Legal holds are by no means a new concept. However, with the ever-expanding amount of data that businesses are producing, managing them is becoming a much bigger challenge.
In fact, organizations are having such difficulty with it that sanctions for the destruction of Electronically Stored Information (ESI) have increased by 271% since 2005. This data comes from a recent white paper from Code42 entitled "Protecting data in the age of employee churn".
An excerpt from this white paper states the case for legal hold software well.
Courts increasingly require that companies document the steps taken to prevent negligent or intentional destruction of evidence. Technology that automates and tracks legal holds:
- Demonstrates the organization has an established process and enables identification, storage and maintenance of relevant data without increasing IT headcount.
- Reduces risk and increases defensibility.
- Guarantees that holds are issued in a timely fashion and contain all necessary information.
- Enables data set selection.
But legal holds are only one piece of the larger information governance puzzle. Below we explore 10 questions to ask about your organization's information governance program.
1. How do we manage information in varying locations (e.g. file shares, SharePoint, Email)?
Managing information thoroughly seems so logical, but it is one of the most commonly overlooked aspects of information governance or records management. Below are three primary approaches that organizations take:
- A: manage information in place utilizing current systems
- B: migrate information to one system that also serves as the management software
- C: migrate information to one system and use third-party software to manage it.
A is an appealing approach because it is extremely flexible and can fit into nearly all future environments, systems and upgrades. Plus, it often is associated with higher user adoption because users continue with their current processes and retention/disposition is automated behind the scenes.
B often requires significant design, implementation and cost. Similarly, it often leaves information that resides outside the central repository unmanaged.
C is a similar approach to B, but it can potentially leverage current technology. Still, it has the shortcomings of requiring storage in specific locations and leaves other information unmanaged.
2. Are data migrations, upgrades or changes in the systems required now or in the near future?
It is important to understand what is required in terms of moving information from one location to another. The migration process can consume extensive time and money and can introduce risk.
Further, when a system is upgraded, some software vendors need to adjust the file plan accordingly so it can be applied to records.
3. How does the information governance program account for litigation holds?
Clearly, there needs to be a mechanism to place information on hold. However, once the initial hold is created, it is vital that the solution automatically adds newly created information to any existing holds.
4. How does it affect end user processes?
An information governance program is only as good as the adoption rate. End user adoption is directly affected by system changes, cumbersome processes and confusing instructions. Fully understand the process end users will need to adopt. New technology and/or processes may be needed. Yet, the new technology should not drive the new process. The new technology should complement the process.
5. Can it control access to sensitive information?
Increasingly important is the ability to govern access to sensitive information. Your IG program should be able to regulate access to sensitive information, identify where it resides, and automatically protect and appropriately dispose of it.
6. Can records be locked, remaining immutable until disposition?
Some records should be kept unchanged during their lifecycle. Understand whether this functionality exists and whether information needs to be moved to a specific location to accomplish this goal.
7. What does it cost in total?
Obviously, the information governance program has to fit into budgets. Take the time to understand the total cost. The total cost of ownership (TCO) could include software, hardware, third-party systems and services (installation, configuration, assessments and migrations). When evaluating multiple solutions, TCO can be tough to compare. Press the vendors for the true and total cost of their information governance solution.
8. Does the program integrate with my other business systems?
Don’t ignore your other systems when designing your information governance practice. Each of these systems is not only a potential location for redundant, obsolete and trivial information (ROT); it could also be the key to triggering the right actions to determine security, privacy or retention policies.
9. What is the time and resource commitment to implement, support, maintain and upgrade?
The time spent on designing, implementing and maintaining an information governance program is time away from other areas. With that in mind, fully understand how much time a new program will demand.
Time is money. Not only does the time commitment equal opportunity cost, it can equal actual hard, quantifiable dollars when being charged by a vendor. Know what to expect before committing to an overly complicated project.
10. How are we handling audit trails and defensible disposition documentation?
Regulations may alter the way you want to track or execute records management and disposition. If called into question, the assurance of sound documentation outlining the retention/disposition process can be critical.
By Kevin Bley