TRANSCRIPT
Corporate Data Assessments: The New Game Changer?
Tuesday, January 31, 2:15-3:15pm
legalweekshow.com | legaltechshow.com | #Legalweek17 | #Legaltech
Panel
Judy S. Lao, Chief Legal Office, Blackstone Group
Jason C. Stearns, CRM, IGP, Director, BlackRock
Ben Robbins, E-Discovery and Information Governance, LinkedIn
Jenya Moshkovich, Partner, Barnes & Thornburg
Jake Frazier, Senior Managing Director, FTI Technology
Audience Poll 1
Have you or your company conducted a corporate data assessment?
1. Yes
2. No
Corporate Challenges
SOURCE: http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/C/Compliance-Benchmark-Report.aspx
56%: Information that is eligible to be destroyed cannot be readily separated from legal holds at 56% of organizations.
70%: More information than necessary is typically retained, due to how legal holds are written or applied, at 70% of organizations.
1/2: Half of organizations over-preserve e-mails, IMs and electronic communications.
>50%: More than half of organizations over-preserve information pursuant to a legal hold.
78%: Important/official ESI cannot be located and used when needed at 78% of organizations.
61%: 61% of organizations do not regularly delete eligible ESI using standardized processes.
Share of organizations that over-preserve, by data source:
68% content/documents from ECM
53% from collaboration tools (SharePoint)
65% network files
56% desktop/laptop files
62% from backup tapes
Audience Poll 2
Which roadblocks have prevented you from implementing a comprehensive data governance and security program?
1. Don’t know where to begin
2. No budget
3. No executive buy-in
4. Too many owners = no owner
5. Other
Ethical Obligations
ABA Model Rules of Professional Conduct, Client-Lawyer Relationship
Rule 1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Duty of Competent Representation
Play Visions v. Dollar Stores, Inc.
California Standing Committee on Professional Responsibility and Conduct: Opinion 2010-179 (2010)
The use of a public wireless connection without precautions, such as encryption or a personal firewall, risks violating the attorney’s duties of confidentiality and competence because of the lack of security features at most public wireless access locations. The attorney’s personal wireless system would not violate those duties if the system were configured with appropriate security features.
New York State Bar Association Committee on Professional Ethics Opinion 842 (2010)
The Committee found that a lawyer could use cloud computing to store files if “the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”
Information Lifecycle Management (ILM)
Note: Diagram is the IGRM (http://www.edrm.net/resources/guides/igrm)

HOLD, DISCOVER
Legal holds are precisely scoped based on both custodial and data source attributes
Smaller datasets up-stream result in smaller, quicker per-matter collections
Smaller produced datasets result in lower costs for outside processing and review

RETAIN, ARCHIVE
Policy includes business value and regulatory duty
Inventory linked to data source, value and cost
Transparent, executable record codes include privacy and legal rules
Automated policy execution for archive and disposal

STORE, SECURE, PROTECT
Store, optimize and dispose by value
IG execution capability and enablement (holds, retention, disposal, collection) for data
Data hygiene and governance
Catalog global data privacy procedures and protocols

PROCESS TRANSPARENCY
Common governance data model and enterprise map
Linkage of duties, value to information assets and business processes
Governance analytics
Transparency across stakeholder processes
ILM Process Maturity Levels and Indicators
(Diagram: four maturity levels on one axis, running from high risk and cost at Level 1 to high transparency and control at Level 4.)

Level 1: AD HOC, INCONSISTENT
Inconsistent activity; informal or incomplete; facts isolated to an individual; can’t easily be compared, reconciled or monitored.

Level 2: SILO’ED, MANUAL
Facts are difficult to retrieve but available, isolated to a department; people in the group use the same method; spreadsheets are stored in a common place or in shared email.

Level 3: SILO’ED, CONSISTENT & INSTRUMENTED
People in the group use the same method; process is automated; process facts are routinely incorporated in the departmental process; process is repeatable and consistent; process and facts are isolated in the department.

Level 4: INTEGRATED, INSTRUMENTED ENTERPRISE PROCESSES
People in the group use the same method; process is automated and facts are routinely incorporated in the process; process is repeatable, consistent and reliable in a dynamic enterprise; facts from adjacent stakeholders are routinely incorporated in the process; process provides enterprise transparency; process dependencies and risks are systematically detected and communicated across processes.

Diagram annotations: Level 4 is the target maturity level needed for defensible disposal, lower risk and cost. The typical maturity level today sits below that and is the cause of excess data, cost and risk.
ILM Process Maturity Ranking
Scale: Level 1: Ad Hoc, Manual; Level 2: Manual structure, Silo’ed; Level 3: Instrumented, Silo’ed; Level 4: Instrumented, Integrated. (On the slide each process has blank ranking cells for levels 1 to 4.)
A. Employees on Legal Holds: Determining employees with information potentially relevant to an actual/anticipated lawsuit or investigation
B. Data on Legal Hold: Determining information and data sources potentially relevant to an actual/anticipated lawsuit or investigation
C. Hold Publication: Communicating and executing legal holds to people, systems and data sources for execution and compliance
D. Evidence Collection: Fact finding and inquiry with employees; collecting potential evidence in response to a request
E. Evidence Analysis & Cost Controls: Assessing information to understand the dispute and to determine and control the costs of outside review
F. Legal Record: Documenting custodians and data sources identified, legal hold and collection activities over the matter lifecycle
G. Master Retention Schedule & Taxonomy: Defining an information classification schema to determine regulatory record keeping obligations
H. Departmental Information Practices: Cataloging which information each business organization values, generates or stores by class & location
I. Realize Information Value: Gaining timely access to information to maximize the enterprise value of information
J. Secure Information of Value: Determining a schema for information importance and the corresponding security needed
K. Privacy & Data Protection: Assessing privacy duties by data subject and location; communicating these requirements to people & systems
L. Data Source Catalog & Stewardship: Establishing an enterprise ILM catalog of information and corresponding stewardship and governance procedures
M. System Provisioning: Standardizing new information sources, ensuring legal, regulatory, privacy & security considerations are defined
N. Active Data Management: Differentiating high-value, actively used data from aging data of value to regulators only or less frequently accessed data
O. Disposal & Decommissioning: Disposing of data and decommissioning applications when their legal duties & business utility have elapsed
P. Legacy Data Management: Methodologies by which orphaned data is remediated and data without legal duty or business value is disposed of
Q. Storage Alignment: Aligning storage capacity and cost to information business value and retention requirements
R. Audit: Testing to assess the effectiveness of ILM processes and establishing corresponding procedures for governing information
ILM Risk Heat Map
(Diagram: the eighteen ILM processes A to R listed above, plotted by potential impact against likelihood to occur; the individual letter positions are not recoverable from the extracted slide.)
High risk: Requires constant monitoring and review, immediate escalation on failure or impending failure. More than 50% likelihood.
Moderate risk: Requires frequent monitoring to prevent and detect; costly to correct or mitigate. Between 10% and 50% likelihood.
Low risk: Does not require constant monitoring and is easy to prevent, detect, correct, defend. Less than 10% likelihood.
Process A: Employees on Legal Holds
Brief Description: Determining employees with information potentially relevant to an actual or anticipated lawsuit or government investigation.
Potential Risk from Process Failure: Custodians are not identified and potentially relevant information is inadvertently modified or deleted.
CURRENT STATE: Capability LEVEL 3
Observations and Current State Assessment
Systematic tracking of all custodians in all holds via Atlas, with capability to track instances of multiple holds per custodian.
Employees selected based on current and historical organizational data and individual questionnaire responses.
Questionnaires are sent with hold notices; responses are reviewed and hold scope revisited as needed.
Integration of HR system data (currently from PeopleSoft, may be transitioning to Workday in the future) in Atlas allows for automated notification of employee departures and transfers.
Potential Future State Capabilities: Capability LEVEL 4
Real-time update of custodian roles
Automatic notices of employee transfers made by matter and attorney
Copy or cross-reference custodian lists across similar matters
Scope revisited and refined at least quarterly to release or include custodians
Methodology
1. Assess: Your organization’s particular needs are evaluated and relevant data sources are mapped.
2. Plan: An identification, review and remediation strategy is developed for each specific data source.
3. Approve: All necessary approvals and “buy in” are secured.
4. Execute: Leverage your company’s in-house collection and analytics tools, or utilize industry-leading tools (StoredIQ, NUIX, etc.), to conduct the tactical day-to-day work and execute the agreed-upon data remediation plan.
5. Document: Document the full project, and make sure experts are available to testify in court about the methods used for any remediation project.
6. Equip: Install and maintain technology solutions to ensure “go forward” compliance.
In order to dispose of data, you have to:
Identify what must be retained / how long: Establish retention policies
Be able to enforce retention: Data management & disposal
Support legal requirements: Legal holds and data collection
Apply retention policies: Enterprise governance & rollout
Ability to audit processes: Defend governance program

Remediation = Cost Reduction + Risk Mitigation
Predominant Behavior: Keep everything (& many copies)
Future State:
Keep: Subject to legal hold; Has business utility; Regulatory record keeping
Dispose: Non-responsive to regulatory / legal and no data security issues
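The custodian-tracking capabilities described under Process A (multiple holds per custodian, HR-feed notification of departures) and the keep/dispose decision above are modelled together in the following added example. It is not code from the panel, from FTI Technology, or from any product the deck names (Atlas, StoredIQ, NUIX); the hold registry, the retention classes, the record fields and the scenario data are all constructed for illustration. It shows the two checks behind the deck’s “Potential Risk from Process Failure”: releasing one matter’s hold must not free a custodian still named on another matter, and a legal hold is tested before any retention or business-value rule can mark a record disposable.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed retention schedule (illustrative, not a real regulatory schedule):
# record class -> retention period in days from creation; None means permanent.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "FIN-TAX": 7 * 365,
    "CORR-GENERAL": 2 * 365,
    "LEGAL-CONTRACT": None,
}


@dataclass
class Record:
    record_id: str
    record_class: str
    custodian: str
    data_source: str                       # "email", "fileshare", "sharepoint", ...
    created: date
    has_business_utility: bool = False
    contains_sensitive_data: bool = False  # PII or secrets: review before disposal


@dataclass
class LegalHold:
    matter: str
    custodians: Set[str]
    data_sources: Set[str]  # a hold is scoped by custodian AND data source
    released: bool = False


class HoldRegistry:
    """Active holds plus an append-only audit trail (the deck's 'Legal Record')."""

    def __init__(self) -> None:
        self.holds: List[LegalHold] = []
        self.audit: List[str] = []

    def issue(self, hold: LegalHold) -> None:
        self.holds.append(hold)
        self.audit.append(f"ISSUE {hold.matter} custodians={sorted(hold.custodians)} "
                          f"sources={sorted(hold.data_sources)}")

    def release(self, matter: str) -> None:
        for h in self.holds:
            if h.matter == matter and not h.released:
                h.released = True
                self.audit.append(f"RELEASE {matter}")

    def active_matters_for(self, custodian: str) -> List[str]:
        """Unreleased matters naming this custodian. Releasing one hold never
        frees a custodian who is still named on another."""
        return sorted(h.matter for h in self.holds
                      if not h.released and custodian in h.custodians)

    def matters_holding(self, record: Record) -> List[str]:
        return sorted(h.matter for h in self.holds
                      if not h.released and record.custodian in h.custodians
                      and record.data_source in h.data_sources)

    def hr_event(self, employee: str, event: str) -> List[str]:
        """HR-feed hook (departure/transfer): every matter holding the employee
        is notified so the data is preserved before offboarding."""
        affected = self.active_matters_for(employee)
        for m in affected:
            self.audit.append(f"NOTIFY {m}: custodian {employee} {event}; preserve before offboarding")
        return affected


def disposal_decision(record: Record, registry: HoldRegistry, today: date) -> Tuple[str, str]:
    """Order matters: legal hold first, then regulatory retention, then business
    utility, then a security review for sensitive data; only then DISPOSE."""
    holds = registry.matters_holding(record)
    if holds:
        return "KEEP", "legal hold: " + ",".join(holds)
    period = RETENTION_DAYS.get(record.record_class)  # unknown class -> None -> keep (fail safe)
    if period is None:
        return "KEEP", "regulatory record keeping: permanent or unclassified"
    expires = record.created + timedelta(days=period)
    if today < expires:
        return "KEEP", f"regulatory record keeping: retain until {expires.isoformat()}"
    if record.has_business_utility:
        return "KEEP", "business utility"
    if record.contains_sensitive_data:
        return "REVIEW", "retention expired but flagged sensitive: security review first"
    return "DISPOSE", f"retention expired {expires.isoformat()}; no hold, no business utility"


def build_registry() -> HoldRegistry:
    """Constructed scenario: alice is on two matters, bob on one that is released."""
    reg = HoldRegistry()
    reg.issue(LegalHold("M-100", {"alice", "bob"}, {"email"}))
    reg.issue(LegalHold("M-200", {"alice"}, {"email", "fileshare"}))
    reg.release("M-100")
    return reg


def demo() -> Dict[str, str]:
    """Constructed records evaluated as of 31 Jan 2017; returns record_id -> decision."""
    reg = build_registry()
    today = date(2017, 1, 31)
    records = [
        Record("R1", "CORR-GENERAL", "alice", "email", date(2014, 1, 1)),         # still held by M-200
        Record("R2", "CORR-GENERAL", "bob", "email", date(2014, 1, 1)),           # released and expired
        Record("R3", "FIN-TAX", "bob", "fileshare", date(2012, 1, 1)),            # 7-year period not up
        Record("R4", "LEGAL-CONTRACT", "carol", "sharepoint", date(2005, 1, 1)),  # permanent
        Record("R5", "CORR-GENERAL", "carol", "email", date(2014, 1, 1), contains_sensitive_data=True),
        Record("R6", "CORR-GENERAL", "carol", "email", date(2014, 1, 1), has_business_utility=True),
    ]
    return {r.record_id: disposal_decision(r, reg, today)[0] for r in records}


if __name__ == "__main__":
    registry = build_registry()
    print(registry.hr_event("alice", "departure"))  # ['M-200']
    print(demo())
```

The audit list is what the deck’s Process F (Legal Record) asks for: every issue, release and HR-triggered notification is written as it happens, so the disposal of R2 can later be defended by showing that bob’s only hold had been released and the retention period had run before the DISPOSE decision was reached.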
Audience Poll 3
Which of the following will impact your company within the next 1-3 years?
1. Migration to Microsoft Office 365
2. GDPR
3. Updating legal hold or e-discovery technology/process
4. Industry regulations (healthcare, financial services, etc.)
Additional Considerations
“The GDPR authorizes maximum fines of 20 million euros ($22.5 million), or up to 4 percent of a company's global revenue. To illustrate the severity of the fines, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.”
Source: “EU Data Transfer Updates May Be Boon for Multinationals.” Bloomberg Law, January 7, 2017.

37% of corporations have already migrated to Microsoft Office 365, and another 54% plan to migrate within the next one to three years.
Source: “Survey Analysis: Microsoft Dominates Cloud Email in Large Public Companies but Shares the Rest With Google,” January 2016, by Nikos Drakos and Jeffrey Mann.
Thank You
Find information governance & compliance resources from FTI Technology available on our website: www.ftitechnology.com