaging, and social media—now are commonly used in business.
2. We’re keeping too much data that has little to no value. According to the Compliance, Governance & Oversight Council, only one percent of enterprise information is subject to legal hold, five percent is related to regulatory record keeping, and 25 percent has real business utility. The remaining 69 percent is what drives up the cost of storage, e-discovery, and finding answers while also increasing risk and potential exposure of sensitive information. This also gives plaintiffs significant leverage and hackers increased potential reward.
3. Incidence of data breach attacks is increasing. Each week, we hear about new data breaches and the direct cost plus the aftermath of litigation and reputational damage. Though the majority of black-hat (criminal) hackers are interested in the money, the state-sponsored hackers want intellectual property, confidential and sensitive business information, and government secrets and identities. This makes corporations and the law firms that serve them prime targets if this type of data is accumulating in email systems and file shares.
4. Recent case law is leaning toward sensible disposition and proper retention. The upcoming changes to the Federal Rules of Civil Procedure strengthen this in Rule 37(e) and add a dose of proportionality in Rule 26(b). In Charvat v. Valente, the U.S. District Court for the Northern District of Illinois denied the plaintiff’s motion for spoliation sanctions, finding no evidence of bad faith in a “…routine deletion of former employees’ files in accordance with an established document retention policy….” Ralser v. Winn Dixie Stores Inc. in August 2015 and Gladue v. Saint Francis Medical Center in March 2015 found similarly.
5. Cyber insurance carriers are looking more closely at information governance policies. At recent industry conferences, carriers have revealed that they often review information governance plans and policies as part of the underwriting process to determine coverage and premiums, that they make those documents part of the cyber insurance policy, and that they refer back to those and auditing compliance, especially in the event of a claim. Data breach response plans and hardening of information security and privacy are only part of the equation now.
Dean Gonsowski, a well-known e-discovery attorney and data guru, sums it up well: “Organizations can attack the direct costs of e-discovery and storage as well as reduce the latent information risk from keeping too much data around and the risk of sanctions due to spoliation by simply managing data better.” Clearly, there are compelling reasons to take action and start a proactive information governance initiative.
Getting Started
As outlined above, the goal of information governance is to get rid of the data that has no business, legal, or compliance need and retain and mine the data that has business value in ways that will improve the company’s bottom line while shielding the company and its confidential information from risk. Since that requires a collaborative effort across the organization, you’ll need to start with the formation of an information governance committee followed by executive sponsorship.
Though the word “committee” usually strikes fear in the heart of anyone wanting to reach a goal, trying to implement proper information governance requires a cross-functional group to ensure that the usual silos that exist between groups are removed. The typical parties involved are legal, IT, information security/privacy, and records, but you have to be sure to include key business stakeholders for your mission to succeed. Identify the people who can get things done and have a bias for action from each of the groups to ensure your efforts don’t lose traction.
The next important step is to evolve your records retention schedules into a comprehensive information map. Not to be confused with the data mapping exercises of the last decade, this is more than “where is my data?” and should include these elements of the organization’s data landscape:
- Source of data (paper, electronic, structured/unstructured, cloud, mobile).
- Security classification and whether or not the data is sensitive (personally identifiable information, payment card industry, etc.).
- Retention period and disposal dates.
- Related regulations.
- Data flow, especially if international.
- Storage location and data steward.
In addition to being a reference document that all parties can use, it also serves to help identify where your gaps exist in records retention, privacy policy, potential application retirement, and data minimization. It also can help tighten up processes related to data in the cloud and bring-your-own-device (BYOD) policies and inform your breach response plans. Legal will especially appreciate the ability to find responsive data for discovery and investigations more readily.
Making It Stick
With your team in place and an information map, the best way to keep the momentum going is to create your overall strategy, road map, and implementation plans. Start with the gaps identified while creating your information map, and create your timeline working through to your final goals. It’s important to be able to show progress and small wins at first, as these will help you build the ongoing business case and show return on investment. It also will help build support with end users.
As outlined earlier, keep key stakeholders from the business involved and communicate value created, costs saved, and risks reduced on a regular basis. Do the same with executive sponsors. Understand that changing user behavior around data retention and the urge to save everything is important, but you’ll never reach perfection. You’re after a cultural change that reinforces better management of data so you don’t have to revisit your data minimization plans annually or continue to have “cleanup days.” Avoid having information governance turn into a perennial process by keeping your focus on the road map and value creation for the business.
The benefits for claims professionals, litigation counsel, and risk managers in getting started and implementing proactive information governance are significant. In addition to the cost, risk, and value factors discussed throughout this article, it can also impact your time to resolution, provide better transparency into actual case metrics and costs, and give you an edge over competitors. What do you have to lose?