Rimon’s John Isaza Interviewed for TechTarget Article on Data Management Policy and e-Discovery

Insights August 28, 2014

Rimon’s John Isaza is featured in an article on data management policy and e-discovery by TechTarget editor Ben Cole. John is quoted on Rimon’s information governance work: “For third-party vendors, we are encouraging our clients to have contractual provisions to obligate them to follow your records management procedures and your needs as an organization when it comes to e-discovery.”

You can read the article at its original source here.

By Ben Cole, Site Editor of TechTarget

Data management policy is vital as businesses try to ensure systems and processes can quickly produce legal information for e-discovery purposes.

Big data complicates numerous aspects of data management. Questions around information access, security controls and data retention and deletion schedules all become more pressing when there is a seemingly endless amount of data to sift through.

Without a thorough data management policy, it’s also very difficult to access relevant e-discovery data during a court case. And even the organizations that do have a policy in place often don’t take into account the complexity of big data, said Garth Landers, a research director at Gartner Inc.

“These policies have not largely been adopted and applied to big data or activated data that may sit in depositories like Hadoop and data warehouses,” Landers said during a presentation at the 2014 Gartner Security and Risk Management Summit. “Access enablement and control become increasingly important.”

Of course, information governance policy development is no picnic in the big data era. Every crucial aspect of the organization — finance, security, IT, etc. — will have its own data-related governance, risk and compliance and legal mandates. Determining exactly what data needs to be kept and for how long will become convoluted quickly when all of these departments provide input.

When developing a data management policy, a key aspect is to identify the crucial areas that drive retention, such as regulatory compliance mandatesand potential legal issues, Landers said. There must be organization-wide communication, cooperation and cross-training about information governance responsibilities.

Representatives from the legal, IT and compliance departments should also be able to refine the processes when the regulatory landscape inevitably changes.

“You want to have those rules and policies come from the people that know; the people that understand the regulation; the people that understand the legal requirements of the organization, that are involved in litigation,” Landers said.

Of course, strategic information management programs should also decrease e-discovery challenges while helping to lower storage costs and mitigate risks. The plan should take into account the nature of the impending litigation, the people involved, the systems in play, and the processes needed to respond to the discovery request in a timely and cost-effective manner, said Marshall Hoel, a managing consultant at Berkeley Research Group LLC.

“Too often, organizations are caught flat-footed by a discovery or other legal request, and this usually leads to significant strain on resources and costs,” Hoel said. “Proactive management of these issues is the most effective way to mitigate both cost and risk.”

Service provider data management

As big data continues to complicate data management policy and strategies, organizations are increasingly turning to third parties to help. Tools that help manage unstructured data can be invaluable to ensure legal and regulatory compliance, for example. Predictive coding solutions have also become necessary to help scan millions of documents for legal proceedings.

It’s important to remember that information governance policy doesn’t end at the company doors.

“For third-party vendors, we are encouraging our clients to have contractual provisions to obligate them to follow your records management procedures and your needs as an organization when it comes to e-discovery,” said John Isaza, who leads the information governance and records management practice at law firm Rimon PC.

Companies also should take into account the potential for lag time for requests to cull data from third-party systems, Hoel said, and factor that into their vendor information management strategy to avoid missing e-discovery deadlines.

He suggested conducting periodic testing that extracts small amounts of data with random identification parameters.

“This will give you a good idea of how to respond and work with your providers when it comes time to respond to an actual discovery request,” Hoel said.

Mobile data creates another information management hurdle. As organizations increasingly allow employees to create and store company data on personal mobile devices, companies must establish guidelines that clearly depict what types of data are allowed on these devices. Any location where electronically stored information (ESI) exists — whether in the cloud or on social media or mobile devices — could be culled for litigation, Hoel said.

Companies have to remain vigilant and take into account vendors’ business strategy as well, especially when it comes to discovering legal data. In many cases, third-party data management and storage providers pool their clients’ information into massive data sets to make the technology more efficient.

“While this is a great way to reduce upfront costs, it can present an additional hurdle when it comes to the process of preservation and collection of potentially relevant ESI,” Hoel said.

This adds to the importance of consistent, documented processes that are regularly audited. Companies seem to be paying attention: Gartner predicted that by 2018, 25% of progressive organizations will manage their unstructured data using information governance and storage management policies, up from less than 1% today.

But of course, just having policy isn’t enough.

“When we talk about organizations being prepared and responding to events like audits, investigations and litigation, it’s not just about having a policy,” Landers said. “It’s about executing it, being consistent, and making sure that it’s demonstrable to litigators, auditors or any regulatory body that makes an inquiry.”