SlideShare una empresa de Scribd logo
1 de 30
Descargar para leer sin conexión
August 2008




Improving Results for
the Legal Custody of
Information




                        IT Policy Compliance Group
Orange Legal Technologies Corporate Information Briefing   1108
Improving Results for the Legal Custody of
                                                                    Information




Contents
 Executive Summary                                                                                    3
     Key Findings                                                                                     3
     Implications and Analysis                                                                        5
     Recommendations for Action                                                                       6
 Research Findings                                                                                    7
     Burden of Legal Requests: More Likely to Impact Large Enterprises                                7
     Large Enterprises: More Legal Summonses and Holds Related to Information                         7
     Maturity of Practices for Legal Hold                                                             8
     Confidence in Responding to Legal Requests for Information                                       9
     Equal Opportunity Outcomes for Legal Holds                                                      10
     Average Financial Settlements and Expenses, by Size of Organization                             10
     Expenses Vary Significantly by the Maturity of Practices for Legal Holds                        11
     Who’s Involved in Finding, Producing and Protecting Information                                 11
     Paper, Legacy Information and Electronically Stored Information                                 12
     Most Time-Consuming and Expensive Information to Find, Protect, and Produce                     13
     Time and Expense in IT to Find, Protect, and Produce                                            13
     Strategic Actions and Practices that Improve Maturity and Results                               14
     Practices and Capabilities in IT that Improve Maturity and Results                              15
     Most Helpful Technologies to Find, Protect and Produce Data                                     16
 Discussions with the Lawyers                                                                        17
     ESI and the Scope of Legal Discovery                                                            17
     ESI and the Impact of Age and Time                                                              17
     Legal Requests and Summonses for Information                                                    17
     Information Formats, Indexing and Costs                                                         18
     Recommendations from the Lawyers                                                                18
 Regulatory Drivers and Legal Custody of Information                                                 18
 Legal Custody and Controls Effectiveness                                                            19
 Maturity Impacts Legal Custody, Compliance, and Data Protection                                     20
 Who Should Improve the Maturity of Practices for Legal Hold                                         20
 Taking Action to Improve Results                                                                    21
 About the Research                                                                                  23
 About IT Policy Compliance Group                                                                    24




                                                                      © 2008 IT Policy Compliance Group
Orange Legal Technologies Corporate Information Briefing   1108
Improving Results for the Legal Custody of
                                                                                   Information


Executive Summary

 Key Findings

 Large enterprise spend more than other firms for legal holds
 The average financial costs of legal holds placed on information for firms with
 normative practices include:
  • Large enterprises: From $500,000 to more than $9 million annually.
 • Midsize organizations: From $300,000 to $500,000 each year.
 • Small businesses: Less than $300,000 per year.

 Costs for legal custody are driven by maturity of practices
 Organizations with the least mature practices are spending much more, as follows:
 • Large enterprises: From $1.5 million to more than $28 million annually.
 • Midsize organizations: From $800,000 to $1.5 million each year.
  • Small businesses: Less than $800,000 per year.
 Firms with the most mature practices are spending much less, as follows:
 • Large enterprises: From $120,000 to $2.6 million annually.
 • Midsize organizations: From $66,000 to $120,000 each year.
 • Small businesses: Less than $66,000 per year.

 Improvements to practices increase confidence and reduce expenses
 The realities are:
   Firms with the most confidence in the accessibility, completeness and
    accuracy of data have most mature practices and spend the least on legal holds.
   Firms with the least confidence in the accessibility, completeness and accuracy
    of data have the least mature practices and spend the most of legal holds.

 Large enterprises have a latent advantage that can be leveraged
 Accessibility, completeness and accuracy of data to support legal holds depend
 on how much information is electronically stored information (ESI). The numbers show:
     ESI among large enterprises: 50 to 70 percent.
     ESI among midsize firms: 35 percent to 50 percent.
     ESI among small businesses: 20 percent to 35 percent.
 However, this latent advantage can only be leveraged if information is indexed for rapid
 search, protection, preservation and production in response to legal requests.
 Strategic actions and practices that are improving results and reducing costs
 The strategic actions that are improving results include:
     Notifying affected employees of legal holds on information within one hour.
     Responding to legal requests within one day.
     Maintaining evidence of handling of data and delivering training to employees.
     Identifying business and financial risks and measuring results.
     Updating policies and procedures and updating records retention programs.
     Improving the quality of legal counsel and legal hold procedures and controls.
     Forming cross-functional teams to respond to requests within one day.




                                                                                             © 2008 IT Policy Compliance Group, 3
Improving Results for the Legal Custody of
Information




                                             Key Findings (continued)
                                             Practices in IT that are improving results and reducing costs
                                             The actions and practices in IT that are shown to improve results include:
                                                  Identifying the gaps in procedural and technical controls.
                                                  Converting information into electronic formats.
                                                  Inventorying and indexing information for rapid search.
                                                  Increasing the frequency of monitoring and measurements.
                                                  Correcting gaps in procedural and technical controls.
                                                  Updating policies and procedures.
                                                  Improving technical and procedural controls.
                                             Most helpful technologies to improve results
                                             The technologies being employed by the firms with the most mature practices
                                             and the lowest expenses include:
                                                  Backup and archive.
                                                  Data capture and conversion tools.
                                                  Data and record indexing tools.
                                                  Records retention and destruction tools.
                                                  Employee education and training tools.
                                             Information to target
                                             The information routinely indexed to search preserve and produce information
                                             in response to legal holds by the firms with the most mature practices and
                                             lowest costs, include:
                                                  Email, office productivity files, and instant messaging.
                                                  Industry-specific information.
                                                  Product and financial information.
                                                  Employee and customer related information.
                                             Improving the maturity of practices for data custody pays off
                                             Improving the maturity of practices for legal custody yields huge reductions to
                                             current expenses:
                                                  Organizations with the least mature practices can reduce overall
                                                  expenses for legal custody by a factor of 13 by improving practices.
                                                  The majority of firms, those operating at the norm, can reduce expenses
                                                  by a factor of 4 by improving practices.
                                             Improving the maturity of practices for the legal custody of information
                                                  Reduces expenses for legal settlements and fees
                                                  Reduces expenses in IT to find, produce, protect and preserve information
                                                  on hold




© 2008 IT Policy Compliance Group, 4
Improving Results for the Legal Custody of
                                                                                      Information



Implications and Analysis
Legal holds on information start when an organization learns of, or can reasonably anticipate current
or pending litigation and regulatory investigations. The complexities involved in complying with
legal requests for information are most prudently carried out under the direction of legal counsel.
As such, whether a firm is named as a defendant, or is caught up in litigation as a third-party, the
custody of information covered by a legal hold should be directed by legal counsel. Notifying employees,
and potentially suppliers or customers, is just the start of a legal process governing holds on information.

Large enterprises: Follow the money
Despite a broad 50/50 chance of being served a court summons related to data and records, larger enterprises are
bearing the brunt of such demands. For large enterprises, the likelihood of summonses start at two per year, and can
exceed five or more events annually, while the number of annual legal requests for information are far higher.
Legal settlement costs; legal expenses; and costs related to finding, protecting, preserving,  Large enterprises with the
and producing data in response to legal holds for information are far higher among larger      least mature practices are
enterprises than midsize organizations and small businesses.                                   spending between $1.5
Among larger enterprises, average costs and expenses related to legal holds placed on          million to more than $28
information range from $500,000 to more than $9 million annually, depending on the size        million annually, depending
of the organization.                                                                           on the size of the
                                                                                               organization.
However, the maturity of practices for information governed by legal holds directly
influence spending. Large enterprises with the most mature practices are spending only 25
percent of the amount firms with normative practices spend: from $120,000 to more than $2.6 million annually, depending
on the size of the firm.
Conversely, organizations with the least mature practices are spending much more than all other firms. Large enterprises
with the least mature practices are spending three times more than firms with normative practices spend: from $1.5 million
to more than $28 million annually, depending on the size of the organization.

ESI: The wave has hit the beach
Although paper-based records are identified as the most traditional format and the most time consuming and expensive for
all organizations, the research conducted with attorneys shows that electronically stored information (ESI) requests are
increasingly making up a larger proportion of the legal requests, especially for email and office productivity files among
other forms of ESI. Unless ESI (email, office files, product design records, customer transaction data, instant messaging
files, financial transactions, etc) is indexed for rapid search, protection and production, it offers no obvious benefit. For
example, 10 Gigabytes of information is about 500,000 pages, close to 200 boxes of paper that would normally not be
indexed while being stored off-site.

Practice maturities dictate outcomes
Neither the size of an organization nor the industry within which it competes is the arbiter of better or worse performance
results, or of higher or lower costs. Rather, the practices implemented for legal custody are what distinguish how much is
being spent, and how well or poorly organizations are able to respond to legal holds governing information.
                                                                                                  Organizations that respond more
Strategic Actions and Practices making a Difference
                                                                                                  rapidly to holds governing
The strategic actions distinguishing firms with the best results for legal custody include:       information are also excelling at
 • Maintaining evidence of handling for records and data delivering training to                   regulatory compliance and the
   employees                                                                                      protection of sensitive data.
 • Identifying business and financial risks
 • Measuring results

Practices in IT that are Making a Difference
Leading firms are converting more information into indexed, searchable electronic formats that can more rapidly be found,
preserved, protected, and produced in response to legal requests. Examples of the kind of information being converted
into structured electronic records for rapid search, protection, and production include:

                                                                                        © 2008 IT Policy Compliance Group, 5
Improving Results for the Legal Custody of
Information

                                             • Email and attachments
                                             • Office documents
                                             • Instant messaging files
                                             • Audio files (telephone records)

                                             Organizations performing as leaders for legal custody are also excelling at
                                             regulatory compliance and the protection of sensitive data. Taking a holistic view of
                                             compliance, these firms are treating the legal custody of information as one aspect
                                             of managing information in an increasingly electronically interconnected World.

                                              Recommendations for Action

                                             Based on the quantitative results of the benchmarks and the qualitative research
                                             conducted with the lawyers, the principle recommendations include the following.
                                             Large enterprises
                                                    Should take action: are clearly the primary targets of legal request for
                                                    information
                                                    Should aggressively improve the maturity of practices to limit financial pain

                                             Midsize organizations
                                                    Should evaluate financial impact, past experience and industry setting
                                                    Should be improving easier-to-implement practices with large paybacks
                                             Improve organizational practices
                                                   Notify affected employees about a legal hold on information within one hour
                                                   or less
                                                   Respond to the initial request within one business day or less
                                                   Update corporate policies and procedures
                                                   Improve the quality of legal counsel
                                                   Form a cross-functional response team
                                                   Conduct employee training consistently
                                                   Revise records retention policies and procedures
                                                   Improve legal hold procedures and controls
                                                   Measure results more frequently
                                             Improve practices and capabilities IT
                                                   Target highly probable areas to convert into electronically indexed,
                                                   searchable archives — especially email, invoices, telephone records, and
                                                   financial data
                                                   Use indexing tools to enable the rapid search of information covered by
                                                   requests
                                                   Archive and index paper-based records and data that are most likely
                                                   targets
                                                   Target additional types of data for conversion, based on industry-specific
                                                   litigation
                                                   Update IT policies and procedures for the retention and destruction of
                                                   information
                                                   Maintain evidence of handling and protection of data and records
                                                   Correct gaps in IT procedures and controls
                                                   Measure the effectiveness of controls more frequently


© 2008 IT Policy Compliance Group, 6
Improving Results for the Legal Custody of
                                                                                       Information



Research Findings
Burden of Legal Requests: More Likely to Impact Large Enterprises
For most firms, there is a 50 percent chance that data and records will have to be found, protected, and produced in
response to legal requests or court summons. However, not all organizations are burdened with the need to find, protect
and produce information in response to legal requests and summonses equally. Rather, large enterprises are bearing the
brunt of responding to legal requests for data, with six out of ten large firms taking action to find, protect and produce data
in response to such demands (Figure 1).

Figure 1: Firms That Are Finding, Protecting, and Producing Information




                                                           Source: IT Policy Compliance Group, 2008

By comparison, only three out of ten small businesses with revenues below $50 million are spending time to find, produce
and protect records and data in response to legal requests and summonses. And, only five out of ten midsize
organizations are spending time to respond to these demands.

Large Enterprises: More Legal Summonses and Holds Related to Information
The number of legal summonses received each year is directly related to the size of an organization, with large
enterprises experiencing more such events annually.
However, according to the lawyers interviewed, actual court summonses represent but a small portion of the total number
of legal requests for data, in the range of 2 to 10 percent of all legal requests.
Organizations with annual revenues between $100 million and $1 billion should plan on at least one to two court actions
each year. Firms with $10 billion in annual revenue should plan for between two and five such events annually.
Organizations with more than $100 billion in revenue should plan for more than five summonses each year.
While far more legal holds on data occur than summons received, and large enterprises are experiencing more summons
related to legal holds placed on information, the findings deliver proof that “if you follow the money”, the action is clearly
focused on large enterprises (Figure 2).


                                                                                             © 2008 IT Policy Compliance Group, 7
Improving Results for the Legal Custody of Information

Figure 2: Number of Annual Summonses by Revenue




                                                         Source: IT Policy Compliance Group, 2008


Maturity of Practices for Legal Hold
Not all firms notify affected employees and respond to legal requests for data and records in the same amount of time. In
fact, the benchmark results show a normal distribution for these two key metrics (Figure 3).
Figure 3: Distribution of Practices, Least to Most Mature




   © 2008 IT Policy Compliance Group, 8                   Source: IT Policy Compliance Group, 2008
Improving Results for the Legal Custody of
                                                                                     Information


Most mature practices: About one in ten firms
Roughly one in ten—12 percent—of all firms are performing at the most mature levels. These firms are notifying
employees in less than one hour about a legal hold on records and data and are responding to legal requests for
information within one day.
Industry norm: About seven in ten firms
About seven in ten—almost 71 percent—of all organizations are performing at the industry norm: one to eight hours to
notify employees and between one and eight days to respond to legal requests for information.

