Visualizing Hawaii: A GC’s Perspective or the Case of the Silent Wife


ABC Systems is a mid-size technology company based in the U.S. that designs and manufactures wireless routers…

Its 1:52 pm on the Friday before you leave on a much anticipated 2 week vacation in Hawaii. You’re having difficulty not thinking about what the next two weeks hold. You talk yourself into powering through the 176 emails you received since yesterday when you notice your administrative assistant has put an actual letter on your desk while you were daydreaming…

It’s a letter from the law offices of Lewis, Lewis & Tolson informing you that their client, ACME Systems, is suing your company for $225 million for conspiracy to harm ACME’s reputation and future sales by spreading false information about their newest product line. You’re told that the plaintiff has documentation (an email) from an ABC Systems employee outlining the conspiracy. You also receive a copy of the “smoking gun” email…

————
From: Ted                                                                                                                          

Date: June 2, 2012

To: Rick

Re: ACME Systems new solutions

“I would say we need to spread as much mis-information and lies about their solution’s capabilities as possible.  We need to throw up as much FUD as we can when we talk to the analyst community to give us time to get our new application to market.  Maybe we can make up a lie about them stealing their IP from a Chinese company.”

————

You’ve got to be kidding me! Once this news gets out the stock will be hit, the board will want an explanation and estimate of potential damage to the company reputation, our channel partners will want to have a legal opinion on the sales in the pipeline, the direct sales force will want a document to give to their potential customers, and the CEO will want estimates of merit etc. as soon as possible…There goes the vacation…and probably my marriage.

Scenario #1

Now what do I do now?

  1. Find out who this “Ted” guy is! (Don’t forget “Rick”)
  2. Find out who Ted and Rick reports to and what department they work in
  3. Call the VP of IT and give her a heads up on what you are going to be asking for
  4. Call your outside counsel and alert them as well
  5. Send an email to the VP of IT (and CC outside counsel) asking her to immediately secure Ted and Rick’s email accounts and any email backup tapes
  6. Send an email to Ted and Rick (and CC outside counsel) asking them to actively collect and secure under a litigation hold any documents and email that has anything to do with ABC Systems (strange thing is the email system has no one by the name of TED in it)
  7. Ask the VP of IT to find the original email from Ted to Rick and any other email messages involved in that conversation thread
  8. Get on the phone to the CEO and update him
  9. Call your wife and tell her to cancel the vacation plans

Five minutes after your wife hangs up on you in mid-sentence the VP of IT calls and informs you that the company has a 90 day email retention policy and recycles backup tapes every 6 months…the original emails don’t exist anymore. And by the way, after speaking to the VP of HR she discovered Ted had left the company 8 months ago. The only hope is that Rick kept local copies of his emails. By this time its 5:37 pm and Rick has gone home – with his laptop.

Monday morning Rick is surprised to find several people from legal and IT waiting at his desk when he arrives. It turns out Rick actually archives his email instead of letting the system delete it after 90 days into a PST file. Rick locates his 4.5 GB PST file on his share drive but for some reason it won’t open. Several members from the IT department spend two hours trying to get it open but determine its probably corrupted because its too big (PSTs have this nasty habit of letting the user keep stuffing files into it even though its already too big).

IT sends the PST off to a consultant to see if they can open it. After three weeks and $17,553 you are told it’s completely corrupted and can’t be opened!

During those three weeks you spend $4,300 tracking down Ted who doesn’t remember why he would have written an email like that. He does vaguely remember Jennifer may have been part of that conversation thread. 4.5 hours later combing through Jennifer’s PST, (why does everyone have a PST if we made a point to delete emails after 90 days?) you actually find a forwarded version of the email from Ted…It really does exist!

You determine it will be impossible to assemble the entire conversation thread so after several months of negotiating with ACME Systems Attorneys, you settle for $35 million and an apology printed on the front page of the Wall Street Journal…and your wife stopped talking to you.

Tune in tomorrow to catch up on the further adventures of Ted, Rick, Jennifer, ABC Systems, and the strangely silent wife…

Predicting the Future of Information Governance


Information Anarchy

Information growth is out of control. The compound average growth rate for digital information is estimated to be 61.7%. According to a 2011 IDC study, 90% of all data created in the next decade will be of the unstructured variety. These facts are making it almost impossible for organizations to actually capture, manage, store, share and dispose of this data in any meaningful way that will benefit the organization.

