
Wednesday, May 19, 2010

Government Intervention and Oversight Driving the Convergence of eDiscovery with Governance, Risk and Compliance (GRC)

With the accelerating increase in the volume of Electronically Stored Information (ESI), along with increased government intervention and oversight, enterprises worldwide are experiencing an unprecedented increase in investigations and reporting for eDiscovery and Governance, Risk and Compliance (GRC). With the financial pressures of today’s economic realities to reduce costs, you would have guessed that most enterprises would be investigating internalizing and centralizing the common activities of eDiscovery and GRC.

However, as humorous, unbelievable or sad (or some combination of all three) as it may seem, this has just not been the case.

Historically, eDiscovery has been a reactive and outsourced process with little or no involvement from the Information Technology (IT) departments and Governance, Risk and Compliance (GRC) has been something that the “bean counters” will worry about.

However, in 2010 and beyond, with increased government intervention and oversight in just about every aspect of the corporate world, enterprises worldwide are beginning to realize that eDiscovery, with all of its associated practices and requirements, and Governance, Risk and Compliance (GRC), with all of its associated practices and requirements, may actually be “one-and-the-same” in many respects. In other words, these previously disparate and often redundant practices of eDiscovery and Governance, Risk and Compliance (GRC) are converging.

After all, how “forward thinking” do you need to be to “step back” from the daily complications of Global 2000 Information Technology (IT) and realize that, at some level and with a few paragraphs of caveats, it would be a “good thing” to retain all of this Electronically Stored Information (ESI) in some centralized repository, hook up one of today’s analytic platforms and then enable anyone within the enterprise, including eDiscovery and Governance, Risk and Compliance (GRC) practitioners, to extract the ESI that they need to fulfill their requirements.

Well, if you throw Data Retention Policy, enterprise intra- and inter-divisional politics, and the inability of legacy systems to talk to one another into the mix, it may be a bit more complicated than I have portrayed. And, if you consider the legal requirements and associated ramifications incumbent in collecting and processing ESI for a legal matter, eDiscovery does have its fair share of subtle nuances to consider.

However, the fact remains that from a pure financial standpoint, most enterprises worldwide will have no viable option, short of “continuing to drop the ball,” but to integrate and converge eDiscovery and Governance, Risk and Compliance (GRC).

Looking at this issue from an “investigative” standpoint, Albert Barsocchini, Guidance Software, wrote an excellent article that appeared on May 14, 2010 on the Wall Street and Technology Website titled, “Financial Institutions Now Taking a Holistic Approach to eDiscovery, Internal Investigations and Compliance”.

In this article, Mr. Barsocchini states that, “The 2009 financial meltdown has resulted in new lawsuits and the possibility of increased regulation for many financial firms. Pending legislation that will boost regulation of big banks and hedge funds are two recent examples of this trend. Similarly, legal action against Wall Street firms such as Goldman Sachs, Lehman Brothers and others illustrate the increasing need to be able to respond to an increase in both civil and criminal legal inquiries.”

He goes on to contend that, “These trends are driving a trend toward the corporate legal departments at financial institutions taking a unified approach on the mission critical functions of internal investigations, eDiscovery, audit and compliance. This has now become a boardroom-level issue.”

The “perfect storm” is here, and therefore it is time to stop debating whether or not it is coming. It is now time to debate how to deal with it. Therefore, over the next 90 days, I am planning to evaluate and report on the “best-in-class” technologies and best practices that will provide the foundation for this convergence to occur. I am also going to be reporting on several successful case studies. So, I invite technology vendors, consultants and enterprises worldwide to contribute input and comments. I look forward to hearing from you.

The full text of Mr. Barsocchini’s article is as follows:
 
The 2009 financial meltdown has resulted in new lawsuits and the possibility of increased regulation for many financial firms. Pending legislation that will boost regulation of big banks and hedge funds are two recent examples of this trend. Similarly, legal action against Wall Street firms such as Goldman Sachs, Lehman Brothers and others illustrate the increasing need to be able to respond to an increase in both civil and criminal legal inquiries.
These trends are driving a trend toward the corporate legal departments at financial institutions taking a unified approach on the mission critical functions of internal investigations, eDiscovery, audit and compliance. This has now become a boardroom-level issue.

