Video
Advice from Counsel: The State of Information Governance in Corporations
From well-publicized data breaches to skyrocketing data growth (and costs), information governance challenges are all around us. How are corporations responding? What are the teams and roles driving information governance policy development? How are these policies communicated and enforced, not just internally but with external partners and stakeholders? Which IG strategies are producing tangible results, and which programs are coming up short?
Related topics:
Transcript:
Angela Navarro: [0:03] Hello everyone. My name is Angela Navarro, and welcome to today's webcast, "Advice from Counsel, the State of Information Governance in Corporations." This event is brought to you by Inside Counsel, and sponsored by FTI technology, and the CGOC. [0:19] I will help moderate this event, but before we get to the topic, let's get some simple housekeeping items out of the way. [0:26] If you have a question for one of our speakers, please enter it in the Q&A widget on your console. We will endeavor to answer your questions throughout the presentation, so we invite you to ask away. If we don't get to your question, you may receive email response. [0:42] In addition, there are some other customizable functions to be aware of. Every window you currently see, from the slide window, to the Q&A panel, can be either enlarged or collapsed, so if you want to change the look and feel of your console, go right ahead. [0:59] As a reminder, this presentation is being recorded and will be made available to all registrants. Here is today's agenda. After we meet our speakers, we will briefly describe the annual Advice from Counsel Study and move through the key themes of this year's study, information governance, and cybersecurity. [1:21] Next, we'll review how the survey respondents answered questions on the topics of leveraging e discovery software, staffing, cost savings, and how to get started. We'll compare those answers to live responses provided by you, our audience, today. We'll conclude by answering questions submitted through the Q&A tool. [1:43] Finally, I would like to remind you that the views expressed are solely those of the presenters, and should not be attributed to the presenters' organizations or clients. This presentation is solely for educational purposes and does not constitute legal advice. [1:59] By attending this presentation, you understand that there is no attorney client relationship intended or formed between you and the presenters. [2:08] Now let's meet today's speakers. We are very pleased to welcome Steve Ihm of Allstate Insurance Company. Steve leads teams responsible for e discovery, records and information management, litigation support, and more. [2:22] His experience includes leadership across a wide range of insurance and corporate legal matters. Welcome, Steve. Thank you for joining us today.
Steve Ihm: [2:31] Great. Thanks. It's great to be on the call.
Angela: [2:35] Next we have Ari Kaplan, Principal of Ari Kaplan Advisors. Ari is a leading legal industry analyst and the principal researcher for a variety of widely distributed benchmarking reports. He has been a keynote speaker for events around the globe. We are very pleased that he is joining us today. Welcome, Ari.
Ari Kaplan: [2:54] Thank you. I'm honored to be here.
Angela: [2:57] Finally, we have Jake Frazier, Senior Managing Director with FTI Technology. Jake leads FTI Technology's Information Governance & Compliance practice. Jake focuses on assisting corporations and governmental organizations with IG and compliance initiatives, as well as the corresponding costs and risks. Welcome, Jake.
Jake Frazier: [3:18] Thanks, Angela. Appreciate it.
Angela: [3:21] I would now like to turn the call over to Ari Kaplan. Ari, please go ahead.
Ari: [3:27] Thank you, Angela. I am honored that we are today talking about the 10th Advice from Counsel report. It's such a privilege to speak with the corporate counsel who share their perspectives. [3:40] This year, we spoke with 25 in house lawyers with responsibilities that included both e discovery and information governance. Most of them were from Fortune 1000 corporations. In fact, 96 percent develop and implement information governance processes. 84 percent do that for e discovery. A really, very well informed group of individuals. [4:05] 44 percent of those participating were from companies with total annual revenues over $10 billion. 60 percent were from companies with over 10,000 employees. 56 percent are managing more than 100 litigation events. [4:20] Just to give you a bit of a breakdown of where they're from, about a third, 36 percent, were from financial services organizations, which would include banks, insurance companies, etc., 24 percent from energy and utilities, 16 percent manufacturing, and then a variety from retail, transportation, real estate, media, education, etc. [4:43] We really, like in years past, really tried to secure participation from a broad cross section of individuals and are very excited to be talking about these issues today. I look forward to following up. [4:58] Just to raise some key themes we talked about, we asked certain questions about whether companies have an information governance program and what people can expect, what they're thinking of, are they able to leverage their e discovery software. The results will be pretty interesting in terms of defining information governance. [5:23] Jake, I'm curious about this. What are you seeing in terms of the definition of information governance. I found a lot of people struggling with how to incorporate it, and how to actually define it within their own organizations.
