• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Orange Legal Technologies Corporate Information Briefing   1108
 

Orange Legal Technologies Corporate Information Briefing 1108

on

  • 770 views

 

Statistics

Views

Total Views
770
Views on SlideShare
770
Embed Views
0

Actions

Likes
0
Downloads
6
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Orange Legal Technologies Corporate Information Briefing   1108 Orange Legal Technologies Corporate Information Briefing 1108 Document Transcript

    • August 2008 Improving Results for the Legal Custody of Information IT Policy Compliance Group
    • Improving Results for the Legal Custody of Information Contents Executive Summary 3 Key Findings 3 Implications and Analysis 5 Recommendations for Action 6 Research Findings 7 Burden of Legal Requests: More Likely to Impact Large Enterprises 7 Large Enterprises: More Legal Summonses and Holds Related to Information 7 Maturity of Practices for Legal Hold 8 Confidence in Responding to Legal Requests for Information 9 Equal Opportunity Outcomes for Legal Holds 10 Average Financial Settlements and Expenses, by Size of Organization 10 Expenses Vary Significantly by the Maturity of Practices for Legal Holds 11 Who’s Involved in Finding, Producing and Protecting Information 11 Paper, Legacy Information and Electronically Stored Information 12 Most Time-Consuming and Expensive Information to Find, Protect, and Produce 13 Time and Expense in IT to Find, Protect, and Produce 13 Strategic Actions and Practices that Improve Maturity and Results 14 Practices and Capabilities in IT that Improve Maturity and Results 15 Most Helpful Technologies to Find, Protect and Produce Data 16 Discussions with the Lawyers 17 ESI and the Scope of Legal Discovery 17 ESI and the Impact of Age and Time 17 Legal Requests and Summonses for Information 17 Information Formats, Indexing and Costs 18 Recommendations from the Lawyers 18 Regulatory Drivers and Legal Custody of Information 18 Legal Custody and Controls Effectiveness 19 Maturity Impacts Legal Custody, Compliance, and Data Protection 20 Who Should Improve the Maturity of Practices for Legal Hold 20 Taking Action to Improve Results 21 About the Research 23 About IT Policy Compliance Group 24 © 2008 IT Policy Compliance Group
    • Improving Results for the Legal Custody of Information Executive Summary Key Findings Large enterprise spend more than other firms for legal holds The average financial costs of legal holds placed on information for firms with normative practices include: • Large enterprises: From $500,000 to more than $9 million annually. • Midsize organizations: From $300,000 to $500,000 each year. • Small businesses: Less than $300,000 per year. Costs for legal custody are driven by maturity of practices Organizations with the least mature practices are spending much more, as follows: • Large enterprises: From $1.5 million to more than $28 million annually. • Midsize organizations: From $800,000 to $1.5 million each year. • Small businesses: Less than $800,000 per year. Firms with the most mature practices are spending much less, as follows: • Large enterprises: From $120,000 to $2.6 million annually. • Midsize organizations: From $66,000 to $120,000 each year. • Small businesses: Less than $66,000 per year. Improvements to practices increase confidence and reduce expenses The realities are: Firms with the most confidence in the accessibility, completeness and accuracy of data have most mature practices and spend the least on legal holds. Firms with the least confidence in the accessibility, completeness and accuracy of data have the least mature practices and spend the most of legal holds. Large enterprises have a latent advantage that can be leveraged Accessibility, completeness and accuracy of data to support legal holds depend on how much information is electronically stored information (ESI). The numbers show: ESI among large enterprises: 50 to 70 percent. ESI among midsize firms: 35 percent to 50 percent. ESI among small businesses: 20 percent to 35 percent. However, this latent advantage can only be leveraged if information is indexed for rapid search, protection, preservation and production in response to legal requests. Strategic actions and practices that are improving results and reducing costs The strategic actions that are improving results include: Notifying affected employees of legal holds on information within one hour. Responding to legal requests within one day. Maintaining evidence of handling of data and delivering training to employees. Identifying business and financial risks and measuring results. Updating policies and procedures and updating records retention programs. Improving the quality of legal counsel and legal hold procedures and controls. Forming cross-functional teams to respond to requests within one day. © 2008 IT Policy Compliance Group, 3
    • Improving Results for the Legal Custody of Information Key Findings (continued) Practices in IT that are improving results and reducing costs The actions and practices in IT that are shown to improve results include: Identifying the gaps in procedural and technical controls. Converting information into electronic formats. Inventorying and indexing information for rapid search. Increasing the frequency of monitoring and measurements. Correcting gaps in procedural and technical controls. Updating policies and procedures. Improving technical and procedural controls. Most helpful technologies to improve results The technologies being employed by the firms with the most mature practices and the lowest expenses include: Backup and archive. Data capture and conversion tools. Data and record indexing tools. Records retention and destruction tools. Employee education and training tools. Information to target The information routinely indexed to search preserve and produce information in response to legal holds by the firms with the most mature practices and lowest costs, include: Email, office productivity files, and instant messaging. Industry-specific information. Product and financial information. Employee and customer related information. Improving the maturity of practices for data custody pays off Improving the maturity of practices for legal custody yields huge reductions to current expenses: Organizations with the least mature practices can reduce overall expenses for legal custody by a factor of 13 by improving practices. The majority of firms, those operating at the norm, can reduce expenses by a factor of 4 by improving practices. Improving the maturity of practices for the legal custody of information Reduces expenses for legal settlements and fees Reduces expenses in IT to find, produce, protect and preserve information on hold © 2008 IT Policy Compliance Group, 4