Least mature: Almost two in ten firms
Almost two in ten—nearly 18 percent—of all firms are performing at the least mature levels, taking more than eight hours
to notify employees and more than eight days to respond to legal requests for data and records.

Confidence in Responding to Legal Requests for Information
According to the legal counsels interviewed, their confidence in cases involving the request of data and records depends
on the accessibility, accuracy, completeness, and trustworthiness of data and records, after considering existing law and
prior rulings.
The research findings reveal that the firms with the most mature practice indicators, those notifying employees within one
hour about a legal hold on data and responding within one day, are more confident than all other organizations. Moreover,
these firms have greater confidence in the accessibility, integrity, accuracy and trustworthiness of data and records: key
considerations, according to the lawyers, when dealing with legal requests for data and records (Figure 4).
Figure 4: Confidence in Capabilities




                                                       Source: IT Policy Compliance Group, 2008

Firms with up to one legal request for data each year are the least confident in the trustworthiness, completeness,
accuracy, and accessibility of data and records. These are the same firms that are not actively finding, protecting, and
producing data. If “practice makes perfect,” it may take organizations several legal requests to develop the wisdom to
notify affected employees immediately and the practices needed to respond to within one day. Firms with the best results
are doing things very differently than all other organizations. Whether confidence in measured by the trustworthiness,
completeness, accuracy, and accessibility of data, or confidence in the legal case, the results of the benchmark indicate
confidence in the procedures for data holds are necessary enablers for succeeding with the legal case.
                                                                                            © 2008 IT Policy Compliance Group, 9
Improving Results for the Legal Custody of Information



Equal Opportunity Outcomes for Legal Holds
Despite a much higher incidence rate for the number of summonses and legal requests received among larger
enterprises, the performance of large firms is in line with the overall maturity of practices across firms of all sizes. This
finding proves that despite more experience among large firms, firm size does not dictate outcomes (Table 1).
Table 1: Different Experiences, Same Results
                                                             Least         Normative            Most
                                                             mature         results            mature
                                   Firms with no plans       18.2%            71.1%             10.7%
                                   and no activity
                                   Firms actively finding,   16.8%            69.9%             13.3%
                                   protecting, and
                                   producing data
                                   All firms                 17.5%            70.5%             12.0%
                                                                     Source: IT Policy Compliance Group, 2008

Average Financial Settlements and Expenses, by Size of Organization
Large enterprises operating with normative practice maturities for legal data hold are spending much more on legal
settlements, legal expenses, and internal costs to find, protect and produce data than midsize organizations and small
businesses (Figure 5).

Figure 5: Financial Expenses of Legal Data Holds Among Normative Firms




                                                              Source: IT Policy Compliance Group, 2008

A minimum of 50 percent all expenses are for legal settlements and legal expenses. Internal expenses for finding,
protecting and producing data in response to legal holds range from 25 percent to 50 percent of all costs, based on the
organization size. Large enterprises are spending 60 times more than small businesses and 25 times more than midsize
firms on legal expenses and expenses to find, protect, and produce data.



  © 2008 IT Policy Compliance Group, 10
Improving Results for the Legal Custody of
                                                                                        Information


Expenses Vary Significantly by the Maturity of Practices for Legal Holds
However, financial expense among the firms with normative practices is deceiving. Total expenses are driven higher by
about three-fold among firms operating with the least mature practices for legal data holds. In contrast, firms with the most
mature practices are benefiting from much lower spending: about 25 percent of the expenses being borne by firms with
normative practices for legal data hold (Figure 6).

Figure 6: Average Annual Expenses, by Maturity of Practices




                                                               Source: IT Policy Compliance Group, 2008

For example, firms with $10 billion in annual revenues are spending more, or less on legal data holds, depending on the
maturity of the practices. Firms of this size with the least mature practices are spending, on average, $6.4 million; while
the normative among these firms are spending about $2.1 million. Those with the most mature practices are spending
much less: slightly less than $480,000 annually. The difference, more than 13 times larger among the least mature and
more than 4 times larger among the majority of firms in the norm is sufficient financial incentive to improve practices for
legal data holds. The maturity of practices governing legal data holds among firms is resulting in different spending
experiences that include:
 • Spending on legal data custody that is more than 13 times larger among firms with the least mature practices
• Spending on legal data custody that is more than four times larger among firms with normative practices
Spending on legal and internal costs to find, protect and produce data in response to legal requests for data is reduced by
more confidence: made possible by more mature practices.

Who’s Involved in Finding, Producing and Protecting Information
The receipt of legal requests for data is a drain on the time and focus of many different functions in the organization,
including legal counsel, IT, senior managers, human resources and affected employees (Figure 7).
Consistent with interviews conducted with legal counsels, the use of contractors to find, protect and produce data in
response to legal requests for information is marginal, and often limited to the initial incident. The relatively high level of
involvement of senior managers in finding, protecting and producing data in response to legal requests indicates either
specifically named legal discovery inquiries, topical relevance such as requests related to financial filings, or a
combination of these. Legal requests for information are occupying a significant amount of time that could otherwise be
put to more productive purposes for servicing and retaining customers, and creating improved shareholder value.
                                                                                              © 2008 IT Policy Compliance Group, 11
Improving Results for the Legal Custody of Information


Figure 7: Who’s Involved in Finding, Protecting and Producing Information




                                                                 Source: IT Policy Compliance Group, 2008

Paper, Legacy Data and Electronically Stored Information
The ability to respond to a legal request quickly and with more confidence depends on two factors: the scope of the legal
request for information, and whether or not the data is stored electronically. The first factor is negotiated by legal counsel,
while the second factor depends on the format of the data. In alignment with fewer requests received annually, firms with
the least amount of data and records stored electronically are small businesses, while the most electronically formatted
data is found among larger enterprises (Figure 8).
Figure 8: Electronically Stored Information, by Revenue




  © 2008 IT Policy Compliance Group, 12                  Source: IT Policy Compliance Group, 2008
Improving Results for the Legal Custody of
                                                                                       Information


Based on interviews conducted with legal counsels, accessibility is a key factor in determining the costs of responding to
legal requests for information. For example, almost all of the lawyers interviewed say the cost of acquiring, protecting and
producing information stored on older paper and electronic tape formats is much higher, and depends on being able to
prove undue hardship due to inaccessibility of the data. Furthermore, the lawyers all cited a common experience of
spending time and money to find relevant data on electronically stored tape formats only to find much of the information
illegible due to a degradation that normally occurs to information stored on magnetic tapes over time. While it may be
trickier arguing “inaccessibility” for older paper and magnetic tape formatted data, almost all the lawyers interviewed say
that third-party litigants will likely prevail in having defendants or plaintiffs pay expenses related to legal holds on data.
The research shows that a prevalence of electronically formatted and indexed data increases confidence in outcomes,
reduces costs, and mitigates financial exposure from legal claims supported by holds on data and records. All of the
lawyers interviewed say that in their experience, electronically indexed data is far easier and much less expensive to find,
produce, preserve and protect. And, several of the lawyers interviewed stated, “we’re now adding a lot of other data to the
(electronically stored and indexed) mix”, beyond email and office productivity documents.

Most Time-Consuming and Expensive Information to Find, Protect, and Produce
The most time-consuming and expensive data for organizations to find, protect, and produce are paper-based records, as
well as electronically formatted data and records that are not indexed or are stored in un-indexed tape archives (Figure 9).

Figure 9: Most Expensive Data to Find, Protect and Produce




                                                       Source: IT Policy Compliance Group, 2008

After paper and simply archived tape archives, the evidence shows that email, financial records, customer records, and
office productivity files and records are the most time-consuming and expensive information to find, protect, and produce.
Given the explosive use of email and office productivity applications during the past 20 years, it is not surprising that
these rank in the top tier as most time consuming and expensive.

Time and Expense in IT to Find, Protect, and Produce
The time required by firms to find, protect, and produce data and records in response to legal requests for data ranges
from 10 percent to 25 percent of the available time in IT, depending on the size of an organization.
However, not all firms of the same size are spending the same amount of time or money to find, protect and produce data.
Although the time spent in IT on these activities averages almost 18 percent, actual spend on labor varies by maturity of
practices: from a high exceeding 24 percent of the time in IT to a low just under 10 percent of the time in IT (Figure 10).
                                                                                             © 2008 IT Policy Compliance Group, 13
Improving Results for the Legal Custody of Information

Figure 10: Time Spent in IT to Find, Protect, and Produce




                                                         Source: IT Policy Compliance Group, 2008

A majority of organizations, those operating at the norm, can improve results without increasing labor costs in IT by
leveraging retention, indexing and storage tools to better find, protect, and produce records and data in response to a
legal requests.

Strategic Actions and Practices that Improve Maturity and Results
How quickly employees are notified and legal requests are responded to, depends on the strategic actions taken by
organizations (Figure 11).
The key actions taken by the firms with the most mature practices include:
        Updating policies and procedures
        Maintaining evidence of handling for records and data
        Identifying business and financial risks
        Delivering training to employees covering legal hold procedures and controls
However, these are not the only actions being taken by leading firms. Others include revising records retention programs,
measuring results, improving the quality of legal counsel, identifying gaps in procedural and technical controls, improving
legal hold procedures and controls, and forming cross-functional teams to respond to legal holds on data.
Moreover, the distinct differences in actions taken by the most mature firms include:
    • Maintaining evidence of handling for data and records
    • Improving the quality of legal counsel
    • Delivering training to employees
    • Identifying business and financial risks
     • Measuring results.
In addition to strategic actions, specific actions and practices within IT to rapidly find, protect, preserve and produce data
in response to legal requests for data are strongly influencing results.


   © 2008 IT Policy Compliance Group, 14
Improving Results for the Legal Custody of Information


Figure 11: Strategic Actions and Practices That Improve Results




                                                         Source: IT Policy Compliance Group, 2008

Practices and Capabilities in IT that Improve Maturity and Results
The findings clearly show that among the most mature firms, IT is prominently involved in a wide range of activities
related to finding, protecting, and producing data in response to legal requests (Figure 12).

Figure 12: Practices and Capabilities in IT that Improve Results




                                                         Source: IT Policy Compliance Group, 2008
                                                                                           © 2008 IT Policy Compliance Group, 15
Improving Results for the Legal Custody of Information


The notable practices and capabilities within IT among the most mature firms include:
          Updating policies and procedures
          Increasing the frequency of monitoring and measurements
          Inventorying records and data
          Improving technical and procedural controls
Moreover, the actions and practices within IT that most distinguish the most mature firms from all others include: 1)
indexing data for rapid search, 2) increasing the frequency of monitoring and measurements, 3) correcting gaps in
controls, and 4) updating policies and procedures.

Most Helpful Technologies to Find, Protect and Produce Data
The technologies found most helpful to find, protect, and produce data and records in response to the Legal Custody of
Information include:
 • Tools that convert data into electronic formats
 • Tools that store data in electronic formats
 • Tools for training employees
However, this list is just the start of what may be needed, because among the most mature firms, the tools found to be
most helpful are those for backup and archive, training, data and indexing of information, data capture and conversion,
records retention and destruction, and the identification of records and data (Figure 13).

Figure 13: Most Helpful Technologies to Find Protect, and Produce Data




                                                           Source: IT Policy Compliance Group, 2008

The findings clearly show that firms with the most mature practices, and the lowest costs for legal data holds, are
converting data into electronically indexed formats for more rapid search, discovery, production, preservation and
protection.

    © 2008 IT Policy Compliance Group, 16
Improving Results for the Legal Custody of
                                                                                       Information


Discussions with Lawyers
In addition to the benchmark, lawyers in the U.S. were interviewed to provide a qualitative sense of how they and their
organizations are overcoming challenges associated with legal hold requests. All of the U.S.-based lawyers say that due
to changes to the Federal Rules of Civil Procedure (FRCP), almost all legal requests for information now include
discovery motions involving email formats and office productivity files.
ESI and the Scope of Legal Discovery
All of the lawyers acting on behalf of plaintiffs say that they purposely strive for the widest possible scope of discovery in
order to find evidence that will bolster the case for their clients. And, all of these lawyers say that the new electronic
discovery rules of the FRCP are assisting their efforts. While most of these layers admit that the scope of discovery is
independent of the format of the information, and that old-fashioned paper-based records were the most common format
employed in the past, almost all legal requests for information now include email, office productivity files and documents.
In contrast to the “more is better” approach of litigants, lawyers acting to defend their
                                                                                                 Almost all legal requests for
clients state that the primary objective is to limit the scope of inquiry, for several reasons,
                                                                                                 information now include email, and
including costs, organizational churn and productivity losses, as well as a normal
                                                                                                 office productivity files.
defense tactic to limit evidence. All of these attorneys say that their clients are now
routinely being served with requests that include email and office documents as a matter
of course. All of these attorneys say that while paper-based reports had been the norm, and continue to drive requests
from older-line specialist litigation firms, the new rules governing electronic discovery have resulted in requests that also
include database information, audio recordings, Web-based data, instant messaging, and other forms of electronically
stored information (ESI): well beyond email and office productivity files or documents.

