1

Policy-Driven Information Governance Solutions

EDiscovery in an Information Governance WorldRecognizing eDiscovery as part of a complete information governance (IG) solution

This white paper will illustrate how eDiscovery actually relies on effective information governance policies for trouble-free collection, processing and production.

AuthorMarta Farensbach

Sherpa Software456 Washington Rd. Ste. 2

Bridgeville, PA 15017(800) 255-5155

www.sherpasoftware.com

Policy-Driven Information Governance Solutions

2

Policy-Driven Information Governance Solutions

When examining commentaries from various electronic discovery experts, it becomes apparent that there is an emphasis on recognizing eDiscovery as part of a complete information governance (IG) solution. Although this focus may be novel for eDiscovery specialists, the management of corporate information at an enterprise level is far from new; in fact, organizations of all sizes have been employing strategies to deal with data management well before electronically stored information (ESI) subsumed its hardcopy counterparts. Yet, despite its ubiquity, many professionals who have a solid grounding in electronic discovery struggle to understand how it falls into the broader world of information governance. This white paper will illustrate how eDiscovery actually relies on effective information governance policies for trouble-free collection, processing and production.

In the widely used Electronic Discovery Reference Model (EDRM), the far left step has always been information management. The EDRM assumes that an organization involved in eDiscovery has implemented at least minimal information governance principles, and has created its own Information Governance Reference Model framework to help clarify these principles.

This focus is important to the EDRM because the ease of electronic data discovery is highly dependent on a stable IG framework. The processes, tools and procedures in place for the effective administration of corporate information will also facilitate the identification and collection of data for litigation or investigation.

The initial steps of eDiscovery are the bread and butter of information governance. With effective management of information assets, updated data maps will be available to identify the location of key custodian data. Tools will be in place to collect data from known sources and filtering the data by date, addresses or keywords should be relatively straightforward. Analysis and processing tools that expedite information governance objectives can be easily established to further streamline the eDiscovery process. All other steps (review, production and presentation) should then follow seamlessly from a strong IG framework. In addition, much of the risk is taken out of the picture as policy-driven information governance is well-audited with strong preservation aspects,

further reducing the chances of spoliation.

Introduction

3

Policy-Driven Information Governance Solutions

Defining Information GovernanceTo help understand the relationship between eDiscovery and information governance, one must understand what is meant by information governance. Gartner defines IG as a “… the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Also known as information management, data governance and a host of other monikers, IG is simply a set of interdisciplinary policies and procedures used to regulate the electronic assets of an organization from creation to disposal. Looking at it another way, IG is the administration of the electronic information lifecycle. To quote Sherpa Software’s own Rick Wilson, “The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion.”

Information governance is not just about the bits and bytes, it is also about tying these information assets to appropriate actors within an organizational system and holding them accountable. For example, take a document created by the Human Resources department at a fictional company which has rather lax information governance policies in place. This file may be created on a laptop, edited on a mobile device, emailed to colleagues for comments, sent to a superior for approval and possibly legal department for endorsement. Finally the file is uploaded to the corporate servers and shared with employees via email, some of whom instant message the link to coworkers, download the file locally or email it to themselves outside of the company.

Who is responsible for this document? Who is answerable for the information contained therein? How long should the document be actively accessed? Should it be reviewed periodically? How do employees respond to or ask questions about it? Should it have been allowed outside the company? What happens if that document is responsive to litigation? With an ineffective or non-existent IG policy, none of these questions can be answered.

The confusion continues if one looks at all the chefs in the kitchen. The IT department may well manage the personal computers, email and file servers and policies regulating their usage. However, the accountability for the content resides in a completely different department, in this case HR. With the file now widely scattered, the liability implications grow as the document bounces from the creator through the rather chaotic distribution channels. From an eDiscovery perspective, early case assessment, custodian identification, attribution and collection would be very challenging in this hypothetical situation. Yet, this type of situation is far from uncommon. With good information governance policies, the roles, responsibilities and dissemination of data becomes regulated, making the system more efficient; questions can be easily answered; documents can be located and secured; all of the above, while clarifying accountability.

The ultimate goal of information governance is to recognize that information, generated by day-to-day operations of an organization, is a valuable corporate asset that must be managed and disposed of in a responsible fashion.

- Rick Wilson, Sherpa Software

“

”

4

Policy-Driven Information Governance Solutions

Information governance is more than just an extension of records management. In reality, it is the other way around – records management has become part of information governance. While data was mostly paper-based, the two were synonymous. These days, however, digital information is growing exponentially and physical records have decreased dramatically. Much as the Federal Rules of Civil Procedure were updated in 2007 to address electronically stored information,

professional organizations such as ARMA and AIIM have reorganized and expanded on best practices to educate and certify their members on the management of information well outside the traditional records management role.