    • Improving Results for the Legal Custody of Information Implications and Analysis Legal holds on information start when an organization learns of, or can reasonably anticipate current or pending litigation and regulatory investigations. The complexities involved in complying with legal requests for information are most prudently carried out under the direction of legal counsel. As such, whether a firm is named as a defendant, or is caught up in litigation as a third-party, the custody of information covered by a legal hold should be directed by legal counsel. Notifying employees, and potentially suppliers or customers, is just the start of a legal process governing holds on information. Large enterprises: Follow the money Despite a broad 50/50 chance of being served a court summons related to data and records, larger enterprises are bearing the brunt of such demands. For large enterprises, the likelihood of summonses start at two per year, and can exceed five or more events annually, while the number of annual legal requests for information are far higher. Legal settlement costs; legal expenses; and costs related to finding, protecting, preserving, Large enterprises with the and producing data in response to legal holds for information are far higher among larger least mature practices are enterprises than midsize organizations and small businesses. spending between $1.5 Among larger enterprises, average costs and expenses related to legal holds placed on million to more than $28 information range from $500,000 to more than $9 million annually, depending on the size million annually, depending of the organization. on the size of the organization. However, the maturity of practices for information governed by legal holds directly influence spending. Large enterprises with the most mature practices are spending only 25 percent of the amount firms with normative practices spend: from $120,000 to more than $2.6 million annually, depending on the size of the firm. Conversely, organizations with the least mature practices are spending much more than all other firms. Large enterprises with the least mature practices are spending three times more than firms with normative practices spend: from $1.5 million to more than $28 million annually, depending on the size of the organization. ESI: The wave has hit the beach Although paper-based records are identified as the most traditional format and the most time consuming and expensive for all organizations, the research conducted with attorneys shows that electronically stored information (ESI) requests are increasingly making up a larger proportion of the legal requests, especially for email and office productivity files among other forms of ESI. Unless ESI (email, office files, product design records, customer transaction data, instant messaging files, financial transactions, etc) is indexed for rapid search, protection and production, it offers no obvious benefit. For example, 10 Gigabytes of information is about 500,000 pages, close to 200 boxes of paper that would normally not be indexed while being stored off-site. Practice maturities dictate outcomes Neither the size of an organization nor the industry within which it competes is the arbiter of better or worse performance results, or of higher or lower costs. Rather, the practices implemented for legal custody are what distinguish how much is being spent, and how well or poorly organizations are able to respond to legal holds governing information. Organizations that respond more Strategic Actions and Practices making a Difference rapidly to holds governing The strategic actions distinguishing firms with the best results for legal custody include: information are also excelling at • Maintaining evidence of handling for records and data delivering training to regulatory compliance and the employees protection of sensitive data. • Identifying business and financial risks • Measuring results Practices in IT that are Making a Difference Leading firms are converting more information into indexed, searchable electronic formats that can more rapidly be found, preserved, protected, and produced in response to legal requests. Examples of the kind of information being converted into structured electronic records for rapid search, protection, and production include: © 2008 IT Policy Compliance Group, 5
    • Improving Results for the Legal Custody of Information • Email and attachments • Office documents • Instant messaging files • Audio files (telephone records) Organizations performing as leaders for legal custody are also excelling at regulatory compliance and the protection of sensitive data. Taking a holistic view of compliance, these firms are treating the legal custody of information as one aspect of managing information in an increasingly electronically interconnected World. Recommendations for Action Based on the quantitative results of the benchmarks and the qualitative research conducted with the lawyers, the principle recommendations include the following. Large enterprises Should take action: are clearly the primary targets of legal request for information Should aggressively improve the maturity of practices to limit financial pain Midsize organizations Should evaluate financial impact, past experience and industry setting Should be improving easier-to-implement practices with large paybacks Improve organizational practices Notify affected employees about a legal hold on information within one hour or less Respond to the initial request within one business day or less Update corporate policies and procedures Improve the quality of legal counsel Form a cross-functional response team Conduct employee training consistently Revise records retention policies and procedures Improve legal hold procedures and controls Measure results more frequently Improve practices and capabilities IT Target highly probable areas to convert into electronically indexed, searchable archives — especially email, invoices, telephone records, and financial data Use indexing tools to enable the rapid search of information covered by requests Archive and index paper-based records and data that are most likely targets Target additional types of data for conversion, based on industry-specific litigation Update IT policies and procedures for the retention and destruction of information Maintain evidence of handling and protection of data and records Correct gaps in IT procedures and controls Measure the effectiveness of controls more frequently © 2008 IT Policy Compliance Group, 6
