Information governance, records and information management, and data disposition policies are ways to help lower costs and mitigate risks for organizations. Policies and procedures to actively manage data are not just an IT "problem," they're a collaborative business initiative that is a must in today's "big data" environment. With electronic discovery rules, government regulations and the Sarbanes-Oxley Act, all organizations must proactively take steps to manage their data with well-governed processes and controls, or be willing to face the risks and costs that come along with keeping everything. Organizations must know what information they have, where it is located, the duration data must be retained and what information would be needed when responding to an event. There have been numerous instances of severe legal penalties for organizations that did not have an electronic data strategy, tools, processes and controls to locate and understand their own data. In addition, the risks of unmanaged data include skyrocketing infrastructure and personnel costs and an increase in attorney time to manage massive amounts of data when a litigation event occurs. Information governance is needed much like any business continuity and disaster recovery plans, but with an understanding of data: where data are located, how data are managed, event response, and regular testing of processes and procedures for preparedness.

1. Information Governance &
Management Practices,
Managing Data to Lower Risk
& Costs, and e-Discovery
Implications
ILTA Meeting – April 25, 2013
David Kearney – Volunteer City Representative

2. Overview
Why implement data
management practices? ―I
just keep everything.‖

3. Overview
Unmanaged data raises…
 Costs – Infrastructure, labor, power,
onsite/offsite storage, backups &
disaster recovery, disguises true
discovery costs, and review time.
 Risks – Credibility, sanctions, internal
burden, security, litigation, and
compliance & regulation, e.g.
Healthcare

4. Overview
 Information Governance (Managed Data)
 Adds value by supporting the business strategy
 Revenue
 Efficiency
 Compliance

5. Overview
Information management
practices should be
implemented at all companies
that may be subject to…
Litigation
Regulations and Compliance
Client/Customer Data Policies

6. Overview
Applied to Electronic Discovery
 Discovery is the process of exchanging evidence
between parties. During discovery, each side must share
with the other side all information that is relevant to the
matter, and significant penalties/sanctions may be
levied on any party that does not hand over information
properly.
 Because discovery involves the physical collection,
restoration, and review of information, it is a costly
process. If the scope of the information an attorney
requests is too broad and results in excessive information
being produced, the litigation costs will be exponentially
increased.

7. Overview
Addressed at the Far Left of the
Electronic Discovery Reference
Model

8. OVERVIEW
 EDRM - Information Management
 Many issues can be better managed if this
stage is taken seriously and implemented with
consistent & sound practices.
 This is THE STARTING POINT for the entire process.
Sound and comprehensive information
management strategies aid organizations in
the identification, preservation, and collection
steps of the process and can lower the number
of documents that need to be preserved,
collected, reviewed and produced. This is
where more organizations can GET IT RIGHT.
Furthermore, risks and costs are reduced.

9. Overview
 “Part of the reason eDiscovery is so expensive
is because companies have so much data that
serves no business need. … Companies are
going to realize that it’s important to get their
information governance under control to get rid
of the data that has no business need … in
ways that will improve the company's bottom
line…” — U.S. Magistrate Judge Andrew J.
Peck, CGOC Faculty Member, in a video
interview courtesy of JD Supra Law News,
February 4, 2013.

10. Overview
 Sanctions have been issued for the failure to
preserve documents, negligence during the
processes, and delay in delivering requests…
 Pension Committee of the University of Montreal
Pension Plan v. Banc of America Securities, LLC
 Harkabi v. SanDisk
 Qualcomm v. Broadcom
 Philip Morris
 Morgan Stanley

11. Overview
Data Growth
 40 Zettabytes is how much digitally stored data humankind will
possess by 2020 - IDC
 Data production will be 44 times greater in 2020 than it was in
2009.
 According to estimates, the volume of business data worldwide,
across all companies, doubles every 1.2 years.
 According to execs, the influx of data is putting a strain on IT
infrastructure. 55 percent of respondents reporting a slowdown of
IT systems and 47 percent citing data security problems,
according to a global survey from Avanade.
Data generation will become significant
even at the smallest of organizations

12. Information
Management/Information
Governance
 The set of multi-disciplinary structures, policies, procedures,
processes and controls implemented to manage information at an
enterprise level, supporting an organization's immediate and future
regulatory, legal, risk, environmental and operational requirements.
–Wikipedia, 3/12/13
 The specification of decision rights and an accountability
framework to encourage desirable behavior in the valuation,
creation, storage, use, archival and deletion of information. It
includes the processes, roles, standards and metrics that ensure the
effective and efficient use of information in enabling an
organization to achieve its goals. -Gartner
 A holistic approach to managing and leveraging information for
business benefits and encompasses information quality, information
protection and information life cycle management. -IBM

13. Records Management (RIM)
 Records Management is management responsible
for the efficient and systematic control of the
creation, receipt, maintenance, use, and disposition
of records, including processes for capturing and
maintaining evidence of and information about
business activities and transactions in the form of
records.
 A Record is any recorded information, regardless of
medium or characteristics, made or received and
retained by an organization in pursuance of legal
obligations or in the transaction of business

14. Data Retention Policies
 Policies of Data
 Meeting Legal and Business Requirements
 Weighs Legal and Privacy Concerns
 Determination of Time, Rules, Data Formats
 Determination of Storage, Access, & Encryption
 A Legal Strategy that Affords Certain Legal
Protections

