Preparing for Litigation Before it Happens: eDiscovery Best Practices, Part Five
Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems. He has also been a great addition to our webinar program, participating with me on several recent webinars. Tom has also written several terrific informational overview series for CloudNine, including eDiscovery and the GDPR: Ready or Not, Here it Comes (which we covered as a webcast), Understanding eDiscovery in Criminal Cases (which we also covered as a webcast), ALSP – Not Just Your Daddy’s LPO, Why Is TAR Like a Bag of M&M’s?, eDiscovery for the Rest of Us (which we also covered as a webcast) and Litigate or Settle? Info You Need to Make Case Decisions (which is our next scheduled webcast on August 29th). Now, Tom has written another terrific overview regarding pre-litigation considerations titled Preparing for Litigation Before it Happens that we’re happy to share on the eDiscovery Daily blog. Enjoy! – Doug
BTW, in addition to exhibiting at ILTACON in National Harbor, MD next week in booth 936, CloudNine will also host a happy hour on Tuesday, August 21 from 4:30 to 6:30pm ET at the National Harbor’s Public House (click here to register). Come and get to know CloudNine, your provider for LAW PreDiscovery®, Concordance® and the CloudNine™ SaaS platform! We want to see you!
Basic Information Governance Solutions
One option, as mentioned above, is to design your own IG structure. An interesting option in that regard is that if you already use the Office 365 operating system, Microsoft has a Compliance Manager add on for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers operating in a public clouds infrastructure.
Compliance Manager allows an organization to build a custom process to manage all compliance activities from one place with three key capabilities:
- Perform on-going risk assessments, now with Compliance Score
Compliance Manager is a cross-Microsoft Cloud services solution designed to help organizations meet complex compliance obligations, including the EU GDPR, ISO 27001, ISO 27018, NIST 800- 53, NIST 800- 171, and HIPAA.
- Provides actionable insights from a certification/regulation view
Compliance Manager builds a connection between data protection capabilities and regulatory requirements, enabling users to know which technology solutions they can leverage to meet certain compliance obligations. One centralized view shows customer actions for each certification or regulatory control, and the specific actions recommended for each control. This includes step-by-step guidance through implementing internal controls and developing business processes for the organization.
- Simplifies management of compliance activities with the capability to create multiple assessments for each standard and regulation
Compliance Manager enables assigning, tracking, and recording compliance activities to collaborate across teams and easily manage documents for creating audit reports. This group functionality allows multiple assessments for any standard or regulation that is available in Compliance Manager by time, by teams, or by business units.
For example, you can create a GDPR assessment for the 2018 group and another one for the 2019 group. Similarly, you can create an ISO 27001 assessment for your business units located in the U.S. and another one for your business units located in Europe.
You can learn more about Compliance Manager in the white paper, Simplify your Compliance Journey with Service Trust Portal and Compliance Manager (downloadable here) or on the Compliance Manager support page.
A second method for creating an IG structure is to use the EDRM Information Governance Reference Model (IGRM). As mentioned at the onset of this paper, IG was largely ignored when the EDRM started. That is not the case now as the updated EDRM wall poster diagram below illustrates.
IGRM is one of 8 projects within the EDRM.net organization, and as such is specifically designed to help eDiscovery projects. While the well-known diagram of the EDRM illustrates a model for electronic discovery, the IGRM diagram (shown at the top of this blog post) illustrates a more detailed model for information management.
IGRM provides a framework for cross functional and executive dialogue and serves as a catalyst for defining a unified governance approach to information. It is available to corporations, analyst firms, industry associations and other parties as a tool for communicating with and to organization stakeholders on responsibilities, processes and practices for information governance.
The IGRM diagram is a responsibility model rather than a document or case life cycle model and as such, can be used in a variety of industries and companies. It helps to identify the stakeholders, define their respective “stake” in information, and highlights the intersection and dependence across these stakeholders.
The diagram was developed from multiple key inputs, including:
- Interested parties with expertise in RIM, Discovery, and Information Management
- Community effort
- Series of bi-weekly sessions over more than 12 months
- Socialized with more than 350 Compliance, Governance and Oversight Council (CGOC) corporate member practitioners in several CGOC meetings, and broadly distributed to over 750 CGOC member practitioners
The CGOC also issued a survey of corporate practitioners which showed:
- 100% of respondents stating that defensible disposal was the purpose of information governance practice
- Two-thirds of IT and one-half of RIM respondents said their current responsibility model for information governance didn’t work
- 80% of respondents across legal, IT, and RIM said they had little or very weak linkage between legal obligations for information and records management and data management
You can link to the survey’s preliminary results here: http://www.cgoc.com/webinars/introduction-to-imrm
As you can see at the top of this blog post, the IGRM model has an outer ring of stakeholder groups including business users who need information to operate the organization, IT departments who must implement the mechanics of information management, and legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value. In the center of the diagram is a workflow, or lifecycle diagram. The information basics are distilled out, with the notable inclusion of “dispose” as the end state of information. Note the “information gates” in the middle, where information accumulates.
You can read more about how to use the IGRM model here.
Once comfortable with the components of the IGRM diagram, there are tools that provide the “next level” detail from the IGRM. One example is the CGOC’s process maturity model which outlines 13 key processes in eDiscovery and information management. Each process is described in terms of a maturity level from one to four – completely manual and ad hoc to greater degrees of process integration across functions and automation.
We’ll publish Part 6 – One Reason Why Information Governance is Not More Popular – on Thursday.
So, what do you think? Does your organization have a plan for preparing for litigation before it happens? As always, please share any comments you might have or if you’d like to know more about a particular topic.
Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.