    • Improving Results for the Legal Custody of Information Research Findings Burden of Legal Requests: More Likely to Impact Large Enterprises For most firms, there is a 50 percent chance that data and records will have to be found, protected, and produced in response to legal requests or court summons. However, not all organizations are burdened with the need to find, protect and produce information in response to legal requests and summonses equally. Rather, large enterprises are bearing the brunt of responding to legal requests for data, with six out of ten large firms taking action to find, protect and produce data in response to such demands (Figure 1). Figure 1: Firms That Are Finding, Protecting, and Producing Information Source: IT Policy Compliance Group, 2008 By comparison, only three out of ten small businesses with revenues below $50 million are spending time to find, produce and protect records and data in response to legal requests and summonses. And, only five out of ten midsize organizations are spending time to respond to these demands. Large Enterprises: More Legal Summonses and Holds Related to Information The number of legal summonses received each year is directly related to the size of an organization, with large enterprises experiencing more such events annually. However, according to the lawyers interviewed, actual court summonses represent but a small portion of the total number of legal requests for data, in the range of 2 to 10 percent of all legal requests. Organizations with annual revenues between $100 million and $1 billion should plan on at least one to two court actions each year. Firms with $10 billion in annual revenue should plan for between two and five such events annually. Organizations with more than $100 billion in revenue should plan for more than five summonses each year. While far more legal holds on data occur than summons received, and large enterprises are experiencing more summons related to legal holds placed on information, the findings deliver proof that “if you follow the money”, the action is clearly focused on large enterprises (Figure 2). © 2008 IT Policy Compliance Group, 7
    • Improving Results for the Legal Custody of Information Figure 2: Number of Annual Summonses by Revenue Source: IT Policy Compliance Group, 2008 Maturity of Practices for Legal Hold Not all firms notify affected employees and respond to legal requests for data and records in the same amount of time. In fact, the benchmark results show a normal distribution for these two key metrics (Figure 3). Figure 3: Distribution of Practices, Least to Most Mature © 2008 IT Policy Compliance Group, 8 Source: IT Policy Compliance Group, 2008
    • Improving Results for the Legal Custody of Information Most mature practices: About one in ten firms Roughly one in ten—12 percent—of all firms are performing at the most mature levels. These firms are notifying employees in less than one hour about a legal hold on records and data and are responding to legal requests for information within one day. Industry norm: About seven in ten firms About seven in ten—almost 71 percent—of all organizations are performing at the industry norm: one to eight hours to notify employees and between one and eight days to respond to legal requests for information. Least mature: Almost two in ten firms Almost two in ten—nearly 18 percent—of all firms are performing at the least mature levels, taking more than eight hours to notify employees and more than eight days to respond to legal requests for data and records. Confidence in Responding to Legal Requests for Information According to the legal counsels interviewed, their confidence in cases involving the request of data and records depends on the accessibility, accuracy, completeness, and trustworthiness of data and records, after considering existing law and prior rulings. The research findings reveal that the firms with the most mature practice indicators, those notifying employees within one hour about a legal hold on data and responding within one day, are more confident than all other organizations. Moreover, these firms have greater confidence in the accessibility, integrity, accuracy and trustworthiness of data and records: key considerations, according to the lawyers, when dealing with legal requests for data and records (Figure 4). Figure 4: Confidence in Capabilities Source: IT Policy Compliance Group, 2008 Firms with up to one legal request for data each year are the least confident in the trustworthiness, completeness, accuracy, and accessibility of data and records. These are the same firms that are not actively finding, protecting, and producing data. If “practice makes perfect,” it may take organizations several legal requests to develop the wisdom to notify affected employees immediately and the practices needed to respond to within one day. Firms with the best results are doing things very differently than all other organizations. Whether confidence in measured by the trustworthiness, completeness, accuracy, and accessibility of data, or confidence in the legal case, the results of the benchmark indicate confidence in the procedures for data holds are necessary enablers for succeeding with the legal case. © 2008 IT Policy Compliance Group, 9
    • Improving Results for the Legal Custody of Information Equal Opportunity Outcomes for Legal Holds Despite a much higher incidence rate for the number of summonses and legal requests received among larger enterprises, the performance of large firms is in line with the overall maturity of practices across firms of all sizes. This finding proves that despite more experience among large firms, firm size does not dictate outcomes (Table 1). Table 1: Different Experiences, Same Results Least Normative Most mature results mature Firms with no plans 18.2% 71.1% 10.7% and no activity Firms actively finding, 16.8% 69.9% 13.3% protecting, and producing data All firms 17.5% 70.5% 12.0% Source: IT Policy Compliance Group, 2008 Average Financial Settlements and Expenses, by Size of Organization Large enterprises operating with normative practice maturities for legal data hold are spending much more on legal settlements, legal expenses, and internal costs to find, protect and produce data than midsize organizations and small businesses (Figure 5). Figure 5: Financial Expenses of Legal Data Holds Among Normative Firms Source: IT Policy Compliance Group, 2008 A minimum of 50 percent all expenses are for legal settlements and legal expenses. Internal expenses for finding, protecting and producing data in response to legal holds range from 25 percent to 50 percent of all costs, based on the organization size. Large enterprises are spending 60 times more than small businesses and 25 times more than midsize firms on legal expenses and expenses to find, protect, and produce data. © 2008 IT Policy Compliance Group, 10