Jake: [5:40] That's a great question, Ari. Appreciate it. I think there's definitely still a lot of noise out there around information governance. When we talk to the respondents and other corporate practitioners, I think that they are settling on at least the principles of a definition, in that we hear a couple of refrains over and over again. [6:02] One, that it must be cross functional across a corporation for it to be successful, that really one silo or one department trying to tackle these is really difficult, if not impossible. [6:18] Two, from the substance, I think the Information Governance Reference Model, which is the circle that's put up here, is really latching on as a standard of the substance of what is IG. In the Information Governance Reference Model, you have a couple of things. [6:37] One is that cross functional representation, you can see, divides stakeholders around the wheel as the business, privacy, security, IT, records and information management or compliance, and legal. [6:50] That seems to hold true, for the most part. Sometimes HR takes a role. Sometimes one of these is missing or combined. In general, that cross functional responsibility and opportunity seems to be a key theme. [7:03] Two, on the inside you can see that information life cycle from creation of data, through the obligations that you have, through disposal. [7:16] We find that the organizations that are keeping this kind of definition, which is a little bit more practical rather than, perhaps, a more conceptual or ethereal type of definition, are doing pretty well and are tackling some major projects, as we'll see throughout the study. I think there's a...Go ahead. Sorry, Ari.
Ari: [7:35] No, no, please. Go on.
Jake: [7:37] I was just going to point out a second theme that we see in discussions with corporations is cyber security has risen very quickly to the top of the list or near the top of the list with regard to information governance. [7:54] On the IGR Model there on the left, you can see the blue, privacy and security, is actually the newest member of this model and, I think, increasingly visible, important. A lot of funding, I think, is available because of organizations that really can understand the cyber security threat. [8:13] You can start to see in this statistic that there's quantification of what it might mean to the bottom line and top line. In this case, it was a quantification of about $5.5 million per event, which comes out to be almost $200 per record, when there's a data breach or a data leakage. [8:32] That seems to be really helping some organizations accelerate putting together this cross functional group, because everyone plays a key role in helping solve these kind of problems.
Ari: [8:46] Steve, I wanted to raise something with you. One of the quotes that I heard when I was interviewing folks about defining information governance, and some of these other key themes was that it's a new term. It presents a requirement for change management, because you can only do so much with tools. [9:04] How are you seeing that, in the industry, taking effect?
Steve: [9:10] My reaction is I think that the circle, in particular, shows the business being a much bigger role. I think, in the past, we've thought of records and information management. Information governance is a much wider umbrella. [9:24] Now, what we're seeing, at least, is much more business interest in having the kind of tools that allow people to map out their data, use the data in the big data sense, leveraging social media, doing things with information that 5, 10 years ago were not present. [9:43] Information governance is just completely expanded how we have to think about how we deal with information. It's no longer just records and information management. There is an interest on the business side now, too, which allows these tools, I think, to become more available because there's more funding available, frankly. [10:01] Then, when you throw the cyber security piece on top of that, to me, the best cyber security is not having a piece of data at all. You won't have something stolen if it doesn't exist. There is a tie between cyber security, and information governance, and records and information management. [10:20] If you can make that tie within your organization, it does a couple things. It'll probably help from a funding standpoint, number one. Number two, it helps with the change management piece of it. [10:31] People understand why we need cyber security, and they're, I think, willing to take more work on to make sure we're keeping the right things and doing the right things by our customers, and constituents.
Ari: [10:46] These are great points. First of all, I think you both mentioned the idea that the cybersecurity hook is a great budget advantage. A number of people I spoke to said that they're creating an information governance program to address the very data security and cyber issues that are taking hold. [11:06] The other thing is people were saying, given the increase in the cyber threats, the company now has a cross disciplinary plan for identifying which information needs the most protect, and shouldn't even be on the network. [11:17] Steve, you make a good point about the best security of data is for data that doesn't even exist. A really interesting series of developments. [11:27] We're going to do a polling question now to try to get the audience to think about what their organization's top information governance initiatives are. Steve, there's a bunch of choices on the screen. I'm just curious. Are you seeing anything other than these? [11:46] Is there an emphasis on one over the other? You see a "better managing human behavior," "deciding where to begin the process," "tackling industry regulations," "handling legacy data," and a bunch of others. Are you seeing any one or two that are taking hold in a greater way?
Steve: [12:05] For companies that have made the connection with cybersecurity, I think you'll see more and more of that. My assumption is it's probably not huge right now, but as time goes on, I think we'll see more and more connection there. [12:16] The big one for me is always the human behavior and keeping up with the new technology. Between bring your own device, the social media, all the other things that are going on, the cloud. Those are things that I think everybody's starting to pay more attention to from an information governance standpoint. [12:30] We've got this explosion of data in a multitude of places now that we have to keep track of.
Ari: [12:38] Jake, is that where you're seeing it?
Jake: [12:42] Yeah, I'd agree. I'd say, especially in the last year in practice, I hone in on cyber security here. Don't want to put the thumb on the scale towards cyber security too much. But a couple things I've noticed, cyber security really helps with the five. [13:00] If you take the first one, for example, the human behavior, change, and technology, executives on the board as well as in the C suite just get it. They understand cyber security very easily. [13:13] If we were to try to push e discovery cost savings, it's a little more esoteric and hard to understand. So that really helps with these other five, and can help put some muscles behind initiatives.
Ari: [13:27] Let's see what the audience said in terms of the results, so that we can kind of gauge where we are or what we saw versus what the audience's thinking. You both alluded this. Cyber security and better managing human behavior are key points. Do these results surprise either of you?
