Iron Mountain’s Ernest Cloutier and Chris Thomas are keen to centralise the firm’s legal function, bringing global cohesion to the teams of internal and external lawyers
After being appointed to the European panel of information management company Iron Mountain, DLA Piper, Eversheds and Shoosmiths were asked to attend a panel day to learn more about the company and about each other.
The aim was to make the company’s external legal advisers aligned as closely to Iron Mountain as its central legal function.
Things could not have been more different prior to the appointment of Ernest Cloutier as global general counsel in the US in December 2007.
“It was a decentralised legal team, it was far too US-centric,” Cloutier recalls. “The priority of the past two to three years has been to make it a central function.”
This began in the US, where Iron Mountain has cut its roster of external firms from 100 to 30 over the past five years. Next on the priority list was to grow an internal legal team working on a global basis.
“The strategy of the team is to be geographically decentralised,” Cloutier says. “When I joined we were undersupported by the team outside the US.”
A little more than a year after Cloutier was appointed, Chris Thomas arrived as director of legal, Western Europe with the remit of building a European legal team capable of dealing with the most pressing legal matters. It was Thomas who was responsible for the European panel shake-up and who, in January, invited the 10 appointed firms in to meet the company and each other.
Getting to know you
“At the start of the day everyone had nervous looks on their faces,” says Thomas, conscious of the fact that it is extremely rare for panel firms to come together in this way. “By the end of the day they had the opportunity to get to know what we’re about. The feedback was positive; now it’s about us moving that forward, driving performance and giving them the opportunity to get to know us.”
This proactive attitude is something about which Cloutier and Thomas are both passionate. It clearly resonates from the top, and the lawyers working across Iron Mountain’s 35 jurisdictions are encouraged to buy into that culture.
“The number of times I’ve said ‘no’ is very few; it’s about how to achieve the objective,” says Cloutier.
“We need to be proactively looking for the solutions rather than being a reactive function,” chimes Thomas.
The legal team needs to comprise trusted advisers to the business.
“It’s important to understand the business,” stresses Thomas. “To offer our support we need to build relationships with the team. When you’re working in multiple jurisdictions you need to be able to trust the legal department.”
This is particularly true when you are working in the ever-changing legal minefield that is data protection. Thomas is responsible for making sure his team is up to speed with any legal changes – and when that entails working across multiple jurisdictions, it is no mean feat.
Protect and servers
“Data protection’s one of the biggest issues we have to keep an eye on, not only from a business perspective, but also from a client perspective – how can we provide guidance for our clients?” says Thomas. “When you’re dealing with seven or eight jurisdictions, each will have a different approach. It’s about trying to identify what the priorities are in different jurisdictions.”
Cloutier is dealing with similar issues in the US, where he says there are currently 17 privacy bills being mooted on Capitol Hill.
In Europe, meanwhile there are plans to introduce data protection security breach notification rules that would require organisations to notify data protection authorities and affected data subjects within 24 hours of an alleged breach.
“Security breach notification exists in the US, but it doesn’t really work,” Cloutier says. “It’s very expensive, and it’s an issue around the world.”
Thomas says the key is to stay ahead of the legislators and anticipate what is coming down the line and how it will affect the business and its customers. The company has a lawyer based in Brussels who is responsible for monitoring developments, but it does not end there.
As an information management company, Iron Mountain has access to some of the most sensitive and confidential legal documents.
Consequently, all staff have to be aware of potential data breaches.
Thomas says potential employees are vetted thoroughly before they are appointed and the security training begins on the first day on the job.
“Our people need to follow a certain standard – our integrity remains paramount,” he adds.
Employees will be trained not to snoop in sensitive boxes, but should they see something they are uncomfortable with a whistle-blowingstructure is in place.
“If there’s an issue they can take it up with their line manager,” Thomas explains. “They’re able to raise an issue on a confidential basis.”
The global legal team is home to 37 lawyers around the world, each dealing with similar issues at varying levels. Cloutier wants the team working together, and earlier this year held a conference to bring them all under one roof. He has an idealised version of the future andpossibly the belief to pull it off.
“One of things we’ve enforced is that the team within is more important than the individual,” he states. “Lawyers can be competitive, but what we need to celebrate is the team.”
The aim is to have a team of lawyers working internally with a team of lawyers from various firms working externally in a business where it is essential for the legal function to be central.
While Cloutier and Thomas have achieved the internal aim, the challenge now is to repeat it externally.
Ernest Cloutier and Chris Thomas
Position: Senior vice-president, secretary and general counsel (Cloutier); director of legal, Western Europe (Thomas)
Reporting to: Chairman and CEO Richard Rees
Legal capability: 37
Revenue: $3.1bn (£1.94bn)
Main external law firms: DLA Piper, Eversheds, Shoosmiths Lorenz Law (Belgium), Schmalz Rechtsanwalte (Germany), Berthet Husson Associés (France), Boekel De Nerée (Netherlands), De Brauw Blackstone Westbroek (Benelux)
chairman and chief strategy officer, ZyLAB
Cross-border proceedings in unfamiliar territories, in combination with the complex European privacy rules, can be risky and costly for multinational organisations today.
A US eDiscovery can force companies to provide all kinds of data, including personal data, to a court, while most European courts forbid the transfer of personal data to other legal entities, as well as to countries that do not provide an adequate level of data protection.
Knowing what data you hold, where it resides and how best to manage it proactively is the best defensible position to have.
Using a custom-designed tool to search, tag, classify and exclude what is considered ’privileged’ information is one way of mitigating risk.
We advise companies that, in order to remain compliant with regulations, they needs to enforce information management and data retention policies and educate staff about the rules of the business.
They need to making sure the policies include the widest range of materials, such as SharePoint, blogs, social media, unified messaging, voice files, video, Salesforce and other CRM systems. A robust and scalable software solution can assist them with this.
It is important to remember that the benefits go far beyond just risk aversion and legal preparedness and that proactive discovery can add real ’value’ back to the business.
business development manager, Continental Europe, legal technologies, Kroll Ontrack
Lawyers involved in cross-border litigation are under pressure to meet the discovery obligations of one country without violating the local data protection laws of another. This conflict arises when data located in the EU needs to be collected and transferred to the US. Technology is, however, available and assists with the transfer of data in legally compliant ways.
Many firms rely on specialised data-filtering technology to restrict the data set to be transferred to those documents strictly relevant to the issues in dispute.
Data can be processed in Europe by a discovery provider at a central facility in another country, such as the UK. The data processing infrastructure can also be set up in-country or onsite. Another approach is to export the data to the US for processing under a data transfer agreement.
The documents can also be reviewed by lawyers to help identify personal data and remove it from the data set. This might be carried out by reviewers in a specific country before data is transferred elsewhere, or remotely by lawyers accessing the database in Europe via the internet.
Alternatively, lawyers can ask individuals to identify responsive and private documents prior to data collection and transfer, although this approach has inherent dangers. Proactive companies can ask employees to mark private emails using keywords that allow searches to be run to exclude these documents from data transfers.