E14 Exchange Uber-Geek

Mark E. Smith's Brain Dump

CIOs on Trial: A Check List for eDiscovery and Litigation
Today’s CIO encounters many challenges handling security and regulatory mandates that extend far beyond the once-simple duties of maintaining firewalls. CIOs are today’s corporate first responders to spot insider theft or illegal activity, recover lost or deleted data, and ameliorate poor document retention.
Even before 2008's financial meltdown, courts realized that the amount of electronic data in litigation was growing exponentially. As a result, new Federal guidelines were introduced in 2006 (http://www.cioupdate.com/article.php/3646801) to address this growing problem. At the core of any litigation today is the concept of understanding electronic data: where it is located, how it is managed, and how it can be accessed.
In the past, the litigation team consisted of inside and outside counsel, the business unit manager and outside suppliers. The legal responsibility for the management of a company’s data in most businesses falls squarely on the shoulders of the CIO. Thus, if a company is ever entrenched in a legal battle, the CIO needs to be part of the team and must be prepared to take the stand. Because of this person’s unique ability to discuss the internal systems that generate the data in question, a CIO will almost inevitably make any trial attorney’s short list.
In preparing to testify, a CIO must create a plan of action to address the data involved in the litigation. The CIO must be able to speak to the company’s internal IT functions as well as the complexity of the company’s data architecture. A CIO must also be prepared to defend the company’s work practices and policies in anticipation of, not just in response to, litigation. Creating a litigation response team that prepares these responses and policies ahead of time is critical.
The following are sample issues and questions that a CIO may need to address on the stand and, as part of the litigation response team, should be prepared to tackle:
 
  • Present a simple overview as to how data is managed within the corporate structure.
  • Discuss data mapping and chain of custody procedures within the company. The ability to easily explain this data mapping process, how it was done, who did it and how it was audited, is a key element of any trial involving eDiscovery.
  • Clearly communicate the company’s IT planning approach.
  • Explain how data is handled on a day to day basis by the business unit and managed by the IT services organization.
  • Speak to compliance issues and how they are managed from an IT perspective. Be prepared to assess what impact this system may have on the litigation.
  • How is data managed in overseas subsidiaries? What safeguards are in place to collect data from these locations? Can data be transferred across borders pursuant to US Department of Commerce Safe Harbor or other criteria?
  • How is the records management program handled and what is the CIO’s role in that process? How might this process be impacted by a litigation hold?
  • What role does the CIO play when staff needs to be interviewed by the legal team for a deposition or interrogatory?
  • How is the collection of data managed internally? Who is collecting the data? Is it self-collection or is it managed by an outside partner?
  • What type of audit trail or chain of custody is in place as part of the day-to-day business activities?
  • What types of reporting are available regarding the data?

Here are a few basic guidelines that the CIO must adhere to as part of the litigation team:

  • Ensure the company complies with regulations pertaining to its business operations.
  • Maintain compliance with regulations pertaining to the records the company must keep.
  • Be certain the company’s records are maintained and can be located by a chosen set of criteria (examples may be by department, facility, subject, product, etc.)
  • Ensure there is an appropriate retention program so required records are kept as long as required and are reliably disposed of when no longer necessary.
  • Respond to the discovery obligations of litigation filed against the company within the time deadlines of the courts.
  • Manage the cost of the litigation to minimize effect on the company, both financially and in terms of the disruption of ongoing operations.
  • Comply fully with the requirements of the courts.
  • Ensure the company’s lawyers, whether in-house or outside counsel, are supplied with the information they need and their efforts are effectively supported.

A good reference tool for the CIO is the Electronic Discovery Reference Model (EDRM), which can be found at http://edrm.net/. EDRM is a collaborative effort that involves corporations, law firms and suppliers working together to better delineate the best practices of managing litigation today. As part of the EDRM model, there are specific areas where a CIO can reference these best practices to help prepare and respond to litigation. The model covers each aspect of the litigation process and defines the necessary components to be successful.

CIOs know that building a firewall after a system is hacked is too little, too late. Now, more than ever, they must extend that lesson to data management. Implementing a comprehensive plan in anticipation of litigation is the company’s best defense against anything, technology or otherwise, that threatens the company.
 
 
Economic impact of Exchange 2010 (by Forrester)

Based on the interviews with the nine existing customers, Forrester constructed a TEI framework for a composite organization and the associated ROI analysis illustrating the financial impact areas. As seen in Table 1, the ROI for our composite company, computed from hard benefits, is 48% with a breakeven point (payback period) of less than six months after deployment.

[Image: Exchange 2010 economic impact]

Exchange 2010 Business Value: The study provides a clear list of Exchange 2010 value-proposition points. Here are the key benefits mentioned in the report:

  • Cost avoidance of storage
  • Reduced cost of high availability and disaster recovery
  • Savings in backup systems and staff
  • Fewer help desk or support calls
  • Cost reduction of extending mobility
  • Enhanced message filtering
  • Simplified compliance and legal eDiscovery
  • Voicemail cost avoidance

The white paper has 3-year projected present value estimations. Consider this document a great starting point to build the business case for Exchange 2010 with your customers.

Get the white paper at: http://download.microsoft.com/download/7/5/0/75068B44-0A70-4BBF-9824-01ECF076F7AE/TheTotalEconomicImpact_pdf_11042009.pdf

Install Windows Server 2008 via USB thumbdrive

This has been posted around in various flavors for Vista. I've adopted it for our lab and production data center environments that are mainly run on blade servers in remote data centers without DVD drives.

Requirements:
1. 8GB USB thumb drives.
2. BIOS that has the ability to select USB drive as a boot drive independent of the HDD. For example, some BIOS detect the USB drive as a HDD and therefore you can only select HDD in the boot priority. This results in the inability to boot the system while the USB drive is installed in the server.
3. Access to the console while the machine is booting e.g. RiLO/DRAC/IP KVM.

Making the Server 2008 USB Boot Media:
If your stick has U3 installed on it, you’ll probably want to remove that. Here are the instructions on how to remove U3: http://www.u3.com/uninstall/ 

Format the thumb drive

  1. From a CMD prompt, execute: diskpart
  2. list disk
  3. select disk 1    (assuming disk 1 was your thumb drive in the above list disk command)
  4. clean
  5. create partition primary
  6. select partition 1
  7. active
  8. format fs=fat32
  9. assign
  10. exit

Copy the Win2008 install files

  1. xcopy d:\*.* /s/e/f e:\   (assumes your DVD is drive D: and your thumb drive is drive E:, adjust accordingly)
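
The format-and-copy steps above as one guarded script, added here as an example and not part of the original post: it refuses to run `clean` unless the selected disk reports a USB bus type and is not a boot or system disk. It assumes a workstation with the `Get-Disk` cmdlet (Windows 8 / Server 2012 or later) and an elevated prompt; the parameter names and the temp-file name are illustrative.

```powershell
# Added example (not from the original post): build the Server 2008 USB media
# with a safety check before the destructive diskpart "clean".
# Assumptions: Get-Disk is available, prompt is elevated, parameter names are illustrative.
param(
    [Parameter(Mandatory)] [int] $DiskNumber,   # number shown by "list disk"
    [string] $SourceDrive = 'D:',               # Server 2008 DVD or mounted ISO
    [string] $UsbLetter   = 'E'                 # letter to assign to the thumb drive
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

# Refuse anything that is not USB-attached or that hosts the running OS.
if ($disk.BusType -ne 'USB')         { throw "Disk $DiskNumber is $($disk.BusType), not USB." }
if ($disk.IsBoot -or $disk.IsSystem) { throw "Disk $DiskNumber is a boot/system disk." }
# Windows' format command will not create FAT32 volumes larger than 32 GB.
if ($disk.Size -gt 32GB)             { throw "Disk $DiskNumber is too large for fs=fat32." }

'{0} ({1:N1} GB) will be erased.' -f $disk.FriendlyName, ($disk.Size / 1GB)
if ((Read-Host 'Type ERASE to continue') -cne 'ERASE') { return }

# Same diskpart commands as the numbered steps, run non-interactively via /s.
# "assign letter=" pins the drive letter so the copy target is known.
$commands = @"
select disk $DiskNumber
clean
create partition primary
select partition 1
active
format fs=fat32
assign letter=$UsbLetter
exit
"@
$scriptPath = Join-Path $env:TEMP 'make-usb-diskpart.txt'
Set-Content -Path $scriptPath -Value $commands -Encoding ASCII

diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE." }

# Copy the install files, as in the xcopy step above.
xcopy "$SourceDrive\*.*" "${UsbLetter}:\" /s /e /f
if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE." }
```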

Setting up the server:

  1. Now that you have the USB media, insert them into each of your servers.
  2. Edit the boot priority of the BIOS to be:
    1. USB
    2. HDD
  3. Test the configuration by booting the server. When booting you should see the "Press any key to boot..." screen in Windows. Let that time out and your normal Windows install should start up.
  4. When you need to recover/rebuild the server, simply boot from the USB drive.
  5. HINT: Also copy the server's drivers and management software to the USB stick if necessary.

Resizing a Virtual PC/Virtual Server VHD
Sometimes you'll want to resize a VHD... For example, you might have only made the core OS 30GB and need to expand it. You'll need two tools:
 
GPARTED and VhdResizer.
GParted LiveCD (ISO)
 
VhdResizer
 
This video does a good job of explaining.
 
Note: I had a hard time getting GParted's video display to properly display. After it booted in the garbled video mode I had to hit CTRL-ALT-BACKSPACE to kill X win. Then issue a sudo Forcevideo (case sensitive) and specify the VESA video at 800x600.