SlideShare a Scribd company logo

E Discovery Risks for Risk Managers

Fred Travis
Fred Travis
1 of 21
Download to read offline
Managing E-Discovery Risks: What You Know Can Hurt You! Practical Steps for Risk Managers to Gain Control of Electronically Stored Information Before and During Litigation 10/24/2007 Fred Travis, Principal Risk Management Consulting Fred.travis@riskmanagementconsulting.net
Scope of the ESI Problem • Thirty-six billion e-mails are sent worldwide on a daily basis; rising by 20% annually • 93% of information is now held in a digital format – Seventy percent of that data is never printed • Kroll Survey – 4th Qtr. 2007: – Only 25 percent of U.S. corporate in-house counsel claimed to be fully up to speed with all case-law developments and regulations relating to ESI – About half of the respondents said their organizations had a policy regarding ESI – 75 percent state they are losing time and money due to inefficient ESI processes
E-Discovery Challenges • Locate relevant information; • Preserve it and prevent it from being destroyed or modified; • Collect it and convert it into a form that can be reviewed by attorneys; • Have it reviewed by attorneys for relevance and privilege; and finally, • Turn it over to opposing counsel, a court or regulator Each of these steps poses problems and costs
ESI Spoilation & Sanctions • Courts are holding companies accountable for ESI spoliation, and imposing severe penalties: – In 2004, a federal judge punished a company for deleting relevant e-mails by instructing the jury that the contents of the e-mails would have been favorable to the opposing party • Failure to properly manage ESI can also result in increased litigation costs or regulatory penalties – A corporation will not be excused from the duty to preserve electronic evidence merely due to the size, complexity or expense of compliance
ESI Issues & Problems • Volume of Electronic Communications: – Email; Instant Messaging; Web Groups; etc. • Proliferation of Other Electronic Documents: – Personnel records; Scanned documents; Financial Records; etc. • Inadequate ESI Retention protocols: – Category retention & destruction periods – Ineffective “Legal Hold” policies & procedures – Lack of Auditing, Assessment & Enforcement • Inefficient ESI storage & retrieval systems • Key Issue: Lack of Planning
Key Risk Management Questions About e-Discovery • Does your company have full control over ESI in case of litigation? • Who in your organization is accountable for ESI and e-Discovery? Who is actually working on it? • Is your company prepared for e-Discovery? – Does your company have policies & procedures in place to deal with production of ESI when required? – Does your company have the ability to determine whether all relevant ESI has been located & produced?
RM Questions About ESI Controls & Assessments • Has your company done an electronic data accessibility assessment? • Is your company ready to answer your outside law firm’s questions about ESI retention policies and IT environment? • Does your company have ESI cost control measures in place?
ESI Risk Management Requirements • Clear, Concise and Widely Disseminated ESI Strategy, Plans, Policies & Procedures – Understood & approved by In-house & Outside Counsel and IT • Clear Designations of Accountability for ESI • Regular Assessments & Audits of Compliance • Periodic Measurement of ESI Volume & Number of Production Requests • Adequate Budgets for ESI Retention, Retrieval, Compliance, Destruction, Training & Technology
Risk Management Steps for ESI Compliance 1. Develop an ESI compliance strategy NOW -- before litigation makes it necessary – Select a task force comprising IT, Legal, Risk Management and a selection of key administrative & operations personnel to develop a strategy, policies and specific action plans – Risk Management should separately work with IT and legal departments to identify potential legal, technical, technological and financial issues – The strategy, policies and procedures must be communicated to, and approved by, Outside Counsel, Senior Management and/or the Board of Directors
Electronic Document Retention Policies & Procedures • Company must Prepare for, Implement, Manage and Assess Compliance of Reasonable ESI Retention Policies and Procedures – There is no one-size-fits-all approach that will satisfy the needs of every company – Unless some legal duty requires an organization to preserve the information, systematic destruction of ESI is both desirable and defensible – The key is to recognize when it is necessary to retain ESI and to take the appropriate measures to preserve and produce it
