In the spring of 2021, Pagefreezer partnered with the Association of Corporate Counsel to examine how legal teams are dealing with new data sources, such as team collaboration tools (like Slack and Microsoft Teams) and video conferencing platforms (like Zoom).
The resulting report, Collecting Online Data for eDiscovery & Litigation Readiness, compiles the responses from 211 in-house counsel across 23 industries and 22 countries.
The report reveals important quantitative insights into the current maturity level of information governance (IG) programs, and the extent to which legal departments are adequately prepared for the eDiscovery processes involved in potential litigation.
Notably, 52.6% of respondents have immature Information Governance processes, which opens their enterprises up to privacy, security, and compliance risks.
We gathered a group of enterprise legal and enterprise archiving professionals to discuss these findings in a webinar. They shared their thoughts on the risks of immature practices, where to start when trying to optimize IG maturity, and their key pieces of advice for improving and streamlining data preservation.
Here are highlights from the survey results and discussion.
Overall Information Governance Maturity
Overall, the panel was surprised to find so many respondents on the less mature side of the information governance maturity spectrum.
- 52.6% have decentralized practices (red and maroon)
- 28% have set procedures, some level of centralization in place and are starting to automate (yellow and mustard)
- 19.4% have an enterprise-wide strategy and automation (green and dark green)
When we asked panelists about the risks one needs to mitigate when their organization has immature Information Governance processes, they named privacy, security, and compliance risks as key issues to tackle. They stressed the importance of putting policies in place, as well as guidelines on when individuals are permitted to use their own devices.
They also cited legal risks. When employees use systems or devices that aren’t sanctioned or managed by the organization for communications, these communications will inevitably be referenced in emails and therefore, will come to light in a discovery process.
Data sources at various maturity levels: how to prioritize?
After understanding the overall IG maturity of the respondents, the survey more closely examined the different types of data sources. We first asked the respondents to name the types of data sources found in their organization, then asked them to rate their maturity by source.
Here are our findings:
- Emails are the most mature, followed by internal messaging—defined in the survey as tools like Microsoft Teams and Slack.
- Text/instant messaging apps, like WhatsApp, and social media content are the least mature in terms of information governance and retention strategies, even though chat has become a standard communication channel for many organizations, both internally and sometimes even with clients.
When discussing the factors that influence which data sources should get prioritized, panelists point to data mapping as the best place to start. A data map, also known as a data inventory, is a single source of truth for understanding all the sources of data in a company, what information these sources collect, where this data is stored, and what happens to it.
Employees looking for convenient ways of communication might resort to tools that aren’t sanctioned or managed by the organization. Or they might simply find a tool that works well for their team and implement it without authorization. This type of “shadow IT” generates real risks to organizations—and it’s a problem within most companies. In fact, a 2019 survey found that 67% of teams in large companies had introduced their own collaboration tool without the input of any other department. So, in order to mature information governance practices, organizations need to ensure that they uncover any shadow IT lurking within the company and make sure that they have control of all collaboration tools.
To prioritize data sources, our panelists suggested establishing a risk profile, understanding where your organization falls when it comes to regulatory compliance, and evaluating the sources on your data map based on a number of factors, including:
- Whether the data source has built-in tools that take steps to preserve the data
- How difficult it is to extract data out of the source
- How difficult it is to derive meaning from the data, once it has been extracted.
The last is a particularly expensive endeavor. In the context of litigation, trust is often in short supply. As such, information needs to be collected in a way that is predictable, verifiable, and credible to cut down time and money wasted on trying to establish trust. Piecing just three conversations together in a format that can be provided to the opposing counsel could cost hundreds of thousands of dollars.
Maturing Information Governance Practices: Where should organizations start?
The survey asked respondents to state the most important IG improvements as an open-ended question and we then categorized their responses. 42% of respondents said that records retention policy is the most important improvement, followed by data management, mapping and indexing. Alignment between departments came in at third place.
Our panel of experts were not at all surprised by the top results.
Where one focuses really depends on what your current state is, what data is being retained, as well as what policies and processes are in place. They stressed that checks and balances must be in place, in order to make sure policies are being followed.
Additionally, data mapping exercises should not be a “one and done” project. As organizations grow, systems evolve, and business processes change to meet demand, data sources are continually added. This means that a data map must be treated as a live document. Organizations that ignore data mapping may later face multi-year projects required to properly map and index all of their data sources, because the situation has spiralled out of control.
Unfortunately, information governance initiatives are often reactive rather than proactive. It is common for organizations to not pay attention until a crisis happens, which ends up costing the organization far more in the long run.
Amy Sellars compared preventative efforts to public health issues. They succeed when nothing bad occurs, and it’s hard to get resources and investments when nothing perceivable is happening. The traditional argument of “investing X to get Y” does not work well. Therefore, the metrics used to discuss information governance need to change.
Final Pieces of Advice for Streamlining & Improving Data Preservation
To conclude their responses, 211 in-house counsel shared one key piece of advice for in-house legal professionals looking to streamline and improve their data preservation strategy:
Get buy-in at the top
“This needs executive sponsorship to truly gain traction.”
“Get C-suite support and use examples (ie. expensive or complicated discovery issues and risk-avoidance issues)”
“Invest in tools and technology solutions.”
"Budget for the process & engage third party consultants."
Work with IT — Get involved and ensure both teams are educated
“Develop a close relationship with IT and ensure they understand eDiscovery needs.”
“Find a trusted IT representative who is willing and able to spend the time to educate the legal team.”
Keep it simple — Complicated processes and policies get ignored
“Don‘t make policies so complicated that they cannot be followed.”
“Don’t let multiple locations choose different platforms.”
“Automate as much as possible.”
Start now — Don’t wait until a disaster happens to get your house in order
“You don’t know when that next discovery cycle is going to require your organization to be ready!”
“Build consideration of search and data retention into every new technology that is brought into the company.”
Our expert panelists each shared a key recommendation as well:
Amy Sellars: My one key piece of advice — start with education. Raise awareness to everyone in your company, every chance you get. Talk about why data hygiene is important, what it means, and what the impact is. Ask people what their repositories of record are, or ask if they know what retention policies affect them. Most people don’t live this everyday, but we do, and we have to help people connect to it if we want good data practices.
Jack Thompson: My key piece of advice is to tie individual interest to company interest when having information governance conversations. Try to tie the initiatives to tangible personal benefits.
Brian Jones: My one key piece of advice would be to recognize that streamlining and improving data preservation and retrieval strategies usually depend at least as much on good business and people management as on good systems management.
Gary Logan: Before streamlining and improving data preservation strategies, take a step back, reflect, circle back and assess the data/records that are currently being collected. Because once you understand that, it will be easier to move forward.
Brandi K. Bush Percy: Don’t wait until a crisis happens. Legal departments should invest the time and resources into the technologies that are available to us, in order to do our jobs more efficiently, provide our clients with excellent service, and better evidence our value to the organization.