    • Improving Results for the Legal Custody of Information Expenses Vary Significantly by the Maturity of Practices for Legal Holds However, financial expense among the firms with normative practices is deceiving. Total expenses are driven higher by about three-fold among firms operating with the least mature practices for legal data holds. In contrast, firms with the most mature practices are benefiting from much lower spending: about 25 percent of the expenses being borne by firms with normative practices for legal data hold (Figure 6). Figure 6: Average Annual Expenses, by Maturity of Practices Source: IT Policy Compliance Group, 2008 For example, firms with $10 billion in annual revenues are spending more, or less on legal data holds, depending on the maturity of the practices. Firms of this size with the least mature practices are spending, on average, $6.4 million; while the normative among these firms are spending about $2.1 million. Those with the most mature practices are spending much less: slightly less than $480,000 annually. The difference, more than 13 times larger among the least mature and more than 4 times larger among the majority of firms in the norm is sufficient financial incentive to improve practices for legal data holds. The maturity of practices governing legal data holds among firms is resulting in different spending experiences that include: • Spending on legal data custody that is more than 13 times larger among firms with the least mature practices • Spending on legal data custody that is more than four times larger among firms with normative practices Spending on legal and internal costs to find, protect and produce data in response to legal requests for data is reduced by more confidence: made possible by more mature practices. Who’s Involved in Finding, Producing and Protecting Information The receipt of legal requests for data is a drain on the time and focus of many different functions in the organization, including legal counsel, IT, senior managers, human resources and affected employees (Figure 7). Consistent with interviews conducted with legal counsels, the use of contractors to find, protect and produce data in response to legal requests for information is marginal, and often limited to the initial incident. The relatively high level of involvement of senior managers in finding, protecting and producing data in response to legal requests indicates either specifically named legal discovery inquiries, topical relevance such as requests related to financial filings, or a combination of these. Legal requests for information are occupying a significant amount of time that could otherwise be put to more productive purposes for servicing and retaining customers, and creating improved shareholder value. © 2008 IT Policy Compliance Group, 11
    • Improving Results for the Legal Custody of Information Figure 7: Who’s Involved in Finding, Protecting and Producing Information Source: IT Policy Compliance Group, 2008 Paper, Legacy Data and Electronically Stored Information The ability to respond to a legal request quickly and with more confidence depends on two factors: the scope of the legal request for information, and whether or not the data is stored electronically. The first factor is negotiated by legal counsel, while the second factor depends on the format of the data. In alignment with fewer requests received annually, firms with the least amount of data and records stored electronically are small businesses, while the most electronically formatted data is found among larger enterprises (Figure 8). Figure 8: Electronically Stored Information, by Revenue © 2008 IT Policy Compliance Group, 12 Source: IT Policy Compliance Group, 2008
    • Improving Results for the Legal Custody of Information Based on interviews conducted with legal counsels, accessibility is a key factor in determining the costs of responding to legal requests for information. For example, almost all of the lawyers interviewed say the cost of acquiring, protecting and producing information stored on older paper and electronic tape formats is much higher, and depends on being able to prove undue hardship due to inaccessibility of the data. Furthermore, the lawyers all cited a common experience of spending time and money to find relevant data on electronically stored tape formats only to find much of the information illegible due to a degradation that normally occurs to information stored on magnetic tapes over time. While it may be trickier arguing “inaccessibility” for older paper and magnetic tape formatted data, almost all the lawyers interviewed say that third-party litigants will likely prevail in having defendants or plaintiffs pay expenses related to legal holds on data. The research shows that a prevalence of electronically formatted and indexed data increases confidence in outcomes, reduces costs, and mitigates financial exposure from legal claims supported by holds on data and records. All of the lawyers interviewed say that in their experience, electronically indexed data is far easier and much less expensive to find, produce, preserve and protect. And, several of the lawyers interviewed stated, “we’re now adding a lot of other data to the (electronically stored and indexed) mix”, beyond email and office productivity documents. Most Time-Consuming and Expensive Information to Find, Protect, and Produce The most time-consuming and expensive data for organizations to find, protect, and produce are paper-based records, as well as electronically formatted data and records that are not indexed or are stored in un-indexed tape archives (Figure 9). Figure 9: Most Expensive Data to Find, Protect and Produce Source: IT Policy Compliance Group, 2008 After paper and simply archived tape archives, the evidence shows that email, financial records, customer records, and office productivity files and records are the most time-consuming and expensive information to find, protect, and produce. Given the explosive use of email and office productivity applications during the past 20 years, it is not surprising that these rank in the top tier as most time consuming and expensive. Time and Expense in IT to Find, Protect, and Produce The time required by firms to find, protect, and produce data and records in response to legal requests for data ranges from 10 percent to 25 percent of the available time in IT, depending on the size of an organization. However, not all firms of the same size are spending the same amount of time or money to find, protect and produce data. Although the time spent in IT on these activities averages almost 18 percent, actual spend on labor varies by maturity of practices: from a high exceeding 24 percent of the time in IT to a low just under 10 percent of the time in IT (Figure 10). © 2008 IT Policy Compliance Group, 13