Critical ESI Principles 1. An organization cannot keep all information it creates and receives. 2. Purging information on an ad hoc basis can create serious business and legal consequences. 3. Storing information is not the equivalent of managing it. 4. Locally stored electronic mail (PST or NSF) files create technology expense and pose an e-discovery challenge. 5. Information that is not readily accessible is of questionable value. 6. Information that is difficult to access can be a source of significant liability. 7. Disaster recovery is not records retention. 8. Disaster recovery tapes are not an appropriate place for retaining company records. 9. The more information an organization has, the harder it is to find what is needed, when it is needed. 10. Records responsive to discovery requests can be found in e-mail, blogs, instant messaging and voice mail. 11. Records are different than evidence. 12. Non-records or drafts of records may otherwise need to be produced even if they did not need to be retained initially.
ESI Risk Management Steps 2. Develop & Enforce Formal Document Retention Policies and Procedures That Include ESI data – The policy should clearly explain what information must be retained, and for how long; and what information must be deleted according to a regularly followed schedule
ESI Preservation • All relevant ESI must be preserved upon notice of litigation – An attorney who is representing an opposing party may send a “litigation hold” letter that requires the company to preserve & continue to collect all related documents, including electronic data • Company must preserve e-mails and other electronic data when litigation is anticipated – The duty to preserve material evidence arises not only during litigation, but also extends to that period prior to litigation when a company knew, or reasonably should have known, that the ESI might be relevant to anticipated litigation
ESI Risk Management Steps 3. Plan & Implement “Legal Hold” Policies & Procedures that: – Address information on all relevant systems and devices – Assure, to the extent possible and reasonable, that all relevant documents are found and secured – Train all affected personnel – Assess, review and audit compliance regularly
“Legal Hold” Policy & Procedures • A “Legal Hold” retention policy must establish processes and procedures for preserving and producing documents, including ESI, relevant to current and anticipated litigation – At a minimum, the company must identify employees likely to possess relevant information and timely notify them of a “Legal Hold” situation – Those employees must be instructed to cease the deletion or destruction of relevant information, and to identify and preserve all relevant documents & records where they can be easily retrieved
“Legal Hold” Policy & Procedures – Key: All personnel with access to or responsibility for company documents, including ESI, must be identified and provided guidance and training in Legal Hold policies and procedures – When appropriate, Legal and Management must communicate a Legal Hold to all relevant personnel clearly, forcefully and promptly • Failure to do so will likely result in the loss of relevant documents, or the failure to identify all of them – Risk Management and Legal should regularly review, assess and document the effectiveness of Legal Hold procedures
ESI Risk Management Steps 4. Develop Efficient Processes and Procedures for Complying With e-Discovery Production Requests − Key: reasonable, defensible transparent process for compliance − Establish procedures that clearly define where to look and how to look for relevant information • Make sure that all possible systems are noted
ESI Risk Management Steps 5. Reduce the ESI document universe: – Assure eligible ESI is deleted on schedule – Re-inspect existing storage for material that can – and should – be eliminated – Catalogue back-up tapes and equipment to assure all copies are purged – Audit procedures and processes frequently
ESI Risk Management Steps 6. Leverage existing document collections – Monitor multiple cases & index discovery requests for similar items. – Catalogue and reuse prior discovery material. 7. Train & Educate: – Thoroughly train employees in ESI retention & destruction policies & procedures – Particularly emphasize their responsibilities to preserve unmodified all ESI on Legal Hold
The Bottom Line • Risk Management Must Take Ownership of This Issue to Create and Manage an ESI Team to: – Develop a strategy, policies and procedures – Obtain all necessary approvals from senior management and in-house & outside counsel – Enforce, assess, review and audit compliance • Otherwise, your company will find itself at the sharp end of regulation – Unnecessarily at a disadvantage in legal proceedings – Potentially under threat of severe legal damages – Subject to high discovery costs
QUESTIONS?

