Groundbreaking case cracked down on companies’ e-data management
On September 4, 2008 a federal judge sanctioned Oracle for failing to preserve thousands of CEO Larry Ellison’s emails as well as audio recordings made by Ellison as part of research for a book. The ruling hammered home the message that courts take an increasingly dim view of companies and boards that fail to manage their electronic records properly.
‘If [Ellison’s situation is] not an object lesson to the board of directors, it really should be,’ says Craig Ball, an attorney and computer forensics examiner based in Austin, Texas, and a columnist for Law Technology News.
No one’s saying that e-discovery snafus aren’t understandable. The problem is, ‘There’s so much data and it’s hard to find relevant records in the mass of data out there,’ explains Jeff Parmet, founder of Jeff Parmet and Associates, a Maryland-based consulting firm specializing in e-discovery.
In addition, an August 2008 study by Deloitte Financial Advisory Services (FAS) supports what everyone has long suspected: companies are struggling to come to grips with their mushrooming collections of records and data. Two out of five executives polled by Deloitte feel that data volumes within their organizations have increased in size and become unmanageable.
Tony Reid, a principal in the analytic and forensic technology practice of Deloitte Financial Advisory Services, is surprised that the ranks of the overwhelmed aren’t larger. ‘Companies are a little more proactive in addressing some of their issues up front as opposed to waiting until they get hit with a lawsuit or a regulatory question,’ he says.
But what causes fingers to wag is that far too many companies still simply don’t get it, blithely letting employees manage their emails and data any way they like. In the Deloitte study, 17.5 percent of executives surveyed say their companies are not ready to handle complex discovery requests. And 11.8 percent admit that they have no policy in place for sharing clear guidance with the IT department and the employees at large on document retention and destruction.
All this comes 18 months after the Federal Rules of Civil Procedure were amended, requiring companies to have the ability to quickly access various electronically stored information in the event of litigation.
Grasping the problem
Like Star Trek’s Tribbles, those reproductively gifted furry aliens, the amount of email and corporate data in circulation is increasing rapidly, doubling in volume every 18 to 24 months, according to one widely cited statistic. ‘Companies are really struggling these days to keep up with the volumes from a maintenance perspective, let alone a discovery perspective,’ says Reid.
Solving the problem hinges on creating the proper policies for retaining – and perhaps equally importantly, discarding – documents. The two most important policy documents for accomplishing this are a records retention schedule and a set of legal holds policies and procedures, says John Isaza, partner with Pasadena, California-based Howett Isaza Law Group and outgoing president of the greater Los Angeles chapter of Authority on Managing Records and Information International (ARMA).
Having written policies is important, emphasizes Isaza. ‘The records retention schedule is the first line of defense for explaining to a court why certain documents don’t exist in your system anymore,’ he says.
Complicating the problem is identifying what type of data is considered a record for e-discovery purposes. In a nutshell, a record may be anything from instant messages to voicemails to emails to cell phone files to stream-of-consciousness jottings preserved in electronic form.
There are numerous hard choices in creating records management policies. First, it isn’t always apparent what documents to keep. Isaza estimates that the treatment of only around 30 percent of all documents is regulated by statute. The remaining 70 percent might be retained as part of sound records management practices. Without specific guidelines, it’s up to individual companies to decide.
Next, destroying documents is central to an effective information management program. ‘Most people let their emails accumulate,’ says Parmet. ‘A lot of attorneys will tell you that if you hold onto emails too long, it creates risk.’ But there’s a Catch-22. Should a company delete the wrong data, it might be charged with spoliation or destroying documents that are the subject of a pending federal investigation or lawsuit, explains Isaza.
And finally, having a written retention schedule and then ignoring it might someday land a company in hot water. ‘When it comes to a written retention schedule, you’re damned if you do and damned if you don’t,’ says Isaza. ‘But damned if you don’t is worse.’
Once records management policies are in place, companies need to catalogue the information retained so that it can later be located, says Reid. Lacking good records management practices, companies won’t be able to find those records that should, say, be kept three years and then destroyed.
But even with exemplary practices, e-discovery isn’t swift or easy. ‘If you can go through hundreds of documents in a day, and there are millions of records that have to be dealt with, do the math,’ says Parmet. He observes that it’s not unusual for a law firm to assign ‘a team of five or ten paralegals working for months to get through all the material for a single case.’
The board’s role
Given that the preservation of documents for e-discovery falls under both the ‘risk management’ and ‘corporate governance’ rubrics, boards should at least possess some knowledge of how a company treats its data.
That said, there’s evidence that few directors truly understand the enterprise risks posed by shoddy records management. In the ‘Chief legal officer 2008 strategic planning survey’ by Lexakos, only 7 percent of officers and boards deemed records management critical compared to the 40 percent of legal departments that considered managing records a top priority.