ESI and the Impact of Age and Time
The information being sought by legal requests depends on the type of litigation. For example, the lawyers involved in
product liability litigation say that the normal age of information being sought dates back about five to six years. However,
lawyers involved in financial reporting and fraud, benefits, pensions, life insurance, capital property and casualty claims,
and those involved with longer-term workplace injuries (asbestos claims) say the information being sought dates in age
from five years to many decades.
According to the lawyers interviewed, information older than five years is often viewed as practically inaccessible, even if
it is legally viewed as accessible. For example: almost all the lawyers interviewed cited horror stories about information
stored on magnetic tapes that were found to be illegible due to a normal aging process associated with magnetic tape
media formats.
In addition to age and time associated with legal requests, and the format of the information, the lawyers cited an
interesting twist associated with the age of attorneys acting on behalf of plaintiffs. All of the defense attorneys noted that
when they are dealing with older-line plaintiff firms with primarily older attorneys, the standard formats being requested
are the old stand-bys involving paper-based reports, telephone records, and more recently email and office productivity
files. Only as a result of the changes to the FRCP are these older-line firms starting to more routinely request other forms
of ESI.
However, the profile of the requests for information changes markedly when younger
                                                                                                   ESI is not only the wave of the
lawyers with younger plaintiff firms are involved. More familiar with computers and
                                                                                                   future: the ESI wave is hitting the
technology, these younger firms and attorneys are serving more requests for a wider
                                                                                                   beach.
variety of ESI beyond email and office productivity files.
The defense attorneys all say they are noticing a direct correlation between age,
technology familiarity, and an increasing number of requests for information involving a wider range of ESI data beyond
email and office productivity information. According to the lawyers interviewed, ESI is not the wave of the future: the ESI
wave is hitting the beach.

Legal Requests and Summonses for Information
Not all legal requests for information result in a court summons. Lawyers contacted just prior to publication say that in
their experience, there is no typical rate for how many legal requests are resulting in a summons. Several of the lawyers
quoted anecdotal experiences ranging from “1 in 10” to as few as “1 in 50” legal requests resulting in a summons. Despite
an inability to quantify the relationship between legal requests and summons, all of the lawyers say that their firm receives
far more legal requests for data than summons, and that all such legal requests are resulting in legal holds being placed
on data.


                                                                                             © 2008 IT Policy Compliance Group, 17
Improving Results for the Legal Custody of Information


The benchmark asked participants how many summons for data their firm had experienced in the past year. As a result of
the anecdotal information regarding the number of legal requests received each year, it is difficult to reliably quantify the
number of legal requests organizations can expect to receive, other than the broad ranges provided by participating legal
counsels: from 1 in 10 to as few as 1 in 50 legal requests for data resulting are resulting in court summons. This
anecdotal information would place the rate of summons resulting from legal requests at between 2 percent (1 in 50), to as
much as 10 percent (1 in 10). These broad anecdotal ranges indicate the number of legal requests for information could
range from a low of 10 each year among small businesses, to a high of 250 per year among larger enterprises. Whether
the rate of requests to summons is 1 in 10, 1 in 25, or 1 in 50, it is clear that there are far more requests being received
each year than summons, and that the process of legal hold on information is being initiated upon the reasonable
anticipation of a legal request for information, not the receipt of a summons related to information that should have been
placed on hold long before a summons arrived.
Information Formats, Indexing, and Costs
Paper-based formats were almost universally viewed as the most expensive to find and produce by the defense attorneys
who were interviewed. However, costs for finding, producing and protecting ESI covered by legal holds spans quite a
range according to the lawyers interviewed. The highest costs for finding, producing and protecting ESI governed by legal
holds involves data stored on magnetic tape and other simpler, un-indexed, archived data. The lowest costs for finding,
producing and protecting data were among the attorneys whose firms are employing automated solutions that
immediately store copies of ESI into protected and indexed storage systems, almost all of them involving disks, CDs and
other formats not involving magnetic tape.
All of the defense attorneys say their initial attempts to respond to legal hold in their firm
                                                                                                 Doing the work in-house to find,
involved costly manual procedures augmented by external third parties that converted
                                                                                                 protect and produce data on legal
differently formatted data into standard forms for searching and responding to legal
                                                                                                 hold is less expensive, and it
holds. However, all of these attorneys say that due to the costs of such outsourced
                                                                                                 reduces the risks related to errors
services and the number of legal holds governing ESI, doing the work in-house to find,
                                                                                                 that could be challenged.
protect and produce data on legal hold is less expensive, while reducing the risks
related to errors that could be challenged.

Recommendations from the Lawyers
The participating lawyers recommend the following:
 • Establish the ground rules for what constitutes reasonable anticipation of litigation
 • Consistently review policies and controls for the retention and destruction of information
 • Establish and implement a consistent notification system
 • Respond to requests as soon as possible, even if the response is only for clarification
 • Communicate detailed instructions for finding, protecting, preserving and producing covered information
 • Index as much data as is reasonable, to drive down costs
 • Maintain the integrity of information on hold
 • Monitor information and the controls governing information that are on hold
 • Implement standard procedures for releasing information that were on hold

Regulatory Drivers and Legal Custody of Information
The primary regulatory mandates responsible for driving legal data hold requests include:
 • Sarbanes-Oxley
 • Specific industry regulations
 • Laws governing data and records
 • Laws governing data protection, retention, and privacy
After these, the important regulatory drivers include health care data privacy laws, SEC guidelines and rules, and Federal
Rules of Civil Procedure in the United States governing data and records (Figure 14).
Although FRCP and e-discovery in the U.S. do not jump to the top of the list for regulatory drivers, this may be due to less
familiarity with the legal requirements, or that as a legal mandate FRCP is not perceived to be regulatory mandate. The
laws governing data privacy among the largely U.S.-based sample for this benchmark rank highly among organizations of
all sizes, while the European data privacy laws rank highly only among large enterprises. The results indicate an overlap
between the practices and capabilities needed to succeed with legal holds placed on information, and those needed for
data protection, privacy, financial reporting and other legal and regulatory compliance mandates.
    © 2008 IT Policy Compliance Group, 18
Improving Results for the Legal Custody of
                                                                                     Information


Figure 14: Regulatory Pressures for Legal Custody of Information




                                                         Source: IT Policy Compliance Group, 2008

Legal Custody and Controls Effectiveness
One such overlap is the frequency with which organizations assess the effectiveness of controls and the alignment of
results between the legal data custody, the protection of sensitive data, and regulatory compliance. Firms with the most
mature practices for legal data hold measure controls effectiveness once every 15 days (Figure 15).
Figure 15: Frequency of Controls Assessments




                                                                                             © 2008 IT Policy Compliance Group, 19

                                                         Source: IT Policy Compliance Group, 2008
Improving Results for the Legal Custody of Information

In contrast, a majority of firms at the norm are only measuring once every 172 days. Finally, the least mature are
measuring controls effectiveness once every year. Firms with the least loss or theft of customer data and the least
problems with regulatory compliance implement continuous controls assessment programs by assessing the
effectiveness of controls once every 18 to 19 days. The benchmark shows that firms doing well in legal data custody,
regulatory compliance, and data protection are implementing the same action: continuous assessment of controls
effectiveness.

Maturity Impacts Legal Custody, Compliance, and Data Protection
Perhaps the most striking finding from the benchmark is the relationship between the maturity of practices between legal
holds on data, and how well firms perform for regulatory compliance, and the protection of sensitive customer data. Firms
that excel at the Legal Custody of Information are also the same firms that exhibit leadership for regulatory compliance
and the protection of sensitive data (Figure 16).
Ninety-seven percent of firms with the most mature profiles for handling legal holds on data are the exact same
organizations with two or fewer regulatory compliance deficiencies that must be corrected to pass audit. Similarly, 93
percent of these leading firms are the exact same organizations with two or fewer losses of sensitive data each year.
Figure 16: Regulatory Compliance, Data Protection, and Legal Custody of Information




                                                         Source: IT Policy Compliance Group, 2008

The skew in these findings clearly show that the maturity of practices for regulatory compliance, data protection, and legal
practices within organizations are aligned with outcomes, and that the firms with more mature practices are repurposing
practices around controls for regulatory compliance, as well as controls for how sensitive data is handled, accessed,
protected, preserved, searched, and produced for multiple initiatives.

Who Should Improve the Maturity of Practices for Legal Hold
The external pressures for most organizations to find protect, and produce data in response to a legal request for data
include:
     • Legal, government, and regulatory mandates
     • Findings and recommendations from auditors
     • Public reputation
    • Evolving case law
In an age where information is paramount to success and legal requests to support litigation now routinely involve
electronically stored information, pragmatic management of business, financial, and market risk dictates the need to
improve existing practices.
    © 2008 IT Policy Compliance Group, 20
Improving Results for the Legal Custody of
                                                                                       Information

Aside from the financial burden of legal settlements and expenses, larger enterprises not improving better practices for
legal data holds may experience other consequences not measured by this benchmark, including fines and penalties,
elevated reputational risk, and more difficulty with customer and partner expectations. The external pressures for
improving the practices for legal data hold unfortunately indicate that experience is currently the best teacher (Figure 17).
Figure 17: Pressures to Take Action




                                                           Source: IT Policy Compliance Group, 2008

Larger enterprises are primarily responding to legal and government findings, followed by claims settlements, public
reputation, and direction from senior managers. What distinguishes the higher response rate among large enterprise
includes finding and recommendations from auditors, and worry about public and brand reputation.
The primary internal pressures to respond and take action include:
• Direction from senior managers
• Prior experience with legal requests for data
• The cost of claims settlements and financial exposure.


Taking Action to Improve Results
In some circumstances, the primary course of action is going to be spending more money to improve legal services. But, after
improving legal counsel the research shows it is essential to improve the maturity of practices for handling legal holds for
information.
The results of the research clearly show that for midsize and large enterprises, it makes
                                                                                                       The benchmark clearly shows that
sense to:
                                                                                                       for all large enterprises, and many
        Strive for practice maturity leadership, for legal data hold and custody                       midsize firms, improving the
                                                                                                       maturity of practices for legal data
        Take the strategic actions shown to improve results                                            holds will pay off.
        Implement the actions and practices within IT that are shown to improve the
        ability to find, protect, and produce data subject to legal hold
        Improve the maturity of organizational and IT practices
        Implement the technologies shown to improve results
        Treat the legal hold of data like other compliance activities                        © 2008 IT Policy Compliance Group, 21
Improving Results for the Legal Custody of Information


Small businesses
Small businesses are not suffering from a large number of legal requests or summons related to information, and the rate
of spend on legal data hold among small businesses is much less than all other organizations. As they say: “the pickings
are slim”, among small businesses.
Unless the firm has specific experience with large numbers of legal holds on information, or faces severe regulatory and
legal penalties, there is no indication of huge financial pain or financial reward among most small business, to justify large
spending to improve the maturity of practices for legal data custody, at this time.

Midsize and large enterprises
The benchmark clearly shows that for all large enterprises and many midsize organizations, improving the maturity of
practices for legal data custody will pay off, with obvious financial benefits that include:
 •   Significant reductions in overall expenses, by factors of 4 to more than 13
 •   Lower financial settlement expenses
 •   Lower expenses for legal services
 •   Lower expenses to find and produce information subject to legal hold
 • Lower expenses to preserve and protect data subject to legal hold

Not quantified by the benchmark is the opportunity-cost for a wide variety of people involved with and responding to legal
holds on information, especially among senior managers. Presumably, more mature practices would result in reductions
in the amount of time senior managers are spending on this activity: allowing these people to focus on more fruitful
activities.

The non-financial benefits of improving the maturity of practices for legal requests for information — improved brand
equity, trust, and customer retention — are beyond the results quantified by this research. For most, these could prove to
be far more beneficial than the reduction of costs for legal settlements and internal expenses that will occur by improving
the practices for legal custody of information.




 © 2008 IT Policy Compliance Group, 22
Improving Results for the Legal Custody of
                                                                                          Information


About the Research
Topics researched by the IT Policy Compliance Group (IT PCG) benchmarks are part of an ongoing research calendar established by
input from supporting members, advisory members, and findings compiled from recent research.
The most recent benchmark covering the Legal Custody of Information, which is the basis for this report, was conducted between
October and November 2007 with 235 qualifying respondents in different organizations. The error for this benchmark research is plus
or minus 6 percent. The majority of the organizations (90 percent) participating in this benchmark are located in the United States.
The other 10 percent come from other countries, including Australia, Brazil, Canada, France, Germany, Ireland, Japan, the
Netherlands, Poland, Singapore, Spain, the United Arab Emirates, and the United Kingdom among others. In addition to specific
tracking questions common to each benchmark, the research is designed to discover answers to specific topics. The primary topic of
the most recent benchmark was the experience of organizations concerning legal holds for records and data.

Industries represented
A wide range of industries participated in the benchmark including advertising; aerospace; agriculture; automotive; banking;
chemicals; computer equipment and peripherals; computer software and services; construction, architecture, and engineering
services; consumer electronics, consumer packaged goods; distribution, education, financial, and accounting services; food and
beverage services, general business and repair services; government—public administration; government—defense and
intelligence; health, medical, and dental services; insurance, legal services; management, scientific, and consulting services;
manufacturing; medical devices; metals and metal products; mining, oil, and gas; pharmaceuticals; publishing, media, and
entertainment; real estate, rental and leasing services; retail trade; telecommunication services; transportation and warehousing;
travel, accommodation, and hospitality services; and utilities and wholesale trade. Manufacturing accounted for 13 percent of
participating organizations. All other industries accounted for less than 10 percent of the benchmark sample.

Revenue of participating organizations
Thirty-five percent of the organizations participating in the benchmark have annual revenues, assets under management, or budgets
that are less than $50 million. Another 23 percent have annual revenues, assets under management, or budgets that are between $50
million and $999 million. The remaining 41 percent have annual revenues, assets under management, or budgets that are $1 billion or
more.

