Corporate Data Assessments: The New Game Changer?

Tuesday, January 31, 2:15-3:15pm

legalweekshow.com | legaltechshow.com | #Legalweek17 | #Legaltech


Panel

Judy S. Lao, Chief Legal Office, Blackstone Group

Jason C. Stearns CRM IGP, Director, BlackRock

Ben Robbins, E-Discovery and Information Governance, LinkedIn

Jenya Moshkovich, Partner, Barnes & Thornburg

Jake Frazier, Senior Managing Director, FTI Technology


Audience Poll 1

Have you or your company conducted a corporate data assessment?

1. Yes

2. No


Corporate Challenges


SOURCE: http://www.ironmountain.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/C/Compliance-Benchmark-Report.aspx

Information that is eligible to be destroyed cannot be readily separated from legal holds at 56% of organizations.

More information than necessary is typically retained due to how legal holds are written or applied at 70% of organizations.

Half of organizations over-preserve e-mails, IMs and electronic communications.

More than half of organizations over-preserve information pursuant to legal holds.

Important/official ESI cannot be located and used when needed at 78% of organizations.

61% of organizations do not regularly delete eligible ESI using standardized processes.

68% over-preserve content/documents from ECM

53% from collaboration tools (SharePoint)

65% network files

56% desktop/laptop files

62% from backup tapes


Audience Poll 2

Which roadblocks have prevented you from implementing a comprehensive data governance and security program?

1. Don’t know where to begin

2. No budget

3. No executive buy-in

4. Too many owners = no owner

5. Other


Ethical Obligations

ABA Model Rules of Professional Conduct

Client-Lawyer Relationship

Rule 1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Duty of Competent Representation

Play Visions v. Dollar Stores, Inc.

California Standing Committee on Professional Responsibility and Conduct: Opinion 2010-179 (2010)

The use of a public wireless connection without using precautions, such as encryption or a personal firewall, risks violating the attorney’s duties of confidentiality and competence because of the lack of security features provided in most public wireless access locations. But the attorney’s personal wireless system would not violate the attorney’s duties if the system were configured with appropriate security features.

New York State Bar Association Committee on Professional Ethics Opinion 842 (2008)

The Committee found that a lawyer could use cloud computing to store files if “the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.”


Information Lifecycle Management (ILM)

HOLD, DISCOVER

Legal holds are precisely scoped based on both custodial and data source attributes

Smaller datasets up-stream result in smaller, quicker per-matter collections

Smaller produced datasets result in lower costs for outside processing and review

RETAIN, ARCHIVE

Policy includes business value and regulatory duty

Inventory linked to data source, value and cost

Transparent, executable record codes include privacy and legal rules

Automated policy execution for archive and disposal

STORE, SECURE, PROTECT

Store, optimize and dispose by value

IG execution capability and enablement (holds, retention, disposal, collection) for data

Data hygiene and governance

Catalog global data privacy procedures and protocols

PROCESS TRANSPARENCY

Common governance data model and enterprise map

Linkage of duties, value to information assets and business processes

Governance analytics

Transparency across stakeholder processes

Note: Diagram is the IGRM (http://www.edrm.net/resources/guides/igrm)


ILM Process Maturity Levels and Indicators

1. AD HOC, INCONSISTENT

Inconsistent activity

Informal or incomplete

Facts isolated to an individual

Can’t easily be compared, reconciled or monitored

2. SILO’ED, MANUAL

Facts are difficult to retrieve but available; isolated to dept

People in the group use the same method

Spreadsheets are stored in common place or in shared email

3. SILO’ED, CONSISTENT & INSTRUMENTED

People in the group use the same method

Process is automated

Process facts are routinely incorporated in departmental process

Process is repeatable, consistent

Process and facts are isolated in department

4. INTEGRATED, INSTRUMENTED ENTERPRISE PROCESSES

People in the group use the same method

Process is automated and facts are routinely incorporated in process

Process is repeatable, consistent and reliable in dynamic enterprise

Facts from adjacent stakeholders are routinely incorporated in process

Process provides enterprise transparency

Process dependencies and risks are systematically detected, communicated across processes

Diagram annotations:

Typical maturity level today, cause of excess data, cost and risk

Target maturity level needed for defensible disposal, lower risk and cost

Axis labels: HIGH RISK, COST; HIGH TRANSPARENCY & CONTROL


ILM Process Maturity Ranking (scale 1 2 3 4)

Level 1: Ad Hoc, Manual

Level 2: Manual structure, Silo’ed

Level 3: Instrumented, Silo’ed

Level 4: Instrumented, Integrated

ILM Process: Description

A. Employees on Legal Holds: Determining employees with information potentially relevant to an actual/anticipated lawsuit or investigation

B. Data on Legal Hold: Determining information and data sources potentially relevant to an actual/anticipated lawsuit or investigation

C. Hold publication: Communicating and executing legal holds to people, systems and data sources for execution and compliance

D. Evidence Collection: Fact finding and inquiry with employees; collecting potential evidence in response to a request.

E. Evidence Analysis & Cost Controls: Assessing information to understand dispute for determining, controlling the costs of outside review

F. Legal Record: Documenting custodians and data sources identified, legal hold and collection activities over matter lifecycle

G. Master Retention Schedule & Taxonomy: Defining an information classification schema to determine regulatory record keeping obligations