    • Improving Results for the Legal Custody of Information Figure 10: Time Spent in IT to Find, Protect, and Produce Source: IT Policy Compliance Group, 2008 A majority of organizations, those operating at the norm, can improve results without increasing labor costs in IT by leveraging retention, indexing and storage tools to better find, protect, and produce records and data in response to a legal requests. Strategic Actions and Practices that Improve Maturity and Results How quickly employees are notified and legal requests are responded to, depends on the strategic actions taken by organizations (Figure 11). The key actions taken by the firms with the most mature practices include: Updating policies and procedures Maintaining evidence of handling for records and data Identifying business and financial risks Delivering training to employees covering legal hold procedures and controls However, these are not the only actions being taken by leading firms. Others include revising records retention programs, measuring results, improving the quality of legal counsel, identifying gaps in procedural and technical controls, improving legal hold procedures and controls, and forming cross-functional teams to respond to legal holds on data. Moreover, the distinct differences in actions taken by the most mature firms include: • Maintaining evidence of handling for data and records • Improving the quality of legal counsel • Delivering training to employees • Identifying business and financial risks • Measuring results. In addition to strategic actions, specific actions and practices within IT to rapidly find, protect, preserve and produce data in response to legal requests for data are strongly influencing results. © 2008 IT Policy Compliance Group, 14
    • Improving Results for the Legal Custody of Information Figure 11: Strategic Actions and Practices That Improve Results Source: IT Policy Compliance Group, 2008 Practices and Capabilities in IT that Improve Maturity and Results The findings clearly show that among the most mature firms, IT is prominently involved in a wide range of activities related to finding, protecting, and producing data in response to legal requests (Figure 12). Figure 12: Practices and Capabilities in IT that Improve Results Source: IT Policy Compliance Group, 2008 © 2008 IT Policy Compliance Group, 15
    • Improving Results for the Legal Custody of Information The notable practices and capabilities within IT among the most mature firms include: Updating policies and procedures Increasing the frequency of monitoring and measurements Inventorying records and data Improving technical and procedural controls Moreover, the actions and practices within IT that most distinguish the most mature firms from all others include: 1) indexing data for rapid search, 2) increasing the frequency of monitoring and measurements, 3) correcting gaps in controls, and 4) updating policies and procedures. Most Helpful Technologies to Find, Protect and Produce Data The technologies found most helpful to find, protect, and produce data and records in response to the Legal Custody of Information include: • Tools that convert data into electronic formats • Tools that store data in electronic formats • Tools for training employees However, this list is just the start of what may be needed, because among the most mature firms, the tools found to be most helpful are those for backup and archive, training, data and indexing of information, data capture and conversion, records retention and destruction, and the identification of records and data (Figure 13). Figure 13: Most Helpful Technologies to Find Protect, and Produce Data Source: IT Policy Compliance Group, 2008 The findings clearly show that firms with the most mature practices, and the lowest costs for legal data holds, are converting data into electronically indexed formats for more rapid search, discovery, production, preservation and protection. © 2008 IT Policy Compliance Group, 16
    • Improving Results for the Legal Custody of Information Discussions with Lawyers In addition to the benchmark, lawyers in the U.S. were interviewed to provide a qualitative sense of how they and their organizations are overcoming challenges associated with legal hold requests. All of the U.S.-based lawyers say that due to changes to the Federal Rules of Civil Procedure (FRCP), almost all legal requests for information now include discovery motions involving email formats and office productivity files. ESI and the Scope of Legal Discovery All of the lawyers acting on behalf of plaintiffs say that they purposely strive for the widest possible scope of discovery in order to find evidence that will bolster the case for their clients. And, all of these lawyers say that the new electronic discovery rules of the FRCP are assisting their efforts. While most of these layers admit that the scope of discovery is independent of the format of the information, and that old-fashioned paper-based records were the most common format employed in the past, almost all legal requests for information now include email, office productivity files and documents. In contrast to the “more is better” approach of litigants, lawyers acting to defend their Almost all legal requests for clients state that the primary objective is to limit the scope of inquiry, for several reasons, information now include email, and including costs, organizational churn and productivity losses, as well as a normal office productivity files. defense tactic to limit evidence. All of these attorneys say that their clients are now routinely being served with requests that include email and office documents as a matter of course. All of these attorneys say that while paper-based reports had been the norm, and continue to drive requests from older-line specialist litigation firms, the new rules governing electronic discovery have resulted in requests that also include database information, audio recordings, Web-based data, instant messaging, and other forms of electronically stored information (ESI): well beyond email and office productivity files or documents. ESI and the Impact of Age and Time The information being sought by legal requests depends on the type of litigation. For example, the lawyers involved in product liability litigation say that the normal age of information being sought dates back about five to six years. However, lawyers involved in financial reporting and fraud, benefits, pensions, life insurance, capital property and casualty claims, and those involved with longer-term workplace injuries (asbestos claims) say the information being sought dates in age from five years to many decades. According to the lawyers interviewed, information older than five years is often viewed as practically inaccessible, even if it is legally viewed as accessible. For example: almost all the lawyers interviewed cited horror stories about information stored on magnetic tapes that were found to be illegible due to a normal aging process associated with magnetic tape media formats. In addition to age and time associated with legal requests, and the format of the information, the lawyers cited an interesting twist associated with the age of attorneys acting on behalf of plaintiffs. All of the defense attorneys noted that when they are dealing with older-line plaintiff firms with primarily older attorneys, the standard formats being requested are the old stand-bys involving paper-based reports, telephone records, and more