ESI Trends: What it means for Risk / Compliance Managers

As stories on WikiLeaks continue to dominate news headlines, there has been no better time for risk and compliance managers to assess the area of records management. A public scandal in the event of a data breach is a major reason to ensure that policies relating to document creation, retention and disclosure are top of the Boardroom agenda. Other factors include the rise of fraud, increased regulatory activity and the development of e-disclosure practice in the US and, more recently, the UK.

The management of electronically stored information (ESI) is now a complex minefield that needs to be properly ‘cleared’ to avoid any casualties. New technologies that help us to work faster and smarter also create the need for constant review and revision of policy and procedure. Here, we consider the key trends that risk and compliance managers have to grapple with in order to ensure that company data is adequately protected from both internal and external threats.

Growth of technology

Virtually all business communications and transactions take place electronically. Just as email has overtaken letters and facsimiles as the principal means of communication, email is now giving way to new forms of communication such as instant messaging, SMS and social networks. As technology evolves and newer, more attractive devices are brought to market, businesses are starting to trial the use of iPads and other tablets in the workplace, instead of Blackberry devices, and outsource data management to the cloud. These developments underscore our quest for faster and easier lifestyles when it comes to accessing company data. However, these developments need to be carefully evaluated before they are introduced to the business world.

Such assessments are necessarily broad, encompassing IT security (for the avoidance of cyber-crime), archival of documents (to assist with legal discovery) and user training needs (to remind individuals about the appropriate use of business systems).

How should risk and compliance managers respond?

There are hundreds of statutes and regulations that impact on document retention requirements, so good corporate governance necessitates responsible information management. Here are some of the practical matters which have to be balanced in order to maintain a sound business:

Incident readiness

Across the modern geography of business, both regulators and the courts emphasise the need for efficiency in the management of an investigation or a litigation. In the regulatory world, the company’s best interests are served if evidence to support an immunity or leniency application can be produced as quickly as possible. In litigation, as seen in the 2009 case Earles v Barclays Bank Plc, the judiciary takes a tough approach towards litigants who fail to produce the evidential ‘goods’. This process can be greatly assisted by compiling an inventory of potentially relevant sources of information, which can be referenced during the course of a reasonable search.

Legal compliance

In any event, producing such an inventory (otherwise known as a data map) is something which litigants in 2011 and onwards may find themselves doing routinely, following new guidance published in Practice Direction 31B to the Civil Procedure Rules. This practice direction publishes the Electronic Documents Questionnaire, which holds the person responsible for its completion accountable for the scope of the reasonable search undertaken by the party they represent. There is no doubt that smart businesses, even in the absence of a dispute, view the Questionnaire as their guide to gathering the information needed to conduct a search at short notice.

Ownership

Inevitably, risk and compliance managers are likely to face internal political issues. As a recent survey  suggests, legal departments are perhaps more knowledgeable than their respective IT departments about whether they have a document retention policy. This is arguably an issue for board-ruling, which presents a clear need for departments to work together to ensure that well structured policies are properly implemented.

Cost control

In the current economic climate, the focus on efficiency is strongly felt. Keeping a tight rein on legal spending, particularly in the search for evidence, is a major business concern. Companies with a less than firm grip on their ESI will likely face higher costs of producing evidence than their competitors. A growing number of businesses have a legal hold technology tool, which helps ensure that potential evidence is readily accessible and searchable. By adding in-house or outsourced arrangements for the conduct of early case assessments and disclosure projects, and budgeting for the costs involved in managing disclosure, businesses can boost shareholder confidence by demonstrating a strong command of the spending risks.

Review of procedures

More companies are implementing ESI Disclosure Policies and preparing for disclosure in litigation and investigations. In order to ensure that such policies are repeatable and defensible, they must be tested and revisited regularly, to ensure that they remain in step with the changing business environment.

Proactive compliance

2010 saw continued regulatory activity and increased speculation that the tsunami of litigation will hit UK shores in 2011. It was also the year that the Bribery Bill was given Royal Assent, and the European Court of Justice confirmed that legal professional privilege does not apply to legal advice given by in-house lawyers in EU competition law investigations . These developments mean that education of employees on behavioural issues is as important as ever. Moreover, there is a need to ensure that compliance is managed with audits to help discover any potential issues. This is a time consuming commitment, which can be made easier by using intelligent review technologies that assist the review of sample communications and phonetic search engines to find potentially important words spoken during hours of recorded conversations.

Conclusion

There is often a lot of data at various operating levels that does not get seen from the top. Companies need to identify and manage this data in a way that contemplates that, sooner or later, they will need to interrogate ESI rapidly and defensibly. By working to address document risks now, the benefits will be clear when the first information requests arrive.

Rob Jones is a Legal Consultant at Kroll Ontrack's office in London.

Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.