Successful organizations run on and are dependent on information. But information is valuable to an organization only if you know where it is, what’s in it, and what is shareable or in other words… managed. In the past, organizations have relied on end-users to decide what should be kept, where and for how long. In fact 75% of data today is generated and controlled by individuals. In most cases this practice is ineffective and causes what many refer to as “covert orunderground archiving”, the act of individuals keeping everything in their own unmanaged local archives. These underground archives effectively lock most of the organization’s information away, hidden from everyone else in the organization.

This growing mass of information has brought us to an inflection point; get control of your information to enable innovation, profit and growth, or continue down your current path of information anarchy and choke on your competitor’s dust.

img-pred-IG

Choosing the Right Path

How does an organization ensure this infection point is navigated correctly? Information Governance. You must get control of all your information by employing the proven processes and technologies to allow you to create, store, find, share and dispose of information in an automated and intelligent manner.

An effective information governance process optimizes overall information value by ensuring the right information is retained and quickly available for business, regulatory, and legal requirements.  This process reduces regulatory and legal risk,  insures needed data can be found quickly and is secured for litigation,  reduces overall eDiscovery costs, and provides structure to unstructured information so that employees can be more productive.

Predicting the Future of Information Governance

Predictive Governance is the bridge across the inflection point. It combines machine-learning technology with human expertise and direction to automate your information governance tasks. Using this proven human-machine iterative training capability,Predictive Governance is able to accurately automate the concept-based categorization, data enrichment and management of all your enterprise data to reduce costs, reduce risks, enable information sharing and mitigate the strain of information overload.

Automating information governance so that all enterprise data is captured, granularity evaluated for legal requirements, regulatory compliance, or business value and stored or disposed of in a defensible manner is the only way for organizations to move to the next level of information governance.

Finding the Cure for the Healthcare Unstructured Data Problem


Healthcare information/ and records continue to grow with the introduction of new devices and expanding regulatory requirements such as The Affordable Care Act, The Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH). In the past, healthcare records were made up of mostly paper forms or structured billing data; relatively easy to categorize, store, and manage.  That trend has been changing as new technologies enable faster and more convenient ways to share and consume medical data.

According to an April 9, 2013 article on ZDNet.com, by 2015, 80% of new healthcare information will be composed of unstructured information; information that’s much harder to classify and manage because it doesn’t conform to the “rows & columns” format used in the past. Examples of unstructured information include clinical notes, emails & attachments, scanned lab reports, office work documents, radiology images, SMS, and instant messages.

Who or what is going to actually manage this growing mountain of unstructured information?

To insure regulatory compliance and the confidentiality and security of this unstructured information, the healthcare industry will have to 1) hire a lot more professionals to manually categorize and mange it or 2) acquire technology to do it automatically.

Looking at the first solution; the cost to have people manually categorize and manage unstructured information would be prohibitively expensive not to mention slow. It also exposes private patient data to even more individuals.  That leaves the second solution; information governance technology. Because of the nature of unstructured information, a technology solution would have to:

  1. Recognize and work with hundreds of data formats
  2. Communicate with the most popular healthcare applications and data repositories
  3. Draw conceptual understanding from “free-form” content so that categorization can be accomplished at an extremely high accuracy rate
  4. Enable proper access security levels based on content
  5. Accurately retain information based on regulatory requirements
  6. Securely and permanently dispose of information when required

An exciting emerging information governance technology that can actually address the above requirements uses the same next generation technology the legal industry has adopted…proactive information governance technology based on conceptual understanding of content,  machine learning and iterative “train by example” capabilities

The lifecycle of information


Organizations habitually over-retain information, especially unstructured electronic information, for all kinds of reasons. Many organizations simply have not addressed what to do with it so many of them fall back on relying on individual employees to decide what should be kept and for how long and what should be disposed of. On the opposite end of the spectrum a minority of organizations have tried centralized enterprise content management systems and have found them to be difficult to use so employees find ways around them and end up keeping huge amounts of data locally on their workstations, on removable media, in cloud accounts or on rogue SharePoint sites and are used as “data dumps” with or no records management or IT supervision. Much of this information is transitory, expired, or of questionable business value. Because of this lack of management, information continues to accumulate. This information build-up raises the cost of storage as well as the risk associated with eDiscovery.