Number of people employed by participating organizations
Thirty-six percent of the participating organizations employ fewer than 250 people. Twenty-two percent employ between 250 and
2,499 people. The remaining 42 percent employ 2,500 or more people.

Job titles of participants
Thirty-two percent of the participants in the benchmark are senior managers (CEO, CFO, CIO, etc.), 14 percent are vice presidents, 25
percent are managers or directors, 27 percent are staff, and 2 percent are internal consultants.

Roles of participants
Twenty-nine percent of the participants work in IT; another 29 percent work in finance and internal controls; 14 percent work in
customer service; 9 percent work in legal and compliance; 7 percent work in product design and development; 7 percent work in
sales and marketing; and the remaining 5 percent are distributed across other job functions, including manufacturing, procurement,
purchasing, and logistics.




                                                                                            © 2008 IT Policy Compliance Group, 23
Improving Results for the Legal Custody of Information



About IT Policy Compliance Group
The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations
meet their policy and regulatory compliance goals. It focuses on assisting member organizations in improving results based on
fact-based benchmarks.
The IT Policy Compliance Group Web site at www.itpolicycompliance.com features content created by leading experts in the world of
compliance and published reports containing primary research. Research and benchmarks sponsored by the Group produce
fact-based insight and recommendations about what is working and why.
The results of Group-sponsored research are designed to help legal, financial, internal controls, IT audit, IT security, and compliance
professionals to:
• Benchmark IT policy compliance efforts against peers and best-in-class performers
•    Identify key drivers, challenges and responses to implement successful IT policy and compliance initiatives
•    Determine the applicability and use of automation tools to assist, streamline and improve results
• Identify best practices for IT policy and compliance programs
The Group relies upon its supporting members, advisory members, and significant benchmark findings to drive its research and
editorial calendars.




    © 2008 IT Policy Compliance Group, 24
Improving Results for the Legal Custody of Information


IT Policy Compliance Group Supporters




Symantec Corporation            The Institute of Internal     Information Systems Audit and
                                Auditors                      Control Association
20330 Stevens Creek Boulevard   247 Maitland Avenue           3701 Algonquin Road, Suite 1010
Cupertino, CA 95014             Altamonte Springs, FL 32701   Rolling Meadows, IL 60008
+1 (408) 517 8000               +1 (407) 937 1100             +1 (847) 253 1545
www.symantec.com                www.theiia.org                www.isaca.org
info@symantec.com               iia@theiia.org                info@isaca.org




Computer Security Institute     Protiviti                     IT Governance Institute
600 Harrison Street             1290 Avenue of the            3701 Algonquin Road, Suite 1010
                                Americas, 5th Floor
San Francisco, CA 94107                                       Rolling Meadows, IL 60008
+1 (415) 947 6320               New York, New York 10104      +1 (847) 660 5600
www.gocsi.com                   +1 (212) 603 8300             www.itgi.org
csi@cmp.com                     www.protiviti.com             info@itgi.org
                                info@protiviti.com




                                                                              © 2008 IT Policy Compliance Group, 25
Improving Results for the Legal Custody of
Information




© 2008 IT Policy Compliance Group, 26
Improving Results for the Legal Custody of
Information




  © 2008 IT Policy Compliance Group, 27
Founded in 2005, the IT Policy Compliance Group conducts
benchmarks that are focused on delivering fact-based guidance
on the steps that can be taken to improve results. Benchmark
results are reported through www.itpolicycompliance.com for the
benefit of members.




IT Policy Compliance Group

Contact:
Managing Director, Jim Hurley
Telephone: +1 (216) 321 7864
jhurley@itpolicycompliance.com
www.itpolicycompliance.com
August 2008




The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not
guaranteed. Research publications reflect current conditions that are subject to change without notice.

Copyright © 2008 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners.
All rights reserved. 8/08    14524678

Más contenido relacionado

La actualidad más candente

What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information GovernanceAtle Skjekkeland
 
Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Winston & Strawn LLP
 
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...Information Analytics: Know What Is In Your E-files To Save Millions and Mana...
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...Paragon Solutions
 
Cybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataCybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataRocket Matter, LLC
 
Planning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessPlanning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessRich Medina
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEryk Budi Pratama
 
Michael Josephs
Michael JosephsMichael Josephs
Michael JosephsdaveGBE
 
Records management overview - InFuture
Records management overview - InFutureRecords management overview - InFuture
Records management overview - InFutureGreg Reid
 
Microsoft Server Infrastructure Optimization White Paper
Microsoft Server Infrastructure Optimization White PaperMicrosoft Server Infrastructure Optimization White Paper
Microsoft Server Infrastructure Optimization White PaperZAG Technical Services
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?Eryk Budi Pratama
 
“Rebuilding Corporate Trust: The Essential Role Of IT Governance
“Rebuilding Corporate Trust: The Essential Role Of IT Governance“Rebuilding Corporate Trust: The Essential Role Of IT Governance
“Rebuilding Corporate Trust: The Essential Role Of IT GovernanceSUNIL KUMAR KOHLI, IDAS ndc
 
Building the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyBuilding the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyAIIM International
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? SecurityScorecard
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)Craig Mullins
 

La actualidad más candente (20)

What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information Governance
 
Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?
 
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...Information Analytics: Know What Is In Your E-files To Save Millions and Mana...
Information Analytics: Know What Is In Your E-files To Save Millions and Mana...
 
Cybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm DataCybersecurity: How To Protect Your Law Firm Data
Cybersecurity: How To Protect Your Law Firm Data
 
Planning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessPlanning Information Governance and Litigation Readiness
Planning Information Governance and Litigation Readiness
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
 
Principles of Holistic Information Governance
Principles of Holistic Information GovernancePrinciples of Holistic Information Governance
Principles of Holistic Information Governance
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
Real Time Risk Management
Real Time Risk ManagementReal Time Risk Management
Real Time Risk Management
 
IP 101 for Emerging Companies
IP 101 for Emerging Companies IP 101 for Emerging Companies
IP 101 for Emerging Companies
 
Records management overview - InFuture
Records management overview - InFutureRecords management overview - InFuture
Records management overview - InFuture
 
Microsoft Server Infrastructure Optimization White Paper
Microsoft Server Infrastructure Optimization White PaperMicrosoft Server Infrastructure Optimization White Paper
Microsoft Server Infrastructure Optimization White Paper
 
July 2010 Cover Story
July 2010 Cover StoryJuly 2010 Cover Story
July 2010 Cover Story
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?
 
Ekwensi ACC article
Ekwensi ACC articleEkwensi ACC article
Ekwensi ACC article
 
SLVA - Developing an IT GRC Strategy
SLVA - Developing an IT GRC StrategySLVA - Developing an IT GRC Strategy
SLVA - Developing an IT GRC Strategy
 
“Rebuilding Corporate Trust: The Essential Role Of IT Governance
“Rebuilding Corporate Trust: The Essential Role Of IT Governance“Rebuilding Corporate Trust: The Essential Role Of IT Governance
“Rebuilding Corporate Trust: The Essential Role Of IT Governance
 
Building the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyBuilding the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your Company
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
 

Destacado

Pre-Cal 30S January 5, 2009
Pre-Cal 30S January 5, 2009Pre-Cal 30S January 5, 2009
Pre-Cal 30S January 5, 2009Darren Kuropatwa
 
Value analysis and value engineering
Value analysis and value engineeringValue analysis and value engineering
Value analysis and value engineeringAyush dixit
 
Value Engineering And Value Analysis
Value Engineering And Value AnalysisValue Engineering And Value Analysis
Value Engineering And Value Analysisthombremahesh
 
9 Learning Strategies from Knowledge to Know-How
9 Learning Strategies from Knowledge to Know-How9 Learning Strategies from Knowledge to Know-How
9 Learning Strategies from Knowledge to Know-HowLinkedIn Learning Solutions
 
11 Things Healthy People Do Every Morning
11 Things Healthy People Do Every Morning11 Things Healthy People Do Every Morning
11 Things Healthy People Do Every MorningEason Chan
 

Destacado (7)

Pre-Cal 30S January 5, 2009
Pre-Cal 30S January 5, 2009Pre-Cal 30S January 5, 2009
Pre-Cal 30S January 5, 2009
 
IPR NDA and ANDA
IPR NDA and ANDAIPR NDA and ANDA
IPR NDA and ANDA
 
Value Engineering
Value EngineeringValue Engineering
Value Engineering
 
Value analysis and value engineering
Value analysis and value engineeringValue analysis and value engineering
Value analysis and value engineering
 
Value Engineering And Value Analysis
Value Engineering And Value AnalysisValue Engineering And Value Analysis
Value Engineering And Value Analysis
 
9 Learning Strategies from Knowledge to Know-How
9 Learning Strategies from Knowledge to Know-How9 Learning Strategies from Knowledge to Know-How
9 Learning Strategies from Knowledge to Know-How
 
11 Things Healthy People Do Every Morning
11 Things Healthy People Do Every Morning11 Things Healthy People Do Every Morning
11 Things Healthy People Do Every Morning
 

Similar a Orange Legal Technologies Corporate Information Briefing 1108

Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...The Economist Media Businesses
 
Convergence Compliance E Discovery Rim.Doc
Convergence Compliance E Discovery Rim.DocConvergence Compliance E Discovery Rim.Doc
Convergence Compliance E Discovery Rim.DocDavid Haines
 
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxvrickens
 
The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...Rabelani Dagada
 
The top trends changing the landscape of Information Management
The top trends changing the landscape of Information ManagementThe top trends changing the landscape of Information Management
The top trends changing the landscape of Information ManagementVelrada
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...IT Governance Ltd
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...PECB
 
How to turn GDPR into a Strategic Advantage using Connected Data
How to turn GDPR into a Strategic Advantage using Connected DataHow to turn GDPR into a Strategic Advantage using Connected Data
How to turn GDPR into a Strategic Advantage using Connected DataNeo4j
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgeManaging Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgePerficient, Inc.
 
Bridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and RetentionBridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and RetentionInfoGoTo
 
A Practical Guide To Information Governance
A Practical Guide To Information GovernanceA Practical Guide To Information Governance
A Practical Guide To Information GovernanceMichael Curcio
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overviewelvinchan
 
GDPR and Data Quality - A Service Objects webinar
GDPR and Data Quality - A Service Objects webinarGDPR and Data Quality - A Service Objects webinar
GDPR and Data Quality - A Service Objects webinarRob Manser
 
The Sarbanes Oxley ( Sox ) Act
The Sarbanes Oxley ( Sox ) ActThe Sarbanes Oxley ( Sox ) Act
The Sarbanes Oxley ( Sox ) ActDana Boo
 
EU GDPR: What You Really Need to Know
EU GDPR: What You Really Need to Know EU GDPR: What You Really Need to Know
EU GDPR: What You Really Need to Know Sarah Crabb
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfCIOWomenMagazine
 

Similar a Orange Legal Technologies Corporate Information Briefing 1108 (20)

Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...
 
Convergence Compliance E Discovery Rim.Doc
Convergence Compliance E Discovery Rim.DocConvergence Compliance E Discovery Rim.Doc
Convergence Compliance E Discovery Rim.Doc
 
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docxITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
ITS 833 – INFORMATION GOVERNANCEChapter 1 – The Onslaught of.docx
 
EDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records ManagementEDI 2009 Controlling E-Discovery Costs through Records Management
EDI 2009 Controlling E-Discovery Costs through Records Management
 
The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...The integration of legal aspects in Information Security: Is your organisatio...
The integration of legal aspects in Information Security: Is your organisatio...
 
It Budget Tips
It Budget TipsIt Budget Tips
It Budget Tips
 
The top trends changing the landscape of Information Management
The top trends changing the landscape of Information ManagementThe top trends changing the landscape of Information Management
The top trends changing the landscape of Information Management
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...
 
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
GDPR and Data Protection: Ensure compliance and minimize the risk of penaltie...
 
