Symantec today issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information (ESI) that we see expanding by the minute. Perhaps counter intuitively, the survey of legal and IT personnel at 2,000 enterprises found that email is no longer the primary source of ESI companies produced in response to eDiscovery requests. In fact, email came in third place (58%) to files/documents (67%) and database/application data (61%). Marking a departure from the landscape as recently as a few years ago, the survey reveals that email does not axiomatically equal eDiscovery any longer.
Some may react incredulously to these results. For instance, noted eDiscovery expert Ralph Losey continues to stress the paramount importance of email: “In the world of employment litigation it is all about email and attachments and other informal communications. That is not to say databases aren't also sometimes important. They can be, especially in class actions. But, the focus of eDiscovery remains squarely on email.” While it’s hard to argue with Ralph, the real takeaway should be less about the relative descent of email’s importance, and more about the ascendency of other data types (including social media), which now have an unquestioned seat at the table.
The primary ramification is that organizations need to prepare for eDiscovery and governmental inquires by casting a wider ESI net, including social media, cloud data, instant messaging and structured data systems. Forward-thinking companies should map out where all ESI resides company-wide so that these important sources do not go unrecognized. Once these sources of potentially responsive ESI are accounted for, the right eDiscovery tools need to be deployed so that these disparate types of ESI can be defensibly collected and processed for review in a singular, efficient and auditable environment.
The survey also found that companies which employ best practices such as implementing information retention plans, automating the enforcement of legal holds and leveraging archiving tools instead of relying on backups, fare dramatically better when it comes to responding to eDiscovery requests. Companies in the survey with good information governance hygiene were:
- 81% more likely to have a formal retention plan in place
- 63% more likely to automate legal holds
- 50% more likely to use a formal archiving tool
These top-tier companies in the survey were able to respond much faster and more successfully to an eDiscovery request, often suffering fewer negative consequences:
- 78% less likely to be sanctioned
- 47% less likely to lead to a compromised legal position
- 45% less likely to disclose too much information
This last bullet (disclosing too much information) has a number of negative ramifications beyond just giving the opposition more ammo than is strictly necessary. Since much of the eDiscovery process is volume-based, particularly the eyes-on review component, every extra gigabyte of produced information costs the organization in both seen and unseen ways. Some have estimated that it costs between $3-5 a document for manual attorney review - and at 50,000 pages to a gigabyte, these data-related expenses can really add up quickly.
On the other side of the coin, there were those companies with bad information governance hygiene. While this isn’t terribly surprising, it is shocking to see how many entities fail to connect the dots between information governance and risk reduction. Despite the numerous risks, the survey found nearly half of the respondents did not have an information retention plan in place, and of this group, only 30% were discussing how to do so. Most shockingly, 14% appear to be ostriches with their heads in the sand and have no plans to implement any retention plan whatsoever. When asked why folks weren’t taking action, respondents indicated lack of need (41%), too costly (38%), nobody has been chartered with that responsibility (27%), don’t have time (26%) and lack of expertise (21%) as top reasons. While I get the cost issue, particularly in these tough economic times, it’s bewildering to think that so many companies feel immune from the requirements of having even a basic retention plan.
As the saying goes, “You don’t need to be a weatherman to tell which way the wind blows.” And, the winds of change are upon us. Treating eDiscovery as a repeatable business process isn’t a Herculean task, but it is one that cannot be accomplished without good information governance hygiene and the profound recognition that email isn’t the only game in town.