Information governance is a huge issue for in-house lawyers. Our round table participants discuss the best way to manage e-documents
David Reed, founder of Data Governance Forum and chair of the round table: This discussion is centred around e-discovery and the journey towards information governance. It’s probably useful to start by thinking about what’s driving this, why we’ve tabled this idea and what factors we’re having to think about.
Neil Mirchandani, partner, Hogan Lovells: In the US and UK lawyers are focused on the cost of discovery and disclosure as part of the litigation process. The claimant side recognises that people say things in electronic communications and emails that they wouldn’t say if they were putting it in a letter or an agreement.
Particularly in the US, some lawyers have become adept at exploiting unfortunate comments or remarks taken out of context in electronic traffic and using that to beat corporate defendants with.
On the defence side we have to respond. The technologies that have come out, such as early-case assessment technology, have made going through and analysing data more cost-effective.
The regulators have got more savvy about it too. Everyone’s had to respond to both the exploding volume of data and the ability to analyse it. People who can analyse it quickly can prepare and pre-empt their clients or, indeed, bring claims off the back of it. That’s why I’ve become much more interested in it. It’s meant that we’ve had to re-engineer our processes for advising clients.
Reed: We have an expanded territory in terms of what might be considered disclosable and what needs to be discovered during that phase.
Mirchandani: What’s changed is the question of where your data is now – on mobile phones or USB sticks? Obviously, cloud computing is coming in, and that throws up challenges from a legal perspective too.
Some of the technologies available to interrogate data are more effective now, which means you can get an understanding of how strong your position is more quickly. If you don’t adopt these technologies, you could be left behind because the other side or your regulator may be doing it.
Reed: For a regulated industry I’d imagine one of the key drivers is that persistent regulatory push to change the way that you do business.
Christopher Barlow, head of corporate legal, Nomura: In the regulated environment we’re conscious we have an obligation to ensure we have systems and controls in place to look after our data and to make sure it’s dealt with correctly.
For an investment bank, data is its lifeline. We have to ensure our data is kept in a secure environment, and being able to access it is key as well.
Reed: The footprint of GlaxoSmithKline is substantially in the US – a very litigious territory. Presumably, this process of information governance is becoming more important in your business, trying to understand potential risks?
Tom Spencer, counsel, GlaxoSmithKline: Technology has been a massive force for good, particularly for us. Our records management group has grown along with the technology, particularly in the States where most of our litigations are and where, for the most part, you’re paying your own costs.
Where you have a product whose life cycle is 20 years, that generates a lot of data which plaintiffs’ counsel expect to have. You’ve got a ridiculous number of documents to deal with and technology has made it a lot easier for us. The sooner you know where you are in these things, the sooner you can form a view and that’s been a help to us and our outside counsel, particularly in the States.
Barlow: Educating people is important. The fact that you’ve got so much data helps, but it hinders too. You can’t see the wood for the trees. The aspect we focus on is getting the message out – what data are you producing? Why are you producing it? Is it needed?
Spencer: We have a programme that every employee has to go through and it’s effectively ‘think about what you’re writing’.
Reed: Some of us may feel that a media company is not under as much pressure as some more regulated industries.
Andrew Ryan, head of legal, Absolute Radio: When focusing on the creative industries, there’s not that mindset of ‘let’s not write it down on email because it might have ramifications down the track’.
One of the big challenges we’ve faced is making sure that each of our employees, no matter how junior they are or what type of work they undertake, knows that everything they write down is potentially subject to being brought up in court at a later date. That’s something that scares a lot of people.
As far as e-discovery goes, we’re a good example of what can happen in a small company. We’re divided into eight or nine divisions, but because of our small nature everyone’s got a handle on what’s happening across the company. When you eventually become part of a litigation, it’s surprising how difficult it is to retrospectively discover the relevant documentation. It’s an example of why people should consider document management systems as a priority, even for small or medium-sized enterprises.
Reed: It’s the kind of environment I imagine doesn’t always follow a structured process that has been in place for some time.
Ryan: We’ve got the issue of not only having to deal with written communications – email and the like – but also the fact that a lot of the material that would possibly bring us into a litigious situation is broadcast immediately both in the UK and around the world. There’s no way that any one person could keep track of all the material that’s produced.
A lot of what we have to do is to retrospectively review material that’s been broadcast. It’s been broadcast by people who are well-trained with regard to the broadcast code or in how to avoid defamation, but at the same time they’re doing a job that requires them to speak immediately and produce entertaining content. It’s difficult for them to keep working with those multiple tensions without bringing the company into a situation where someone might take action.
Reed: It sounds impossible for a shock jock to stay on air when you describe it like that.
What sort of issues are encountered in the areas of manufacturing and distribution?
Robert Goldsmith, corporate counsel, Wolseley: For us, it’s more the fact that so much more data is being produced electronically. We’re an organisation that’s a collection of businesses, so although we don’t operate in a regulated sector or a heavily litigious industry, we still find ourselves creating lots of data in an unstructured environment. There’s no central place where we have an understanding of all the data that’s created and all that’s retained. If we do end up in court or subject to an investigation, we need to be able to get hold of the information and data as quickly and efficiently as possible so we can respond properly.