How to turn GDPR into a Strategic Advantage using Connected Data
How to turn GDPR into a Strategic Advantage using Connected DataHow to turn GDPR into a Strategic Advantage using Connected Data
How to turn GDPR into a Strategic Advantage using Connected Data
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital AgeManaging Privacy Risk and Promoting Ethical Culture in the Digital Age
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
 
Bridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and RetentionBridging the Gap Between Privacy and Retention
Bridging the Gap Between Privacy and Retention
 
ch02.pdf
ch02.pdfch02.pdf
ch02.pdf
 
A Practical Guide To Information Governance
A Practical Guide To Information GovernanceA Practical Guide To Information Governance
A Practical Guide To Information Governance
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
 
Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19 Standards in Third Party Risk - DVV Solutions ISACA North May 19
Standards in Third Party Risk - DVV Solutions ISACA North May 19
 
GDPR and Data Quality - A Service Objects webinar
GDPR and Data Quality - A Service Objects webinarGDPR and Data Quality - A Service Objects webinar
GDPR and Data Quality - A Service Objects webinar
 
The Sarbanes Oxley ( Sox ) Act
The Sarbanes Oxley ( Sox ) ActThe Sarbanes Oxley ( Sox ) Act
The Sarbanes Oxley ( Sox ) Act
 
EU GDPR: What You Really Need to Know
EU GDPR: What You Really Need to Know EU GDPR: What You Really Need to Know
EU GDPR: What You Really Need to Know
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
 

Más de legalinfo

Notice Appealable Decisions; Legal Notice Plumas National Forest, Ca
Notice Appealable Decisions; Legal Notice Plumas National Forest, CaNotice Appealable Decisions; Legal Notice Plumas National Forest, Ca
Notice Appealable Decisions; Legal Notice Plumas National Forest, Calegalinfo
 
The Legalities Of All Capital Letters Names (Your Drivers License)
The Legalities Of All Capital Letters Names (Your Drivers License)The Legalities Of All Capital Letters Names (Your Drivers License)
The Legalities Of All Capital Letters Names (Your Drivers License)legalinfo
 
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...legalinfo
 
Rule Legal Assistance Eligibility; Maximum Income Guidelines
Rule Legal Assistance Eligibility; Maximum Income GuidelinesRule Legal Assistance Eligibility; Maximum Income Guidelines
Rule Legal Assistance Eligibility; Maximum Income Guidelineslegalinfo
 
Rfi Ds Report Legality
Rfi Ds Report LegalityRfi Ds Report Legality
Rfi Ds Report Legalitylegalinfo
 
Regulation Of The Legal Profession
Regulation Of The Legal ProfessionRegulation Of The Legal Profession
Regulation Of The Legal Professionlegalinfo
 
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...legalinfo
 
Proposed Rule Legal Assistance Eligibility; Maximum Income
Proposed Rule Legal Assistance Eligibility; Maximum IncomeProposed Rule Legal Assistance Eligibility; Maximum Income
Proposed Rule Legal Assistance Eligibility; Maximum Incomelegalinfo
 
Pre Paid Legal Power Point
Pre Paid Legal Power PointPre Paid Legal Power Point
Pre Paid Legal Power Pointlegalinfo
 
Numerals In Legal Or Financial Documents
Numerals In Legal Or Financial DocumentsNumerals In Legal Or Financial Documents
Numerals In Legal Or Financial Documentslegalinfo
 
Notice Meetings Legal Division
Notice Meetings Legal DivisionNotice Meetings Legal Division
Notice Meetings Legal Divisionlegalinfo
 
Making Your E Biz Legal
Making Your E Biz LegalMaking Your E Biz Legal
Making Your E Biz Legallegalinfo
 
Legal Research Skills How Competent Are Our Lawyers
Legal Research Skills   How Competent Are Our LawyersLegal Research Skills   How Competent Are Our Lawyers
Legal Research Skills How Competent Are Our Lawyerslegalinfo
 
Legal Research And Law Library Management
Legal Research And Law Library ManagementLegal Research And Law Library Management
Legal Research And Law Library Managementlegalinfo
 
Legal Lines Wills And Trusts
Legal Lines   Wills And TrustsLegal Lines   Wills And Trusts
Legal Lines Wills And Trustslegalinfo
 
Legal Information Buyers Guide And Reference Manual 2006
Legal Information Buyers Guide And Reference Manual 2006Legal Information Buyers Guide And Reference Manual 2006
Legal Information Buyers Guide And Reference Manual 2006legalinfo
 
Legal Ethics On The Web
Legal Ethics On The WebLegal Ethics On The Web
Legal Ethics On The Weblegalinfo
 
Legal Ethics And Professional Conduct
Legal Ethics And Professional ConductLegal Ethics And Professional Conduct
Legal Ethics And Professional Conductlegalinfo
 
Legal Corporate Drafting (India)
Legal Corporate Drafting (India)Legal Corporate Drafting (India)
Legal Corporate Drafting (India)legalinfo
 

Más de legalinfo (20)

Notice Appealable Decisions; Legal Notice Plumas National Forest, Ca
Notice Appealable Decisions; Legal Notice Plumas National Forest, CaNotice Appealable Decisions; Legal Notice Plumas National Forest, Ca
Notice Appealable Decisions; Legal Notice Plumas National Forest, Ca
 
The Legalities Of All Capital Letters Names (Your Drivers License)
The Legalities Of All Capital Letters Names (Your Drivers License)The Legalities Of All Capital Letters Names (Your Drivers License)
The Legalities Of All Capital Letters Names (Your Drivers License)
 
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...
Rule Of Law In Singapore Independence Of The Judiciary And The Legal Professi...
 
Rule Legal Assistance Eligibility; Maximum Income Guidelines
Rule Legal Assistance Eligibility; Maximum Income GuidelinesRule Legal Assistance Eligibility; Maximum Income Guidelines
Rule Legal Assistance Eligibility; Maximum Income Guidelines
 
Rfi Ds Report Legality
Rfi Ds Report LegalityRfi Ds Report Legality
Rfi Ds Report Legality
 
Regulation Of The Legal Profession
Regulation Of The Legal ProfessionRegulation Of The Legal Profession
Regulation Of The Legal Profession
 
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...
Real Estate India Legal Deed Formats By Assetventures.In Indiaproperties4u.Co...
 
Proposed Rule Legal Assistance Eligibility; Maximum Income
Proposed Rule Legal Assistance Eligibility; Maximum IncomeProposed Rule Legal Assistance Eligibility; Maximum Income
Proposed Rule Legal Assistance Eligibility; Maximum Income
 
Pre Paid Legal Power Point
Pre Paid Legal Power PointPre Paid Legal Power Point
Pre Paid Legal Power Point
 
Numerals In Legal Or Financial Documents
Numerals In Legal Or Financial DocumentsNumerals In Legal Or Financial Documents
Numerals In Legal Or Financial Documents
 
Notice Meetings Legal Division
Notice Meetings Legal DivisionNotice Meetings Legal Division
Notice Meetings Legal Division
 
Making Your E Biz Legal
Making Your E Biz LegalMaking Your E Biz Legal
Making Your E Biz Legal
 
Legal
LegalLegal
Legal
 
Legal Research Skills How Competent Are Our Lawyers
Legal Research Skills   How Competent Are Our LawyersLegal Research Skills   How Competent Are Our Lawyers
Legal Research Skills How Competent Are Our Lawyers
 
Legal Research And Law Library Management
Legal Research And Law Library ManagementLegal Research And Law Library Management
Legal Research And Law Library Management
 
Legal Lines Wills And Trusts
Legal Lines   Wills And TrustsLegal Lines   Wills And Trusts
Legal Lines Wills And Trusts
 
Legal Information Buyers Guide And Reference Manual 2006
Legal Information Buyers Guide And Reference Manual 2006Legal Information Buyers Guide And Reference Manual 2006
Legal Information Buyers Guide And Reference Manual 2006
 
Legal Ethics On The Web
Legal Ethics On The WebLegal Ethics On The Web
Legal Ethics On The Web
 
Legal Ethics And Professional Conduct
Legal Ethics And Professional ConductLegal Ethics And Professional Conduct
Legal Ethics And Professional Conduct
 
Legal Corporate Drafting (India)
Legal Corporate Drafting (India)Legal Corporate Drafting (India)
Legal Corporate Drafting (India)
 

Último

ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJF
ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJFASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJF
ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJFJulia Kaye
 
10 Things That Will Shape the Future of Education.pdf
10 Things That Will Shape the Future of Education.pdf10 Things That Will Shape the Future of Education.pdf
10 Things That Will Shape the Future of Education.pdfEducationView
 
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptx
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptxSTORY OF SUSAN & JUDY - CEREBRAL PALSY.pptx
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptxsheenam bansal
 
Fireman Resume Strikuingly Text............................
Fireman Resume Strikuingly Text............................Fireman Resume Strikuingly Text............................
Fireman Resume Strikuingly Text............................calvinjamesmappala
 
127. Reviewer Certificate in BP International
127. Reviewer Certificate in BP International127. Reviewer Certificate in BP International
127. Reviewer Certificate in BP InternationalManu Mitra
 
asdfasdiofujasloidfoia nslkflsdkaf jljffs
asdfasdiofujasloidfoia nslkflsdkaf jljffsasdfasdiofujasloidfoia nslkflsdkaf jljffs
asdfasdiofujasloidfoia nslkflsdkaf jljffsJulia Kaye
 
reStartEvents March 28th TS/SCI & Above Employer Directory.pdf
reStartEvents March 28th TS/SCI & Above Employer Directory.pdfreStartEvents March 28th TS/SCI & Above Employer Directory.pdf
reStartEvents March 28th TS/SCI & Above Employer Directory.pdfKen Fuller
 
Audhina Nur Afifah Resume & Portofolio_2024.pdf
Audhina Nur Afifah Resume & Portofolio_2024.pdfAudhina Nur Afifah Resume & Portofolio_2024.pdf
Audhina Nur Afifah Resume & Portofolio_2024.pdfaudhinafh1
 
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptx
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptxkids gpaddfghtggvgghhhuuuuuhhhgggggy.pptx
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptxJagrutiSononee
 
Moaaz Hassan El-Shayeb - Projects Portfolio
Moaaz Hassan El-Shayeb - Projects PortfolioMoaaz Hassan El-Shayeb - Projects Portfolio
Moaaz Hassan El-Shayeb - Projects Portfoliomoaaz el-shayeb
 
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, Conventions
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, ConventionsChapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, Conventions
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, ConventionsMd Shaifullar Rabbi
 
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Md Shaifullar Rabbi
 
wealth_spend_bharatpeVerse_Analysis .pptx
wealth_spend_bharatpeVerse_Analysis .pptxwealth_spend_bharatpeVerse_Analysis .pptx
wealth_spend_bharatpeVerse_Analysis .pptxAnuragBhakuni4
 
Nashon Holloway - Media/Press Kit - Priv
Nashon Holloway - Media/Press Kit - PrivNashon Holloway - Media/Press Kit - Priv
Nashon Holloway - Media/Press Kit - PrivNashonHolloway
 
How to Host a Successful Webinar for Success?
How to Host a Successful Webinar for Success?How to Host a Successful Webinar for Success?
How to Host a Successful Webinar for Success?StrengthsTheatre
 
Blockchain_TezosDeveloperCommunitySNSCE.pdf
Blockchain_TezosDeveloperCommunitySNSCE.pdfBlockchain_TezosDeveloperCommunitySNSCE.pdf
Blockchain_TezosDeveloperCommunitySNSCE.pdfVISHNURAJSSNSCEAD
 
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...FaHaD .H. NooR
 

Último (17)

ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJF
ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJFASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJF
ASDFSDFASDFASDFASDFOUIASHDFOIASUD FOIJSADO;IFJOISADJF
 
10 Things That Will Shape the Future of Education.pdf
10 Things That Will Shape the Future of Education.pdf10 Things That Will Shape the Future of Education.pdf
10 Things That Will Shape the Future of Education.pdf
 
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptx
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptxSTORY OF SUSAN & JUDY - CEREBRAL PALSY.pptx
STORY OF SUSAN & JUDY - CEREBRAL PALSY.pptx
 
Fireman Resume Strikuingly Text............................
Fireman Resume Strikuingly Text............................Fireman Resume Strikuingly Text............................
Fireman Resume Strikuingly Text............................
 
127. Reviewer Certificate in BP International
127. Reviewer Certificate in BP International127. Reviewer Certificate in BP International
127. Reviewer Certificate in BP International
 
asdfasdiofujasloidfoia nslkflsdkaf jljffs
asdfasdiofujasloidfoia nslkflsdkaf jljffsasdfasdiofujasloidfoia nslkflsdkaf jljffs
asdfasdiofujasloidfoia nslkflsdkaf jljffs
 
reStartEvents March 28th TS/SCI & Above Employer Directory.pdf
reStartEvents March 28th TS/SCI & Above Employer Directory.pdfreStartEvents March 28th TS/SCI & Above Employer Directory.pdf
reStartEvents March 28th TS/SCI & Above Employer Directory.pdf
 
Audhina Nur Afifah Resume & Portofolio_2024.pdf
Audhina Nur Afifah Resume & Portofolio_2024.pdfAudhina Nur Afifah Resume & Portofolio_2024.pdf
Audhina Nur Afifah Resume & Portofolio_2024.pdf
 
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptx
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptxkids gpaddfghtggvgghhhuuuuuhhhgggggy.pptx
kids gpaddfghtggvgghhhuuuuuhhhgggggy.pptx
 
Moaaz Hassan El-Shayeb - Projects Portfolio
Moaaz Hassan El-Shayeb - Projects PortfolioMoaaz Hassan El-Shayeb - Projects Portfolio
Moaaz Hassan El-Shayeb - Projects Portfolio
 
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, Conventions
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, ConventionsChapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, Conventions
Chapter-1 IATA, UFTAA, ICAO, FAA, CAA, ATAB, Conventions
 
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
Chapter-4 Introduction to Global Distributions System and Computerized Reserv...
 
wealth_spend_bharatpeVerse_Analysis .pptx
wealth_spend_bharatpeVerse_Analysis .pptxwealth_spend_bharatpeVerse_Analysis .pptx
wealth_spend_bharatpeVerse_Analysis .pptx
 
Nashon Holloway - Media/Press Kit - Priv
Nashon Holloway - Media/Press Kit - PrivNashon Holloway - Media/Press Kit - Priv
Nashon Holloway - Media/Press Kit - Priv
 
How to Host a Successful Webinar for Success?
How to Host a Successful Webinar for Success?How to Host a Successful Webinar for Success?
How to Host a Successful Webinar for Success?
 
Blockchain_TezosDeveloperCommunitySNSCE.pdf
Blockchain_TezosDeveloperCommunitySNSCE.pdfBlockchain_TezosDeveloperCommunitySNSCE.pdf
Blockchain_TezosDeveloperCommunitySNSCE.pdf
 
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...
FAHAD HASSAN NOOR || UCP Business School Data Analytics Head Recommended | MB...
 