recently email and office productivity files. Only as a result of the changes to the FRCP are these older-line firms starting to more routinely request other forms of ESI. However, the profile of the requests for information changes markedly when younger ESI is not only the wave of the lawyers with younger plaintiff firms are involved. More familiar with computers and future: the ESI wave is hitting the technology, these younger firms and attorneys are serving more requests for a wider beach. variety of ESI beyond email and office productivity files. The defense attorneys all say they are noticing a direct correlation between age, technology familiarity, and an increasing number of requests for information involving a wider range of ESI data beyond email and office productivity information. According to the lawyers interviewed, ESI is not the wave of the future: the ESI wave is hitting the beach. Legal Requests and Summonses for Information Not all legal requests for information result in a court summons. Lawyers contacted just prior to publication say that in their experience, there is no typical rate for how many legal requests are resulting in a summons. Several of the lawyers quoted anecdotal experiences ranging from “1 in 10” to as few as “1 in 50” legal requests resulting in a summons. Despite an inability to quantify the relationship between legal requests and summons, all of the lawyers say that their firm receives far more legal requests for data than summons, and that all such legal requests are resulting in legal holds being placed on data. © 2008 IT Policy Compliance Group, 17
    • Improving Results for the Legal Custody of Information The benchmark asked participants how many summons for data their firm had experienced in the past year. As a result of the anecdotal information regarding the number of legal requests received each year, it is difficult to reliably quantify the number of legal requests organizations can expect to receive, other than the broad ranges provided by participating legal counsels: from 1 in 10 to as few as 1 in 50 legal requests for data resulting are resulting in court summons. This anecdotal information would place the rate of summons resulting from legal requests at between 2 percent (1 in 50), to as much as 10 percent (1 in 10). These broad anecdotal ranges indicate the number of legal requests for information could range from a low of 10 each year among small businesses, to a high of 250 per year among larger enterprises. Whether the rate of requests to summons is 1 in 10, 1 in 25, or 1 in 50, it is clear that there are far more requests being received each year than summons, and that the process of legal hold on information is being initiated upon the reasonable anticipation of a legal request for information, not the receipt of a summons related to information that should have been placed on hold long before a summons arrived. Information Formats, Indexing, and Costs Paper-based formats were almost universally viewed as the most expensive to find and produce by the defense attorneys who were interviewed. However, costs for finding, producing and protecting ESI covered by legal holds spans quite a range according to the lawyers interviewed. The highest costs for finding, producing and protecting ESI governed by legal holds involves data stored on magnetic tape and other simpler, un-indexed, archived data. The lowest costs for finding, producing and protecting data were among the attorneys whose firms are employing automated solutions that immediately store copies of ESI into protected and indexed storage systems, almost all of them involving disks, CDs and other formats not involving magnetic tape. All of the defense attorneys say their initial attempts to respond to legal hold in their firm Doing the work in-house to find, involved costly manual procedures augmented by external third parties that converted protect and produce data on legal differently formatted data into standard forms for searching and responding to legal hold is less expensive, and it holds. However, all of these attorneys say that due to the costs of such outsourced reduces the risks related to errors services and the number of legal holds governing ESI, doing the work in-house to find, that could be challenged. protect and produce data on legal hold is less expensive, while reducing the risks related to errors that could be challenged. Recommendations from the Lawyers The participating lawyers recommend the following: • Establish the ground rules for what constitutes reasonable anticipation of litigation • Consistently review policies and controls for the retention and destruction of information • Establish and implement a consistent notification system • Respond to requests as soon as possible, even if the response is only for clarification • Communicate detailed instructions for finding, protecting, preserving and producing covered information • Index as much data as is reasonable, to drive down costs • Maintain the integrity of information on hold • Monitor information and the controls governing information that are on hold • Implement standard procedures for releasing information that were on hold Regulatory Drivers and Legal Custody of Information The primary regulatory mandates responsible for driving legal data hold requests include: • Sarbanes-Oxley • Specific industry regulations • Laws governing data and records • Laws governing data protection, retention, and privacy After these, the important regulatory drivers include health care data privacy laws, SEC guidelines and rules, and Federal Rules of Civil Procedure in the United States governing data and records (Figure 14). Although FRCP and e-discovery in the U.S. do not jump to the top of the list for regulatory drivers, this may be due to less familiarity with the legal requirements, or that as a legal mandate FRCP is not perceived to be regulatory mandate. The laws governing data privacy among the largely U.S.-based sample for this benchmark rank highly among organizations of all sizes, while the European data privacy laws rank highly only among large enterprises. The results indicate an overlap between the practices and capabilities needed to succeed with legal holds placed on information, and those needed for data protection, privacy, financial reporting and other legal and regulatory compliance mandates. © 2008 IT Policy Compliance Group, 18
    • Improving Results for the Legal Custody of Information Figure 14: Regulatory Pressures for Legal Custody of Information Source: IT Policy Compliance Group, 2008 Legal Custody and Controls Effectiveness One such overlap is the frequency with which organizations assess the effectiveness of controls and the alignment of results between the legal data custody, the protection of sensitive data, and regulatory compliance. Firms with the most mature practices for legal data hold measure controls effectiveness once every 15 days (Figure 15). Figure 15: Frequency of Controls Assessments © 2008 IT Policy Compliance Group, 19 Source: IT Policy Compliance Group, 2008
