By Brett Tarr, eMag Solutions
All companies today need a plan to manage the massive amounts of electronically stored information (ESI) created in the course of ongoing business, and e-commerce companies, which rely heavily on technology, are certainly no exception. In fact, organizations that operate in an electronic environment need these plans perhaps more than any other type of enterprise, because of the significant volumes of electronic records they produce each day.
This article will address how e-commerce companies can get a handle on managing organizational information, and outline processes for retaining and managing key business information that could be salient in legal proceedings, regulatory matters, or compliance issues. Additional discussion will examine the evolving data privacy and information security landscape as well as general organizational risk factors that tech-heavy e-commerce companies need to consider in managing business operations.
Not IF, but WHEN
In today’s business climate, litigation and investigation are not a question of “if” but “when.” Companies of all sizes face greater litigation risks and costs than ever before, and one effective way to reduce those costs is to adopt a proactive approach to e-disclosure.
According to a recent survey, the average number of lawsuits for companies over $1 billion in revenue has increased to more than 500 cases each year. At the same time, government investigations continue to grow. The Department of Justice investigated 490 corporate fraud cases in 2007 alone, resulting in 171 indictments and 124 convictions.
The e-discovery process is a critical part of these challenges. Legal teams want to keep their organization out of the media spotlight by ensuring government fines, court sanctions and negative verdicts do not occur because of internal failures in managing the electronic discovery process. They also want to make better, faster decisions on legal strategy and tactics based on real-time information about the documents and e-mail in their enterprise systems. In addition, every organization needs to contain costs by finding better methods to improve the predictability of electronic discovery while reducing its cost.
“Reactive” e-discovery means waiting until you face a legal matter and then scrambling to find what you need scattered around the organization. “Proactive” e-discovery means putting processes in place in advance to classify, organize, and manage (retain/delete) information so that when faced with a discovery request you can respond quickly, easily, and at a much reduced cost. A crucial component, one that significantly reduces a company’s risk and cost, is to dispose of old and obsolete data that the company is no longer required to retain.
Good information management requires the ability to classify and index all data, especially unstructured ESI. Your goal is to quickly identify and retrieve relevant information.
The first part of smart records management is to establish retention and deletion policies in line with your corporate or industry-specific compliance mandates, as part of an intelligent information management technology strategy for your entire company. Then leverage that technology to produce data topology reports and automate policy enforcement across all data sources enterprise-wide. This might be something as simple as a policy stating when records are deleted, so that they do not become a corporate liability and incur cost downstream.
Companies need good records management policies that systematically expire and purge obsolete documents. Reducing the overall storage content not only reduces storage cost, it has a direct cost savings impact on e-discovery tasks that arise later.
Some of the key issues an organization should consider include how to identify, classify, and store information, the types of systems and tools that can be used to manage and archive information, what data should be targeted for protection, retention policy development, and how/when to trigger a hold on information if/when a legal matter arises.
Knowing what you have and where it is
Every organization should prepare an auditable data map of active ESI, including the IT architecture and an examination of how information flows throughout the company. Network servers, e-mail servers, content management systems, storage systems and PCs are all key elements of a data map and help IT and legal departments understand what information exists, how it flows through the organization, and which custodians are implicated in these information conduits.
A data map is a visual reproduction of the ways that ESI moves throughout an organization, from the point it is created to its ultimate destruction as part of the company’s document retention program. At its heart, a data map addresses how people within the organization communicate with one another, and with others outside the organization.
A comprehensive data map provides the legal and IT departments with a guide to the employees, processes, technology, types of data and business areas, along with physical and virtual locations of data throughout a company. It includes information about data retention policies and enterprise content management programs, as well as identifying servers that contain data for various departments or functional areas within the organization. This highly effective form of information organization also takes into account high-risk issues such as the type of litigation a company is facing or is likely to face in the future.
Data maps can help organizations better prepare for legal discovery conferences, improving their ability to negotiate with the opposing counsel. Organizations can also control litigation costs through the ability to plan strategies based on accurate, timely information. Equally important, organizations can protect sensitive business information to help ensure the support of regulatory compliance and corporate information governance policies.
Optimized records management and destruction
Faced with possible liabilities, many organizations fall back on a “save everything” approach, resulting in soaring storage costs and increased difficulties in accessing the right information at the right time.
In order to proactively prepare while still maintaining cost control, record storage needs to be optimized according to corporate, legal and regulatory requirements. Organizations can properly discover, classify and retain all information according to business value and risk. ESI is culled to the minimum subset of potentially responsive data, reducing costs from review tool loading through legal review. Information should be retained only as required by retention rules and schedules, and old records should automatically be deleted based on records management policies.
Solutions for protecting information
Keep sensitive data where you want it – within the enterprise – to support information protection and compliance requirements. Keeping it in-house reduces the number of data hand-offs, minimizing potential chain-of-custody issues. Organizations also need an audit trail of all actions performed during collection, preservation, culling and production.
Developing retention policies
All too often, businesses discover the need for a document retention policy only when it is least convenient to implement. Particularly in today’s litigious society, when any and all document types can be used in litigation, being proactive in this regard can save an organization from headaches and excessive costs. A document retention policy provides for the systematic review, retention and destruction of documents received or created in the course of business. Your policy should identify those documents that need to be maintained and contain guidelines for how long certain documents should be kept and how they should be destroyed.
Steps in Developing Retention Policy
1) Identify Information Assets
Identify the types of information assets (especially electronically stored information) the organization holds (e.g. e-mail, client contracts, vendor service agreements, compliance documentation, product/service logs, etc.).
2) Legal/Regulatory/Compliance Issues
Identify any particular regulatory agencies or statutes that may govern the industry in which you are operating. Identify any past/anticipated issues facing the organization from a litigation, regulatory, or compliance perspective.