Orange Legal Technologies Corporate Information Briefing 1108

  • 1. August 2008 Improving Results for the Legal Custody of Information IT Policy Compliance Group
  • 3. Improving Results for the Legal Custody of Information Contents Executive Summary 3 Key Findings 3 Implications and Analysis 5 Recommendations for Action 6 Research Findings 7 Burden of Legal Requests: More Likely to Impact Large Enterprises 7 Large Enterprises: More Legal Summonses and Holds Related to Information 7 Maturity of Practices for Legal Hold 8 Confidence in Responding to Legal Requests for Information 9 Equal Opportunity Outcomes for Legal Holds 10 Average Financial Settlements and Expenses, by Size of Organization 10 Expenses Vary Significantly by the Maturity of Practices for Legal Holds 11 Who’s Involved in Finding, Producing and Protecting Information 11 Paper, Legacy Information and Electronically Stored Information 12 Most Time-Consuming and Expensive Information to Find, Protect, and Produce 13 Time and Expense in IT to Find, Protect, and Produce 13 Strategic Actions and Practices that Improve Maturity and Results 14 Practices and Capabilities in IT that Improve Maturity and Results 15 Most Helpful Technologies to Find, Protect and Produce Data 16 Discussions with the Lawyers 17 ESI and the Scope of Legal Discovery 17 ESI and the Impact of Age and Time 17 Legal Requests and Summonses for Information 17 Information Formats, Indexing and Costs 18 Recommendations from the Lawyers 18 Regulatory Drivers and Legal Custody of Information 18 Legal Custody and Controls Effectiveness 19 Maturity Impacts Legal Custody, Compliance, and Data Protection 20 Who Should Improve the Maturity of Practices for Legal Hold 20 Taking Action to Improve Results 21 About the Research 23 About IT Policy Compliance Group 24 © 2008 IT Policy Compliance Group
  • 5. Improving Results for the Legal Custody of Information Executive Summary Key Findings Large enterprise spend more than other firms for legal holds The average financial costs of legal holds placed on information for firms with normative practices include: • Large enterprises: From $500,000 to more than $9 million annually. • Midsize organizations: From $300,000 to $500,000 each year. • Small businesses: Less than $300,000 per year. Costs for legal custody are driven by maturity of practices Organizations with the least mature practices are spending much more, as follows: • Large enterprises: From $1.5 million to more than $28 million annually. • Midsize organizations: From $800,000 to $1.5 million each year. • Small businesses: Less than $800,000 per year. Firms with the most mature practices are spending much less, as follows: • Large enterprises: From $120,000 to $2.6 million annually. • Midsize organizations: From $66,000 to $120,000 each year. • Small businesses: Less than $66,000 per year. Improvements to practices increase confidence and reduce expenses The realities are: Firms with the most confidence in the accessibility, completeness and accuracy of data have most mature practices and spend the least on legal holds. Firms with the least confidence in the accessibility, completeness and accuracy of data have the least mature practices and spend the most of legal holds. Large enterprises have a latent advantage that can be leveraged Accessibility, completeness and accuracy of data to support legal holds depend on how much information is electronically stored information (ESI). The numbers show: ESI among large enterprises: 50 to 70 percent. ESI among midsize firms: 35 percent to 50 percent. ESI among small businesses: 20 percent to 35 percent. However, this latent advantage can only be leveraged if information is indexed for rapid search, protection, preservation and production in response to legal requests. Strategic actions and practices that are improving results and reducing costs The strategic actions that are improving results include: Notifying affected employees of legal holds on information within one hour. Responding to legal requests within one day. Maintaining evidence of handling of data and delivering training to employees. Identifying business and financial risks and measuring results. Updating policies and procedures and updating records retention programs. Improving the quality of legal counsel and legal hold procedures and controls. Forming cross-functional teams to respond to requests within one day. © 2008 IT Policy Compliance Group, 3
  • 6. Improving Results for the Legal Custody of Information Key Findings (continued) Practices in IT that are improving results and reducing costs The actions and practices in IT that are shown to improve results include: Identifying the gaps in procedural and technical controls. Converting information into electronic formats. Inventorying and indexing information for rapid search. Increasing the frequency of monitoring and measurements. Correcting gaps in procedural and technical controls. Updating policies and procedures. Improving technical and procedural controls. Most helpful technologies to improve results The technologies being employed by the firms with the most mature practices and the lowest expenses include: Backup and archive. Data capture and conversion tools. Data and record indexing tools. Records retention and destruction tools. Employee education and training tools. Information to target The information routinely indexed to search preserve and produce information in response to legal holds by the firms with the most mature practices and lowest costs, include: Email, office productivity files, and instant messaging. Industry-specific information. Product and financial information. Employee and customer related information. Improving the maturity of practices for data custody pays off Improving the maturity of practices for legal custody yields huge reductions to current expenses: Organizations with the least mature practices can reduce overall expenses for legal custody by a factor of 13 by improving practices. The majority of firms, those operating at the norm, can reduce expenses by a factor of 4 by improving practices. Improving the maturity of practices for the legal custody of information Reduces expenses for legal settlements and fees Reduces expenses in IT to find, produce, protect and preserve information on hold © 2008 IT Policy Compliance Group, 4
  • 7. Improving Results for the Legal Custody of Information Implications and Analysis Legal holds on information start when an organization learns of, or can reasonably anticipate current or pending litigation and regulatory investigations. The complexities involved in complying with legal requests for information are most prudently carried out under the direction of legal counsel. As such, whether a firm is named as a defendant, or is caught up in litigation as a third-party, the custody of information covered by a legal hold should be directed by legal counsel. Notifying employees, and potentially suppliers or customers, is just the start of a legal process governing holds on information. Large enterprises: Follow the money Despite a broad 50/50 chance of being served a court summons related to data and records, larger enterprises are bearing the brunt of such demands. For large enterprises, the likelihood of summonses start at two per year, and can exceed five or more events annually, while the number of annual legal requests for information are far higher. Legal settlement costs; legal expenses; and costs related to finding, protecting, preserving, Large enterprises with the and producing data in response to legal holds for information are far higher among larger least mature practices are enterprises than midsize organizations and small businesses. spending between $1.5 Among larger enterprises, average costs and expenses related to legal holds placed on million to more than $28 information range from $500,000 to more than $9 million annually, depending on the size million annually, depending of the organization. on the size of the organization. However, the maturity of practices for information governed by legal holds directly influence spending. Large enterprises with the most mature practices are spending only 25 percent of the amount firms with normative practices spend: from $120,000 to more than $2.6 million annually, depending on the size of the firm. Conversely, organizations with the least mature practices are spending much more than all other firms. Large enterprises with the least mature practices are spending three times more than firms with normative practices spend: from $1.5 million to more than $28 million annually, depending on the size of the organization. ESI: The wave has hit the beach Although paper-based records are identified as the most traditional format and the most time consuming and expensive for all organizations, the research conducted with attorneys shows that electronically stored information (ESI) requests are increasingly making up a larger proportion of the legal requests, especially for email and office productivity files among other forms of ESI. Unless ESI (email, office files, product design records, customer transaction data, instant messaging files, financial transactions, etc) is indexed for rapid search, protection and production, it offers no obvious benefit. For example, 10 Gigabytes of information is about 500,000 pages, close to 200 boxes of paper that would normally not be indexed while being stored off-site. Practice maturities dictate outcomes Neither the size of an organization nor the industry within which it competes is the arbiter of better or worse performance results, or of higher or lower costs. Rather, the practices implemented for legal custody are what distinguish how much is being spent, and how well or poorly organizations are able to respond to legal holds governing information. Organizations that respond more Strategic Actions and Practices making a Difference rapidly to holds governing The strategic actions distinguishing firms with the best results for legal custody include: information are also excelling at • Maintaining evidence of handling for records and data delivering training to regulatory compliance and the employees protection of sensitive data. • Identifying business and financial risks • Measuring results Practices in IT that are Making a Difference Leading firms are converting more information into indexed, searchable electronic formats that can more rapidly be found, preserved, protected, and produced in response to legal requests. Examples of the kind of information being converted into structured electronic records for rapid search, protection, and production include: © 2008 IT Policy Compliance Group, 5
  • 8. Improving Results for the Legal Custody of Information • Email and attachments • Office documents • Instant messaging files • Audio files (telephone records) Organizations performing as leaders for legal custody are also excelling at regulatory compliance and the protection of sensitive data. Taking a holistic view of compliance, these firms are treating the legal custody of information as one aspect of managing information in an increasingly electronically interconnected World. Recommendations for Action Based on the quantitative results of the benchmarks and the qualitative research conducted with the lawyers, the principle recommendations include the following. Large enterprises Should take action: are clearly the primary targets of legal request for information Should aggressively improve the maturity of practices to limit financial pain Midsize organizations Should evaluate financial impact, past experience and industry setting Should be improving easier-to-implement practices with large paybacks Improve organizational practices Notify affected employees about a legal hold on information within one hour or less Respond to the initial request within one business day or less Update corporate policies and procedures Improve the quality of legal counsel Form a cross-functional response team Conduct employee training consistently Revise records retention policies and procedures Improve legal hold procedures and controls Measure results more frequently Improve practices and capabilities IT Target highly probable areas to convert into electronically indexed, searchable archives — especially email, invoices, telephone records, and financial data Use indexing tools to enable the rapid search of information covered by requests Archive and index paper-based records and data that are most likely targets Target additional types of data for conversion, based on industry-specific litigation Update IT policies and procedures for the retention and destruction of information Maintain evidence of handling and protection of data and records Correct gaps in IT procedures and controls Measure the effectiveness of controls more frequently © 2008 IT Policy Compliance Group, 6
  • 9. Improving Results for the Legal Custody of Information Research Findings Burden of Legal Requests: More Likely to Impact Large Enterprises For most firms, there is a 50 percent chance that data and records will have to be found, protected, and produced in response to legal requests or court summons. However, not all organizations are burdened with the need to find, protect and produce information in response to legal requests and summonses equally. Rather, large enterprises are bearing the brunt of responding to legal requests for data, with six out of ten large firms taking action to find, protect and produce data in response to such demands (Figure 1). Figure 1: Firms That Are Finding, Protecting, and Producing Information Source: IT Policy Compliance Group, 2008 By comparison, only three out of ten small businesses with revenues below $50 million are spending time to find, produce and protect records and data in response to legal requests and summonses. And, only five out of ten midsize organizations are spending time to respond to these demands. Large Enterprises: More Legal Summonses and Holds Related to Information The number of legal summonses received each year is directly related to the size of an organization, with large enterprises experiencing more such events annually. However, according to the lawyers interviewed, actual court summonses represent but a small portion of the total number of legal requests for data, in the range of 2 to 10 percent of all legal requests. Organizations with annual revenues between $100 million and $1 billion should plan on at least one to two court actions each year. Firms with $10 billion in annual revenue should plan for between two and five such events annually. Organizations with more than $100 billion in revenue should plan for more than five summonses each year. While far more legal holds on data occur than summons received, and large enterprises are experiencing more summons related to legal holds placed on information, the findings deliver proof that “if you follow the money”, the action is clearly focused on large enterprises (Figure 2). © 2008 IT Policy Compliance Group, 7
  • 10. Improving Results for the Legal Custody of Information Figure 2: Number of Annual Summonses by Revenue Source: IT Policy Compliance Group, 2008 Maturity of Practices for Legal Hold Not all firms notify affected employees and respond to legal requests for data and records in the same amount of time. In fact, the benchmark results show a normal distribution for these two key metrics (Figure 3). Figure 3: Distribution of Practices, Least to Most Mature © 2008 IT Policy Compliance Group, 8 Source: IT Policy Compliance Group, 2008
  • 11. Improving Results for the Legal Custody of Information Most mature practices: About one in ten firms Roughly one in ten—12 percent—of all firms are performing at the most mature levels. These firms are notifying employees in less than one hour about a legal hold on records and data and are responding to legal requests for information within one day. Industry norm: About seven in ten firms About seven in ten—almost 71 percent—of all organizations are performing at the industry norm: one to eight hours to notify employees and between one and eight days to respond to legal requests for information. Least mature: Almost two in ten firms Almost two in ten—nearly 18 percent—of all firms are performing at the least mature levels, taking more than eight hours to notify employees and more than eight days to respond to legal requests for data and records. Confidence in Responding to Legal Requests for Information According to the legal counsels interviewed, their confidence in cases involving the request of data and records depends on the accessibility, accuracy, completeness, and trustworthiness of data and records, after considering existing law and prior rulings. The research findings reveal that the firms with the most mature practice indicators, those notifying employees within one hour about a legal hold on data and responding within one day, are more confident than all other organizations. Moreover, these firms have greater confidence in the accessibility, integrity, accuracy and trustworthiness of data and records: key considerations, according to the lawyers, when dealing with legal requests for data and records (Figure 4). Figure 4: Confidence in Capabilities Source: IT Policy Compliance Group, 2008 Firms with up to one legal request for data each year are the least confident in the trustworthiness, completeness, accuracy, and accessibility of data and records. These are the same firms that are not actively finding, protecting, and producing data. If “practice makes perfect,” it may take organizations several legal requests to develop the wisdom to notify affected employees immediately and the practices needed to respond to within one day. Firms with the best results are doing things very differently than all other organizations. Whether confidence in measured by the trustworthiness, completeness, accuracy, and accessibility of data, or confidence in the legal case, the results of the benchmark indicate confidence in the procedures for data holds are necessary enablers for succeeding with the legal case. © 2008 IT Policy Compliance Group, 9