Steve: [13:49] No, not really. I'm a little surprised that cyber security is as high as it is, frankly. I think that will only increase going forward. I think the human behavior piece, getting people away from a "save everything" approach with their data and legacy data. [14:06] For some reason, there's a certain emotion and frustrations sometimes with people, but if you approach it systematically and from a change management perspective, you can make it work.
Jake: [14:19] Yeah, I agree. I think if we come back in a year with similar questions, cybersecurity will probably be even higher. It doesn't seem to be going anywhere, and the hackers and the complexities only seem to be increasing. Ari: [14:33] You see that there's real consistency in what we've found versus what...it's always fascinating to me. We do a small sample, but that sample is usually statistically significant enough to gauge the tenor of the population. [14:48] Here, on this call today, we have a huge variety of individuals who aren't specifically in this category. Yet, we're finding a very similar theme throughout the legal industry. I love to see that. [15:00] Let's move on a little bit and talk about the possibility of leveraging e discovery software. We're going to try one more poll question on some of these topics to ask you, "Are you able to leverage your e discovery software for information governance purposes?" [15:18] Jake, you heard in the beginning I was saying that almost everyone was involved in developing, implementing information governance processes. A slightly smaller, although equally large number, 84 percent, were developing and implementing e discovery processes. How are you seeing that interplay taking place?
Jake: [15:39] It's kind of two sides of the same coin. I've got a really bad analogy I'll apologize for in advance, which is essentially what you do in information governance is the brushing and flossing. What you experience in e discovery, such as painful root canals and things like that, are directly a result of information governance practices. [16:01] In the spirit of this question, if you look at that information governance reference model, the wheel with the various stakeholders, sometimes we see when they're siloed, just as one example, privacy security will have their own network crawling tool looking for, let's say, PII, PHI. [16:20] E discovery will have their own tool that goes and looks for data for preservation. Records and information management may have their own going and looking for records. [16:30] In the silos we see some inefficiencies. We're starting to see, I'd say it's a little more bleeding edge, some companies that are working together to choose tools that can support multiple use cases. That's probably a good thing, but a little early on in the curve.
Ari: [16:46] Let's see what people said about this particular issue in terms of leveraging this. I want to point something out. When I asked, 76 percent of the respondents had some kind of information governance program to address some of the key issues. [17:05] You see here 63 percent are not able to leverage their e discovery software for information governance purposes. This seems like a disconnect. [17:15] Steve, what do you think about that?
Steve: [17:17] I think it's coming. I think this is something that we'll see on the horizon. The conversations that I've been involved with have been more about the future than the present, even among other companies. [17:28] For example, to the extent you're looking to do something in terms of email management in the future, maybe instituting some smaller mailbox sizes or having an auto delete feature in the future. [17:38] You might tie your litigation hold to that, so that you're taking people offline and not subject to those types of requirements, if you're subject to a litigation hold. [17:50] We haven't really used, for example, our review software for information governance. I'm sure there's creative ways to do that. We haven't gotten there yet. We're hearing a lot about new software that's outside the e discovery space. I just think this is an area that is early yet, but I do think it's coming. I agree with Jake on that.
Ari: [18:10] Jake, Steve mentioned something. One of the quotes that I heard was that companies explored connections between litigation hold software and information governance standards. There was a really strong theme there. Are you seeing that same issue, that same connection?
Jake: [18:28] I should say I see the desire for the connection, and it stems from the goal for defensible disposal. If you are going to engage in defensible disposal, then you really need to have three things mapped out in the same place. [18:45] Those are, "What are your legal hold obligations? What are your regulatory retentions for retention obligations?" And, "What's the business value policy for how long to keep data?" [18:56] If those three things are mapped out pretty well, and tied to the data sources, and in the same place, same tool, then that's really the lynchpin to enable defensible disposal, which has a ton of benefits, as Steve alluded to earlier. [19:12] There's a couple of tools out there that can house both the retention policy and the legal holds, and we see those winning probably more than their fair share of the bake offs, if you will, just given that strategic thrust and understanding what the future might be. [19:28] Even if the organization is not really at a run stage in the crawl walk run, they'd rather have it and not need it than vice versa.
Ari: [19:38] You make a good point. About 40 percent of those that I spoke with were focused on defensible dilution or records retention in their information governance. Just to show people the consistency, again, with their results and our results, we found 76 percent said no, they can't leverage this issue. [19:57] So, about a quarter can leverage eDiscovery software for information governance, but most can't. Steve, what do you think is absolutely necessary for this to take place, for these numbers to shift?
Steve: [20:12] I think it's technology maturing, because I can tell you, we look at these things all the time to see what might work. Some of it's thinking ahead three to five years, where do we want to be, and making sure we're making the correct purchasing decisions now, so that we can link things later. [20:30] Because if you go down one road, you may have difficulty if certain types of software doesn't talk to your information governance software, doesn't talk to your discovery software, etc., so you want to start planning and have at least a roadmap, even if you're not implementing today. [20:45] It's good to know where you're going and revisit that every year, so you can make sound decisions that don't tie your hands down the road.