In reality, as information ages, it probability of re-use and therefore its value, shrinks quickly. Fred Moore, Founder of Horison Information Strategies, wrote about this concept years ago.

The figure 1 below shows that as data ages, the probability of reuse goes down…very quickly as the amount of saved data rises. Once data has aged 10 to 15 days, its probability of ever being looked at again approaches 1% and as it continues to age approaches but never quite reaches zero (figure 1 – red shading).

Contrast that with the possibility that a large part of any organizational data store has little of no business, legal or regulatory value. In fact the Compliance, Governance and Oversight Counsel (CGOC) conducted a survey in 2012 that showed that on the average, 1% of organizational data is subject to litigation hold, 5% is subject to regulatory retention and 25% had some business value (figure 1 – green shading). This means that approximately 69% of an organizations data store has no business value and could be disposed of without legal, regulatory or business consequences.

The average employee creates, sends, receives and stores conservatively 20 MB of data per day. This means that at the end of 15 business days, they have accumulated 220 MB of new data, at the end of 90 days, 1.26 GB of data and at the end of three years, 15.12 GB of data. So how much of this accumulated data needs to be retained? Again referring to figure 1 below, the blue shaded area represents the information that probably has no legal, regulatory or business value according to the 2012 CGOC survey. At the end of three years, the amount of retained data from a single employee that could be disposed of without adverse effects to the organization is 10.43 GB. Now multiply that by the total number of employees and you are looking at some very large data stores.

Figure 1: The Lifecycle of data

The above lifecycle of data shows us that employees really don’t need all of the data they squirrel away (because its probability of re-use drops to 1% at around 15 days) and based on the CGOC survey, approximately 69% of organizational data is not required for legal, regulatory retention or has business value. The difficult piece of this whole process is how can an organization efficiently determine what data is not needed and dispose of it automatically…

As unstructured data volumes continue to grow, automatic categorization of data is quickly becoming the only way to get ahead of the data flood. Without accurate automated categorization, the ability to find the data you need, quickly, will never be realized. Even better, if data categorization can be based on the meaning of the content, not just a simple rule or keyword match, highly accurate categorization and therefore information governance is achievable.

Healthcare Information Governance Requires a New Urgency


From safeguarding the privacy of patient medical records to ensuring every staff member can rapidly locate emergency procedures, healthcare organizations have an ethical, legal, and commercial responsibility to protect and manage the information in their care. Inadequate information management processes can result in:

  • A breach of protected health information (PHI) costing millions of dollars and ruined reputations.
  • A situation where accreditation is jeopardized due to a team-member’s inability to demonstrate the location of a critical policy.
  • A premature release of information about a planned merger causing the deal to fail or incurring additional liability.

The benefits of effectively protecting and managing healthcare information are widely recognized but many organizations have struggled to implement effective information governance solutions. Complex technical, organizational, regulatory and cultural challenges have increased implementation risks and costs and have led to relatively high failure rates.  Ultimately, many of these challenges are related to information governance.

In January 2013, The U.S. Department of Health and Human Services published a set of modifications to the HIPAA privacy, security, enforcement and breach notification rules.  These included:

  • Making business associates directly liable for data breaches
  • Clarifying and increasing the breach notification process and penalties
  • Strengthening limitations on data usage for marketing
  • Expanding patient rights to the disclosure of data when they pay cash for care

Effective Healthcare Information Governance steps

Inadvertent or just plain sloppy non-compliance with regulatory requirements can cost your healthcare organization millions of dollars in regulatory fines and legal penalties. For those new to the healthcare information governance topic, below are some suggested steps that will help you move toward reduced risk by implementing more effective information governance processes:

  1. Map out all data and data sources within the enterprise
  2. Develop and/or refresh organization-wide information governance policies and processes
  3. Have your legal counsel review and approve all new and changed policies
  4. Educate all employees and partners, at least annually, on their specific responsibilities
  5. Limit data held exclusively by individual employees
  6. Audit all policies to ensure employee compliance
  7. Enforce penalties for non-compliance

Healthcare information is by nature heterogeneous. While administrative information systems are highly structured, some 80% of healthcare information is unstructured or free form.  Securing and managing large amounts of unstructured patient as well as business data is extremely difficult and costly without an information governance capability that allows you to recognize content immediately, classify content accurately, retain content appropriately and dispose of content defensibly.

