From the April 2011 issue of Treasury & Risk magazine

Data, Data Everywhere

Mark Diamond is founder and CEO of Contoural, which provides records information management and litigation readiness consulting services to more than 20% of the Fortune 500, as well as smaller companies and public sector organizations.

Companies are drowning in e-mail, files and other types of electronic information, and the flood of data is driving up both costs and risk related to the discovery process during litigation. Yet many organizations are frustrated as their attempts to address this problem get bogged down. Fixing this issue requires a group effort among a number of different stakeholders within the company, as well as letting go of well-intended but ineffective strategies.

T&R: Why is accumulating too much electronic data a problem now?
Diamond:
Companies are creating more electronic documents than ever. The average employee sends and receives more than 167 e-mails per day, and saves many of those on the e-mail server or on his or her desktop. Unstructured data, such as loose files and images, are growing at a pace of more than 40% per year. Worse, organizations are doing a poor job of deleting older information. Electronic information accumulates like snow on a glacier, with a new layer added every year.

T&R: What part does regulation play?
Diamond:
Companies have long been required to retain business records. What has changed is regulators' interest in those records. The Obama administration has increased regulatory inquiries and government investigations. Government investigators have broad powers to subpoena not only records, but also documents and social media postings. Given the accumulation of paper and especially electronic documents, the likelihood of finding something damaging is high. Regulators found embarrassing or damaging documents at Toyota, BP and Goldman Sachs. Often, the most damaging documents were not even considered official business records by the companies.

T&R: E-discovery costs have been onerous for a while. Are they getting worse?
Diamond:
Yes. There were more settlements of civil lawsuits last year than any other time. We believe that when faced with e-discovery costs that are higher than the claims themselves, many companies decide to settle claims. Last year, more than 38% of all settlements in civil litigation were either influenced, or strongly influenced, by the potential discovery costs, according to a study by the Federal Judicial Center. The danger is that companies that settle all the time build a reputation as soft targets.

T&R: What about WikiLeaks?
Diamond:
Both governments and corporations face a new information security and public relations threat: large-scale leaks of e-mails, files and other sensitive electronic documents intended to embarrass, harass or damage an organization. Governments have already been the victims of leaks from sites such as the WikiLeaks document archive, and, at the time of this writing, WikiLeaks was rumored to be readying a "megaleak" from a U.S. bank. Some fear that "WikiLeaking" may become a common tactic to hurt companies and other organizations. It appears that most of the documents come from disgruntled employees or other individuals with access to large amounts of information. What makes WikiLeaking different is the sheer quantity of documents published. WikiLeaking thrives on quantity over quality.

T&R: Some companies delete all e-mail after 30 days. Does this work?
Diamond:
Nearly all companies retain too many older, unneeded documents that have no business value or regulatory retention requirement. But aggressive deletion strategies often backfire. When employees know e-mails will be deleted, they engage in underground archiving, saving e-mails on USB drives, printing them out or even sending work e-mails to their home accounts. This increases the cost of e-discovery, forcing companies to search in more places. An employee came up to me after a seminar and bragged that he forwarded all the e-mail he received and sent at work to his home computer and every three months put it on a CD. Regulators are savvy to this and often widen their search. For example, incriminating e-mails from Lehman Brothers traders were found on the traders' wives' e-mail accounts.

T&R: How can companies improve the management of their data before an inquiry?
Diamond:
Companies are beefing up their record retention programs, implementing technology to better store and control their electronic information, educating employees on appropriate use of company information and developing defensible, ongoing data deletion programs. Paper-based record retention programs focused on how long documents should be saved. The new approach is to strive to control information while allowing employees to access it. E-mails that are captured and controlled in an archive, for example, are available to search during discovery, and most important, enable easier deletion when the e-mails no longer have business value.

T&R: Is there a return on investment for these efforts?
Diamond:
Yes, but ROI can be difficult to measure. Companies see a reduction in data storage costs, for example, when they delete older data. But the largest savings come from avoiding expensive discovery costs or compliance risks. Some companies have a predictable enough litigation stream to calculate a specific ROI. But most companies face variable amounts of litigation, so no one knows for certain the number or size of next year's lawsuits, for example, in order to project the cost savings on e-discovery. Many in-house counsel understand that their company is at risk and should invest in better records compliance and litigation readiness, but they are frustrated because they cannot forecast a specific ROI. CFOs should take a big-picture view of these risks and costs.

T&R: Which groups typically run these programs?
Diamond:
In many companies, everyone wants to see these programs executed, but no group actually wants to own them. Often the projects are tossed like a hot potato from legal to IT to compliance to audit. Department heads fear they will be stuck with an unfunded mandate. CFOs play an important role in recognizing that this is an enterprise-wide issue that requires collaboration. The best approach is to create a steering committee jointly managed and chaired by legal and IT. Successful approaches build a consensus across the organization.

T&R: What are the biggest mistakes?
Diamond:
Trying to create the perfect policy and the perfect process and obtain the perfect technology. The problem is that records compliance and e-discovery are inherently imperfect. The good news is that the courts and the regulators do not expect perfection. They are looking for reasonable, good faith efforts. Don't let perfect be the enemy of good.

T&R: What level of data control and deletion is achievable?
Diamond:
It depends on the particular company, but we have seen organizations over time defensibly delete more than 40% of their structured data and get rid of 60% of their e-mail. This can drive a 30% to 60% decrease in discovery costs. Companies have done this while maintaining or increasing records compliance. It takes some real work, but the right approach can yield real benefits.

Comments