    • Improving Results for the Legal Custody of Information In contrast, a majority of firms at the norm are only measuring once every 172 days. Finally, the least mature are measuring controls effectiveness once every year. Firms with the least loss or theft of customer data and the least problems with regulatory compliance implement continuous controls assessment programs by assessing the effectiveness of controls once every 18 to 19 days. The benchmark shows that firms doing well in legal data custody, regulatory compliance, and data protection are implementing the same action: continuous assessment of controls effectiveness. Maturity Impacts Legal Custody, Compliance, and Data Protection Perhaps the most striking finding from the benchmark is the relationship between the maturity of practices between legal holds on data, and how well firms perform for regulatory compliance, and the protection of sensitive customer data. Firms that excel at the Legal Custody of Information are also the same firms that exhibit leadership for regulatory compliance and the protection of sensitive data (Figure 16). Ninety-seven percent of firms with the most mature profiles for handling legal holds on data are the exact same organizations with two or fewer regulatory compliance deficiencies that must be corrected to pass audit. Similarly, 93 percent of these leading firms are the exact same organizations with two or fewer losses of sensitive data each year. Figure 16: Regulatory Compliance, Data Protection, and Legal Custody of Information Source: IT Policy Compliance Group, 2008 The skew in these findings clearly show that the maturity of practices for regulatory compliance, data protection, and legal practices within organizations are aligned with outcomes, and that the firms with more mature practices are repurposing practices around controls for regulatory compliance, as well as controls for how sensitive data is handled, accessed, protected, preserved, searched, and produced for multiple initiatives. Who Should Improve the Maturity of Practices for Legal Hold The external pressures for most organizations to find protect, and produce data in response to a legal request for data include: • Legal, government, and regulatory mandates • Findings and recommendations from auditors • Public reputation • Evolving case law In an age where information is paramount to success and legal requests to support litigation now routinely involve electronically stored information, pragmatic management of business, financial, and market risk dictates the need to improve existing practices. © 2008 IT Policy Compliance Group, 20
    • Improving Results for the Legal Custody of Information Aside from the financial burden of legal settlements and expenses, larger enterprises not improving better practices for legal data holds may experience other consequences not measured by this benchmark, including fines and penalties, elevated reputational risk, and more difficulty with customer and partner expectations. The external pressures for improving the practices for legal data hold unfortunately indicate that experience is currently the best teacher (Figure 17). Figure 17: Pressures to Take Action Source: IT Policy Compliance Group, 2008 Larger enterprises are primarily responding to legal and government findings, followed by claims settlements, public reputation, and direction from senior managers. What distinguishes the higher response rate among large enterprise includes finding and recommendations from auditors, and worry about public and brand reputation. The primary internal pressures to respond and take action include: • Direction from senior managers • Prior experience with legal requests for data • The cost of claims settlements and financial exposure. Taking Action to Improve Results In some circumstances, the primary course of action is going to be spending more money to improve legal services. But, after improving legal counsel the research shows it is essential to improve the maturity of practices for handling legal holds for information. The results of the research clearly show that for midsize and large enterprises, it makes The benchmark clearly shows that sense to: for all large enterprises, and many Strive for practice maturity leadership, for legal data hold and custody midsize firms, improving the maturity of practices for legal data Take the strategic actions shown to improve results holds will pay off. Implement the actions and practices within IT that are shown to improve the ability to find, protect, and produce data subject to legal hold Improve the maturity of organizational and IT practices Implement the technologies shown to improve results Treat the legal hold of data like other compliance activities © 2008 IT Policy Compliance Group, 21
    • Improving Results for the Legal Custody of Information Small businesses Small businesses are not suffering from a large number of legal requests or summons related to information, and the rate of spend on legal data hold among small businesses is much less than all other organizations. As they say: “the pickings are slim”, among small businesses. Unless the firm has specific experience with large numbers of legal holds on information, or faces severe regulatory and legal penalties, there is no indication of huge financial pain or financial reward among most small business, to justify large spending to improve the maturity of practices for legal data custody, at this time. Midsize and large enterprises The benchmark clearly shows that for all large enterprises and many midsize organizations, improving the maturity of practices for legal data custody will pay off, with obvious financial benefits that include: • Significant reductions in overall expenses, by factors of 4 to more than 13 • Lower financial settlement expenses • Lower expenses for legal services • Lower expenses to find and produce information subject to legal hold • Lower expenses to preserve and protect data subject to legal hold Not quantified by the benchmark is the opportunity-cost for a wide variety of people involved with and responding to legal holds on information, especially among senior managers. Presumably, more mature practices would result in reductions in the amount of time senior managers are spending on this activity: allowing these people to focus on more fruitful activities. The non-financial benefits of improving the maturity of practices for legal requests for information — improved brand equity, trust, and customer retention — are beyond the results quantified by this research. For most, these could prove to be far more beneficial than the reduction of costs for legal settlements and internal expenses that will occur by improving the practices for legal custody of information. © 2008 IT Policy Compliance Group, 22