Can you wipe your twitter ramblings, and should you?


In December of 2011, the Library of Congress and Twitter signed an agreement that will eventually make available every public Tweet ever sent as an archive to the Library of Congress.


While writing a blog post last week, I began  to wonder how long all my twitter postings would
be available and who could look at them. For the fun of it, I went back through approximately 6 months of my old twitter postings, re-tweets and replies (yes you can do it, it’s relatively easy and you can look at anyone’s).

I’ve been pretty good about keeping my twitter posts “business-like” and have steered away from personal stuff like “I just checked in to the Ramada Inn on route 11…can’t wait for the evening to begin!”, or “does anyone know how to setup an off-shore bank account?” or “those jerks over at Company ABC are a bunch of losers”.  But many tweeters aren’t so disciplined and have posted stuff that could come back to haunt them later. I could imagine a perspective employer reviewing a candidate’s twitter history or even worse an attorney conducting research for a case using the public twitter archives to create a timeline.

With that in mind, could you delete your twitter postings and should you? Twitter does allow you to delete specific tweets one at a time but as far as I can determine, Twitter does not give you the ability to delete your entire twitter history short of deactivating your account. From the Twitter website:

How To Delete a Tweet

If you’ve posted something that you’d rather take back, you can remove it easily. When you hover over your Tweet while viewing your home or profile page, you’ll see a few options appear below the message.

To delete one of your Twitter updates:

  1. 1.       Log in to Twitter.com
  2. 2.       Visit your Profile page
  3. 3.       Locate the Tweet you want to delete
  4. 4.       Hover your mouse over the message (as shown below), and click the “Delete” option that appears

Voila! Gone forever… almost. Deleted updates sometimes hang out in Twitter search. They will clear with time.

We do not provide a way to bulk delete Tweets. If you’re looking to get a “fresh start” on your Twitter account without losing your username, the best way to do this is to create a temporary account with a temporary username, and then switch the username between your current account and the temporary account. Please see our article on How to Change Your Username for more info. 

On December 30, 2011, CNET published a story titled “How to delete all your tweets” which highlighted a product called TwitWipe. TwitWipe is a free tool that allows you to delete ALL your past tweets in one fell swoop. This may be handy because you can clean out your twitter account and start fresh without changing your username and dumping all your hard won followers.

This is an interesting capability but I think the more important question is why would you use this drastic of a step? The four most obvious reasons one would want to delete all their twitter postings and start fresh would be:

1.       You went through an unfortunate period in your life that you would rather forget

2.       You were regularly conducting criminal activities through your Twitter account

3.       You are considering a run for the presidency

4.       For whatever reason, you don’t want your twitter postings archived and available at the Library of Congress

The ability to delete ESI can be dangerous if done at the wrong time, especially if civil litigation is anticipated. Deleting a single tweet or every tweet you have ever posted can be construed as destruction of evidence if those tweets could have been relevant in litigation. ESI, no matter its format or where it’s stored, is potentially evidence  and should be at least considered when protecting ESI for litigation hold. Attorneys on both sides need to include social media content like twitter postings in their eDiscovery plans and be sure to warn all custodians about deleting/editing  social media content once litigation is anticipated.

Discovering the public cloud in Outlook


In my blog “The coming collision of “free to the public cloud storage and eDiscovery” posted on June 23, I talked about these new free cloud storage options and how they could become a problem in the litigation/eDiscovery process. While researching that blog, I found an interesting capability with Microsoft Outlook and the various cloud storage offerings.

It is called a email folder URL redirect. Microsoft Outlook includes the capability to associate an email folder with a Web page. You can set up this association so that when you select the email folder, the Web page appears or the contents of the folder appear.

