Mitigating the eDiscovery risks due to the explosion of electronic data in your business through a structured programme of preparedness.
I’m sure most people are familiar with the expression “prevention is better than cure”. It sounds like generally sound advice to me and I’m sure most would probably agree. But in truth, to what extent do we apply the principle? The reality is that preventative measures certainly aren’t always free, so can unwittingly end up being considered insurance products. And when it comes to insurance, if we don’t have to spend money, often we won’t. Which introduces the concept of risk and risk appetite…
As individuals, we all have a different attitude to risk, with some more risk-averse than others. But whatever our personal appetite, how should we consider risks to our businesses, where the potential impact requires broader consideration for all the stakeholders – employees, customers, suppliers and shareholders? We probably owe it to them to be better protected and prepared. Obviously, risk factors to a business are many and diverse but as providers of eDiscovery services, this article focuses on those associated with our domain of expertise.
So, what does risk mitigation have to do with eDiscovery? It’s fair to say that historically, eDiscovery has been an entirely reactive discipline, used to investigate actual or suspected misdeeds, and also once matters have become litigious or there is a reasonable expectation thereof. It’s not unusual for situations to arise without warning, leaving organisations to rush around trying to source suitable professional advice, skills and resources to address the matter at hand, often both at short notice and under duress. And as a result, it’s likely to be a more costly and disruptive exercise than perhaps it need be.
One might argue that the eDiscovery industry has been somewhat parasitic, feeding as it does on the problems that corporates encounter. But to my mind, eDiscovery and Information Governance are intrinsically linked; it is the data, which corporations own, which is always the subject of the eDiscovery exercise, so rather than trying to shut the stable door after the horse has bolted, why not adopt an attitude of preparedness? And not just in terms of how you are going to respond to events, but how you manage the data under your control. With data privacy legislation becoming an ever more prominent consideration, it is not only prudent to do so, but in many jurisdictions is now mandated by law.
Preparedness doesn’t have to cost the earth. To a certain extent, it’s a question of understanding process and procedure.
As with any improvement process, the first step is to establish a baseline from which to measure; understanding where your organisation would place on the continuum of chaos to enlightenment, so to speak! And to do that, it is essential to get a solid understanding of all the issues. Which requires us to identify what the issues are.
Remember that we’re considering the mitigation of risks in so far as they relate to eDiscovery processes. What does that really mean? Let’s start by defining eDiscovery.
One such definition would be that eDiscovery is the electronic aspect of identifying, collecting and producing electronically stored information (ESI) in response to a request for production in a lawsuit or investigation. ESI includes, but is not limited to, emails, documents, presentations, databases, voicemail, audio and video files, social media, and websites.
Having defined what it is, the oracle on the eDiscovery process itself has historically been the Electronic Data Reference Model (EDRM).
A good holistic approach, therefore, would be to assess your company’s ability to perform across all the stages of the process, as shown in the reference model below, in terms of process, resources and responsibilities, and technology.
There has been plenty of focus over the years, driven largely by technology vendors one might argue, on the processes of ingesting, processing and reviewing content; the traditionally reactive approach as mentioned before. But one’s capacity to respond effectively and rapidly to any event is dictated more by the ability to identify, locate, preserve and collect the correct information, and all of that is typically the by-product of good Information Governance. Hence my observation is that eDiscovery and Information Governance are intrinsically linked.
Industry analysts are recognising this trend, with Gartner, for example, in their April 2021 report  observing that “Organizations are using e-discovery software vendor and service provider offerings that ‘extend left’ in the Electronic Discovery Reference Model to establish proactive information governance”. Perhaps that is driven by increased regulation, but whatever, it remains solid practice to get one’s house in order. But having established a benchmark and depending on where you are on the maturity spectrum, that may be easier said than done, as it requires far more than a purely technical response.
Having suggested that technology is not necessarily the silver bullet, it certainly does have a part to play. But there are probably two main remediation paths to consider, with some quick wins to be had but also some longer-term initiatives that require concerted and sustained effort, with senior management buy-in.
I would categorise them as the eDiscovery and the Information Governance paths. Once the link between the two is appreciated, they can be followed independently or in parallel, with the key proviso that actions are undertaken with full visibility of the overall journey. Such an approach clearly requires a top-down mandate and is not something where individual aspects can be addressed in isolation if you want to achieve a joined-up result.
