Did you know that nearly 1/3 of companies have been fined by courts or regulatory agencies because the organization couldn’t respond in time to requests for electronically stored information (ESI)?
The explosive growth of ESI itself is largely to blame.
Between the increase in employees working remotely and new technologies, organizations today are creating massive quantities of new, unstructured data. Nearly all of that data is discoverable, and a lot of it falls under industry regulations, like recordkeeping rules.
With so much data coming in from so many sources, businesses are struggling to keep up. Many are being caught without the processes and workflows needed to extract relevant ESI in a timely manner. That can lead to fines.
Legal department leaders already know this is a problem.
In fact, 75% of general/deputy general counsel leaders say implementing an enterprise-wide records retention policy to manage the ESI flood is a top priority. But fewer than half of organizations currently have such a policy in place.
These are just some of the findings from the 2024 ESI Risk Management & Litigation Readiness Report. The report presents survey results from 200+ in-house legal professionals, along with practical strategies for managing ESI risk from industry experts.
“The fundamental challenge is that information governance is never the top priority of any business department. Nobody starts a company and says, the first thing we must do is introduce a records management system. And neither should they. But as a result, to some extent, you're always playing catch up.”
— Richard Jeffrey-Cook, Head of Records Management and Consultancy, In-Form Consult
If your organization is still playing “catch up” too, don’t worry. In this article, we’ve rounded up the report’s key findings and insights from industry experts to help you overcome the underlying challenges with ESI and its role in litigation readiness.
Key Findings from the 2024 ESI Risk & Litigation Readiness Report
- Fewer than half of organizations report having a mature (i.e.,enterprise-wide and consistently enforced) data retention policy for any data source.
- Two-thirds of legal professionals say caseloads are increasing, causing delays in responding to requests for production of ESI.
- Nearly a third of respondents said they have been fined for late responses or been unable to respond to requests for ESI at all.
- Almost half of respondents cite inadequate staffing and inefficient or difficult-to-use technology as top challenges for legal department efficiency.
- More than two-thirds of respondents say that their legal department must depend on the IT department to complete ESI tasks.
Challenge: Immature data retention policies create risk
The majority of companies are missing mature data retention policies for every data source, increasing the risk that they’ll face legal sanctions, regulatory consequences, and other financial risks. For example, if ESI that should have been deleted is exposed in a cyber attack, there may be more people to notify about the breach and more potential plaintiffs for lawsuits about the breach.
"We had one client, a very small company of about 1200 employees who had data stolen and ransomed by a hacker group. The company didn't have much consumer interaction at all; it was all B2B. But when we did the assessment of the data that was stolen, we identified 76,000 data subjects that needed to be notified. It turned out they had data going back to 1998, including lots of data related to former employees.”
—Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
Companies that fall victim to cyber attacks often find themselves undertaking “huge data remediation projects after the dust settles,” according to D’Ambra. Often, data is not only past its retention period, it has no remaining business value.
"Hackers can’t steal what no longer exists on the company’s systems.”
— Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
But deleting ESI that should have been retained, whether intentionally or by accident, can create problems too. D’Ambra points to the risk of legal penalties for deleting the wrong ESI. “In discovery where we tend to see people get sanctioned the most is for preservation issues: They didn't lock the data sources down and it got deleted inadvertently or overwritten.”
Peter Callaghan, Chief Revenue Officer at Pagefreezer, raises additional concerns:
"Not only do immature data retention policies leave organizations vulnerable to exposing sensitive data in cyber attacks, but they also expose the organization to the regulatory, legal, and financial risks of noncompliance—materially damaging an organization’s ability to operate.”
—Peter Callaghan, Chief Revenue Officer at Pagefreezer,
The C-suite must be part of the solution
Maturity efforts won’t succeed without C-suite buy-in. But to get that buy-in, the staff that handles day-to-day ESI management may need to educate leaders.
"You need to have C-suite commitment and investment. They have to see it as being a real priority for the rest of the company to consider it a real priority.”
— Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
But not all leaders understand the company’s true level of ESI-related risk.
Our research shows that while legal department leaders tend to be more aware of fines (36% of leaders vs. 28% of other legal department roles) and the inability to produce ESI (43% vs. 28%) than other legal department roles, they may be less familiar with the upstream factors that lead to those consequences.
D’Ambra notes that, to some degree, that disconnect is unavoidable:
"General counsel and chief legal officers aren’t dealing with the day-to-day challenges of responding to discovery requests. That’s just not what they are doing at their level. So it’s important for legal departments to take the time to educate senior leaders.”
—Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
Doug Austin, Editor of eDiscovery Today, agrees, noting:
"Some organizations probably didn't realize that they weren't on top of it until they got dinged.”
— Doug Austin, Editor of eDiscovery Today
Challenge: Relying on the IT department to manage ESI can be risky
Nearly three-quarters of legal departments (70%) depend on the IT department, at least in part, to manage ESI requests—but close to half (43%) report problems with that approach.