H. Departmental Information Practices: Cataloging which information each business organization values, generates or stores by class & location

I. Realize Information Value: Gaining timely access to information to maximize the enterprise value of information.

J. Secure Information of Value: Determining a schema for information importance and corresponding security needed.

K. Privacy & Data Protection: Assessing privacy duties by data subject and location; communicating these requirements to people & systems

L. Data Source Catalog & Stewardship: Establishing an enterprise ILM catalog of information and corresponding stewardship and governance procedures

M. System Provisioning: Standardize new information sources ensuring legal, regulatory, privacy & security considerations are defined

N. Active Data Management: Differentiating high value actively used data from aging data of value to regulators only or less frequently accessed data

O. Disposal & Decommissioning: Disposing data and decommissioning applications when their legal duties & business utility have elapsed

P. Legacy Data Management: Methodologies by which orphaned data is remediated and data without legal duty or business value is disposed.

Q. Storage Alignment: Aligning storage capacity and cost to information business value and retention requirements

R. Audit: Testing to assess the effectiveness of ILM processes and establishing corresponding procedures for governing information


ILM Risk Heat Map

High risk: Requires constant monitoring and review, immediate escalation on failure or impending failure. 50% likelihood

Moderate risk: Requires frequent monitoring to prevent and detect; costly to correct or mitigate. Between 10% -50% likelihood

Low risk: Does not require constant monitoring and is easy to prevent, detect, correct, defend. Less than 10% likelihood

[Figure: heat map placing ILM processes A through R; axes: Potential Impact, Likelihood to occur]

ILM Process

A Employees on Legal Holds

B Data on Legal Hold

C Hold publication

D Evidence Collection

E Evidence Analysis & Cost Controls

F Legal Record

G Master Retention Schedule & Taxonomy

H Departmental Information Practices

I Realize Information Value

J Secure Information of Value

K Privacy & Data Protection

L Data Source Catalog & Stewardship

M System Provisioning

N Active Data Management

O Disposal & Decommissioning

P Legacy Data Management

Q Storage Alignment

R Audit


Process A: Employees on Legal Holds

[Figure: Maturity Scale (1 2 3 4) and Risk Assessment panels for process A]

CURRENT STATE: Capability LEVEL 3

Observations and Current State Assessment

Systematic tracking of all custodians in all holds via Atlas, with capability to track instances of multiple holds per custodian.

Employees selected based on current and historical organizational data and individual questionnaire responses

Questionnaires are sent with hold notices and responses are reviewed and hold scope revisited as needed

Integration of HR system data (currently from PeopleSoft, may be transitioning to Workday in the future) in Atlas allows for automated notification of employee departures and transfers

Brief Description

Determining employees with information potentially relevant to an actual or anticipated lawsuit or government investigation

Potential Risk from Process Failure

Custodians are not identified and potentially relevant information is inadvertently modified or deleted.

Potential Future State Capabilities: Capability LEVEL 4

Real-time update of custodian roles

Automatic notices of employee transfers made by matter and attorney

Copy or cross reference custodian lists across similar matters

Scope revisited and refined at least quarterly to release or include custodians.


Methodology

1. Assess: Your organization’s particular needs are evaluated and relevant data sources are mapped.

2. Plan: An identification, review and remediation strategy is developed for each specific data source.

3. Approve: All necessary approvals and “buy in” are secured.

4. Execute: Leverage your company’s in-house collection and analytics tools, or utilize industry-leading tools (StoredIQ, NUIX, etc.), to conduct the tactical day-to-day work and execute the agreed-upon data remediation plan.

5. Document: Document the full project, and make sure experts are available to testify in court about the methods used for any remediation project.

6. Equip: Install and maintain technology solutions to ensure “go forward” compliance.


In order to dispose of data, you have to:

Identify what must be retained / how long: Establish retention policies

Be able to enforce retention: Data management & disposal

Support legal requirements: Legal holds and data collection

Apply retention policies: Enterprise governance & rollout

Ability to audit processes: Defend governance program

Remediation = Cost Reduction + Risk Mitigation

Predominant Behavior: Keep Everything (& many copies)

Future State:

Keep: Subject to Legal Hold; Has Business Utility; Regulatory Record Keeping

Dispose: Non Responsive to regulatory / Legal & no data security issues


Audience Poll 3

Which of the following will impact your company within the next 1-3 years?

1. Migration to Microsoft Office 365

2. GDPR

3. Updating legal hold or e-discovery technology/process

4. Industry regulations (healthcare, financial services, etc.)


Additional Considerations

“The GDPR authorizes maximum fines of 20 million euros ($22.5 million), or up to 4 percent of a company's global revenue. To illustrate the severity of the fines, Alphabet Inc.'s Google had $60.6 billion in revenues in fiscal year 2015, Bloomberg data show. A fine of 4 percent means Google could get a bill from the EU exceeding $2.4 billion for a single infraction.”

Source: “EU Data Transfer Updates May Be Boon for Multinationals.” Bloomberg Law, January 7, 2017

37% of corporations have already migrated to Microsoft Office 365, and another 54% plan to migrate within the next one to three years.

Source: “Survey Analysis: Microsoft Dominates Cloud Email in Large Public Companies but Shares the Rest With Google,” January 2016, by Nikos Drakos and Jeffrey Mann.


Thank You

Find Information Governance & compliance resources from FTI Technology available on our website: www.ftitechnology.com