Ari: [20:52] Jake, how long until you think people will be seamlessly doing this?
Jake: [20:59] My sense is that within let's say, when we get to our 12th version of the survey, if we were asked the same question, we'd see a little closer to half and half. It's part and parcel of the key thing we talked about at the beginning in the information governance reference model. [21:18] That once purchasing decision, the kind of RFP process, or evaluating technology also becomes shared across privacy and security, compliance records, management, legal for legal hold, preservation, collection. Then we'll start to see RFPs that require more robust functionality across a broader swath of use cases. [21:39] Once that happens, then the technology vendors are quick to adapt. We're at the beginning of that curve, and I think it's headed that way, and I'd say within one or two years, we'll see at least half or more would be my bet, if I were a betting man.
Ari: [21:54] We're going to hold you to it. It's a behavioral change, it's a request for information and ways of figuring out how these systems... [22:02] That's probably a general theme in technology in the legal community, how can we have interplay between lots of different systems, so that it makes things overall more efficient and more effective for the user, and streamlines cost. We're going to talk about some of those issues. [22:20] We have another polling question, and we're curious to hear your thoughts on this. Steve, I want to ask you about this particular issue. When I talked to individuals, and I asked about people who are responsible for information governance, the leaders, the individuals who are the champions. [22:40] Someone described them as the front line for raising awareness of the company's confidential use policies, and other agreements that relate to data. Is that your perspective here, as our audience is answering the question, do you have staff in house dedicated solely to information governance?
Steve: [22:57] Kind of a funny question. Initially, I thought I knew the answer and as I thought about it further, it's more complicated than I was thinking initially. Because if you're talking about dedicated solely to information governance, we have a staff that's dedicated to, essentially, records and information management. [23:12] Those are the people I thought of initially. We have a dedicated staff in our operations area, and then we have people in the business units who have it as a part time responsibility as well, to manage it within the business units. [23:24] Then I got to thinking, if you include the broader umbrella of information governance, we have people who work solely with big data and managing big data, so I'd have to include them. [23:38] We've got people in information technology who are really managing information, and making sure it's in the right place, and assisting with making sure that it's handled appropriately from a security standpoint as well as a defensible disposal standpoint. [23:55] As I thought about it, this is a bigger question than my initial focus, was pretty narrow. I guess it depends on how you view it, you could answer this a couple of different ways.
Ari: [24:07] Jake, is that your sense as well?
Jake: [24:11] It is. In my mind, I sort of look at this as if we're going to say, "In house dedicated solely to information governance," and we use our model. [24:22] I would almost say it would be interesting if we asked it in a different way, which is to say, "People dedicated solely to being the glue within the information governance reference model," meaning they're only focused with how it comes altogether. [24:35] Program managers, chief data officers, specifically with the goal of bringing all those silos together, then we'd probably get a slightly different answer. [24:49] What we're seeing, again, it's a little bit more kind of leading edge, really large corporations, or really large financial services corporations are putting in Chief Data Officers, or Directors of Information Governance, who are tasked with being the glue. But it's largely a regulatory function juxtaposed against the size of an organization that would dictate that.
Ari: [25:13] It's interesting, to your point about being a regulatory function that it's maybe not surprising that almost 60 percent were from some type of financial services company, or an energy and utility, just in terms of the regulatory nature of the initial push for information governance. [25:34] Let's look at the results, and see who has staff that's dedicated solely to information governance, and get a sense of how the panelists react. Almost 41 percent have staff dedicated solely to information governance. Does that number surprise either of you?
Steve: [25:59] It probably means we have a mix of some larger corporations on the phone, would be my guess. I haven't looked at who is on the phone, but it seems like that would probably tend to show that we have more in that category than not.
Ari: [26:12] Jake? Jake: [26:13] I agree. I think that's right. It's surprising, it's a little high, but a good thing to see. I'm pleased by those results.
Ari: [26:24] What I'm especially pleased to see that, again, it's consistent with our numbers. Every once in a while, we'll have 9 percent audience response, and we'll say 68 percent. It will be totally random, but here it's really interesting to see that there's such fantastic consistency associated with this. [26:44] I'm curious about that. Why do you think that the audience is mirroring these numbers so carefully? Any thoughts on that? Information governance is on the minds of everyone, almost as much as cyber security, because it relates to so many different elements. [27:00] As you said earlier, Steve, that it's such a broad brush that we are having trouble defining it, even, it's so broad. Everyone's really thinking about it.
Steve: [27:11] It's a confluence of things, including things like all the different types of technology we have now. There's also a regulatory piece to it, even if you're not in the financial services industry. [27:23] There was a bill passed this year in Rhode Island that is going to require companies to take action to dispose of personal information of Rhode Island residents, if they don't need it any longer, etc., they don't need to do it for legal or business purposes, etc. [27:41] That was the first one of those types of laws that we've seen in the US. We kind of expected it to come out of California, frankly, but as the regulatory environment starts moving, and you have all these different technologies, you have a big business interest in data, now, and in cleaning up data, making sure it's usable, etc. [27:59] I think you have a confluence of things that are going to lead to more and more companies answering this particular question in the affirmative.