This capability can be useful when you want to include internal instructions or news about the organization. Another example would be a redirected folder pushed out to all in the organization announcing a litigation hold and answering questions about the hold, expectations, target content etc.  Although this capability provides the opportunity to create powerful public folder applications, non-approved scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks so users should not be adding redirected email folders without IT’s approval.

So how does this capability, email folder URL redirection, relate to cloud storage? All four of the “free to the public cloud storage” offerings mentioned in the blog include a web page where files can be uploaded, viewed and downloaded. This means, for example, the Amazon Cloud Drive service could be a redirection target for an Outlook email folder.

Use the following steps to create and associate an e-mail folder with a Web view:

  • If you don’t already have a folder list showing in your Outlook front end, click on the View menu, then click Folder List.
  • Create a new folder in the folder list called Amazon Cloud by right clicking on the top most folders where you want to create the Cloud folder under. Then type in the new folder name Amazon Cloud

Figure 1: Create a new email folder called “Amazon Cloud”

  • In the Folder List, right-click the folder that you want to associate with a Web page, and then click Properties on the shortcut menu.
  • In the Property dialog box, click the Home Page tab.
  • In the Address box, type the URL for the Amazon Cloud drive web page.
  • Click to select the Show home page by default for this folder check box if you want the Web view active.

Figure 2: Input the URL address of the Amazon Cloud drive webpage

  • Click OK.

Now, by clicking on the new email folder, you will see the Amazon Cloud drive sigh in webpage.

Figure 3: Access and sign in to your Amazon Cloud drive webpage

Figure 4: You now have full access to your cloud storage from within Outlook

Some things you can now do include being able to open files from within your Amazon Cloud Drive. Once opened, data can be copied and pasted to a new email you might be creating.

Some things you can’t do directly include saving an email attachment directly to your cloud drive, dragging a file in your cloud to an email. For both these capabilities, an interim step is required. Namely coping files to your desktop first.

If that’s the case, is this capability useful? That depends… If you utilize a “free to the public cloud storage” service then you may want a more direct capability to view content in your cloud from within Outlook. This is somewhat of a stretch but you never know.

The main reason I’ve highlighted this capability is to illustrate how difficult the eDiscovery collection and litigation hold processes are getting when custodians have all these different options for storing (hiding) potentially responsive ESI.

Effective Records Management Greatly Benefits the Legal Dept for eDiscovery


Many (but not all) corporate legal types consider ESI retention management as the legal hold process. Not a bad thought but really falls short of a true corporate definition of the term. To records managers ESI retention management refers to the systematic retention and disposition of the organizations electronic business records; either for the day to day running of the business, regulatory compliance or litigation support. And in this case I believe the records managers are right.

ESI retention management, also known as records management, needs to be better understood by corporate legal because the proper management and deletion of electronic business records have a direct relationship to the corporate legal department for both legal holds and eDiscovery.

A properly managed ESI records management system allows legal to quickly find and place on legal hold, all archived potentially responsive electronically stored information thereby reducing the risk of spoliation; destruction of evidence. A centralized ESI management system will also act as a on-going collection point so that when eDiscovery starts, the collection phase is already taken care of for that ESI already under management. Because the archive acts as an on-going collection point, the legal department can quickly search the ESI archive for responsive ESI and begin their culling and review responsibilities almost immediately; without the need to spend days or weeks trying to find/collect potentially responsive ESI.

Training Employees Before they Hit the SEND Key


Time and time again we see news stories and legal case writes ups where it has become obvious employees still have no idea that an email is not a private communication. I find most employees, even corporate legal department types, still consider an email is like a verbal conversation in a parking lot; once its ended, it doesn’t exist anymore (unless it was recorded).

A recent example came from the Goldman Sachs Congressional hearings where the following exchange took place:

US Senator Carl Levin: “And when you heard that your employees, in these e-mails, when looking at these deals, said God, what a shitty deal, God what a piece of crap – when you hear your own employees or read about those in the e-mails, do you feel anything?”

David Viniar, chief financial officer, Goldman Sachs: “I think that’s very unfortunate to have on e-mail.”