3) Establish a Response Team
Identify key decision makers within the organization in IT, legal, HR and compliance, as well as C-level executives, and lay out appropriate retention periods for organizational information or categories of organizational information.
4) Prepare Existing IT Infrastructure Roadmap
Map your existing IT architecture, including disaster recovery, storage infrastructure, and backup media/environments. Prepare an organizational chart to identify key functional areas within the company or reporting relationships that may impact retention policies. Identify any specific areas that need to be carved out from the general policy (e.g. financial records may need to be kept for seven years, regardless of how the organization’s retention policy treats general data).
5) Implement Policy
Implement your new policy, monitor enforcement, and review policy periodically to ensure any new issues are addressed.
Organizations that have never undertaken the task of developing and implementing an effective data retention policy often feel overwhelmed with the initiative, which is among the reasons the project gets put off. Working with a qualified external resource such as a data management solutions provider may be well worth the investment. Experts at data mapping, storage and retrieval are able to help companies create smart retention policies that reduce both cost and risk over the long term.
Understanding the Data Privacy Landscape
Account for Existing Laws and Regulations on Data Privacy
No one law or regulation governs the whole realm of data privacy and information security. The federal government has taken a sectoral approach to the protection of personal information; laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act regulate how certain industries protect information. At the state level, many states are enacting breach notification laws as well as establishing minimum safeguards for the protection of personal information, including Social Security number protection laws and data disposal statutes. Companies must be aware of this patchwork of laws and regulations and understand how it applies to their business operations.
Prepare for New Federal and State Laws and Regulations
As the data security legal landscape changes rapidly, companies must stay on top of new and proposed laws that may affect their businesses. Many new laws have wide-ranging impact and require significant advance preparation in order for a company to be in compliance when they take effect. Recent noteworthy items include:
The HITECH Act: Part of the stimulus bill signed into law by President Obama on February 17, 2009, the law imposes notice obligations on entities covered by HIPAA when they suffer a breach affecting protected health information. It requires notice of any breach to affected individuals and to the U.S. Department of Health and Human Services. If more than 500 consumers in a state or jurisdiction are affected, notice to the media is also required. A breach of some specific electronic health records requires notice to the Federal Trade Commission (FTC) in addition to affected individuals.
Massachusetts data security regulations are set to take effect on January 1, 2010, and they will apply to any company that collects or maintains information on a Massachusetts resident. Among other things, these regulations mandate that companies adopt a comprehensive written security program, encrypt personal information stored on laptops and portable electronic devices, and document actions taken in response to breaches.
Federal data breach notification legislation (H.R. 2221, the Data Accountability and Trust Act) is moving through the U.S. House of Representatives. The bill requires entities possessing personal information to establish and implement certain data security measures, and mandates notice to the FTC in the event of a breach. The legislation, as currently drafted, would preempt state breach notice laws, be enforceable by the FTC and state Attorneys General (AGs), and permit civil penalties of up to $5 million for violations.
Managing Organizational Risk
Managing organizational risk in tough times means taking a holistic view. This requires an integrated cross-departmental framework of controls, checks and balances. Key examples of issues facing organizations that impact corporate risk include fraud, new technology implementation, and the advent of global markets.
Fraud
Fraud continues to be a problem for numerous organizations. Oversight and quality control managers within organizations must be aware of this issue and develop consistent policies and procedures to address fraud prevention.
New Technology Implementation
In the current business market, organizations are always looking for the latest and greatest innovation to help improve workflows, increase efficiencies, and reduce costs. However, new technologies introduce new organizational risks, and businesses must recognize and prepare for this during the implementation process.
Careless Strategic Decisions
In this day and age, careless decisions can have a ripple effect across continents and into the global marketplace. The cost of strategic errors and the speed of their consequences on the company are increased, enhancing the overall risk profile of every major decision.
Management information itself can also represent a risk when the information used for decision making is incomplete, out of date, erroneous, late, or irrelevant. Organizations can no longer afford to treat risk in silos, or as separate department-level initiatives. Risk management needs to be an integrated, enterprise-wide approach, keeping focus on multiple key indicators that show early warning signs of potential business problems, with preplanned strategies to address potential risks. Further, ongoing board-level attention is required, because risk management is no longer tenable as purely a compliance issue, as recent market events have highlighted. Globally, organizations are facing uncertain times, and management of risk at the highest level is critical. Only with a systematic but strategically led approach to risk management can today’s organizations be more assured of avoiding, or better managing, the pitfalls of difficult market conditions.
The rise of e-commerce is uniquely tied to the explosion of electronic data in the last 15-20 years. Without the constraints of physical filing cabinets or the need for storage rooms devoted to documents, there has been a nearly unchecked proliferation in electronically created and stored information. With this growth, organizations must acknowledge the increased risks, not only from the cost of finding and accessing information, but also the increased involvement of these electronic records in legal, regulatory, and compliance matters.
In order to survive and thrive in today’s economy, organizations need to be lean, eliminate as much risk as possible, and be able to quickly address requests for information both internally and externally. Strategies on information management, retention/destruction of electronic data, data privacy, and risk management are critical to success in the ever-evolving world of e-commerce.
When lawsuits hit, many organizations find themselves scrambling to identify key business records and potentially relevant information. Organizations must take active steps to help prepare to respond and navigate the rough waters of legal discovery. Information management strategies provide companies with the means to quickly zero in on the right custodians and the right data, saving time and reducing expenses around the legal process. Constant evaluation and careful planning of company information assets allow these organizations to minimize risk, maintain data privacy, and manage the overwhelming mountains of electronic information generated through day-to-day e-commerce business activities.