  • 12. Improving Results for the Legal Custody of Information Equal Opportunity Outcomes for Legal Holds Despite a much higher incidence rate for the number of summonses and legal requests received among larger enterprises, the performance of large firms is in line with the overall maturity of practices across firms of all sizes. This finding proves that despite more experience among large firms, firm size does not dictate outcomes (Table 1). Table 1: Different Experiences, Same Results Least Normative Most mature results mature Firms with no plans 18.2% 71.1% 10.7% and no activity Firms actively finding, 16.8% 69.9% 13.3% protecting, and producing data All firms 17.5% 70.5% 12.0% Source: IT Policy Compliance Group, 2008 Average Financial Settlements and Expenses, by Size of Organization Large enterprises operating with normative practice maturities for legal data hold are spending much more on legal settlements, legal expenses, and internal costs to find, protect and produce data than midsize organizations and small businesses (Figure 5). Figure 5: Financial Expenses of Legal Data Holds Among Normative Firms Source: IT Policy Compliance Group, 2008 A minimum of 50 percent all expenses are for legal settlements and legal expenses. Internal expenses for finding, protecting and producing data in response to legal holds range from 25 percent to 50 percent of all costs, based on the organization size. Large enterprises are spending 60 times more than small businesses and 25 times more than midsize firms on legal expenses and expenses to find, protect, and produce data. © 2008 IT Policy Compliance Group, 10
  • 13. Improving Results for the Legal Custody of Information Expenses Vary Significantly by the Maturity of Practices for Legal Holds However, financial expense among the firms with normative practices is deceiving. Total expenses are driven higher by about three-fold among firms operating with the least mature practices for legal data holds. In contrast, firms with the most mature practices are benefiting from much lower spending: about 25 percent of the expenses being borne by firms with normative practices for legal data hold (Figure 6). Figure 6: Average Annual Expenses, by Maturity of Practices Source: IT Policy Compliance Group, 2008 For example, firms with $10 billion in annual revenues are spending more, or less on legal data holds, depending on the maturity of the practices. Firms of this size with the least mature practices are spending, on average, $6.4 million; while the normative among these firms are spending about $2.1 million. Those with the most mature practices are spending much less: slightly less than $480,000 annually. The difference, more than 13 times larger among the least mature and more than 4 times larger among the majority of firms in the norm is sufficient financial incentive to improve practices for legal data holds. The maturity of practices governing legal data holds among firms is resulting in different spending experiences that include: • Spending on legal data custody that is more than 13 times larger among firms with the least mature practices • Spending on legal data custody that is more than four times larger among firms with normative practices Spending on legal and internal costs to find, protect and produce data in response to legal requests for data is reduced by more confidence: made possible by more mature practices. Who’s Involved in Finding, Producing and Protecting Information The receipt of legal requests for data is a drain on the time and focus of many different functions in the organization, including legal counsel, IT, senior managers, human resources and affected employees (Figure 7). Consistent with interviews conducted with legal counsels, the use of contractors to find, protect and produce data in response to legal requests for information is marginal, and often limited to the initial incident. The relatively high level of involvement of senior managers in finding, protecting and producing data in response to legal requests indicates either specifically named legal discovery inquiries, topical relevance such as requests related to financial filings, or a combination of these. Legal requests for information are occupying a significant amount of time that could otherwise be put to more productive purposes for servicing and retaining customers, and creating improved shareholder value. © 2008 IT Policy Compliance Group, 11
  • 14. Improving Results for the Legal Custody of Information Figure 7: Who’s Involved in Finding, Protecting and Producing Information Source: IT Policy Compliance Group, 2008 Paper, Legacy Data and Electronically Stored Information The ability to respond to a legal request quickly and with more confidence depends on two factors: the scope of the legal request for information, and whether or not the data is stored electronically. The first factor is negotiated by legal counsel, while the second factor depends on the format of the data. In alignment with fewer requests received annually, firms with the least amount of data and records stored electronically are small businesses, while the most electronically formatted data is found among larger enterprises (Figure 8). Figure 8: Electronically Stored Information, by Revenue © 2008 IT Policy Compliance Group, 12 Source: IT Policy Compliance Group, 2008
  • 15. Improving Results for the Legal Custody of Information Based on interviews conducted with legal counsels, accessibility is a key factor in determining the costs of responding to legal requests for information. For example, almost all of the lawyers interviewed say the cost of acquiring, protecting and producing information stored on older paper and electronic tape formats is much higher, and depends on being able to prove undue hardship due to inaccessibility of the data. Furthermore, the lawyers all cited a common experience of spending time and money to find relevant data on electronically stored tape formats only to find much of the information illegible due to a degradation that normally occurs to information stored on magnetic tapes over time. While it may be trickier arguing “inaccessibility” for older paper and magnetic tape formatted data, almost all the lawyers interviewed say that third-party litigants will likely prevail in having defendants or plaintiffs pay expenses related to legal holds on data. The research shows that a prevalence of electronically formatted and indexed data increases confidence in outcomes, reduces costs, and mitigates financial exposure from legal claims supported by holds on data and records. All of the lawyers interviewed say that in their experience, electronically indexed data is far easier and much less expensive to find, produce, preserve and protect. And, several of the lawyers interviewed stated, “we’re now adding a lot of other data to the (electronically stored and indexed) mix”, beyond email and office productivity documents. Most Time-Consuming and Expensive Information to Find, Protect, and Produce The most time-consuming and expensive data for organizations to find, protect, and produce are paper-based records, as well as electronically formatted data and records that are not indexed or are stored in un-indexed tape archives (Figure 9). Figure 9: Most Expensive Data to Find, Protect and Produce Source: IT Policy Compliance Group, 2008 After paper and simply archived tape archives, the evidence shows that email, financial records, customer records, and office productivity files and records are the most time-consuming and expensive information to find, protect, and produce. Given the explosive use of email and office productivity applications during the past 20 years, it is not surprising that these rank in the top tier as most time consuming and expensive. Time and Expense in IT to Find, Protect, and Produce The time required by firms to find, protect, and produce data and records in response to legal requests for data ranges from 10 percent to 25 percent of the available time in IT, depending on the size of an organization. However, not all firms of the same size are spending the same amount of time or money to find, protect and produce data. Although the time spent in IT on these activities averages almost 18 percent, actual spend on labor varies by maturity of practices: from a high exceeding 24 percent of the time in IT to a low just under 10 percent of the time in IT (Figure 10). © 2008 IT Policy Compliance Group, 13
  • 16. Improving Results for the Legal Custody of Information Figure 10: Time Spent in IT to Find, Protect, and Produce Source: IT Policy Compliance Group, 2008 A majority of organizations, those operating at the norm, can improve results without increasing labor costs in IT by leveraging retention, indexing and storage tools to better find, protect, and produce records and data in response to a legal requests. Strategic Actions and Practices that Improve Maturity and Results How quickly employees are notified and legal requests are responded to, depends on the strategic actions taken by organizations (Figure 11). The key actions taken by the firms with the most mature practices include: Updating policies and procedures Maintaining evidence of handling for records and data Identifying business and financial risks Delivering training to employees covering legal hold procedures and controls However, these are not the only actions being taken by leading firms. Others include revising records retention programs, measuring results, improving the quality of legal counsel, identifying gaps in procedural and technical controls, improving legal hold procedures and controls, and forming cross-functional teams to respond to legal holds on data. Moreover, the distinct differences in actions taken by the most mature firms include: • Maintaining evidence of handling for data and records • Improving the quality of legal counsel • Delivering training to employees • Identifying business and financial risks • Measuring results. In addition to strategic actions, specific actions and practices within IT to rapidly find, protect, preserve and produce data in response to legal requests for data are strongly influencing results. © 2008 IT Policy Compliance Group, 14
  • 17. Improving Results for the Legal Custody of Information Figure 11: Strategic Actions and Practices That Improve Results Source: IT Policy Compliance Group, 2008 Practices and Capabilities in IT that Improve Maturity and Results The findings clearly show that among the most mature firms, IT is prominently involved in a wide range of activities related to finding, protecting, and producing data in response to legal requests (Figure 12). Figure 12: Practices and Capabilities in IT that Improve Results Source: IT Policy Compliance Group, 2008 © 2008 IT Policy Compliance Group, 15
  • 18. Improving Results for the Legal Custody of Information The notable practices and capabilities within IT among the most mature firms include: Updating policies and procedures Increasing the frequency of monitoring and measurements Inventorying records and data Improving technical and procedural controls Moreover, the actions and practices within IT that most distinguish the most mature firms from all others include: 1) indexing data for rapid search, 2) increasing the frequency of monitoring and measurements, 3) correcting gaps in controls, and 4) updating policies and procedures. Most Helpful Technologies to Find, Protect and Produce Data The technologies found most helpful to find, protect, and produce data and records in response to the Legal Custody of Information include: • Tools that convert data into electronic formats • Tools that store data in electronic formats • Tools for training employees However, this list is just the start of what may be needed, because among the most mature firms, the tools found to be most helpful are those for backup and archive, training, data and indexing of information, data capture and conversion, records retention and destruction, and the identification of records and data (Figure 13). Figure 13: Most Helpful Technologies to Find Protect, and Produce Data Source: IT Policy Compliance Group, 2008 The findings clearly show that firms with the most mature practices, and the lowest costs for legal data holds, are converting data into electronically indexed formats for more rapid search, discovery, production, preservation and protection. © 2008 IT Policy Compliance Group, 16
  • 19. Improving Results for the Legal Custody of Information Discussions with Lawyers In addition to the benchmark, lawyers in the U.S. were interviewed to provide a qualitative sense of how they and their organizations are overcoming challenges associated with legal hold requests. All of the U.S.-based lawyers say that due to changes to the Federal Rules of Civil Procedure (FRCP), almost all legal requests for information now include discovery motions involving email formats and office productivity files. ESI and the Scope of Legal Discovery All of the lawyers acting on behalf of plaintiffs say that they purposely strive for the widest possible scope of discovery in order to find evidence that will bolster the case for their clients. And, all of these lawyers say that the new electronic discovery rules of the FRCP are assisting their efforts. While most of these layers admit that the scope of discovery is independent of the format of the information, and that old-fashioned paper-based records were the most common format employed in the past, almost all legal requests for information now include email, office productivity files and documents. In contrast to the “more is better” approach of litigants, lawyers acting to defend their Almost all legal requests for clients state that the primary objective is to limit the scope of inquiry, for several reasons, information now include email, and including costs, organizational churn and productivity losses, as well as a normal office productivity files. defense tactic to limit evidence. All of these attorneys say that their clients are now routinely being served with requests that include email and office documents as a matter of course. All of these attorneys say that while paper-based reports had been the norm, and continue to drive requests from older-line specialist litigation firms, the new rules governing electronic discovery have resulted in requests that also include database information, audio recordings, Web-based data, instant messaging, and other forms of electronically stored information (ESI): well beyond email and office productivity files or documents. ESI and the Impact of Age and Time The information being sought by legal requests depends on the type of litigation. For example, the lawyers involved in product liability litigation say that the normal age of information being sought dates back about five to six years. However, lawyers involved in financial reporting and fraud, benefits, pensions, life insurance, capital property and casualty claims, and those involved with longer-term workplace injuries (asbestos claims) say the information being sought dates in age from five years to many decades. According to the lawyers interviewed, information older than five years is often viewed as practically inaccessible, even if it is legally viewed as accessible. For example: almost all the lawyers interviewed cited horror stories about information stored on magnetic tapes that were found to be illegible due to a normal aging process associated with magnetic tape media formats. In addition to age and time associated with legal requests, and the format of the information, the lawyers cited an interesting twist associated with the age of attorneys acting on behalf of plaintiffs. All of the defense attorneys noted that when they are dealing with older-line plaintiff firms with primarily older attorneys, the standard formats being requested are the old stand-bys involving paper-based reports, telephone records, and more recently email and office productivity files. Only as a result of the changes to the FRCP are these older-line firms starting to more routinely request other forms of ESI. However, the profile of the requests for information changes markedly when younger ESI is not only the wave of the lawyers with younger plaintiff firms are involved. More familiar with computers and future: the ESI wave is hitting the technology, these younger firms and attorneys are serving more requests for a wider beach. variety of ESI beyond email and office productivity files. The defense attorneys all say they are noticing a direct correlation between age, technology familiarity, and an increasing number of requests for information involving a wider range of ESI data beyond email and office productivity information. According to the lawyers interviewed, ESI is not the wave of the future: the ESI wave is hitting the beach. Legal Requests and Summonses for Information Not all legal requests for information result in a court summons. Lawyers contacted just prior to publication say that in their experience, there is no typical rate for how many legal requests are resulting in a summons. Several of the lawyers quoted anecdotal experiences ranging from “1 in 10” to as few as “1 in 50” legal requests resulting in a summons. Despite an inability to quantify the relationship between legal requests and summons, all of the lawyers say that their firm receives far more legal requests for data than summons, and that all such legal requests are resulting in legal holds being placed on data. © 2008 IT Policy Compliance Group, 17