Internal investigations can include issues involving human resource, fraud, unauthorized network access and intellectual property theft. eDiscovery can include both civil and criminal evidence collections as well as regulatory inquiries. Compliance covers data audit (personal identifiable information, record management enforcement, etc.), data security, HIPAA, Sarbanes-Oxley (SOX) fraud investigations, to name a few.
Traditionally, these types of investigations have been conducted by separate corporate departments and rarely have they been brought under one roof from a technology or departmental resource point of view.
Challenges Driving Convergence

But recently, there has been a clear shift to consolidate these areas for efficiency, cost-effectiveness and other internal reasons. Companies are realizing that these departments can no longer operate in isolation and still meet today’s challenges.

There are a variety of challenges driving convergence, including increased litigation and internal investigations, the pressures of evolving case law, increasing volumes of data, reliance on smaller staffs and complex data privacy laws.

There’s also the possible need to defend the technology used in the investigation to prove that the computer program used to discover the computer evidence (ESI) generated authentic evidence. In these cases, the proponent of the evidence must testify to the validity of the program or programs utilized in the process. Daubert v. Merrell Dow Pharmaceuticals, Inc, 509 U.S. 579, 113 S.Ct. 2786, 125 L.Ed.2d 469 (1993) is a landmark U.S. Supreme Court decision that sets forth a legal test to determine the validity of scientific evidence and its relevance to the case at issue. On the other hand, in state courts we see the Frye v. United States, 293 F. 1013 (D.C. Cir. 1923) test employed which is used to determine whether a scientific technique for obtaining, enhancing or analyzing evidence is generally accepted within the relevant scientific community as a valid process.

Judges are also behind this convergence trend, advocating that companies bring eDiscovery in house. For example, in Phillip M. Adams & Assocs., L.L.C. v. Dell, Inc., 2009 U.S. Dist. LEXIS 26964 (D. Utah Mar. 27, 2009), the court scolded the producing party, Phillip Adams, for not having appropriate technology to reasonably access potentially relevant electronically stored information (ESI). The court found it unacceptable for a party to hide behind inadequate information management systems as the reason why it could not produce relevant documents.

In Spieker v. Quest Cherokee, LLC, 2009 WL 2168892 (D. Kan. July 21, 2009), the court admonished the defendant for claiming they did not have the ability to generate the requested ESI materials in-house: “This court is aware of no case where a party has been excused from producing discovery because its employees ‘have not previously been asked to search for and/or produce discovery materials.’”

Investigations are Similar in Nature

The typical investigation, no matter what practice area, tends to be reactive. Because every investigation is triggered by misconduct or legal proceedings, it is tempting to conduct every investigation in an ad hoc manner without any consistency. The more effective model is to conduct the investigation in a consistent manner under one roof using a single technology, if possible.

The ties that bind these internal inquiries are: they all have legal consequences and they all require similar investigation processes and techniques with similar consequences if not performed correctly. For example, the normal information security response to a network intrusion is to determine the scope of the breach, identify what data was compromised and patch the vulnerability. However, if these are not investigated properly, the company will not have the necessary evidence to properly prosecute a perpetrator either civilly or criminally. The information security department now needs to collect evidence properly according to forensic protocols and procedures for court validity, while at the same time doing their job to fix the breach.

Additionally, the typical triggering events (criminal misconduct, security breach, litigation, employee complaints, ethics hotlines, receipt of a subpoena, whistleblowers, competitors and customers, shareholder demands, regulatory audits and inquiries, responding to governmental investigations) for eDiscovery, compliance, security and audit require immediate involvement from the legal department before any type of investigation can be initiated.

