BOISE, Idaho — In a sea of electronic information, constant online connectedness, social media, remote work, and globalization that subjects companies to varied multinational legislation, companies always are vulnerable to litigation and regulatory investigation.
By one account, as of 2017, almost two-thirds of medium- to large-sized businesses faced more than 25 legal and regulatory matters per year.[1] And when these matters arise, at least some amount of legal discovery is virtually inescapable. Potentially relevant information must immediately be identified and put on legal hold—that is, marked for preservation until the matter’s resolution. Many companies likely have legal hold processes in place. But to successfully and efficiently preserve relevant information, a company must first know that it exists, and where. Records and information management (“RIM”) and information governance professionals can help.
Discovery is one of the earliest stages of litigation or investigation, and if it doesn’t start well, it can establish a path and tone that are difficult to reset. Credibility and trust among parties can significantly affect the course of events—the pace, the pain, and the outcomes. And being able to quickly identify, properly preserve, and efficiently produce relevant information can be central to building both. Moreover, from the moment a lawsuit or investigation seems imminent, companies must initiate efforts to understand the issues and build a defense. But none of this can happen if a company can’t identify and locate the information it needs.
Even just a few years in the trenches of “big” corporate law gave me insight into how information management can, and does, impact legal and regulatory matters. In a large class-action lawsuit, for example, many systems and millions of documents can quickly come into play. Upfront discovery issues, including an inability to respond promptly to discovery requests, can be the onramp to a multi-year, highly contentious, and exceptionally expensive discovery process. Nothing irritates judges more than discovery disputes. But at least a judge is in place to serve as a neutral authority.
Regulatory investigations, by contrast, generally do not involve an arbiter like a judge; instead, the regulators run the show. Establishing credibility and a working relationship with regulators right from the start therefore can be critical to achieving the best possible outcome in a matter.
A company’s lack of a solid understanding of the types of information it has and where the information is stored can cripple those efforts. For example, in a significant government investigation, highly relevant information the government has requested can be lost in the decommissioning of a system. Or information requested or that would be helpful to review early in a matter can be overlooked, only to be discovered later. This can lead to some serious scrambling—especially if representations have been made that the information does not appear to exist. I can assure you that regulators don’t appreciate such events.
While there are plenty of ways and reasons and points at which discovery issues can arise, a company that can quickly pinpoint potentially relevant systems and information, place them on legal hold, and starts efficiently collecting, reviewing, and producing documents has laid the groundwork for a smoother and less expensive discovery process.
“X” Marks the System
A data map is one of the most helpful tools a company can use to identify its electronic data, which today constitutes the majority of a company’s data, and in what systems it is stored. ARMA International, a leading information management membership organization, defines a data map as:
[a] comprehensive and defensible description of each IT system, which includes: its media (online and offline), the business unit(s) it services, its responsible data stewards and custodians, a business unit contact, the policies that govern access to the system, and the associated retention policies and procedures.
Indeed, Federal Rule of Civil Procedure 26(a)(1)(A)(ii), which requires parties in U.S. district courts to provide each other with “a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses,” widely is regarded as essentially mandating the creation and provision of a sort of data map.
A useful data map should include both structured and unstructured information. Structured information consists of clearly defined and searchable data; unstructured information consists of data types more likely to be found in unstructured systems such as shared drives—for example, emails, text messages, and document collections. The systems in which structured data are held may be simpler to identify and map, but most “dark data”—data that lurks unused and forgotten, and therefore can be dangerous to have brought to light for the first time in litigation or an investigation—tends to be unstructured. Thus, when creating a data map, a company should make a particular effort to identify the types of unstructured data in the company’s systems, along with where it is stored.
Data Mapping is an All-Hands Effort
RIM and information governance professionals are perfectly positioned to take point on building and maintaining an accurate, readable data map. But they shouldn’t do it alone. An important step in creating a functional data map is gathering input from stakeholders who know about the types and locations of information and systems their departments use. Creating a data map should also involve stakeholders who are most likely to rely on it, such as legal and IT. This information-gathering process can be accomplished in a number of ways, including through surveys, open-ended questionnaires, or stakeholder interviews.
Each method has its benefits and drawbacks: While concise surveys might initially lead to a higher response rate—recipients could consider them relatively simple and quick to answer—interviews may yield much more comprehensive and precise information. And the more comprehensive and precise the data map, the more useful it often is both for general information governance and in any litigation or investigation. It may, however, be more difficult to maintain.
Whatever the method, the information gathered should help flesh out fields such as:
- system name and description
- whether the system is hosted internally or externally (and, if externally, in what jurisdiction)
- system status
- roll-out and retirement date
- system custodians (such as business, IT, legal)
- retention periods
- whether the system is a system of record (the single authoritative source for a specific data element) and the type and structure of information contained within the system.
Once the information has been collected and a data map drafted, it will retain its full value only if it is kept current. Thus, at least annually, the data map’s caretaker—likely a RIM or information governance professional—should reconnect with information stakeholders for updates. This also reminds key players that the data map exists. When a fast-moving lawsuit or investigation arises, the legal team might not immediately think to reach out to a RIM or information governance manager, especially in a large, dispersed company. But by involving a member of Legal in the annual update process, the legal team can better use the data map as a quick resource for identifying and preserving potentially relevant systems and information, saving the company significant time, money, and potential grief. Similarly, using cross-functional collaboration to create and maintain a data map can keep open lines of communication with other players in both general information governance and legal and regulatory matters (such as IT).
Conclusion
Data maps might seem like old news to experienced RIM and information governance professionals. But every now and then, it’s worth pausing to remember just how valuable RIM-related tools are, even beyond day-to-day records management. For others, taking time out of already-busy days to answer questions about systems and information might seem taxing and unnecessary. But if (or when) litigation or an investigation arises, it will pay off. If you need assistance drafting a data map or would like to discuss other information management tools and strategies to help minimize legal and regulatory risk, Zasio can help.
[1] Paul Meyer and John Rosenthal, ACC Presentation on Managing the Risks and Spend of E-Discovery (2017).