Recommended

Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...Health, Education, Social Protection and Labor World Bank
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System SecurityCSSRL PUNE
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 

Recommended

Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...
Pensions Core Course 2013: Pension Supervision - Global Capital Markets Non-b...Health, Education, Social Protection and Labor World Bank
 
Chapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityChapter 8: Communications and Operations Security
Chapter 8: Communications and Operations SecurityNada G.Youssef
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementMaganathin Veeraragaloo
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
IT governance and Information System Security
IT governance and Information System SecurityIT governance and Information System Security
IT governance and Information System SecurityCSSRL PUNE
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organizationDan Morrill
 
Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance programSiddharth Janakiram
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementNada G.Youssef
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014Aladdin Dandis
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...Health IT Conference – iHT2
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
Information classification
Information classificationInformation classification
Information classificationJyothsna Sridhar
 
Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014Aladdin Dandis
 
HNBA Boston - eDiscovery
HNBA Boston - eDiscoveryHNBA Boston - eDiscovery
HNBA Boston - eDiscoveryAbel Cruz
 
3.5 ICT Policies
3.5 ICT Policies3.5 ICT Policies
3.5 ICT Policiesmrmwood
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
A2 ICT Policies
A2 ICT PoliciesA2 ICT Policies
A2 ICT PoliciesBen Williams
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Implementing security
Implementing securityImplementing security
Implementing securityDhani Ahmad
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Aladdin Dandis
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramTammy Clark
 
Discovering The Pivotal Point Consumer
Discovering The Pivotal Point ConsumerDiscovering The Pivotal Point Consumer
Discovering The Pivotal Point ConsumerJoão Lemos Diogo
 
Bridging The P & C Gap
Bridging The P & C GapBridging The P & C Gap
Bridging The P & C Gapamie2007
 

More Related Content

What's hot

Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance programSiddharth Janakiram
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementNada G.Youssef
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...Health IT Conference – iHT2
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Factsresourceone
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Aladdin Dandis
 
Information classification
Information classificationInformation classification
Information classificationJyothsna Sridhar
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk GovernanceDan Michaluk
 
HNBA Boston - eDiscovery
HNBA Boston - eDiscoveryHNBA Boston - eDiscovery
HNBA Boston - eDiscoveryAbel Cruz
 
3.5 ICT Policies
3.5 ICT Policies3.5 ICT Policies
3.5 ICT Policiesmrmwood
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources SecurityNada G.Youssef
 
Implementing security
Implementing securityImplementing security
Implementing securityDhani Ahmad
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Aladdin Dandis
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramTammy Clark
 

What's hot (20)

Aetna information security assurance program
Aetna information security assurance programAetna information security assurance program
Aetna information security assurance program
 
Chapter 4: Governance and Risk Management
Chapter 4: Governance and Risk ManagementChapter 4: Governance and Risk Management
Chapter 4: Governance and Risk Management
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
CHIME LEAD Fourm Houston - "Creating an Effective Cyber Security Strategy: Ke...
 
You and HIPAA - Get the Facts
You and HIPAA - Get the FactsYou and HIPAA - Get the Facts
You and HIPAA - Get the Facts
 
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014Fraudulent Methods for Attacking Bank Networks and Prevention 2014
Fraudulent Methods for Attacking Bank Networks and Prevention 2014
 
Information classification
Information classificationInformation classification
Information classification
 
Security policy
Security policySecurity policy
Security policy
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Cybersecurity Risk Governance
Cybersecurity Risk GovernanceCybersecurity Risk Governance
Cybersecurity Risk Governance
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
HNBA Boston - eDiscovery
HNBA Boston - eDiscoveryHNBA Boston - eDiscovery
HNBA Boston - eDiscovery
 
3.5 ICT Policies
3.5 ICT Policies3.5 ICT Policies
3.5 ICT Policies
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
A2 ICT Policies
A2 ICT PoliciesA2 ICT Policies
A2 ICT Policies
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
Chapter 6: Human Resources Security
Chapter 6: Human Resources SecurityChapter 6: Human Resources Security
Chapter 6: Human Resources Security
 
Implementing security
Implementing securityImplementing security
Implementing security
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security Program
 

Viewers also liked

Discovering The Pivotal Point Consumer
Discovering The Pivotal Point ConsumerDiscovering The Pivotal Point Consumer
Discovering The Pivotal Point ConsumerJoão Lemos Diogo
 
Bridging The P & C Gap
Bridging The P & C GapBridging The P & C Gap
Bridging The P & C Gapamie2007
 
Bridging The P & C Gap
Bridging The P & C GapBridging The P & C Gap
Bridging The P & C Gapamie2007
 
Insta cart (1)
Insta cart (1)Insta cart (1)
Insta cart (1)Pallav L
 
Defection Dilemma Final
Defection Dilemma FinalDefection Dilemma Final
Defection Dilemma Finalguest0aa935
 
Risk management 101
Risk management 101Risk management 101
Risk management 101Fred Travis
 