For example, nearly half (43%) of respondents say that the IT department struggles to handle ESI in a sound and legally defensible manner.
"Too many IT staff are unaware of information governance and requirements.”
—Richard Jeffrey-Cook, Head of Records Management and Consultancy at In-Form Consult
Getting IT to prioritize the legal departments’ requests can also be difficult, according to 43% of respondents. D’Ambra views this as a resourcing issue.
“In many companies that are not serial litigants, the IT department usually does not have a dedicated person to support legal. So when an emergency comes up and suddenly they’ve got to collect five terabytes of data, it’s hard to get the necessary resources to make that happen quickly.”
— Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
But even though the delays are understandable, the organization is still paying the price. One survey respondent warns, “The IT department may not understand that judges’ deadlines are real and that these things cost tons of money. People can get jail time… companies can lose billions of dollars if we don't operate properly. I have seen companies go bankrupt.”
Organizations need dedicated resources to reduce risk
Organizations should dedicate specialized resources, including software and personnel as needed, to ESI management.
“I'm much happier when a client has dedicated resources whose whole job is to do ESI collections for the company. They work with legal, and they have in-house technology to do those collections. Or they hire a vendor who goes in and does it. In either case, the people doing the collection aren’t being pulled away from their full time job to handle the emergency.”
— Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
Callaghan favors that approach as well.
"By incorporating specialty software into their eDiscovery technology infrastructure, legal departments can access the records they need directly and collect them without IT involvement.”
— Peter Callaghan, Chief Revenue Officer at Pagefreezer,
The majority of survey respondents also believe self-collection would allow them to ensure that ESI is handled in a sound and defensible manner (55%) and reduce the likelihood of missing deadlines (51%).
Challenge: Difficult ESI technology is hindering legal department efficiency
Inefficient or difficult-to-use technology is the #2 culprit (46%) for reduced legal department efficiency. Most respondents’ current ESI technology is missing key features.
Most businesses face major gaps between data retention, production needs, and existing ESI technology capabilities. Respondents reported their current ESI technology could NOT perform the following essential functions:
- Produce legally admissible documents with digital signatures (74%)
- Automate retention and deletion (68%)
- Handle large ESI data volumes (67%)
- Self-collect data (62%)
- Handle diverse ESI sources (39%)
However, most of the missing features listed are available in modern ESI management technologies—so why are companies using outdated, insufficient tech?
Jeffrey-Cook attributes the technical gaps to businesses’ tendency to be reactive to data retention problems:
"In terms of information governance, the vast majority of organizations are reactive, not proactive.”
—Richard Jeffrey-Cook, Head of Records Management and Consultancy at In-Form Consult
Callaghan has seen this in his work as well:
"When you’re reactive, you don’t know what you don’t know. In a recent case we supported, the organization was confident they knew the scope of the ESI they had to collect. After we captured the information, we found 15 million additional messages that needed to be included in the discovery that they were completely unaware of.”
—Peter Callaghan, Chief Revenue Officer at Pagefreezer,
It's also important to remember that inertia plays a role too:
"Legal teams tend to stick with the platform they're used to, even if it hasn't evolved to meet the needs that they're dealing with.”
—Doug Austin, Editor of eDiscovery Today
Purpose-built tools can reduce ESI-related risks
Organizations should invest in purpose-built technology with features that will help reduce risks associated with ESI management.
The majority of chief legal officers (61%) believe that implementing enhanced workflows for collecting data from key source repositories is the most important discovery readiness priority.
That might include technology that enables self-collection. The majority of respondents believe that being able to self-collect would ensure that ESI is handled in a sound and defensible manner (55%) and reduce the likelihood of missing deadlines (51%).
Other high-value capabilities include:
- Records indexing and search
- Legal holds
- Producing metadata and digital signatures for record authentication
Don’t wait to reduce ESI risks, D’Ambra advises:
“You have to invest now. Spending $200,000 on a technology or disposition project could, and most likely will, avoid millions of dollars worth of risk later.”
— Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance, Norton Rose Fulbright US LLP
Get more insights from the 2024 ESI Risk Management & Litigation Readiness Report
If your organization is like most, you may not have mature data retention policies and you likely depend on IT’s help when you’re responding to requests for production. If we’ve learned anything from our experts featured in this article, it’s that you shouldn’t wait until you’re facing fines or sanctions before you take action.
If you download the full report, you’ll get access to exclusive data from 200+ in-house legal professionals on the specific challenges that organizations like yours are facing along with practical advice from industry experts on how to reduce your dependence on IT, increase responsiveness, and mitigate risk with strategic ESI management best practices.
Download your copy of the 2024 ESI Risk Management & Litigation Readiness Report and turn ESI challenges into opportunities for increased efficiency and litigation readiness. Register for the expert panel webinar on June 4th, 2024 at 1pm ET, where we’ll discuss the findings live.