    • Improving Results for the Legal Custody of Information About the Research Topics researched by the IT Policy Compliance Group (IT PCG) benchmarks are part of an ongoing research calendar established by input from supporting members, advisory members, and findings compiled from recent research. The most recent benchmark covering the Legal Custody of Information, which is the basis for this report, was conducted between October and November 2007 with 235 qualifying respondents in different organizations. The error for this benchmark research is plus or minus 6 percent. The majority of the organizations (90 percent) participating in this benchmark are located in the United States. The other 10 percent come from other countries, including Australia, Brazil, Canada, France, Germany, Ireland, Japan, the Netherlands, Poland, Singapore, Spain, the United Arab Emirates, and the United Kingdom among others. In addition to specific tracking questions common to each benchmark, the research is designed to discover answers to specific topics. The primary topic of the most recent benchmark was the experience of organizations concerning legal holds for records and data. Industries represented A wide range of industries participated in the benchmark including advertising; aerospace; agriculture; automotive; banking; chemicals; computer equipment and peripherals; computer software and services; construction, architecture, and engineering services; consumer electronics, consumer packaged goods; distribution, education, financial, and accounting services; food and beverage services, general business and repair services; government—public administration; government—defense and intelligence; health, medical, and dental services; insurance, legal services; management, scientific, and consulting services; manufacturing; medical devices; metals and metal products; mining, oil, and gas; pharmaceuticals; publishing, media, and entertainment; real estate, rental and leasing services; retail trade; telecommunication services; transportation and warehousing; travel, accommodation, and hospitality services; and utilities and wholesale trade. Manufacturing accounted for 13 percent of participating organizations. All other industries accounted for less than 10 percent of the benchmark sample. Revenue of participating organizations Thirty-five percent of the organizations participating in the benchmark have annual revenues, assets under management, or budgets that are less than $50 million. Another 23 percent have annual revenues, assets under management, or budgets that are between $50 million and $999 million. The remaining 41 percent have annual revenues, assets under management, or budgets that are $1 billion or more. Number of people employed by participating organizations Thirty-six percent of the participating organizations employ fewer than 250 people. Twenty-two percent employ between 250 and 2,499 people. The remaining 42 percent employ 2,500 or more people. Job titles of participants Thirty-two percent of the participants in the benchmark are senior managers (CEO, CFO, CIO, etc.), 14 percent are vice presidents, 25 percent are managers or directors, 27 percent are staff, and 2 percent are internal consultants. Roles of participants Twenty-nine percent of the participants work in IT; another 29 percent work in finance and internal controls; 14 percent work in customer service; 9 percent work in legal and compliance; 7 percent work in product design and development; 7 percent work in sales and marketing; and the remaining 5 percent are distributed across other job functions, including manufacturing, procurement, purchasing, and logistics. © 2008 IT Policy Compliance Group, 23
    • Improving Results for the Legal Custody of Information About IT Policy Compliance Group The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations meet their policy and regulatory compliance goals. It focuses on assisting member organizations in improving results based on fact-based benchmarks. The IT Policy Compliance Group Web site at www.itpolicycompliance.com features content created by leading experts in the world of compliance and published reports containing primary research. Research and benchmarks sponsored by the Group produce fact-based insight and recommendations about what is working and why. The results of Group-sponsored research are designed to help legal, financial, internal controls, IT audit, IT security, and compliance professionals to: • Benchmark IT policy compliance efforts against peers and best-in-class performers • Identify key drivers, challenges and responses to implement successful IT policy and compliance initiatives • Determine the applicability and use of automation tools to assist, streamline and improve results • Identify best practices for IT policy and compliance programs The Group relies upon its supporting members, advisory members, and significant benchmark findings to drive its research and editorial calendars. © 2008 IT Policy Compliance Group, 24
    • Improving Results for the Legal Custody of Information IT Policy Compliance Group Supporters Symantec Corporation The Institute of Internal Information Systems Audit and Auditors Control Association 20330 Stevens Creek Boulevard 247 Maitland Avenue 3701 Algonquin Road, Suite 1010 Cupertino, CA 95014 Altamonte Springs, FL 32701 Rolling Meadows, IL 60008 +1 (408) 517 8000 +1 (407) 937 1100 +1 (847) 253 1545 www.symantec.com www.theiia.org www.isaca.org info@symantec.com iia@theiia.org info@isaca.org Computer Security Institute Protiviti IT Governance Institute 600 Harrison Street 1290 Avenue of the 3701 Algonquin Road, Suite 1010 Americas, 5th Floor San Francisco, CA 94107 Rolling Meadows, IL 60008 +1 (415) 947 6320 New York, New York 10104 +1 (847) 660 5600 www.gocsi.com +1 (212) 603 8300 www.itgi.org csi@cmp.com www.protiviti.com info@itgi.org info@protiviti.com © 2008 IT Policy Compliance Group, 25
    • Improving Results for the Legal Custody of Information © 2008 IT Policy Compliance Group, 26
    • Improving Results for the Legal Custody of Information © 2008 IT Policy Compliance Group, 27
    • Founded in 2005, the IT Policy Compliance Group conducts benchmarks that are focused on delivering fact-based guidance on the steps that can be taken to improve results. Benchmark results are reported through www.itpolicycompliance.com for the benefit of members. IT Policy Compliance Group Contact: Managing Director, Jim Hurley Telephone: +1 (216) 321 7864 jhurley@itpolicycompliance.com www.itpolicycompliance.com August 2008 The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not guaranteed. Research publications reflect current conditions that are subject to change without notice. Copyright © 2008 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners. All rights reserved. 8/08 14524678