After all, with information assets overwhelmingly digital in nature, managers can no longer rely on methods originally designed for paper recordkeeping. Record managers, therefore, are becoming involved with areas touched by technology such as device management, email retention, disaster recovery, storage control, electronic discovery and more. Furthermore, while records management is undoubtedly the key component in any framework, IG has a far-reaching impact across all corporate disciplines. Since IG is about managing risk while making the most of information assets, teams of stakeholders and planning personnel should include representatives from business, legal, risk, compliance, and IT in addition to the records management team.

One very important component of information governance is the Generally Accepted Recordkeeping

Principles (GARP) created and promulgated by ARMA International. Using these principles, the goal of companies is to become transformational, in other words, to have ‘integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine...’ In this model, the key steps of collection and production for eDiscovery become seamlessly integrated into the entire process.

Unfortunately, this ideal is far from realized. Instead, for many organizations, this note from the

preface of the Sedona Conference’s Commentary on Information Governance is more apt- ‘the litigation risk management tail might be wagging the information management dog.’ For many organizations, critical policies and procedures are implemented as a reaction to the threat of litigation, rather than with an eye to further the goals of the business, agency or non-profit that is tasked with their creation.

In an ideal world, it should be the opposite. EDiscovery tasks should flow naturally as a subset of a strong overall information governance framework. With an effective IG implementation, risk decreases as automation in collection, culling and processing make the process quicker, less costly and more defensible. If eDiscovery is the tail that is wagging the dog, as hinted above, then the many benefits of a strong IG policy are lost, as the responses to risk and needs of eDiscovery may outweigh the requirements of other stakeholders.

The Role of Information Governance

5

Policy-Driven Information Governance Solutions

Even if organizations create policies with an eye primarily towards facilitating eDiscovery, they will put themselves at risk in a number of areas, including:

• Loss of information assets, due to lack of oversight and management, which could directly result in lost revenue• Unmanaged content creation leading to system slowdowns and redundant efforts, as data cannot be found leading to added expenses to keep bloated systems running effectively • Non-compliance for the many industry regulations including HIPAA, Sarbanes Oxley, Dodd-Frank and others that have stringent information management components • Lack of defensible deletion or proactive retention, opening up further liability in litigation• Security as unofficial use of software and company resources causes data breaches or introduction of malware• Obscured data analysis with no clear path to gain insight on corporate information assets or reporting on aggregated statistics

From the eDiscovery point of view, the worst risk of not having effective information governance is adverse judgment due to spoliation of data. Additionally, early case assessment and collections end up taking far more time and costing far more money than they should. This could be caused by the inability to locate data, lack of understanding of corporate systems, non-existent automation and worse –simple negligence. Even basic information governance policies can have a direct, positive influence on the management of electronic discovery, not to mention its own intrinsic value.

To function in the modern world, organizations need to manage their information assets. The effectiveness of management programs depend on expending effort up-front to establish strategies that will have real-world results. Similar to creating effective eDiscovery policies, establishing good information governance practices takes a team with clear goals. There are many online resources to aid in this effort. A very helpful white paper series from Sherpa Software, for example, helps organizations to plan and build a road map implementing an effective framework using a Corporate Information Governance Program (see below).

6

Policy-Driven Information Governance Solutions

Major software companies are well on their way to actively creating and supporting information governance frameworks in their own ecosystems. Roadmaps from IBM, Microsoft, Oracle and others have long included integrating offerings to help customers manage their information assets. Now, integrating IG is being made a priority, with full marketing muscle behind the efforts. Products

that are source-neutral such as Sherpa Altitude IG, are carving new paths as well by by providing source neutral policy-driven information governance solutions. In addition, anyone following the major eDiscovery providers can’t help but notice that they have pulled out all the stops highlighting the role of their products in information governance solutions.

As we’ve seen, sound information governance practices are the key to the smooth management of data assets. With effective IG policies and procedure in place, risk is mitigated throughout the company and eDiscovery becomes a manageable task.

If your organization needs additional assistance or has questions about the role of eDiscovery in your overall information governance model, please take a look at the solutions and resources Sherpa Software has available to help address your needs.

Marta oversees the development and growth of Sherpa’s on-premises products for the Microsoft environment and is responsible for ensuring customer satisfaction. Since joining Sherpa in 2003, she has done extensive research on eDiscovery while expanding her expertise in litigation preparedness, compliance and content management. Prior to joining Sherpa Software, Marta oversaw the management of the information technology department for a leading logistics firm. During her tenure, Marta was instrumental in increasing profitability and efficiency of real-time data inventory reporting, while guiding the deployment of a number of web-based applications.

mfarensbach@sherpasoftware.com | 412.206.0005 x214

Conclusion

Marta Farensbach, Author

Establishing Information Governance Policies