With the increase in electronic data and the additional impetus the courts are putting on e-discovery, we’re finding it a growing risk. It’s not necessarily one that’s come to bite us yet, but it’s something that’s out there and various people in the organisation need to look out for it.
It’s an interesting matter that’s got a lot of people talking. It’s one of the areas that’s difficult because it’s bringing the IT guys and the legal people into conversations. It’s sometimes a difficult match-up getting the interests of both teams aligned.
Reed: And in the services sector, what’s the driver for getting involved in e-discovery and information governance?
Dermot Maguire, head of IP, Fujitsu Services: As information professionals we need to be taking control of this. At the end of the last century people were moving things around on floppy discs. We now have passport drives of 500MB or even a terabyte. Most of our processes are still aligned with the 1MB disc. We haven’t really dealt with gigabytes and we’re now in a terabyte world. By the time we’ve worked out what to do with a petabyte we won’t have the ability to catch up. At some point I think we’re going to realise that.
What’s most important is the investigation. Discovery and disclosure of documentation is an additional thing, but if you’ve got a big dispute you need to know some of the information and how you go about getting that information. What’s happened now, because everything’s digitised, is that we’re able to capture moments in time that were transient in the past. The question is, philosophically, what are we going to do? Are we going to start building more and more systems to try and analyse to the nth degree? What you get is snapshots of what systems and investigations have been able to grab.
There’s a bit too much certainty over what you think these things are giving you and there isn’t enough understanding about the uncertainty. The fact is that you’ve looked into a vast array of information, you’ve used some fantastic tools to get things that are very responsive, but you can’t say much about what you haven’t got. We’re going to have to work out how we deal with that sort of uncertainty and the fact that we can’t get access to this information.
While you’re trying to work this out your organisations are generating vast amounts of documentation. At the moment organisations can’t see the cost of not properly organising their records so they’ll do it at a later stage. Memory’s cheap, you just buy more and more memory and at some point you’ll work it out. Will we ever get to the stage where we say – this is a wacky number, we could do with working out how we store these things properly? That’s quite a costly process – bringing in information professionals to look at information governance, to look at the workflows and what information you capture and what you don’t.
Goldsmith: Is there a way that if you categorise and classify data when it’s created, you can manage it and store it in a cost-efficient manner?
Nick Patience, director of product strategy, Recommind: We have an example at the US Department of Energy [DoE] whereby every email that comes into the department is automatically captured using our software.
Admittedly, it’s only email we’re talking about here – we’re not talking about every single piece of information that comes in, but obviously an awful lot of information is generated by and comes into the DoE.
It’s one of these areas where for some people there’s a perception that this can’t be done. That’s completely understandable because it’s overwhelming. The only way to tackle those volumes is by relying on automatic software, which in some cases has existed for quite a long time. What’s prevented its use is that the computer power was not there to cope with it.
We’re now at a stage of unstructured information whereby the stuff does exist, computer power is cheap enough and automatic categorisation can be done – you can get information into a form whereby it can be used and fed into various policy engines or applications on top. I can understand trepidation, but I think we’re on top.
Reed: Is there a concern and debate about how we can best cope with what feels like a changing environment – a changing scale of requirement?
Rupert Collins-White, head of content and community, Legal Support Network: The industries that legal serves at the top end have reached a point where they’ve got to understand they can’t keep dumping stuff into this bucket. You can make the bucket large – there’s a cost-benefit equation with the relative cheapness of saving information – but you’re just storing up an enormous problem.
I’d be interested to hear what clients think about how much information law firms can give them about how to handle information.
Goldsmith: We don’t look to law firms for advice on governance necessarily. We’ve looked to them for specific issues such as categorisation and classification because we don’t want to find ourselves buying technology, deleting all the information after six months and then finding ourselves in court two years later and being massively rapped on the knuckles by a judge for having got rid of a whole load of data.
Reed: Tom, you said earlier that you have this training programme and I think a lot of people would be interested in that – both what it is and where you looked to decide what it should feel like, what the content should be.
Spencer: This is something that was in place before I arrived at GlaxoSmithKline eight years ago. What we tend to do when we train on the programme is use litigation as a kind of deterrent and a stick, to make people think that things can be interpreted in different ways, particularly in the US where it’s all jury trials. Juries are swayed by an email, particularly from a senior employee, so it’s really just discipline.
We’re lucky in a sense that a lot of the data we deal with is sensitive, personal data. It’s patient data so people are already attuned to data management and what it means. People have got a lot more attuned to it, but it’s very much in the psyche of all our employees because of the nature of the data that we deal with day to day.
Reed: Rob, I think you mentioned that you’ve been looking into this area, trying to understand the technology and how it could help. Would that be something that you and your function are driving, or is corporate deciding it’s got to get across this?
Goldsmith: It would be better if there was a benefit to the business to have it, because then it would be easier to push it through. If you want to put any costs or burdens on the businesses to do with implementing some kind of IT system, you need to show either that it will advantage the business and therefore it’s worth it or that it’s a big risk area to the group that needs addressing.
