Management Of Electronic Information

FW: In your opinion, are companies paying enough attention to electronically stored information (ESI) strategies? Is there a lack of awareness about its importance?

Coltson: In my opinion companies are not paying enough attention to ESI. It has been my experience that companies tend to take a reactive stance when it comes to the management of ESI – one need only look as far as the US case of Takeda Pharm. Co., Ltd. v. Teva Pharm. USA, Inc., 2010 WL 2640492 (D. Del. June 21, 2010) wherein 18 years of ESI was requested. Many companies do not want to absorb the capital expense of giving ESI the importance it requires.

Lawson: I don’t think there is necessarily a lack of awareness but, for many companies, there certainly isn’t enough attention paid to it—due to a variety of factors including, but not limited to, time, resources, and company priorities. However, let me quickly praise those corporations who have shown a strong commitment to and have actualised strong ESI programs, they do exist. For those other companies, the question is why? For starters, there seems to be some disconnect between the needs of the core business with the necessity for a comprehensive ESI program. While the ramifications for a poor or non-existent ESI strategy are typically clear to the general counsel who has to fund discovery and disclosure activities, it’s less apparent (at least not as a priority) to the CEO or the board. At least, not until it’s too late. It’s almost as if the C-suite sees the ESI strategy as an optional insurance policy. The costs are real enough as are the headlines of others missteps but not being able to put a tangible value on risk mitigation or cost savings often makes the discussion a challenging one.

Gold: Many companies have stepped up to the line and recognise the significance of ESI and its legally effective management. This awareness has been prompted both by a recognition of the perils of ignoring the effective management of ESI and the considerable business benefits of being in control of ESI. Too many companies, however, continue to pay lip service to ESI management, for a variety of reasons, including cost issues and also not having personnel who are sufficiently trained to do the job of effectively managing ESI.

FW: Although most companies have implemented policies to secure their electronic data from external threats, many companies have failed to update their policies to protect against the ever increasing internal threats to data security. Can you outline the current threats to internal data security?

Lawson: Some top internal security threats include the lack of extrusion detection, disgruntled employees, and social networking. Extrusion detection is something I’ve been discussing with my clients for years and is one of the biggest internal data security threats they face today. Whether it’s a corporate spy, a vindictive co-worker, a misplaced computer asset, or an unsecured access point, ESI accessed from within an organisation is easily transmitted to outside sources. Second, disgruntled employees – regardless of the policies and controls in place – have access to sensitive ESI which gives them ample opportunity to steal or pass that information along. Protecting against and detecting such activity can be very challenging. Lastly, social networking issues are less about specific ESI records leaving an organisation and more about sensitive information being leaked, by accident or with intent. Much like email, people tend to be more comfortable and let their guard down while using social networking tools. People may vent issues, gossip, share personal facts and sometimes divulge sensitive corporate information.

Gold: I see the chief threat as a loss of control over a significant business asset – ESI – which in the long run increases the cost of dealing with important business information and exposes that information to unauthorised use (and misuse) by company personnel who do not understand the need to secure electronically stored information or who intend to make some wrongful use of the ESI, such as trade secret theft.

Coltson: It is a difficult task to protect against internal threats – whether it’s a disgruntled employee using webmail to send out company data, or that same employee carrying a thumbdrive in their pocket – internal threats are likely one of the most prevalent as far as data security goes. This risk doesn’t just sit in the lap of the disgruntled employee – how often do trusted employees lose their laptop or a thumbdrive in a public place?

FW: What impact does a high volume of ESI have on productivity and costs?

Gold: The costs incident to high volumes of ESI are varied. As I see the issue, it is not so much the volume of ESI that is the problem; storage costs are relatively low. The real problem is the personnel costs of dealing with ESI that is not effectively managed or stored. Absent ongoing destruction of unnecessary ESI pursuant to a thoughtful ESI retention policy and a ‘map’ of the company’s ESI, the costs of locating and retrieving ESI – say, for litigation purposes – can be extraordinarily high.

Coltson: A high volume of ESI normally means the lack of an effective data retention policy. The cost of data storage can become extremely significant if such a policy does not exist and the volume of data continues to grow – this growth is often exponential.

To Continue Reading: Click Here
------------------------------------------------------------
Source: Financier World