CIOs who don’t set and enforce strict compliance with industry regulations for data back-up beware: seemingly small infractions can lead to courtroom woes fast enough to make your head spin.
So said Chuck Ragan, a partner with law firm Pillsbury Winthrop Shaw Pittman, referring to a host of sanctions imposed in some 70 court cases last year involving electronic-discovery — the pre-trial process in which parties are required to produce certain documents, electronic or otherwise, at the request of opposing counsel.
Topped off with a court ruling in Florida this year in which a company that failed to produce backed-up e-mail files in a timely manner and was heavily sanctioned by the court these cases point to the importance proper back-up policies and procedures, the law firm said.
“The potential risks to an organization are so high,” said Ragan, whose firm has more than 900 lawyers operating in 16 North American, European, Asia-Pacific locations. And it’s not unusual to run into trouble.
The defendant in the Florida case “had a practice of backing up servers but of not being religious about tracking an inventory of them — this is a non-unique circumstance,” added Ragan.
While such behavior can cause a company no end of trouble, ranging from lost court cases to millions of dollars in fines, proper data back-up is still very challenging.
As Robert Israel, the CIO at John C. Lincoln Hospital in Phoenix, AZ. puts it, “[d]ocument and data retention is the bane of (IT’s) existence.” Especially as companies and regulations change (think Sarbanes-Oxley) and evolve, it’s a struggle to keep up.
Raytheon Co., the $20 billion defense contractor, for example, has acquired several other companies over the years and has had to meld the retention and storage of those companies’ legacy documents and data into its own schemes. With thousands of corporate servers, each housing millions of pages of data, the challenge is evident.
“We’re fighting to keep up with the ever increasing challenges of technology and data storage,” said Woods Abbott, Raytheon’s senior manager of legal operations.
Meeting the Challenge
So how can CIOs meet the challenge and avoid landing in the e-discovery soup?
Many experts recommend a multi-pronged approach:
“Forever, IT folks have been told that their job is at risk if they lose data,” said Pillsbury’s Ragan. “The message that needs to be added to that ‘don’t-lose-it’ mantra is that information needs to be managed — because not all of it is valuable — and IT can not do it all alone. You need a cross disciplinary team with IT, legal and business-unit managers involved.”
Part of the reason why CIOs need a team approach is that legal obligations for data-preservation depend on a company’s industry. A financial-services firm will need to put different checks, balances and procedures in place than, say, a retail firm.
“We have worked with legal compliance and HR to properly document what needs to be (retained),” said Israel. “This helps with compliance issues such as HIPAA (the Health Insurance Portability and Accountability Act).”
Once a CIO and the other managers work out parameters for their particular industry, they need to formalize and evangelize their policy.
“Small or large, you need a written policy” for document and data retention, said Raytheon’s Abbott. “And you can’t just have a policy. You have to go out and be sure the policy is being enforced.”
“Do the policy now,” Abbott adds, “Before the crisis mode of a lawsuit forces you to.”
To be sure, preventing problems is always preferable to fixing them once they’ve happened. In data management, many stress, this means efficiently saving what must be saved but no more than that.
“Storage is so cheap we can end up maintaining everything,” said Abbott.
That means that most companies have plenty of “digital trash” lying around that may not fall under back-up laws or regulations and can, in fact, gum up the works.
Imagine the cost of paying lawyers or even paralegals to review reams and reams of irrelevant data that’s been backed up without consideration for the data’s business or legal value, said Ragan
“It’s good for the IT department to know that destruction of data is not necessarily a bad thing” — once the required period of preservation has passed, Abbott said. “It’s good for the company to keep lean, mean and clean.”