At most organisations, the lawyers handle the legal work, IT oversees the technology and the two departments rarely (if ever) cross paths. That's simply no longer acceptable in an age where information is paramount to success and legal requests to support litigation now routinely involve electronically stored information (ESI), such as emails. It is more important than ever for IT and legal to work together hand in hand to develop and implement legal holds policies and practices, or risk costly fines and irreparable damage to the company's reputation.
A new benchmark report from the IT Policy Compliance Group, "Improving Results for the Legal Custody of Information," shows a direct correlation between significant cost savings and mature legal holds practices. While the average cost of legal data holds for large enterprises with normative practices is between US$500,000 and $9 million, those with the least-mature practices reported spending between $1.5 million and more than $28 million annually.
In contrast, the most mature legal holds practices led to large enterprise costs of only $120,000 to $2.6 million annually. Across all business sizes, the IT Policy Compliance Group research shows those with the least-mature practices are incurring expenses that are more than 10 times those of their peer companies with more mature practices.
Size, industry segment and past experience are not responsible for lower expenses for legal settlements and fees, nor for lower costs in IT to find, protect and preserve information on hold. Rather, the factors most influencing better results among the best-in-class organisations are the consistent practices and capabilities being implemented. These organisations spend 94 percent less for legal settlements and fees and 92 percent less for IT to find, protect and preserve information on legal hold than organisations with the worst practices. So, what are these organisations doing that's working?
Legal holds on information start when an organisation learns of, or can reasonably anticipate, litigation or a regulatory investigation. Not all companies notify affected employees and respond to legal requests for data and records in the same amount of time, and that is a key factor in determining how quickly and completely IT and legal can locate and recover subpoenaed electronic records. Approximately one in 10 - 12 percent - of all organisations surveyed is performing at the most mature levels. These organisations notify employees in less than one hour about a legal hold on records and data and are responding to legal requests for information within one day.
Other strategic actions that best-in-class organisations take include:
- Maintaining evidence of the handling of data
- Employee training
- Improving the quality of legal counsel
- Tracking results to make subsequent improvements
IT and Legal Working Together
The findings clearly show that among organisations with the most mature policies and practices, IT is prominently involved in a wide range of activities related to finding, protecting and producing data in response to legal requests. These companies are implementing specific actions in IT to manage the lifecycle of information subject to legal holds.
Organisations with the most mature legal holds practices are converting as much information as possible into electronic formats and inventorying and indexing information for rapid search. Although paper-based records are identified as the most traditional format and the most time-consuming and expensive for all organisations, the research shows that ESI requests increasingly make up a larger proportion of the legal requests, especially for email and office productivity files among other forms of ESI. Unless ESI (and this includes email, office files, product design records, customer transaction data, instant messaging files, financial transactions, etc.) is indexed for rapid search, protection and production, it offers no obvious benefit. For example, 10GB of information is about 500,000 pages, close to 200 boxes of paper that would normally not be indexed while being stored offsite.
In addition to ESI, the specific practices in IT that are improving results and reducing costs include:
- Updating policies and procedures for records retention and destruction
- Increasing the frequency of monitoring and measurements
- Correcting gaps in technical and procedural controls
In contrast to these actions and practices, almost seven in ten - 68 percent - of all organisations are not implementing these practices to the same level and as a result are spending four times more on IT and five times more on legal settlements and fees. By comparison, two in 10 - 20 percent - of all organisations are not implementing any of these practices and are spending 13 times more in IT and 18 times more on legal settlements and fees.
With increasing external pressures, including legal and regulatory mandates, and an ever-increasing volume of electronic data, improving practices for the legal custody of data is now a business imperative. Corporate executives, legal counsel and IT managers must work together to define the requirements for policies and solutions to meet this challenging business environment.
Jim Hurley is managing director of IT Policy Compliance Group, where he works with members to drive, field and deliver independent research and tools for organisations to assess current business outcomes and practices to improve results. Jim spent more than 10 years as the vice president of research services for IT security, risk management and compliance with Aberdeen Group, where he served clients from around the world in every industrial sector.