By BETSY ATKINS
Information governance, historically a bottom-up practice and now the responsibility of Governance, Risk and Compliance (GRC) managers, has been pushing its way into boardrooms around the world. Sarbanes-Oxley, HIPAA, the Basel II accords and similar regulations have triggered this trend. The problem is that the concerned parties rarely speak the same technical language. Modern enterprise information management systems are helping to address the problem, but there are still a few secrets to success. Here are some things to keep in mind during your initiatives.
The terms “corporate governance” and “information governance” no doubt sound similar. Many people focus only on the “governance” aspect of both, and assume that they are different names for the same discipline.
But for too long those who specialize in each field have paid too little attention to the other, a mutual disinterest that courts and regulators are now forcing to an end. Corporate governance, the role of boards and top management in overseeing, administering and monitoring a company, is very much a "top-down" field. Information governance, which oversees the performance and risk management of information technology (IT) systems, would seem to be a very "bottom-up," tactical item at the bottom of a board's agenda. Yet IT and data management have been pushing their way up that boardroom agenda for some time.
How Technology Became the Board’s Business
The first IT moves we saw in the boardroom came a decade ago, when the technology costs and potential dangers of Y2K problems became a boardroom concern. But the costs and legal liability for managing (or mismanaging) electronic data did not fade with the Millennium, and have in fact spiked higher over the past several years.
The federal Sarbanes-Oxley Act of 2002, particularly its Section 404, mandated a strong internal control environment, including the electronic data needed to prove it. The Health Insurance Portability and Accountability Act (HIPAA), whose Privacy Rule took effect in 2003, imposed tough data privacy and protection requirements on any business handling health care information. The Basel II accords on banking in 2004 required robust data storage and retrieval capability. The Personal Data Privacy and Security Act, introduced in Congress in several successive sessions, proposed further detailed information security rules for government agencies and their private contractors.
Legal requirements on how companies must preserve and produce data also grew rapidly. In late 2006, new amendments to the Federal Rules of Civil Procedure (FRCP) regarding electronic discovery of evidence became effective. These codified, and in some ways simplified, electronic evidence discovery matters. But the new FRCP rules also forced companies to better organize their data management processes.
The High Cost of Information “Mis-Governance”
Corporations have learned the hard way that these requirements have teeth. In 2005, failures to preserve and produce electronic evidence contributed to a $29 million verdict against UBS Warburg and a whopping $253 million verdict against Merck. But even playing by the new data governance rules can cost a company if the information is badly retained and organized. Recently, a Fortune 100 corporation, in seeking to acquire a competitor, learned a hard lesson on information governance when it scrambled to meet government antitrust disclosure demands. Over 150 workers spent 10 weeks reviewing material, including 1.5 million emails alone.
Organizations not directly involved in an investigation also suffer nowadays if they lack modern information governance processes. A small government agency, the Office of Federal Housing Enterprise Oversight, was only a non-party with peripheral involvement in the Fannie Mae securities litigation. The general counsel of this small, under-funded office had signed off on an e-discovery request to search its email and files, assuming the cost would be minor. But the inaccessibility of the data required an army of attorneys and staff to perform a hands-on physical review, all billed by the hour. The "minor" cost came to over $6 million, and this for a non-party to the litigation. The agency sought relief from this crippling cost but was turned down by the appeals court. The court's reasoning? The general counsel should have known what he was letting the agency in for when he agreed to an open-ended e-discovery process.
“Should have known” is an apt description of the evolving philosophy driving information governance and corporate governance into the same room. Regulators have established that well-organized, well-preserved, accessible electronic data is now expected as fundamental to any well-governed company. Courts and plaintiff attorneys have followed this lead. They now routinely demand thorough, timely review and disclosure of discoverable electronic evidence. The question today for corporate boards is whether their company’s e-discovery infrastructure is able to deliver.
IT and Corporate Governance: Similar Concerns, But Different Languages
Among the greatest problems facing the board on information governance (and especially on e-discovery issues) are the differing perspectives of the company departments involved. IT staff are driven by their own priorities: reliability, practicality, cost efficiency, and the ability of new software to interoperate with legacy technology are their touchstones of good information governance.
The IT staff, of necessity, has its own technical language to explain these processes, components, and priorities. For years, board meetings have seen “Dilbert” cartoon moments of tech staff briefing directors in their own, specialized techie language, while the board members’ eyes slowly glaze over. One data management vendor (who will remain nameless) boasts that its “scale-out grid architecture” offers “a single-instance indexed repository and supports delta versioning.” With a sales pitch like this, it’s no wonder that board members just approve IT budgets and hope for the best.
But this “best” may not be the best for good governance oversight of data, or the current demands of e-discovery. Corporate governance has data oversight priorities that often parallel those of IT, but differ in some key aspects. The board role here is shaped by the needs of company compliance and legal staff. The latter are aware that the vast amount of data generated by a modern corporation serves an ongoing purpose. It can prove that oversight and corporate compliance have been properly handled in vital areas, such as regulatory rules, accounting, tax law, M&A, risk management and the board itself.
But company counsel and governance, risk and compliance (GRC) staff have further, specific demands of IT. First are smart, best-practice data retention policies. IT measures itself in part by how safely it can store away all those emails, documents, memos and so on; more data to be stored means adding more storage capacity. Yet this is not only costly but adds needless legal risk. Even with the best information management system, the more material you keep, the more you have to inventory, evaluate, and possibly mismanage. An e-discovery demand that prompts a general "data dump" could sweep in sensitive, compromising material that legally need not have been retained, but as long as it is on the servers, you have to produce it.
Why We Call It a "Data Retention" Policy, Not "Data Deletion"
Good corporate governance of IT, then, demands a comprehensive, uniform, legally savvy retention policy that deletes as much nonessential material as quickly as possible. But notice that we call it a data "retention" policy, not data "deletion." A wise corporate governance approach focuses as much on the data you need to keep as on the data you should toss. Work with counsel to establish protocols on where and how different types of data will be stored (and how they should not be stored); classification and segregation of data based on legal retention schedules, sensitivity, and operational needs; and proper procedures for deletion. A "legal hold" policy must also be able to kick in immediately, overriding the deletion schedule, should a court or regulatory action be launched. Too often a memo from counsel saying "Don't delete X data" brings replies like "What X data?" or "Too late."
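As an added illustration of the interplay just described (example code written for this edit, not a system described by the article or by any vendor it names), the following Python sketch models a retention schedule with a legal hold that overrides it. The schedule values, the record classes, and the hold-scope rule are all assumed for the example; the point it shows is that a hold must win over the purge schedule, and that a hold issued after a purge cycle has already run can only report which in-scope records are already gone, which is the "Too late" reply above.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed retention schedule (illustrative numbers, not legal advice):
# classification -> retention period in days after creation.
RETENTION_DAYS: Dict[str, int] = {
    "financial_record": 7 * 365,
    "health_record": 6 * 365,
    "routine_email": 90,
    "transient": 30,
}


@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    deleted_on: Optional[date] = None          # set once the record is purged
    holds: Set[str] = field(default_factory=set)  # ids of active legal holds


@dataclass
class LegalHold:
    hold_id: str
    issued: date
    classifications: Set[str]   # hypothetical scope rule: by class ...
    created_after: date         # ... and by creation date

    def covers(self, rec: Record) -> bool:
        return (rec.classification in self.classifications
                and rec.created >= self.created_after)


def disposition_date(rec: Record) -> Optional[date]:
    """Date on which the schedule says the record may be purged (None = keep)."""
    days = RETENTION_DAYS.get(rec.classification)
    return None if days is None else rec.created + timedelta(days=days)


def issue_hold(records: List[Record], hold: LegalHold) -> Tuple[List[str], List[str]]:
    """Attach the hold to every live in-scope record.
    Returns (held_ids, too_late_ids); the latter are in-scope records that
    a purge cycle already removed before counsel's memo arrived."""
    held, too_late = [], []
    for rec in records:
        if not hold.covers(rec):
            continue
        if rec.deleted_on is not None:
            too_late.append(rec.record_id)
        else:
            rec.holds.add(hold.hold_id)
            held.append(rec.record_id)
    return held, too_late


def run_retention(records: List[Record], today: date) -> Dict[str, str]:
    """One purge cycle. A record is deleted only when its retention period has
    expired AND it carries no legal hold; the hold overrides the schedule."""
    actions: Dict[str, str] = {}
    for rec in records:
        if rec.deleted_on is not None:
            actions[rec.record_id] = "already_deleted"
            continue
        due = disposition_date(rec)
        if due is None or today < due:
            actions[rec.record_id] = "retain"
        elif rec.holds:
            actions[rec.record_id] = "held"
        else:
            rec.deleted_on = today
            actions[rec.record_id] = "delete"
    return actions


def demo():
    """Constructed sample corpus (not real data) run through two purge cycles
    with a hold issued in between."""
    records = [
        Record("E1", "routine_email", date(2009, 1, 1)),      # due 2009-04-01
        Record("E2", "routine_email", date(2009, 5, 1)),      # due 2009-07-30
        Record("F1", "financial_record", date(2003, 1, 1)),   # due late 2009
        Record("T1", "transient", date(2009, 5, 20)),         # due 2009-06-19
    ]
    first = run_retention(records, date(2009, 6, 1))   # E1 purged on schedule
    # Counsel's hold arrives two weeks later, covering all routine email
    # created on or after 2009-01-01: E2 is held, E1 is already gone.
    hold = LegalHold("H-2009-01", date(2009, 6, 15), {"routine_email"}, date(2009, 1, 1))
    held, too_late = issue_hold(records, hold)
    second = run_retention(records, date(2009, 9, 1))  # E2 past due but held; T1 purged
    return first, held, too_late, second


if __name__ == "__main__":
    for label, result in zip(("first cycle", "held", "too late", "second cycle"), demo()):
        print(f"{label}: {result}")
```

The "too late" list is the output a board should ask to see: if it is ever non-empty, the retention schedule ran ahead of the hold process, and the remedy is an organizational one (a hold that can be placed before the next purge cycle), not a larger archive.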
Shaping Board-Friendly Information Governance
Conventional data management and information governance thus do not fit well with the board's corporate oversight role. Manually wrestling with things like database management, classification protocols, purging schedules, and the tracking of various email and text message platforms is no task for the lay business people in the boardroom. The immersion in time and technology it demands just isn't practical.
This mismatch grows even worse when dealing with the e-discovery requirements of litigation. Directors will want to know if legal holds on data are effectively in place, and whether material not covered under the hold, or legally privileged, is properly segregated. They’ll want to know how much time and cost will be involved in the e-discovery review (and probably respond with groans). And the board will want to know why it’s spent so much money on fancy data management tech, only to have e-discovery require hours of manual, costly, erratic data chasing. Traditional IT systems do a good job of warehousing data, but are poor at easily finding and retrieving data to meet the demands of e-discovery.
I’ve found that there is a way to combine the needs of information governance and corporate governance for the benefit of both — modern electronic information management systems. These new tools not only streamline, cut costs, and improve results, but also give the board the “dashboard” tools it needs for effective IT oversight. One of the biggest governance demands in recent years has been for simple, but revealing indicators that allow busy board members to gain a good read on complex functions. Audit, finance, risk management, and internal controls are some of the intimidating, technical fields being boiled down to a usable “dashboard” of measures the board can use for oversight. Now, it’s the turn of information governance.
Requirements for a Modern e-Discovery Platform
New “intelligent” information management platforms, such as StoredIQ, PSS Systems and Symantec Enterprise Vault are meeting these governance objectives. These products must meet several vital goals:
According to Laura Lukaczyk, venture investor in StoredIQ, "The need for non-manual discovery is clear. Just about every company faces investigation and the sheer growth of information pushes the tipping point for transitioning to an automated data collection process. In addition, forward-leaning information technology groups are already deploying storage in the cloud, where a solution to digitally manage information in discovery is key. The StoredIQ solution is fast to deploy and delivers a fast ROI, according to our company case studies."
These next-generation products meet these demands in another way: by offering an effective interface between those in the company involved in information governance and e-discovery. As noted, IT staff, corporate counsel, and risk and compliance staff have traditionally kept to their own silos, with the board often not even in the same farmyard. The intelligent data management platforms of today are designed to meet the needs of all these parties and to be uniformly accessible to them. For example, litigation staff may want to run "pre-e-discovery" on a potential lawsuit, checking what data is hidden away before opposing counsel actually makes its demands. A solution like StoredIQ makes this possible: it can run early, query-based analyses of discoverable material across a broad data set, quickly, easily and thoroughly. This is a powerful litigation tool for the firm, saving time and cost, and helping counsel, management and the board better gauge the company's exposure.
Boards of directors will likely never have the time and skills required to become technical information governance experts. But with the new world of intelligent data management, and the tools it offers, directors shouldn’t need to.