Information Governance – What Does a Modern Program Look Like?

© 2014 Winston & Strawn LLP
Information Governance:
What Does a Modern Program Look Like?

Today’s eLunch Presenters
Christopher Costello
Senior eDiscovery Attorney
New York
cccostello@winston.com
John Rosenthal
Chair, eDiscovery & Information Governance
Washington, D.C.
jrosenthal@winston.com
2

Agenda
• What is the problem?
• What is Information Governance?
• What are your objectives in implementing Information Governance?
• How do we create a Modern Information Governance Program?
• People
• Policies
• Toolsets
• Education
• Auditing and Compliance
• Advance Analytical Engines
• Questions
3

Electronic vs. Paper Records
4

Electronic Data is Increasing Exponentially
• Total amount of data predicted to
double every 1-2 years.
• 90% of the data in the world was
created in the last two years.
• More data means higher costs and
increased risk.
• Nearly 2/3 of medium- to large-
sized businesses have more than
25 legal and regulatory matters per
year.
5

Information Value Over Time
100%
0%
ProbabilityofReuse
Average Days Since Creation
0 days 15 days 30 days 90 days 1 year 5 years Forever
500 MB
1 GB
5 GB
25 GB
Defensible Disposal
Potential
6

Why Organizations Don’t Dispose of Data
7
12%
13%
11%
12%
12%
18%
22%
29%
36%
0% 5% 10% 15% 20% 25% 30% 35% 40%
Don't know
Other
No business need to dispose of data
No need
No IT need to dispose of data
Too difficult
Policy dictates that we keep all data
forever/indefinitely
Fear of inability to furnish data for business needs
(i.e., reference purposes)
Fear of inability to furnish data requested as part
of a legal or regulatory request
Why do you believe that your organization does not dispose of data?
(Percent of respondents, N=83, multiple responses accepted)
Source: ESG Research Report, Defensible Disposition in Practice: Perspectives from Business and IT, to be published in December 2012

Implications of the Explosion of Data
• Harder to locate and use the company’s data.
• More difficult to manage the data as it continues to grow.
• Expensive to continue to maintain and ultimately retrieve, review and
produce data.
• Decrease in productivity and response time when data needs to be
located for business and legal purposes.
• Increased risk exposure for non-compliance with regulatory, tax, and
legal holds.
8

Business Risk
• “Office workers can waste up to two hours a day looking for
misplaced paperwork—a total of 500 hours (62.5 days) per
year” (TN).
• “Computer users spend 7.5% of their time on a PC looking for
misplaced files” (Information Week).
• “Companies typically misfile 2% to 7% of their records” (ARMA
International).
• 90% of records are never referred to again (Secured Record
Management).
• Companies misfile from 3% to 5% of their records, with a cost of
$180 per document to recreate it and annual losses of a million
records per year at a cost of $5 million per year (Information
Week).
9

Drivers
• Compliance
• FOI
• DPA
• SOX
• HIPPA
• FSA
• Knowledge Management
• Staff turnover
• Reduce duplication
• Leveraging content
10

What is Information Governance?

Traditional Approaches to IG
• Traditional IG programs were primarily focused on records
management.
• The primary objective was to control the creation and storage of records
and were usually begun when the total volume of information became
unwieldy or prohibitively expensive.
• Records management was typically focused on the records lifecycle:
12

Definition of Information Governance (IG)
• Sedona Conference: “An organization’s coordinated,
interdisciplinary approach to satisfying information compliance
requirements and managing information risks while optimizing
value.”
• Gartner: “The specification of decision rights and an accountability
framework to ensure appropriate behavior in the valuation, creation,
storage, use, archiving and deletion of information. It includes the
processes, roles and policies, standards and metrics that ensure the
effective and efficient use of information in enabling an organization
to achieve its goals.”
• Information Governance Initiative: “The activities and technologies
that organizations employ to maximize the value of their information
while minimizing associated risks and costs.”
14

What Really Is IG?
• IG is the confluence of records management, e-discovery, IT security,
data privacy, and data protection, and the policies, procedures,
toolsets, and personnel that a business uses to control the creation,
use, retention, and disposition of its data.
• In essence, IG is the umbrella under which companies conduct their
business, pool their collective knowledge, prepare for the future, and
protect their existing business.
15

WWW.EDRM.NET
17

Elements to Modern Information Governance
Information
Governance
Business
Needs
Data
Security
RIM
Privacy
Compliance
E-Discovery
18

Strategic Issues
• Objective
• Political considerations
• Knowledge management
• Risk
• Budget
• Resources
• Sophistication of IT infrastructure
• Industry
• Maturity
• Level of regulation
19

Creating a Modern IG Program

Developing a Framework
• Identify a core team
• Identify your priorities
• Conduct an assessment
• Draft policies/schedules
• Identify tools sets
• Design implementation plan
• Education
• Compliance
21

Example – Records Retention Program
• Records Retention Policy
• General records policy
• E-mail management policy
• Records Retention Schedule
• Evaluation of Potential Records Management Tools
• Implementation
• Education
• Compliance
22

Record Retention Policy
• Key provisions:
• All records must be managed in accordance with the Record Retention Schedule.
• All records not subject to a restriction must be retired at the end of their retention
period.
• Restrictions to record retirement:
• Legal hold order
• Tax restrictions
• All personnel must perform a minimum of an annual review of all records and
process them for storage or retirement.
23