For companies uncertain about how to proceed in organizing data, Isaza suggests that a needs assessment, which generally costs $25,000 to $100,000, is a sensible first step. George Socha, president of St Paul, Minnesota-based Socha Consulting, agrees: ‘It all begins with a needs assessment. If you come away from that with some version of Oh my God!, then you need to be doing something.’
Multinationals, companies heavily committed to a merger-and-acquisition path, and decentralized organizations typically face the greatest challenges when it comes to records management. ‘Global corporations have global problems,’ says Isaza, noting that, for instance, strict privacy regulations in France and the European Union affect how documents there are preserved. Isaza points out that in lesser developed nations, ‘the regulations aren’t even codified. You may have to walk up to the local authorities and ask what the regulations are for records retention.’
There’s no question that companies need to invest in training. ‘Ideally,’ says Isaza, ‘you’ll train every single person within the company that’s in contact with records, which is just about everybody.’ He continues: ‘The key to a successful records and information management program is training, training, training.’
Companies should also perform periodic audits to ensure that what’s preached is actually practiced. Are employees uploading information from their personal laptops on a daily basis? Are they properly classifying the documents that they’re creating? ‘If you identify a gap and don’t do anything about it, that could get you into trouble,’ warns Isaza.
Technology can also help. Increasingly, employees use sophisticated search tools to cull a specific email from inboxes in disarray. What’s more, some companies have implemented technology that requires employees to classify each document as it’s created, rather than waiting until the backlog is too daunting.
Not only must the board ask the right questions about records management and e-discovery, but directors would benefit from a good tutorial on managing their own documents.
Ideally, all directors should be briefed on a company’s retention policies so they don’t knowingly or unknowingly delete the wrong data. ‘People who would never dream of going over to a paper shredder will start deleting information on their computers,’ says Ball. ‘But if they do successfully delete something, the crater left behind by the absence of information is usually far more damaging’ than the contents of the original document, he says. ‘In other words, the cover-up is always worse than the crime.’
In surveying 520 executives, Deloitte found that the single greatest concern about e-discovery was the expense of going through large volumes of files. Indeed, 47.5 percent of those surveyed expressed concern over both vendor and in-house costs.
That said, many experts point out that failing to manage data properly is expensive, too. ‘The benefits far outweigh the costs of getting control of your electronic data,’ avers Tom Barnett, managing partner at AlixPartners. ‘The failure to deal with electronic data can lose a case for you in spite of the merits of the case.’
Socha agrees. When it comes to an information-management overhaul, ‘you shouldn’t count on getting away with anything below the mid-six figures and it can easily run up into seven figures,’ he cautions. ‘On the other hand, a single lawsuit can cost you that much.’
What can we take from e-discovery disasters like those at UBS and Morgan Stanley? (See ‘E-discovery debacles’, left.) It’s that companies need to act. Ball emphasizes that the difficulty of achieving perfection shouldn’t stop executives from striving to do better. ‘This doesn’t need to bankrupt the company,’ he asserts. ‘We need to manage the risk, not eliminate the risk.’
In the long run, getting your records management in order isn’t just an unpleasant chore – it offers the potential for enormous benefits. ‘Everyone’s worried about the smoking gun that can kill them,’ says Socha. ‘But they tend not to think about the life-saving document that’s going to get you off the hook.’
What’s more, having the systems in place to efficiently retrieve information enables a company to access potentially brilliant ideas – or even helpful suggestions – that might otherwise have fallen by the wayside. Avoiding an e-discovery debacle is compelling, but so is the possibility of accessing institutional knowledge that has gone untapped for too long. ‘If you efficiently manage these terabytes and terabytes of information, you’re going to make your organization as a whole far more effective,’ concludes Isaza.
According to this new report from NAVEX Global, there has been a rise in employees reporting compliance and ethics problems in recent years, and the percentage of repeat reports has more than doubled over the last five years.
Find out why and discover a range of other key statistics to benchmark your compliance program against industry standards by downloading this free report today.
This briefing contains statistics and analysis on employee reports of problems via a range of helpline methods, including:
This data comes from more than 8,000 NAVEX Global clients and provides actionable insights for policy management, training, awareness, and more.
Helpline data that is carefully tracked, reviewed, benchmarked and presented with context often provides the early warning signs needed to detect, prevent and resolve problems.
Our free weekly email newsletters are an essential bulletin of GRC updates, insight and information.
Our experienced journalists provide relevant, timely information and analysis that will keep you at the forefront of industry developments and best practice.
Sign-up to receive your copy when you register with the Corporate Secretary website for free.