The Consumer Defection Dilemma
The Consumer Defection DilemmaThe Consumer Defection Dilemma
The Consumer Defection DilemmaJoão Lemos Diogo
 

Viewers also liked (8)

Discovering The Pivotal Point Consumer
Discovering The Pivotal Point ConsumerDiscovering The Pivotal Point Consumer
Discovering The Pivotal Point Consumer
 
Bridging The P & C Gap
Bridging The P & C GapBridging The P & C Gap
Bridging The P & C Gap
 
Brawny Fieldguide
Brawny FieldguideBrawny Fieldguide
Brawny Fieldguide
 
Bridging The P & C Gap
Bridging The P & C GapBridging The P & C Gap
Bridging The P & C Gap
 
Insta cart (1)
Insta cart (1)Insta cart (1)
Insta cart (1)
 
Defection Dilemma Final
Defection Dilemma FinalDefection Dilemma Final
Defection Dilemma Final
 
Risk management 101
Risk management 101Risk management 101
Risk management 101
 
The Consumer Defection Dilemma
The Consumer Defection DilemmaThe Consumer Defection Dilemma
The Consumer Defection Dilemma
 

Similar to E Discovery Risks for Risk Managers

E Discovery V2.Pdf
E Discovery V2.PdfE Discovery V2.Pdf
E Discovery V2.PdfFred Travis
 
records management workshop updated 20141112.pptx
records management workshop updated 20141112.pptxrecords management workshop updated 20141112.pptx
records management workshop updated 20141112.pptxErmiyas33
 
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docx
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docxCHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docx
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docxmccormicknadine86
 
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller
 
What Every Attorney Needs to Know
What Every Attorney Needs to KnowWhat Every Attorney Needs to Know
What Every Attorney Needs to KnowBoyarMiller
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Asad Zaman
 
Implementing Asset Management System with ISO 55001
Implementing Asset Management System with ISO 55001Implementing Asset Management System with ISO 55001
Implementing Asset Management System with ISO 55001PECB
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt20214Mohan
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach riskLivingstone Advisory
 
ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentBill Lisse
 
Using Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your BusinessUsing Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your BusinessOsterman Research, Inc.
 
Health care charities seminar, November 2018, Manchester
Health care charities seminar, November 2018, ManchesterHealth care charities seminar, November 2018, Manchester
Health care charities seminar, November 2018, ManchesterBrowne Jacobson LLP
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseCGTI
 
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdf
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdfPrepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdf
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdfarjuntiwari586
 

Similar to E Discovery Risks for Risk Managers (20)

E Discovery V2.Pdf
E Discovery V2.PdfE Discovery V2.Pdf
E Discovery V2.Pdf
 
records management workshop updated 20141112.pptx
records management workshop updated 20141112.pptxrecords management workshop updated 20141112.pptx
records management workshop updated 20141112.pptx
 
HIPAA omnibus rule update
HIPAA omnibus rule updateHIPAA omnibus rule update
HIPAA omnibus rule update
 
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docx
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docxCHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docx
CHAPTER 8INFORMATION GOVERNANCEInformation Governance & .docx
 
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
BoyarMiller – What Every Attorney Needs to Know Regarding Document Retention,...
 
SNW Fall 2009
SNW Fall 2009SNW Fall 2009
SNW Fall 2009
 
What IT Needs to Consider for Legal Hold
What IT Needs to Consider for Legal HoldWhat IT Needs to Consider for Legal Hold
What IT Needs to Consider for Legal Hold
 
What Every Attorney Needs to Know
What Every Attorney Needs to KnowWhat Every Attorney Needs to Know
What Every Attorney Needs to Know
 
insider threat research
insider threat researchinsider threat research
insider threat research
 
Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1Multi-faceted Cyber Security v1
Multi-faceted Cyber Security v1
 
EDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records ManagementEDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records Management
 
Implementing Asset Management System with ISO 55001
Implementing Asset Management System with ISO 55001Implementing Asset Management System with ISO 55001
Implementing Asset Management System with ISO 55001
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
ISSA Data Retention Policy Development
ISSA Data Retention Policy DevelopmentISSA Data Retention Policy Development
ISSA Data Retention Policy Development
 