Ari: [28:07] Jake, is that your assessment of the trend?
Jake: [28:10] Yeah, I completely agree. If you take a step back, we always knew this day was coming. We would five years ago, or ten years ago, say, "Wow. Data is growing unabated." It's growing sometimes 40, 60 percent, depending on the survey, and nobody is really executing a defensible disposal routine. [28:33] They're sort of collecting or accumulating data ad infinitum, and the math just would say that that's an untenable situation. It can't just keep going that way forever, with cyber security coming into it. [28:47] Another thing that Steve just raised that jogged my recollection of a couple of engagements we're doing right now, that are on the heels of the FTC and European Union's Safe Harbor framework of agreements falling through, that have also brought this to the forefront for the multinational. [29:08] Given how data must travel back and forth for various business applications and internal applications, and so forth. That's just yet one more stream in the confluence, as Steve mentioned, that's raising this to the top.
Ari: [29:25] I have a question for you guys, and that is, in a number of my conversations, there were concerns about information governance challenges. Someone said, "The scope of the project is a challenge, just the size. If our information governance initiative is too huge, it can almost fall under the weight of itself." [29:48] In relation to the individuals who are responsible for this, there was a certain concern providing and proving that it's worthwhile is, itself, a big challenge for organizations. Any thoughts on that, proving the value, or managing the size of such a huge initiative, Steve?
Steve: [30:13] Be fairly opportunistic is what I would say. We talked about cyber security. We've talked about the size of the issue is so huge that you need to start somewhere. [30:24] To me, you need to look first at your policies. Do you have the right policies in place? Have you started and reviewed those, and communicated those, so people at least have an idea of what they should be doing is a good place to start. [30:38] Then I think we need to start talking about structure, and I think we'll get into that in the next question. You've got to make sure you've got leadership from around the organization, to the extent that any one part of the organization tries to leave this initiative, I think it's a recipe for failure. [30:55] You want to prioritize and have some quick wins, or I truly do believe it will fall under its own weight. You also have to have an understanding in the business that this is a long term process. It's not really a project that will be over in a year. It's a multi year, maybe forever type of a process that you need to engage in and build out the infrastructure for.
Ari: [31:16] Jake, is that what you're seeing in your different engagements? I wonder what you're advising individuals on, in terms of making this a priority and, as Steve said, dividing it up in pieces so that you're seeing a series of successes.
Jake: [31:35] I work with companies that fall into one of two camps, and really which camp they fall into kind of directs what the strategy is. [31:43] The first camp, which is really the minority of companies, that is where there is an edict or a mandate from the CEO, from the board, from high level executives. Basically saying, "We need to get our house in order and we're going to create a funding mechanism for this general ledger code," and in essence, "Go make it happen." [32:10] In those cases, usually it's right after a big event of some kind, right after a corporate integrity agreement was signed, or a consent decree or something like that. That's really the minority. [32:21] I'd say that's 10, 20 percent of companies I work with. Most of the time, it's the opposite, which is the practitioners see that there's a big problem, and have been unable to really get the issue raised to the top of the house. [32:35] In those cases, I completely agree with Steve. You can find one or two burning platforms, problems that are very acute and that everyone understands. Scanning of file shares for PII and PHI, that kind of thing, is a universal problem and not that difficult to solve. From those quick wins, you can really build on, as we'll talk about little bit later.
Ari: [32:58] We have taken us through this arc of information governance. What does it mean? What's driving it? How are people using it? Are they able to leverage existing tools for it? We talked about the individuals who are responsible. Who are the leaders? [33:13] That's a key question, so we're going to do another poll question for our audience, talking about, "Which department is leading your information governance program?" [33:21] What was most fascinating to me, you see there are a bunch of choices, legal compliance, records, information, security. Was the breadth of individuals not necessarily who are leading this, but who are just involved. [33:33] Legal, IT, compliance, that makes sense, records, but what about finance, risk management, HR, the business units themselves? It was fascinating. Steve, I wonder do you have a sense of how that's playing out across corporate America, in terms of who is involved in these initiatives?
Steve: [33:54] I do see legal often owning these things. I have a little bit of a bias against that. I think we're definitely a partner in owning it. You need executive sponsorship, and legal should be one of those executive sponsors. I also think you need somebody on the operations side who can co sponsor it. [34:13] Legal comes up with a lot of requirement for the business. We might tell the business they need to send out a consumer notice of some sort, or what have you, but we don't actually own sending out the consumer notice. It's more helping the business do the things they need to do. [34:29] The business has gotten so complex that I think we need to distribute more broadly the responsibilities for information governance. The big thing for me is really getting the executive sponsors, and then establishing some sort of governance committee, a steering committee, whatever it might be, that has the right people on it. [34:44] Some of the folks that you just mentioned would be key. We've got our chief data officer. Big data's represented. Our IT, obviously, some key business units, compliance. We try to make sure we've got a good, broad spectrum of people who help govern the actual IG operations.
Ari: [35:08] Jake, let's look at our results and see who's doing what, in terms of leadership for information governance. Do these numbers surprise you?