Legal-Centric Approach

Depending on the type of event trigger, the legal department should always be the first to be notified. They need to decide whether to investigate, who should be involved (human resources, the board of directors, outside counsel, security, etc.), the scope of the investigation, how it should be conducted and what will be done with the results of the investigation. This legal-centric approach provides companies with the best opportunity to get on top of the case early for early evaluation of the best “go forward” strategy.

This need for a unified approach is obvious when you see more cases involving network security issues, data privacy and the improper handling of electronically stored information. Because security, data privacy and collecting evidence can have significant legal consequences, corporate legal departments concerned about litigation and compliance are better equipped to coordinate and drive technology purchases than IT departments who are mainly concerned about data security and general computer network issues.

Overcoming institutional barriers within corporations is the biggest challenge to having a unified approach to eDiscovery, compliance and internal investigations. However, we are starting to see information security departments, IT and the legal departments work together to break down communication barriers and realize the benefits of cooperation and coordination.

The investigation risks are similar too - failure to find all relevant evidence, failure to properly preserve and authenticate relevant ESI, failure to meet deadlines, failure to document the process, failure to have a consistent workflow, unintentionally altering the evidence and evidence spoliation. Flawed investigations can seriously damage a corporation’s reputation, depress stock prices and hurt employee morale as well.

In all of these cases, the enterprises need to search, identify, preserve, collect and process evidence quickly for attorney or law enforcement or regulatory compliance review. Getting to the evidence over the network early is critical to the success or failure of an investigation.

For cost, efficiency, consistency and to mitigate risk, it makes sense to have a standardized, repeatable and defensible process for all types of corporate investigations. More companies today are creating a single team and using a single enterprise-class technology to perform these types of investigations. Companies without a coordinated policy and strategy will spend more on e-discovery, compliance and internal investigations than those taking a holistic approach.

Effective Response Plan

The need to become "investigation ready" is driving companies to assess, analyze and plan, and unify their investigation response practice. An effective response plan requires an organization to anticipate proactively the type of investigations that could be initiated and develop an offensive response strategy.

Technology is the linchpin to the overall implementation of a proactive response plan. When looking for enterprise technology to handle multiple types of computer investigations, look for technology that can search for evidence over the network from a central location, collect the evidence in a forensically sound manner and properly preserve all metadata. Additionally, having technology that can also do a network-based forensic examination is important for IP theft, SOX investigations and HR cases.

Recommended best practices include having a comprehensive corporate investigation and document retention policy, developing a repeatable process to properly identify and retain evidence for both civil and criminal matters, developing a response strategy for both inside and outside counsel, properly identifying event triggers and creating a decision tree, determining who in the enterprise should control and conduct the investigation, determining how the investigation should be conducted, what the scope of the investigation should be, and what will be done with the results of the investigation.

The rewards of becoming investigation ready and centralizing the process will help a company have a strategic advantage by quickly and efficiently identifying potential liability and effectively limiting risk while allowing the company to control the process before governmental or other third party intervention. It also gives the corporation more time to develop a response or defense strategy, which may ultimately minimize overall criminal and civil exposure and reduce the likelihood of lawsuits. Finally, it can make a corporation look more responsible to the courts, government regulators, shareholders, and auditors, thus minimizing the effect of any negative publicity that has arisen from allegations of wrongdoing while also satisfying the board’s fiduciary obligations to the stockholders.

Ultimately, the goal is to establish a legally-defensible response plan that builds upon prior experience, provides a common language and establishes an effective evidence lifecycle management framework to minimize risk and increase the effectiveness of an investigation. It is a critical piece of overall corporate policy. Combining these investigation areas will provide an organized business workflow that efficiently combines people, processes and technology.


1 Comments:

At May 19, 2010 at 4:27 PM , Blogger Mark G. Walker said...

No question that corps need to do a lot more risk and information governance/management. As for bringing eDiscovery "In-house". See that said a lot and for some it does make sense. But, for the company that has 1 lawsuit a year? Even 2 or 3? No, it doesn't make sense.