15. Resources
 IGRM (Information Governance Reference Model) -
http://www.edrm.net/projects/igrm
 ARMA International - http://www.arma.org/
 InfoGov Community - http://www.infogovcommunity.com/
 AHIMA (American Health Information Management Association)
- http://www.ahima.org/

16. Information Governance
Reference Model (IGRM)
 Provides
 Common, practical, & flexible framework
 Helps organizations develop and implement
effective and actionable information management
programs
 Offer guidance to stakeholders within organizations
 Facilitates dialogue among stakeholders by
providing a common language and reference for
discussion and decision-making based on the needs
of the organization

18. ARMA International Maturity
Model for Information
Governance
 Defines the characteristics of information
governance programs at differing levels of
maturity, completeness, and effectiveness.
 The Principle (Generally Accepted Recordkeeping Principles) frames
8 principles of recordkeeping;
 Accountability
 Transparency
 Integrity
 Protection
 Compliance
 Availability
 Retention
 Disposition

19. ARMA International Maturity
Model for Information
Governance
 Characteristics typical for each of the ‗Principles‘
(Generally Accepted Recordkeeping Principles) of recordkeeping;
 LEVEL 1 (Sub-standard)
 LEVEL 2 (In Development)
 LEVEL 3 (Essential)
 LEVEL 4 (Proactive)
 LEVEL5 (Transformational)

20. People, Process, &
Technology
 One of the reasons companies hesitate to create
and enforce retention policies is cost of software,
cost of personnel needed to manage it, etc. But,
the cost is minimal compared to paying a six-
figure settlement.
 This is a Business Initiative, NOT an exclusive IT,
Records, or Legal problem.
 The process needs defined, adopted, and
audited
 Technology to automate and assist in defined
process needs identified, implemented, and
audited

21. Stakeholders
Collaboration Must Exist Between
 Business Users – Operate the organization
 Records Management - Control of the
creation, receipt, maintenance, use, and
disposition of records
 IT – Implements mechanics of Info Governance
 Legal Risk & Regulatory Departments -
Understand the organization‘s duty to preserve
information beyond its immediate business
value

22. Approach
 Identify what you have
 Assess Risks
 Business needs
 Legal holds
 Regulatory obligations
 Develop Plan
 Document Plan
 Implement Plan
 Follow Plan – Consistency is Key
 Audit Plan

23. Questions to Ask About
Data
 Does the Data Have Business Value
 Is the Data a ‗Record‘ and is it still under retention
 Is the Data Under Legal Hold
 Law Firms – Is the Data Firm Data or Client Data, Is it a
Record, and Do Your Clients Know About It/That You
Have Their Data
 Corporations – Do You Know Where Your Data Is?

24. Practices
 Develop a transparent and collaborative team
 Understand the locations (includes BYOD &
Cloud) of the data & create data map
 Understand the requirements for the data, such
as regulations, cross-border issues, data types,
business needs, and legal needs

25. Practices
 Manage all information, not just ―records.‖
 Connect legal, privacy and regulatory retention obligations
directly to relevant information.
 Retention periods must take into account the business value
of information in addition to legal and compliance value.
 Identify where information is located.
 Ensure that retention and disposal obligations are
communicated and publicized in a language that
stakeholders can understand.
 Allow for flexibility to adapt to local laws, obligations and
limitations.
 Include a mechanism that allows legal and IT to collaborate
in executing and terminating legal holds.
 Identify and eliminate duplicate information.

26. Tools – EMC
 Comply with business rules and policies, industry
and governmental regulations, and assure
security and privacy for employees, customers,
and corporate intelligence.
 http://www.emc.com/archiving/intelligent-
archiving.htm
 Ideal for: Large Enterprises, Financial Services,
Healthcare
 Built to: Improve storage management, Increase
operational efficiencies, Implement compliance
and reduce risk

27. Tools – Nuix
 Nuix information governance solutions transform your
organization's unstructured data from a liability to an asset
with powerful technology and workflows for searching,
investigating and actively managing information.
 http://www.nuix.com/
 Solutions for e-Discovery, Information Governance,
Investigation, Defensible Deletion, and Archive Search.
 Enables you to respond quickly and effectively to litigation
or regulatory action, mitigate risk, reduce costs and extract
value from your data.

28. Tools – IBM
 The IBM InfoSphere Information Governance
solutions establish sustainable governance of
information quality, master the complete
lifecycle of information, secure and protect
privacy and establish standards across all types
of information projects.
 http://www-01.ibm.com/software/data/information-
governance/overview.html

29. Tools – Google Vault
 Google Vault, a set of information governance
tools for Google Apps customers.
 Google Vault provides a place where businesses
can manage, archive and preserve Google
apps data, an action that is key to the
eDiscovery process.
 Of course, Google also brings search to bear on
the eDiscovery problem because you can use
Google search tools to find documents that
meet certain criteria in an eDiscovery request.

30. Opportunities
Corporate/C-Level Personnel
Attorneys
Business Units
Records Managers
Technologists

31. Roles We Can Play…
 Law Firms
 Get the house in order
 Assist corporate clients to get their house in order
 Corporations
 Proactively get the house in order (ideally before an
event)
 Advise in-house and/or outside counsel of processes
needed to develop info governance plan

32. Now is the time to understand and
adopt information governance.
Don't be caught trying to extinguish
a fire when fire prevention was
really the answer.