Record Retention Schedule
• A practical and tested Records Retention Schedule is the key to any program.
• What does the Schedule do?
• Provides the departments and staff with clear guidance as to the time period that
specific records must be retained
• Who does the Schedule apply to?
• All departments and personnel
• All specified categories of records, regardless of their status (active or inactive),
location or type (paper, electronic, or imaged)
24

Records Retention Schedule
• The Schedule will consist of several columns of information: (i) retention
code; (ii) subject/description; (iii) retention period for official records; and (iv)
retention period for unofficial records/copies:
25
Code Subjects/Description Legal User Total Unofficial
Retention
ACC-50-12 Accounting
Payroll
Payroll Records
Records documenting payments
for payroll for a specified pay
period including dates, employee
names, withholding amounts and
purpose, final check amount and
other related information
6 3 6 Max 3

Records Management Tools
• Key to successful records management is the classification of records (i.e.,
ability to identify records with applicable “records code” to a record).
• Classification is the first step in records management.
• Tools can mandate and facilitate classification at the time of creation or
identification.
• In absence of tools, it is difficult to mandate classification at the time of the
record’s creation or identification, which makes records management
compliance not impossible, but difficult for your workforce.
26

Classification Process
27
Low High
High
Low
Cost Savings
Productivity
Accuracy
Manual
Classification
Authoring
Templates
Rules Based
Classification
Context Based
Classification
Multiple
Methods
Simple
Rules
Complex
Policies
Consistent Participation & Enforcement

Critical Dimensions of Classification
28
Cost (per doc)
Accuracy
Consistency
Manual Automated
92% 50 – 80%
$ 0.17
< $ 0.01
<50% 100%
46%

Implications of Classification
29
Every manual classification forced on
your users will cost your organization 17
cents in productivity
4
3
2
Records management in your
organization can lead to large,
measurable productivity loss if not done
correctly
4
Compliance professionals hold the
incorrect assumption that humans are
the best option for piece by piece
decision-making
3
Results of human-reliant filing are
inconsistent and inaccurate, resulting in
effective accuracy of 50%, at best2
ImplicationsFacts
Unstructured content makes up 80% of
the volume of information in the
average enterprise and that segment is
growing 30% annually
1
Business users find forced manually
classification “burdensome” and at
least 50% will not participate
Deploying an archiving or records
management initiative is increasingly
important, large scale and difficult
problem
1
Humans provide, at best, marginally
better accuracy in executing
classification, in controlled tests

Significant Product Attributes
• Supports event and time based retention rules
• Structured file plan organizes records and manages, enforces complex
policies/rules
• Enables legal holds; facilitates audit and electronic evidence discovery
• All processes are audited and managed
• Ensures record authenticity, integrity, and contextual relationships
• Ensures record access, retrieval, and usefulness
• Prevents unauthorized deletion
• Ensures timely disposition and complete record expungement
• Ensures privacy and record security policy management
30

Potential Types of EMC Tools
• Enterprise content approaches (Oracle, IBM, Autonomy)
• Traditional records management tools (Open Text, Documentum)
• E-mail archivers (Autonomy EAS)
• Hybrid type tools (e.g., expanded use of EAS archive as a records repository)
• MS SharePoint
• Web content management
• Social content
• Image-processing applications
31

Traditional Records Management Tools
32
E-Mail Archives
Physical Content
Database
File Servers
Enterprise
Applications
Legacy
Applications
Content Mgmt
Move content from
local and network file
shares into a records
repository, which
forces classification
and management of
records during their
lifecycle

Record Repository
Email
ECM
ERP
Other
File
Shares
Local
Drives
Legal
Systems
Traditional Records Management Tools
33
…
Keep 10 Yrs
then Destroy

2014 Gartner – Enterprise Content Management
Systems
34

2004 Gartner – ECM Magic Quadrant
35

Implementation
• Implementation = project management
• Design a plan
• Identify a pilot group
• Run pilot
• Re-evaluate based upon pilot
• Implement across enterprise (consider phased approach)
36

Education and Compliance
• Record management initiative is a complex and long-term issue.
• Asking employees to change their work-flow process, going from a keep
everything mentality to keep only what is business critical.
• Implementation, education, and communication are the key to any program.
• Compliance is a longer-term issue.
37

A Word About Use of
Advance Analytical Engines

Winston Case Study
• Background:
• Highly regulated industry
• 20,000 plus e-mail users
• Significant number of legal and business holds
• Archiving solutions:
• Result in significant over-preservation
• Costly to manage over time
• Challenge – how can TAR be used to automate legal and business hold
decisions?
39

Prior State
40
Archive solution
Firewall
Exchange Server
User
Storage
100%
Journaled

TAR Solution
41
Archive solution
Firewall
Exchange Server
User
Storage
TAR Engine
Yes
No

How Did We Get There?
• Multiple training exercises:
• Legal holds
• Business holds
• Tagging / coding strategy
• Validation and defensibility:
• Launch
• Periodic
42

Information Governance – What Does a Modern Program Look Like?

More Related Content

What's hot (20)

Similar to Information Governance – What Does a Modern Program Look Like? (20)

More from Winston & Strawn LLP (20)

Recently uploaded (20)

Information Governance – What Does a Modern Program Look Like?