Using Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your BusinessUsing Email, File, Social Media and Mobile Archiving to Grow Your Business
Using Email, File, Social Media and Mobile Archiving to Grow Your Business
 
Lesson2.pptx
Lesson2.pptxLesson2.pptx
Lesson2.pptx
 
Health care charities seminar, November 2018, Manchester
Health care charities seminar, November 2018, ManchesterHealth care charities seminar, November 2018, Manchester
Health care charities seminar, November 2018, Manchester
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve Howse
 
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdf
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdfPrepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdf
Prepare a 3-4 page, double-spaced paper (cite 3-4 reliable sources) .pdf
 

E Discovery Risks for Risk Managers

  • 1. Managing E-Discovery Risks: What You Know Can Hurt You! Practical Steps for Risk Managers to Gain Control of Electronically Stored Information Before and During Litigation 10/24/2007 Fred Travis, Principal Risk Management Consulting Fred.travis@riskmanagementconsulting.net
  • 2. Scope of the ESI Problem • Thirty-six billion e-mails are sent worldwide on a daily basis; rising by 20% annually • 93% of information is now held in a digital format – Seventy percent of that data is never printed • Kroll Survey – 4th Qtr. 2007: – Only 25 percent of U.S. corporate in-house counsel claimed to be fully up to speed with all case-law developments and regulations relating to ESI – About half of the respondents said their organizations had a policy regarding ESI – 75 percent state they are losing time and money due to inefficient ESI processes
  • 3. E-Discovery Challenges • Locate relevant information; • Preserve it and prevent it from being destroyed or modified; • Collect it and convert it into a form that can be reviewed by attorneys; • Have it reviewed by attorneys for relevance and privilege; and finally, • Turn it over to opposing counsel, a court or regulator Each of these steps poses problems and costs
  • 4. ESI Spoilation & Sanctions • Courts are holding companies accountable for ESI spoliation, and imposing severe penalties: – In 2004, a federal judge punished a company for deleting relevant e-mails by instructing the jury that the contents of the e-mails would have been favorable to the opposing party • Failure to properly manage ESI can also result in increased litigation costs or regulatory penalties – A corporation will not be excused from the duty to preserve electronic evidence merely due to the size, complexity or expense of compliance
  • 5. ESI Issues & Problems • Volume of Electronic Communications: – Email; Instant Messaging; Web Groups; etc. • Proliferation of Other Electronic Documents: – Personnel records; Scanned documents; Financial Records; etc. • Inadequate ESI Retention protocols: – Category retention & destruction periods – Ineffective “Legal Hold” policies & procedures – Lack of Auditing, Assessment & Enforcement • Inefficient ESI storage & retrieval systems • Key Issue: Lack of Planning
  • 6. Key Risk Management Questions About e-Discovery • Does your company have full control over ESI in case of litigation? • Who in your organization is accountable for ESI and e-Discovery? Who is actually working on it? • Is your company prepared for e-Discovery? – Does your company have policies & procedures in place to deal with production of ESI when required? – Does your company have the ability to determine whether all relevant ESI has been located & produced?
  • 7. RM Questions About ESI Controls & Assessments • Has your company done an electronic data accessibility assessment? • Is your company ready to answer your outside law firm’s questions about ESI retention policies and IT environment? • Does your company have ESI cost control measures in place?
  • 8. ESI Risk Management Requirements • Clear, Concise and Widely Disseminated ESI Strategy, Plans, Policies & Procedures – Understood & approved by In-house & Outside Counsel and IT • Clear Designations of Accountability for ESI • Regular Assessments & Audits of Compliance • Periodic Measurement of ESI Volume & Number of Production Requests • Adequate Budgets for ESI Retention, Retrieval, Compliance, Destruction, Training & Technology
  • 9. Risk Management Steps for ESI Compliance 1. Develop an ESI compliance strategy NOW -- before litigation makes it necessary – Select a task force comprising IT, Legal, Risk Management and a selection of key administrative & operations personnel to develop a strategy, policies and specific action plans – Risk Management should separately work with IT and legal departments to identify potential legal, technical, technological and financial issues – The strategy, policies and procedures must be communicated to, and approved by, Outside Counsel, Senior Management and/or the Board of Directors
  • 10. Electronic Document Retention Policies & Procedures • Company must Prepare for, Implement, Manage and Assess Compliance of Reasonable ESI Retention Policies and Procedures – There is no one-size-fits-all approach that will satisfy the needs of every company – Unless some legal duty requires an organization to preserve the information, systematic destruction of ESI is both desirable and defensible – The key is to recognize when it is necessary to retain ESI and to take the appropriate measures to preserve and produce it