If you’re in a regulated industry or an industry where you find yourself in litigation quite a lot, you can see why you need to have some kind of technology there for your electronic data and why you can probably save money. You only have to go through a couple of big court cases to realise that, with the amount of legal fees you could have saved if you’d had the technology in place and had some kind of e-discovery capability in-house, it pays for itself on the second or third court case.
If you’re not in those industries, don’t find yourself in litigation or are not heavily regulated, calling it a corporate overhead would be difficult.
Mirchandani: We found that when some of the technologies to interrogate data were coming out and were looking interesting, we’d take them to clients as a way of handling the disclosure process and get pushback. In-house counsel would generally be supportive but would say: ‘I’m not sure my board will sanction this expense.’ That was particularly the case if it was proactive – as risk prevention rather than mitigation.
There were two areas of development where that changed a bit. One was Sarbanes-Oxley, when I think people, particularly multinationals with US connections, became aware of the risks to directors of not having managed or be seen to have managed their risk processes.
The other, more recently, is bribery and corruption. If you’re running 20 operations around the world in possibly high-risk jurisdictions, if things are being done electronically you may be able to track that – pick up that risk more quickly. Technology gives you something you’d never have had other than perhaps tens of paralegals reviewing documents. It’s business-threatening. You could be shut down.
Goldsmith: Do you find that people are taking measures to see what’s out there in their own business?
Mirchandani: Technology allows you to be much more responsive and to interrogate quickly, and I think that’s the advantage of it. If you’ve got board members who are facing investigation it’s probably an easier sell, but it may still be slightly too late.
Reed: If you were giving someone advice on how to succeed in this process of e-discovery and the journey towards information governance, what would it be?
Patience: It has to be led by the business or regulatory driver. There’s no point in trying to throw software at it first. I’d say base it on whatever the key driver is in your industry, whether it’s litigation or investigation, then focus on understanding what technology exists and understand it’s out there and it can be done.
Maguire: There’s money in information. The companies and organisations that get hold of, control and manage their information better, and get the value out of it, are the ones that will thrive. The ones that can’t will die.
Barlow: It’s about getting top-level buy-in. The lawyers are not necessarily shaping it, but we can be there to drive it. It’s to raise and flag the issues to the business and help them understand why it benefits them.
Spencer: I’d adopt a holistic approach to this. If you’ve got a good records management department and lots of strands buying into the same thing, that’s a lot easier than a disparate group trying to have effective e-discovery. A lot of effective e-discovery depends to a degree on your general information governance. Look at it in a broader sense.
Goldsmith: If there’s been a burning platform it’s a pretty easy sell – if you’ve gone through a nasty competition investigation for example and you haven’t been able to produce the information you need, you can be sure that in the six months following the dawn raid the top people will be asking why it took so long, why it’s so painful.
Ryan: It goes back to the golden nugget I was told when I started as a legal trainee of picking up the phone and having a quick chat with someone. It’s sometimes a lot better than putting every single thing down on an email or paper.
But in terms of driving it through management and getting buy-in, while it’s not necessarily best to have the lawyer driving that process we’re conscious of the ramifications of not having a particularly good document retention policy or the ramifications of failing to take reasonable measures in relation to Bribery Act procedures.
While we may not be the people who are really driving it through, we can put it on the agenda and be a good sounding-board for top management to take proactive steps to at least analyse where document retention is at in the company.
Mirchandani: One thing that we say to people is never write something in an email or a communication that you wouldn’t want your mother to see on the front page of
the Financial Times. Another thing I practise is never ‘reply all’ without considering.
You don’t have to be in the vanguard of data collection, but you want to be as good as your peers.
Pain and gain
The technology explosion has been both a boon and a headache for businesses. Organisations are generating growing amounts of data and having to grapple with how to store and access it. In a round table event hosted by The Lawyer in association with information management specialist Recommind, panellists debated the issues surrounding information governance.
The provider’s view
Nick Patience, senior market analyst, Recommind
We create more information every few days now than was created in the period from the beginning of time to 2003 – but for businesses it’s not just a case of how to store these growing volumes of data, but rather how to manage it effectively and efficiently, especially in the face of an increasingly strict global regulatory environment.
The challenge in this environment is three-fold and involves capturing, organising and analysing electronic information and data in order to surface any potential risks and issues as early as possible. Data is the lifeblood of an organisation, particularly in regulated industries such as financial services and healthcare. So are too many organisations adopting a ‘hope for the best attitude’?
The Round Table discussion is additional proof that that the issues surrounding proactive information governance are now a board-level concern for many organisations. From the introduction of Sarbanes-Oxley in the US a decade ago through to the UK Bribery Act of 2011 – and with the sheer volume of data being created and stored by organisations today – the shortcomings of a reactive approach are clear. Instead, organisations need to ensure they have effective email management and information analytics in place, and perhaps most importantly, the ability to apply policies to that information in order to mitigate and proactively manage risk and identify any potential breaches as quickly as possible. Organisations that haven’t begun putting policies and procedures in place need to get smarter and act proactively in order to avoid unnecessary fines, which are only going to increase in severity. Putting effective risk management procedures in place before an incident occurs is a lot easier than trying to pick up the pieces afterwards.