Managing electronically stored information (ESI) is a challenge for most organizations today. Numerous, diverse data sources, from websites and social media accounts to internal chat platforms, are creating huge volumes of information, making eDiscovery, litigation readiness, and responding to requests for ESI difficult, if not impossible.

“eDiscovery used to be fairly straightforward. You preserved and collected emails and Office files, and that was pretty much it. Now it's all sorts of things. It's more complicated than ever.” 
                 — Doug Austin, Editor of eDiscovery Today

As organizations adopt an increasing number of digital technologies, ESI from new data sources, like Slack and Microsoft Teams, is proliferating rapidly, without mature data governance infrastructure or retention policies.

New laws and regulations intended to address the technology shifts are being rolled out at a similarly breakneck pace. Organizations that aren’t keeping up with the management of these data are putting themselves in a risky position. They are:

• More vulnerable to exposing sensitive data in the event of a cyber attack. 
• At greater risk of regulatory penalties and legal sanctions (including fines).  
• Paying unnecessary storage costs on data that ought to be disposed of. 

To better understand the challenges legal teams are facing when managing ESI in the digital-first age, we conducted a study on the current state of ESI risk management, including litigation readiness, and the consequences of inadequate information governance and retention practices.

In brief, the study consisted of:

• Surveying 200+ in-house legal professionals (chief legal officers, general counsel/deputy general counsel, corporate counsel, attorneys, and legal operations staff). 
• Consulting with industry experts to provide insight on the findings and develop strategic guidance. 
• Creating a comprehensive report featuring five mission-critical recommendations for overcoming modern challenges of managing ESI.

The report’s key findings reveal the current state of ESI management practices and the related risks.

Key Findings

• Fewer than half of organizations report having a mature (i.e., enterprise-wide and consistently enforced) data retention policy for any data source.
• Two-thirds of legal professionals say caseloads are increasing, causing delays in responding to requests for production of ESI.
• Nearly a third of respondents said they have been fined for late responses or been unable to respond to requests for ESI at all.
• Almost half of respondents cite inadequate staffing and inefficient or difficult-to-use technology as top challenges for legal department efficiency. 
• More than two-thirds of respondents say that their legal department must depend on the IT department to complete ESI tasks.

Delays, fines, and data breach vulnerability: The risks of not managing ESI properly

If your company is part of the majority of businesses that lack mature data retention policies for ESI sources, you’re in a precarious position. Not having or not enforcing data retention policies (if only by inaction) is a choice—and one that comes with a lot of risk. In fact, 28% of respondents attest to being fined for late responses to requests for ESI, or being unable to respond at all. 

Retaining data that should have been deleted can be costly 

Without mature data retention policies, organizations are more likely to retain data with no business value—sometimes huge volumes of data. In the event of a cyber attack, that retained data can quickly become an expensive liability.

“We had one client, a very small company of about 1200 employees who had data stolen and ransomed by a hacker group. The company didn't have much consumer interaction at all; it was all B2B. But when we did the assessment of the data that was stolen, we identified 76,000 data subjects that needed to be notified.  It turned out they had data going back to 1998, including lots of data related to former employees.”
                 — Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP 

Companies that fall victim to cyber attacks often find themselves undertaking “huge data remediation projects after the dust settles,” according to D’Ambra. Often, data is not only past its retention period, it has no remaining business value. “Hackers can’t steal what no longer exists on the company’s systems,” D’Ambra points out.

Other potential risks of inappropriately retaining data include:

• Facing regulatory consequences in the event of an audit.
• Increasing litigation costs for the analysis of enormous volumes of ESI.
• Wasting money on unnecessary data storage fees. 

Getting rid of data that should have been retained creates risk

Multiple laws and industry regulations require organizations to retain certain records for a period of time. Companies in highly-regulated industries may have to manage many retention schedules simultaneously. Failing to retain important data can create problems during audits or investigations and can result in sanctions or steep fines. If your organization is reprimanded publicly by auditors or investigators, your reputation and customer loyalty could be damaged, materially damaging the organization and threatening operations.

Destroying ESI, whether intentionally or by accident, can create problems during litigation, too. 

“In discovery where we tend to see people get sanctioned the most is for preservation issues: They didn't lock the data sources down and it got deleted inadvertently or overwritten.”
                 — Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP
 

With data coming in from an ever-growing number channels, teams without the appropriate ESI management technology, that can automate or manage retention periods and legal holds, could lose important data. 

Inefficient technology can also play a role in increasing risk

With caseloads rising and budgets shrinking, efficiency is top of mind for leaders.

According to almost half of respondents (43%) inefficient or difficult-to-use technology is a serious barrier to legal department efficiency.

Most say their ESI technology does not allow them to produce legally admissible documents with digital signatures (74%), automate retention and deletion (68%), handle large ESI volumes (67%), or self-collect data (62%).

In fact, close to three-quarters of legal departments (70%) are forced to depend on the IT department to find, collect, and preserve ESI, and to respond to requests for production.

But this situation is less than ideal—according to 43% of respondents, their IT departments struggle to handle ESI in a sound and legally defensible manner. 

Another 43% say that their requests aren’t adequately prioritized.

“In many companies that are not serial litigants, the IT department usually does not have a dedicated person to support legal.  So when an emergency comes up and suddenly they’ve got to collect five terabytes of data, it’s hard to get the necessary resources to make that happen quickly."
                 — Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP 

But as we’ve discussed, excessive delays are putting companies at risk.

“I'm much happier when a client has dedicated resources whose whole job is to do ESI collections for the company, they work with legal, and they have in-house technology to do those collections. Or they hire a vendor who goes in and does it. In either case, the people doing the collection aren’t being pulled away from their full-time job to handle the emergency."
                 — Andrea L. D'Ambra, US Head of Technology and US Head of eDiscovery and Information Governance at Norton Rose Fulbright US LLP 

Get expert insights and practical strategies for managing your ESI risks

If your organization is struggling to manage ESI, failing to implement company-wide data retention policies, or depending on IT to respond to requests for production of ESI, don’t wait until you’re facing fines or sanctions before you take action. 

In the full report, we present exclusive data on the specific challenges organizations are facing in terms of managing ESI and maintaining litigation readiness.

This data can help your legal team benchmark your litigation readiness and management of ESI with over 200 of your peers. It also includes expert analysis and practical advice for reducing dependence on IT, overcoming ESI management challenges, and mitigating ESI risks. 

Download your copy of the 2024 ESI Risk Management & Litigation Readiness Report and turn ESI challenges into opportunities for increased efficiency and litigation readiness and register for the expert panel webinar on June 4th, 2024 at 1pm ET, where we’ll discuss the findings live.