The first step on the Information Governance path is to understand the compliance landscape within which you are operating; both the generic and any industry-specific regulations that may exist, which may well dictate much of your planning. It is not uncommon to seek the services of an independent advisory service, be that a law firm or other risk advisor.
Once you understand the parameters of the regulatory environment, the second most valuable action is to be able to qualify and quantify your data estate. What data do you hold? Where do you keep it within the estate? What does it represent? How secure is it? Are you keeping it for the correct duration? Do you ever delete it? And so on. Having such a data map is not only crucial to being able to respond to events in a timely fashion but is also key to measuring and ensuring compliance.
Considerations around security, storage and data classification may well stimulate broader and more fundamental discussions in the business, such as strategies for cloud hosting versus on-premises, which are unlikely to result in knee-jerk decisions; there are many aspects to be explored and aligned, with corporate policies and direction to be considered.
However, there are perhaps some shorter-term gains to be had in the eDiscovery remediation path, where some simple preparedness can rapidly improve the status quo.
Establishing universal processes, identifying resources (both internal and external) and confirming responsibilities enables you to react efficiently at a time of pressure. Obviously, there is some effort required to establish those processes and you may choose to seek external guidance to complete the exercise, but it shouldn’t be a major outlay.
From an eDiscovery delivery perspective, deciding whether to build an in-house capability, to outsource the requirement or build a hybrid model is the next consideration but if you do decide to use external specialists, selecting competent providers can both provide you with flexibility as well as access to the latest developments in the fast-changing technology landscape. And building longer-term partnerships with those vendors rather than adopting an ad-hoc ‘gun for hire’ approach, enables them to better understand your business and practices, as well as potentially delivering economies of scale.
When a situation arises, being able to rapidly identify where potentially responsive data resides through the use of a current data map, is vital. Not only does it improve your ability to correctly preserve that data, but in so doing also reduces the risk of spoliation and the potential penalties or adverse impact that that may have on the outcome.
Many organisations are guilty of applying simplistic retention policies to their data, with blanket retention periods adopted to ensure compliance with certain regulations. Or in some cases, all data is retained indefinitely, where in reality that may not be necessary. There is also a commonly held belief that electronic content represents company assets, containing potentially valuable intellectual property. Whilst that may be superficially true, the reality is often more complex. Information tends to devalue over time – regulations change, trends and market forces alter – rendering an analysis from a decade ago unlikely to represent the current best position, as an example. The asset slowly becomes a liability.
Remember that the more you retain, the more becomes subject to eDiscovery, so the costs grow proportionally.
So, unless you are mandated to retain information for extended periods, establishing a realistic retention policy that balances the potential asset value against the risks and cost of storing and having to disclose data, is another important remedial step. As is enforcing the subsequent disposition of expired content!
However, if you are obliged to retain data for the long term, doing so in line-of-business systems can be very costly. Such data is rarely, if ever accessed, so moving it to a more cost-effective, yet immutable and discoverable storage facility can be a valuable strategy. But again, with reference to earlier Information Governance comments, the process of archiving such data in the first place, would be simplified if you were able to reliably categorise it first.
Modern cloud platforms such as Microsoft 365, are increasingly implementing integrated capabilities in the platform to support the categorisation, labelling and archiving of content for structured, semi-structured and unstructured data, which can make the tasks of archiving, preserving and applying legal holds less onerous. But these are not overnight fixes; they’re more of a journey and require management commitment.
I’ll conclude by bringing the discussion back to the opening premise that prevention is better than cure. Certainly by moving up the maturity spectrum I’ve outlined through better Information Governance, establishing clearly defined policies and processes and knowing how you will resource challenges technically, improves preparedness.
But what of prevention? Clearly, it’s unrealistic to suggest you can eliminate all risk, but what if you were to apply the same technologies you use to investigate events after the fact, speculatively in advance? Such proactive information governance (or Proactive eDiscovery) might surface potentially fraudulent activity during a bid process or highlight incidences of data leakage, as examples, and enable preventative measures to be taken. Perhaps not quite the ‘Precogs’ depicted in Spielberg’s Minority Report of 2002, but the ability to avoid potentially damaging events to the business should not be dismissed, particularly as it can be achieved using the same methodologies.
That said, there are some obstacles to navigate from a data privacy perspective, but we’ll explore these and the rest of the topics in this piece in more depth over the coming weeks.
In the meantime, if you’d like to find out more about Discovery Risk Management, feel free to get in touch here. We’d be delighted to assist.