Jake: [35:20] No, this is right about what we would expect. What's happening is, while each of these departments is necessary but not sufficient to the central theme that we're repeating, when there is the need to break inertia, often legal is in the best place to be the sounding board, to sound the alarm about the issues. [35:50] In the early days, we see legal driving. When legal drives, it tends to get more attention more quickly. But I think, over time, it's probably not ideal to be housed in legal. [36:01] But rather have legal be a key stakeholder, and perhaps IT or operations be where it's housed, with the business being the key beneficiary, and legal and compliance being the key advisors.
Ari: [36:14] Jacob, I'm just curious. When I asked where did these initiatives start, 52 percent said it started in legal, and another 20 percent said at the C suite level. Do you think that's part of the reason why legal tends to be the leader in this area, because it started there? [36:34] You mentioned inertia. That's the natural progression. If it started there, then they would maintain leadership?
Jake: [36:42] I think so. If we look back at e discovery, which is a smaller but similar phenomenon, often it was a lawyer saying, "Listen, I'm nervous about this. We have key risk here. We're not doing anything about it." [36:57] Often, they were the ones to sound the alarm to get things going. Often, they would implement their own server under their desk to do something. [37:07] Over time, it became a more repeatable business process, a shared responsibility with various stakeholders. I think we'll see the same thing, just in a larger scale and even more complexity, as evidenced by the fact that e discovery is one of the components of IG. Hopefully, we'll see the same thing happening. [37:25] But, for the organizations that don't have anything happening, and really are stuck, I think legal can break the log jam and get things going in the right direction.
Ari: [37:36] Aside from legal, do either of you think there's a next logical group, or should it just always be interdisciplinary?
Steve: [37:47] I think it's going to vary widely by organization. First, we have to have an operations organization that deals with a lot of the data, works with IT all the time. For other places it might be somewhere in IT to maybe co own it with legal. [38:04] I just think it's going to vary a lot. Compliance would be another place that's certainly always under consideration as a logical place. [38:12] Wherever you put it, though, I think you've got to have that executive sponsorship. You're going to be dealing with budgets, not only your own budget, but sometimes budgets of different business units, to do the things that need to be done, and certainly the technology budget. [38:24] You've got to have ownership at the right level. Ownership at the right level's almost more important than which area it lives in, long term, but that budget issue can't be overlooked, either.
Ari: [38:36] What's funny Steve, actually the next advice from counsel's going to be focused on compliance. While compliance would be a next logical owner of this, it's interesting that sometimes compliance is a subset of legal anyway. In the grand scheme, it's maintained by legal ultimately. [38:59] Let's push on and talk a little bit about the finances. Are you able to quantify any savings, this is a poll question for our audience. As a result of implementing an information governance program? I will say that this is a favorite question in the Advice From Counsel series. We're often trying to give people practical benchmarking tools. [39:25] Over the years we've seen, for example, people being able to quantify savings and spending in e discovery in a much more sophisticated way than when we first started talking to them, gosh, back in 2008 I think, so it's been quite a while. [39:39] Steve, what's the struggle here, in terms of quantifying savings as a result of information governance, if there is one?
Steve: [39:47] I do think it's hard to provide a statistical model. I've certainly had difficulty providing a statistical model to measure the savings. Individual projects, that might be appropriate and can be done. [40:02] But generally, for an overall information governance program, you really focus more on the risk side of things and the value to the business, in terms of things like having clean data, having data that's usable and not cluttered. [40:16] Because of the business interests in how data's being handled now, it's become easier from that standpoint. The information governance program itself might not have to have its own separate ROI, outside of the risk conversation, or the compliance conversation.
Ari: [40:32] Jake, are you finding people able to? Is this something in the value proposition, "Well, you can save X if you're spending Y?"
Jake: [40:43] I'd say that, probably for this audience, we as lawyers, this is usually not our core competency. Usually, if we're going to struggle with something, it's probably the quantification and the rules of how to put the business case together. What's a cost to avoid versus a cost save, and those types of things. [41:01] When I'm working with companies where IT or information security is brought in and taking a little bit more of a lead role, I find it a lot easier. They typically will have those models, already have precedent for success, when they were able to bring something in based on a business case. [41:20] I would say that, to Steve's point, the facts are on our side here in two ways. One, really the moves that we can make, cross functionally, to put in tools and processes, or people, or whatever, will reduce both cost and risk. Usually, an analysis on either side is usually sufficient to fund projects and to fund programs. [41:46] I think it's more important to not try to quantify if it's not in your core competency. What happens is once you try to quantify, the focus from the risk shifts when you get into finance and operations, just because they know the finances aspect of it a little bit better. [42:04] Some careful thought needs to be put into how any sort of reduction in cost, risk, or both is going to be presented. Again, there's ample fodder on both side.