This is a prime example of a probably very smart guy never considered that specific content in that email would every show up in a blog much less the front page of the Wall Street Journal. This problem of unguarded content in emails has become a major liability for many companies and organizations. Another example is the email flap recently over the emails between various researchers at various universities around the global warming question.

Organizations are doing themselves a huge disservice by not training their employees around proper email use and its implications if not followed. I am not addressing the “right” or wrong” questions about these two specific examples, just the fact that very smart people continuously ignore the consequences of questionable emails.

So what can organizations do to protect themselves from this kind of liability? Well there are two steps that you can take to drastically reduce your liabilities around smoking gun emails. First, train all employees (not just once but at least annually) on your email use policy (hopefully you have one that addresses this kind of behavior). But also just as important is to educate them on the consequences of inappropriate email usage. Explain to them the eDiscovery process and what that means for email. Government agencies as well as attorneys regularly ask for and get emails from organizations in litigation or agency subpoena.

Also educate them on the email technology. I can’t count how many times I have had CEOs, CIOs all the way down the line to line workers explain to me that when they delete an email from their email box, it’s really gone. Show them why that’s not the case with a couple of the hundreds of case examples where company employees believed the same thing and what happened.

The second step is to put technology in place that helps you zero in on this type of behavior before it ends up in court and on the front page.  Many organizations will think this is “big brotherish” and not fitting with their organizations culture. I disagree with this reasoning…Putting protections in place to ensure proper business behavior is a common sense measure to reduce your legal liabilities. Install an email archiving system so that email is secured for some period of time via retention policies and also have content monitoring capability to be able to monitor, in real time, occurrences of content/behavior your organization has deemed out of bounds. Along with this technology, be sure to explain (repeatedly) to each and every employee that all of their emails are being captured for a period of time and that some are actually being monitored for content. I guarantee you that your employees will be overly careful what they put in emails going forward.

Putting some real teeth in eDiscovery sanctions will drive effective information management


Ok, I know there is a push back from the legal industry in reference to the problem of the cost of discovery. Yes, companies create, use, receive and delete huge amounts of electronic information on a daily basis and it is unreasonable to expect an organization to have enough of a handle on this moving target to be able to place an effective legal hold – quickly, and provide all responsive information in response to an eDiscovery request. But come on… organizations live and die by their information, especially electronic information and if an organization doesn’t have enough of a handle on their data to be able to place a legal hold on select data, then I’m sorry they have other problems.

It all comes down to effective information management. Why is it unreasonable for a Judge to expect a company knows what data it has at any point in time and can find it when it needs to?

I understand the proportionality doctrine argument, and it makes sense. If proportionality did not exist, a plaintiff’s counsel could win every case just based on how they construct their discovery request.

Many businesses in the United States have long given employees total control of the company records, with a few exceptions, with little or no central control or even knowledge the information exists and how it pertains to the business. This does not seem the best business decision for the long run.

Maybe eDiscovery can serve as the impetus to nudge companies to start taking information management seriously. If Judges start imposing even larger penalties and fines for what amounts to eDiscovery failings because of ineffective or no information management policies in an organization, then we may see a corporate change of attitude.

In a recent LTN Law Technology News article, e-discovery analyst Barry Murphy of Murphy Insights noted that very few sanctions for e-discovery have had any real teeth, and the few that have involved large dollar amounts have been overturned. In some cases, e-discovery snafus have led to negative inferences that almost certainly impacted the outcome, but he says even those rulings seem to have had little impact. “The sanctions we’re seeing are too small to register with many people, and while negative inferences may lead to a bad outcome, the impact is not always obvious,” says Murphy. “Once we see a sanction for many millions of dollars because of a failure to preserve electronic evidence, the point will be clearer.”

Let me offer some common sense suggestions around information management and eDiscovery:

  1. Have regularly updated and tested records retention policies
  2. Get rid of data your business no longer needs
  3. Really know what electronically stored information (ESI) you have and don’t have
  4. Be ready to find it quickly
  5. If you are a big enough organization, have tools on hand to help in the searches
  6. Have a tested litigation hold process. Be able to stop records deletions based on content, employee, date etc. quickly
  7. Have a tested eDiscovery process

Too many organizations are willing to risk the consequences; “It’s never happened to me before”. If you manage your ESI effectively, then discovery response should not be a problem