  • 20. Improving Results for the Legal Custody of Information The benchmark asked participants how many summons for data their firm had experienced in the past year. As a result of the anecdotal information regarding the number of legal requests received each year, it is difficult to reliably quantify the number of legal requests organizations can expect to receive, other than the broad ranges provided by participating legal counsels: from 1 in 10 to as few as 1 in 50 legal requests for data resulting are resulting in court summons. This anecdotal information would place the rate of summons resulting from legal requests at between 2 percent (1 in 50), to as much as 10 percent (1 in 10). These broad anecdotal ranges indicate the number of legal requests for information could range from a low of 10 each year among small businesses, to a high of 250 per year among larger enterprises. Whether the rate of requests to summons is 1 in 10, 1 in 25, or 1 in 50, it is clear that there are far more requests being received each year than summons, and that the process of legal hold on information is being initiated upon the reasonable anticipation of a legal request for information, not the receipt of a summons related to information that should have been placed on hold long before a summons arrived. Information Formats, Indexing, and Costs Paper-based formats were almost universally viewed as the most expensive to find and produce by the defense attorneys who were interviewed. However, costs for finding, producing and protecting ESI covered by legal holds spans quite a range according to the lawyers interviewed. The highest costs for finding, producing and protecting ESI governed by legal holds involves data stored on magnetic tape and other simpler, un-indexed, archived data. The lowest costs for finding, producing and protecting data were among the attorneys whose firms are employing automated solutions that immediately store copies of ESI into protected and indexed storage systems, almost all of them involving disks, CDs and other formats not involving magnetic tape. All of the defense attorneys say their initial attempts to respond to legal hold in their firm Doing the work in-house to find, involved costly manual procedures augmented by external third parties that converted protect and produce data on legal differently formatted data into standard forms for searching and responding to legal hold is less expensive, and it holds. However, all of these attorneys say that due to the costs of such outsourced reduces the risks related to errors services and the number of legal holds governing ESI, doing the work in-house to find, that could be challenged. protect and produce data on legal hold is less expensive, while reducing the risks related to errors that could be challenged. Recommendations from the Lawyers The participating lawyers recommend the following: • Establish the ground rules for what constitutes reasonable anticipation of litigation • Consistently review policies and controls for the retention and destruction of information • Establish and implement a consistent notification system • Respond to requests as soon as possible, even if the response is only for clarification • Communicate detailed instructions for finding, protecting, preserving and producing covered information • Index as much data as is reasonable, to drive down costs • Maintain the integrity of information on hold • Monitor information and the controls governing information that are on hold • Implement standard procedures for releasing information that were on hold Regulatory Drivers and Legal Custody of Information The primary regulatory mandates responsible for driving legal data hold requests include: • Sarbanes-Oxley • Specific industry regulations • Laws governing data and records • Laws governing data protection, retention, and privacy After these, the important regulatory drivers include health care data privacy laws, SEC guidelines and rules, and Federal Rules of Civil Procedure in the United States governing data and records (Figure 14). Although FRCP and e-discovery in the U.S. do not jump to the top of the list for regulatory drivers, this may be due to less familiarity with the legal requirements, or that as a legal mandate FRCP is not perceived to be regulatory mandate. The laws governing data privacy among the largely U.S.-based sample for this benchmark rank highly among organizations of all sizes, while the European data privacy laws rank highly only among large enterprises. The results indicate an overlap between the practices and capabilities needed to succeed with legal holds placed on information, and those needed for data protection, privacy, financial reporting and other legal and regulatory compliance mandates. © 2008 IT Policy Compliance Group, 18
  • 21. Improving Results for the Legal Custody of Information Figure 14: Regulatory Pressures for Legal Custody of Information Source: IT Policy Compliance Group, 2008 Legal Custody and Controls Effectiveness One such overlap is the frequency with which organizations assess the effectiveness of controls and the alignment of results between the legal data custody, the protection of sensitive data, and regulatory compliance. Firms with the most mature practices for legal data hold measure controls effectiveness once every 15 days (Figure 15). Figure 15: Frequency of Controls Assessments © 2008 IT Policy Compliance Group, 19 Source: IT Policy Compliance Group, 2008
  • 22. Improving Results for the Legal Custody of Information In contrast, a majority of firms at the norm are only measuring once every 172 days. Finally, the least mature are measuring controls effectiveness once every year. Firms with the least loss or theft of customer data and the least problems with regulatory compliance implement continuous controls assessment programs by assessing the effectiveness of controls once every 18 to 19 days. The benchmark shows that firms doing well in legal data custody, regulatory compliance, and data protection are implementing the same action: continuous assessment of controls effectiveness. Maturity Impacts Legal Custody, Compliance, and Data Protection Perhaps the most striking finding from the benchmark is the relationship between the maturity of practices between legal holds on data, and how well firms perform for regulatory compliance, and the protection of sensitive customer data. Firms that excel at the Legal Custody of Information are also the same firms that exhibit leadership for regulatory compliance and the protection of sensitive data (Figure 16). Ninety-seven percent of firms with the most mature profiles for handling legal holds on data are the exact same organizations with two or fewer regulatory compliance deficiencies that must be corrected to pass audit. Similarly, 93 percent of these leading firms are the exact same organizations with two or fewer losses of sensitive data each year. Figure 16: Regulatory Compliance, Data Protection, and Legal Custody of Information Source: IT Policy Compliance Group, 2008 The skew in these findings clearly show that the maturity of practices for regulatory compliance, data protection, and legal practices within organizations are aligned with outcomes, and that the firms with more mature practices are repurposing practices around controls for regulatory compliance, as well as controls for how sensitive data is handled, accessed, protected, preserved, searched, and produced for multiple initiatives. Who Should Improve the Maturity of Practices for Legal Hold The external pressures for most organizations to find protect, and produce data in response to a legal request for data include: • Legal, government, and regulatory mandates • Findings and recommendations from auditors • Public reputation • Evolving case law In an age where information is paramount to success and legal requests to support litigation now routinely involve electronically stored information, pragmatic management of business, financial, and market risk dictates the need to improve existing practices. © 2008 IT Policy Compliance Group, 20
  • 23. Improving Results for the Legal Custody of Information Aside from the financial burden of legal settlements and expenses, larger enterprises not improving better practices for legal data holds may experience other consequences not measured by this benchmark, including fines and penalties, elevated reputational risk, and more difficulty with customer and partner expectations. The external pressures for improving the practices for legal data hold unfortunately indicate that experience is currently the best teacher (Figure 17). Figure 17: Pressures to Take Action Source: IT Policy Compliance Group, 2008 Larger enterprises are primarily responding to legal and government findings, followed by claims settlements, public reputation, and direction from senior managers. What distinguishes the higher response rate among large enterprise includes finding and recommendations from auditors, and worry about public and brand reputation. The primary internal pressures to respond and take action include: • Direction from senior managers • Prior experience with legal requests for data • The cost of claims settlements and financial exposure. Taking Action to Improve Results In some circumstances, the primary course of action is going to be spending more money to improve legal services. But, after improving legal counsel the research shows it is essential to improve the maturity of practices for handling legal holds for information. The results of the research clearly show that for midsize and large enterprises, it makes The benchmark clearly shows that sense to: for all large enterprises, and many Strive for practice maturity leadership, for legal data hold and custody midsize firms, improving the maturity of practices for legal data Take the strategic actions shown to improve results holds will pay off. Implement the actions and practices within IT that are shown to improve the ability to find, protect, and produce data subject to legal hold Improve the maturity of organizational and IT practices Implement the technologies shown to improve results Treat the legal hold of data like other compliance activities © 2008 IT Policy Compliance Group, 21
  • 24. Improving Results for the Legal Custody of Information Small businesses Small businesses are not suffering from a large number of legal requests or summons related to information, and the rate of spend on legal data hold among small businesses is much less than all other organizations. As they say: “the pickings are slim”, among small businesses. Unless the firm has specific experience with large numbers of legal holds on information, or faces severe regulatory and legal penalties, there is no indication of huge financial pain or financial reward among most small business, to justify large spending to improve the maturity of practices for legal data custody, at this time. Midsize and large enterprises The benchmark clearly shows that for all large enterprises and many midsize organizations, improving the maturity of practices for legal data custody will pay off, with obvious financial benefits that include: • Significant reductions in overall expenses, by factors of 4 to more than 13 • Lower financial settlement expenses • Lower expenses for legal services • Lower expenses to find and produce information subject to legal hold • Lower expenses to preserve and protect data subject to legal hold Not quantified by the benchmark is the opportunity-cost for a wide variety of people involved with and responding to legal holds on information, especially among senior managers. Presumably, more mature practices would result in reductions in the amount of time senior managers are spending on this activity: allowing these people to focus on more fruitful activities. The non-financial benefits of improving the maturity of practices for legal requests for information — improved brand equity, trust, and customer retention — are beyond the results quantified by this research. For most, these could prove to be far more beneficial than the reduction of costs for legal settlements and internal expenses that will occur by improving the practices for legal custody of information. © 2008 IT Policy Compliance Group, 22
  • 25. Improving Results for the Legal Custody of Information About the Research Topics researched by the IT Policy Compliance Group (IT PCG) benchmarks are part of an ongoing research calendar established by input from supporting members, advisory members, and findings compiled from recent research. The most recent benchmark covering the Legal Custody of Information, which is the basis for this report, was conducted between October and November 2007 with 235 qualifying respondents in different organizations. The error for this benchmark research is plus or minus 6 percent. The majority of the organizations (90 percent) participating in this benchmark are located in the United States. The other 10 percent come from other countries, including Australia, Brazil, Canada, France, Germany, Ireland, Japan, the Netherlands, Poland, Singapore, Spain, the United Arab Emirates, and the United Kingdom among others. In addition to specific tracking questions common to each benchmark, the research is designed to discover answers to specific topics. The primary topic of the most recent benchmark was the experience of organizations concerning legal holds for records and data. Industries represented A wide range of industries participated in the benchmark including advertising; aerospace; agriculture; automotive; banking; chemicals; computer equipment and peripherals; computer software and services; construction, architecture, and engineering services; consumer electronics, consumer packaged goods; distribution, education, financial, and accounting services; food and beverage services, general business and repair services; government—public administration; government—defense and intelligence; health, medical, and dental services; insurance, legal services; management, scientific, and consulting services; manufacturing; medical devices; metals and metal products; mining, oil, and gas; pharmaceuticals; publishing, media, and entertainment; real estate, rental and leasing services; retail trade; telecommunication services; transportation and warehousing; travel, accommodation, and hospitality services; and utilities and wholesale trade. Manufacturing accounted for 13 percent of participating organizations. All other industries accounted for less than 10 percent of the benchmark sample. Revenue of participating organizations Thirty-five percent of the organizations participating in the benchmark have annual revenues, assets under management, or budgets that are less than $50 million. Another 23 percent have annual revenues, assets under management, or budgets that are between $50 million and $999 million. The remaining 41 percent have annual revenues, assets under management, or budgets that are $1 billion or more. Number of people employed by participating organizations Thirty-six percent of the participating organizations employ fewer than 250 people. Twenty-two percent employ between 250 and 2,499 people. The remaining 42 percent employ 2,500 or more people. Job titles of participants Thirty-two percent of the participants in the benchmark are senior managers (CEO, CFO, CIO, etc.), 14 percent are vice presidents, 25 percent are managers or directors, 27 percent are staff, and 2 percent are internal consultants. Roles of participants Twenty-nine percent of the participants work in IT; another 29 percent work in finance and internal controls; 14 percent work in customer service; 9 percent work in legal and compliance; 7 percent work in product design and development; 7 percent work in sales and marketing; and the remaining 5 percent are distributed across other job functions, including manufacturing, procurement, purchasing, and logistics. © 2008 IT Policy Compliance Group, 23
  • 26. Improving Results for the Legal Custody of Information About IT Policy Compliance Group The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations meet their policy and regulatory compliance goals. It focuses on assisting member organizations in improving results based on fact-based benchmarks. The IT Policy Compliance Group Web site at www.itpolicycompliance.com features content created by leading experts in the world of compliance and published reports containing primary research. Research and benchmarks sponsored by the Group produce fact-based insight and recommendations about what is working and why. The results of Group-sponsored research are designed to help legal, financial, internal controls, IT audit, IT security, and compliance professionals to: • Benchmark IT policy compliance efforts against peers and best-in-class performers • Identify key drivers, challenges and responses to implement successful IT policy and compliance initiatives • Determine the applicability and use of automation tools to assist, streamline and improve results • Identify best practices for IT policy and compliance programs The Group relies upon its supporting members, advisory members, and significant benchmark findings to drive its research and editorial calendars. © 2008 IT Policy Compliance Group, 24
  • 27. Improving Results for the Legal Custody of Information IT Policy Compliance Group Supporters Symantec Corporation The Institute of Internal Information Systems Audit and Auditors Control Association 20330 Stevens Creek Boulevard 247 Maitland Avenue 3701 Algonquin Road, Suite 1010 Cupertino, CA 95014 Altamonte Springs, FL 32701 Rolling Meadows, IL 60008 +1 (408) 517 8000 +1 (407) 937 1100 +1 (847) 253 1545 www.symantec.com www.theiia.org www.isaca.org info@symantec.com iia@theiia.org info@isaca.org Computer Security Institute Protiviti IT Governance Institute 600 Harrison Street 1290 Avenue of the 3701 Algonquin Road, Suite 1010 Americas, 5th Floor San Francisco, CA 94107 Rolling Meadows, IL 60008 +1 (415) 947 6320 New York, New York 10104 +1 (847) 660 5600 www.gocsi.com +1 (212) 603 8300 www.itgi.org csi@cmp.com www.protiviti.com info@itgi.org info@protiviti.com © 2008 IT Policy Compliance Group, 25
  • 28. Improving Results for the Legal Custody of Information © 2008 IT Policy Compliance Group, 26
  • 29. Improving Results for the Legal Custody of Information © 2008 IT Policy Compliance Group, 27
  • 30. Founded in 2005, the IT Policy Compliance Group conducts benchmarks that are focused on delivering fact-based guidance on the steps that can be taken to improve results. Benchmark results are reported through www.itpolicycompliance.com for the benefit of members. IT Policy Compliance Group Contact: Managing Director, Jim Hurley Telephone: +1 (216) 321 7864 jhurley@itpolicycompliance.com www.itpolicycompliance.com August 2008 The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not guaranteed. Research publications reflect current conditions that are subject to change without notice. Copyright © 2008 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners. All rights reserved. 8/08 14524678