Ari: [42:18] Jake, your point is so well taken. One of the things that has come up over the years, in terms of quantifying savings and spending in e discovery, is that in the beginning it was very difficult to figure out where all the spending was happening. It was in IT. It was by outside counsel. The billings codes weren't uniform. There was a struggle. [42:38] Now, that's become a little more sophisticated. In information governance, we just talked about how these groups who were managing or leading it are diverse, so legal doesn't really have visibility, necessarily, into what compliance is doing or records or finance or HR, while they may still have some hand in organizing this. [42:59] That seems to be one of the challenges. Steve, is that what you're seeing, as well?
Steve: [43:03] Yeah, I agree with that 100 percent. I think one other thing that has worked against us is the cost of storage, at one time, would have been an issue. Now, the cost of storage has gone down every year, so you can't really focus on that any more unless you're really growing exponentially, because it just keeps going down. [43:19] I think you're swimming upstream a little bit, depending on which part of the cost spectrum you're focusing on. I agree with Jake. I think focusing on cost, if that's your competency and you can, but focusing on the risk part of it, risk and compliance, is where most of the traction is going to be had.
Ari: [43:39] Let's see some of the results and what people decided. Can they quantify any savings as a result of implementing? A pretty good number. Almost 41 percent can quantify that savings, which is impressive. This is a point of distinction. We certainly didn't find that big a number that can quantify it. [44:04] Part of the reason for that seemed to be that...one of the individuals I spoke to said that information governance started as records management, and it's evolved to address concerns. It got convoluted, and there's some confusion associated with it, as we've discussed. [44:26] Interesting to see this differentiation. The other thing I'll mention is that the numbers that I received...for the individuals who could quantify how much they're spending, how much they're saving, the numbers were broad. A person would say, "Between $1 and $2 million." And a million is a big number. [44:47] Somebody said, "Between $5 and $20 million." It reminded me of when my daughter was little and asked me how much something costs. She'd say, "Was it more than $100?" I'd say yes. [44:57] She would say, "Is it more than a million," and that was her second response. It's just, "Well, yes, it's somewhere between $100 and $1 million." So I think that there's a struggle there, as well. [45:11] Let's try to give people a sense of how to do this better, how to get started on a program that is going to make them optimally effective. Jake, what do you think?
Jake: [45:26] I'd say the first question to ask is where you are in the organization. We have folks on the call here probably the general counsel of corporations, and we have folks on here who might more focused roles. That's a key question. I'd say for those who are higher up, focusing on the risk to the organization is key to get attention. [45:51] Cybersecurity, right now, is one of those areas that is fraught with risk, and a lot of people don't even know what they don't know as far as how bad the risk is. It shows no signs of abating, and is really only getting worse. If you're high up, then I would focus on those kind of threats to the enterprise, because a couple reasons. [46:11] One, it's ubiquitous, it's horizontal, it applies to everyone. Two, very high level executives get it. The CEO, the board, they get it. Whereas, "Well, if we don't comply with SEC 17a 4, then we might have this kind of a fine, and someone got fined $10 million two years ago, but then nobody got fined." [46:32] Those type of conversations tend to lose the focus. That's really what I would focus on at a high level. At a low level, or more of a focused level I should say, really that's where the opportunity for grassroots projects with quick wins can happen. [46:52] By that, I mean whatever area that you feel you can influence, let's say that it's implementing legal hold process to close off some risk caps, if there's no legal hold automation happening. [47:04] Or, the clean up of file shares, or getting rid of back up tape stores that have been accumulated for years. Those are the types of projects that are relatively straightforward to do, might be six, nine months, $100,000 of external funding. It's biting off digestible chunks. [47:26] Then you can make a win wire, if you will, to say, "Look at what we were able to do, and we've identified two or three more of these we can do." Incrementally building would be how to start from the bottoms up approach.
Ari: [47:45] A win wire, I like that. Steve, any advice?
Steve: [47:50] Three things come to mind. One is, we mentioned this a little bit, updating your policies and procedures. They're going to be a lot of different ones that are out there, social media, computer, just using the computers and bringing your own device, cloud, records management. [48:06] You could even consider building records management, cybersecurity policy in one place. That may be advantageous. Really, making sure you have that structure in place, so when people say, "What can I do?" you've got at least some policies and procedures to guide them. [48:23] The second thing is I think the quick wins are important. I think data consolidation, clean up, even identifying duplicates, which IT can be good at. Once they're engaged in that kind of thing, there's a lot of things you can do from a clean up standpoint, without really increasing your risk too much. [48:39] Third, I'd say get out and interact with the business. I think there is a lot of interest in this area. The key, as we've talked about, is really making it a priority, giving people the guidance they need and, at the same time, setting them this structure, where you've got executive sponsorship and some leadership in place. [49:01] Those would be the three top things I'd focus on if I were just starting out.
Ari: [49:06] I'll just say, from a statistical standpoint, the idea of securing executive support earned about 24 percent of the respondents' top priority. The others were cross disciplinary collaborations, becoming more familiar with your data, planning more properly. Someone said, "Benchmark, benchmark, benchmark." [49:29] You need to speak with similarly situated companies with a common risk profile and size. What would you recommend, both of you, avoiding, the single pitfall you need to stay away from to be safe? Jake?