  • 11. Critical ESI Principles 1. An organization cannot keep all information it creates and receives. 2. Purging information on an ad hoc basis can create serious business and legal consequences. 3. Storing information is not the equivalent of managing it. 4. Locally stored electronic mail (PST or NSF) files create technology expense and pose an e-discovery challenge. 5. Information that is not readily accessible is of questionable value. 6. Information that is difficult to access can be a source of significant liability. 7. Disaster recovery is not records retention. 8. Disaster recovery tapes are not an appropriate place for retaining company records. 9. The more information an organization has, the harder it is to find what is needed, when it is needed. 10. Records responsive to discovery requests can be found in e-mail, blogs, instant messaging and voice mail. 11. Records are different than evidence. 12. Non-records or drafts of records may otherwise need to be produced even if they did not need to be retained initially.
  • 12. ESI Risk Management Steps 2. Develop & Enforce Formal Document Retention Policies and Procedures That Include ESI data – The policy should clearly explain what information must be retained, and for how long; and what information must be deleted according to a regularly followed schedule
  • 13. ESI Preservation • All relevant ESI must be preserved upon notice of litigation – An attorney who is representing an opposing party may send a “litigation hold” letter that requires the company to preserve & continue to collect all related documents, including electronic data • Company must preserve e-mails and other electronic data when litigation is anticipated – The duty to preserve material evidence arises not only during litigation, but also extends to that period prior to litigation when a company knew, or reasonably should have known, that the ESI might be relevant to anticipated litigation
  • 14. ESI Risk Management Steps 3. Plan & Implement “Legal Hold” Policies & Procedures that: – Address information on all relevant systems and devices – Assure, to the extent possible and reasonable, that all relevant documents are found and secured – Train all affected personnel – Assess, review and audit compliance regularly
  • 15. “Legal Hold” Policy & Procedures • A “Legal Hold” retention policy must establish processes and procedures for preserving and producing documents, including ESI, relevant to current and anticipated litigation – At a minimum, the company must identify employees likely to possess relevant information and timely notify them of a “Legal Hold” situation – Those employees must be instructed to cease the deletion or destruction of relevant information, and to identify and preserve all relevant documents & records where they can be easily retrieved
  • 16. “Legal Hold” Policy & Procedures – Key: All personnel with access to or responsibility for company documents, including ESI, must be identified and provided guidance and training in Legal Hold policies and procedures – When appropriate, Legal and Management must communicate a Legal Hold to all relevant personnel clearly, forcefully and promptly • Failure to do so will likely result in the loss of relevant documents, or the failure to identify all of them – Risk Management and Legal should regularly review, assess and document the effectiveness of Legal Hold procedures
  • 17. ESI Risk Management Steps 4. Develop Efficient Processes and Procedures for Complying With e-Discovery Production Requests − Key: reasonable, defensible transparent process for compliance − Establish procedures that clearly define where to look and how to look for relevant information • Make sure that all possible systems are noted
  • 18. ESI Risk Management Steps 5. Reduce the ESI document universe: – Assure eligible ESI is deleted on schedule – Re-inspect existing storage for material that can – and should – be eliminated – Catalogue back-up tapes and equipment to assure all copies are purged – Audit procedures and processes frequently
  • 19. ESI Risk Management Steps 6. Leverage existing document collections – Monitor multiple cases & index discovery requests for similar items. – Catalogue and reuse prior discovery material. 7. Train & Educate: – Thoroughly train employees in ESI retention & destruction policies & procedures – Particularly emphasize their responsibilities to preserve unmodified all ESI on Legal Hold
  • 20. The Bottom Line • Risk Management Must Take Ownership of This Issue to Create and Manage an ESI Team to: – Develop a strategy, policies and procedures – Obtain all necessary approvals from senior management and in-house & outside counsel – Enforce, assess, review and audit compliance • Otherwise, your company will find itself at the sharp end of regulation – Unnecessarily at a disadvantage in legal proceedings – Potentially under threat of severe legal damages – Subject to high discovery costs