Jake: [49:48] I'd say there's a principle that need to be ingrained in almost all of this, really from any level, which is that perfection cannot be the enemy of good. I've seen a lot of organizations that report that they've tried tackling this and spun in circles in analysis paralysis. [50:08] The indicators will be it's the right people at the table, and everyone's sort of stuck on, "How will we go classify every piece of data in our organization? Because we think we'd have to do that to even get started on anything else." That is a perfection being the enemy of good example. [50:30] I'd say that's the main risk here. The problem can seem overwhelming, and if you try to boil the ocean, it can be very difficult. I've talked to a lot of companies that have spent years stuck in that mode. Often, what we'll do is we'll pluck off one project that's sort of a no brainer, that everyone agrees would be great to fix. [50:54] Let's say it's an email archive that doesn't work and takes three days or weeks to get data out of, or getting rid of backup takes, legal hold, something like that. That's much more of a practical, pragmatic view of things, and you can get some great momentum that will get you where you need to be. It just might take a little bit longer.
Steve: [51:15] I couldn't agree more, Jake. That's a really good point about the perfection being the enemy of good. I also think once you start engaging different areas within the company, you find things that you can do that really don't cost a lot of extra money. Some of it's just planning ahead. [51:29] For example, if you've got your IT architectures, whoever's planning your IT going forward, they can avoid things like not having built in information management capabilities within your software as you're putting new software in. [51:43] For companies that have been around a while, you're going to have legacy systems, and they may not have had even the built in capability to remediate information. [51:52] Sometimes just for a few extra dollars, you can get the module of the software that allows you to manage your data, surprise, surprise. There are things that you can do, from a planning perspective, that will make your life easier the long term, as long as there's an awareness and you've got the right people involved.
Ari: [52:08] I've really been enjoying this discussion. It's funny, because I feel the same way I felt when I was talking to people about this issue. It's new and people are all struggling with it, so it's lucky that they're getting the chance to hear from both of you. [52:21] I think we're going to talk about some questions. It looks like we've gotten a lot, Jake, huh? Angela: [52:28] Thank you. Thank you Jake and Ari and Steve for presenting today. I'd like to remind everyone that you are able to ask questions using the Q&A widget on the bottom of your console. We do have time for just a couple questions. If we're not able to get to your question, you may receive an email response. [52:47] With that, I'd like to turn the call over to Jake to raise the first question. Jake?
Jake: [52:55] The question is, "Do you think initial investments need to run out before more robust applications are used for e discovery. This is a touchy one. It really depends on... [53:08] I'll frame the question this way. Let's say we bought a solution three years ago. It was a point solution that helped us do eight or ten tasks. But, really, it's not a strategic platform or something we can grow. We've really already outstripped its functionality. [53:27] This often depends on being tied in with IT. The reason I say that is because IT is pretty good as a generalization at applying the discipline of sunk costs, and accelerated depreciation. [53:43] Those are more finance, operational type things. But if you speak with IT and say, "I think we've outstripped the functionality of an application that we have. There's some platforms that could give us more reduction in risk or costs." It'd be good to talk to them and understand the finances around it. [54:05] I know it's not really our core competency again as lawyers, but that's really the key. Because the answer really is no. The initial investments were sunk costs. When we applied the discipline of, "Hey, that money is not coming back." So we have to look fresh from today forward of what the best approach is. [54:24] Certainly, one of the alternatives is continue using the existing tool. But, often, with that discipline, you can come to the right answer. It gets really complicated when there are emotions involved with somebody that chose the tool and will feel like you're questioning their expertise and so forth. [54:44] So it's really important to get that person on board to begin with and have them take a key role in the design of a new or selection of a new product as well. Because software lifecycles really are not necessarily meant to be forever. Depreciation and other things like that are designed to help with the process. Angela: [55:08] Thank you, Jake. I think we have time for one more question. Jake, can you take a stab at the next question?
Jake: [55:15] Yeah. Does anyone have any staffing plans to help determine what IG resources may be required and how those are justified? This organization has an IG owner. What about e discovery role, privacy roles, etc.? [55:30] I think there's really two staffing models out there that often have to be part of the end of a business case. Relaying and quantifying the savings up front, risk reduction, and so forth, then the math will sort of dictate about how many people you could afford, if it's about full time employees. [55:50] If you can't have full time employees, then it's about finding a distributed network of people who might have five or ten percent of their job be to assist. In that second model, it is really important that that's an official designation, and not a kind of side of the desk agreement. [56:08] Often, it's important to have whatever you're asking them to do as one of their key major business objectives, or, whatever it's called in any of the bonus or variable compensation plans. [56:21] So it's important to have those institutionalized, and memorialized. But those are really the two kind of models that we see. Ari or Steve, any comments on that?
Steve: [56:33] I agree with that.
Ari: [56:36] I too agree.
Angela: [56:40] Thank you again to all of our speakers. Steve Ihm from Allstate, Ari Kaplan, Ari Kaplan Advisors, and Jake Frazier from FTI Technology. This now concludes today's presentation. [56:52] Again, the recording and the slide deck from this presentation will be shared with all registrants. We wish you a good day. Thank you again for joining us.