How to Select Legal Holds Software: Five Considerations for IT
As the stewards of the data subject to legal holds, an enterprise's IT department should carefully evaluate any legal holds application software. When legal holds is viewed as solely a legal department issue, it's easy to lose sight of the fact that the data on hold is everywhere except the legal department! The legal department is the legal holds author and process owner, but the wrong choice in legal hold application software can inadvertently paralyze IT and undermine data management efficiency.
While the legal department concentrates on mitigating risks and documenting its steps, the IT department focuses on efficiencies in data management. This includes the ability to streamline fulfillment requests and decommission PCs and file share data in a timely manner. Legal departments seldom recognize the impact of legal holds on the IT organization, and most legal holds applications provide little efficiency for IT.
The Compliance, Governance and Oversight Council (CGOC), a corporate practitioners' community, brings together legal, IT and records information management (RIM) professionals to discuss current and best practices in discovery, information governance, privacy and data management. The CGOC's user community shares experiences, good and bad, in order to advance business practices in these key areas. The following five considerations in selecting legal holds application software reflect the community's experiences and lessons learned.
Providing IT with Transparency to the Data
Consideration No. 1: Does the legal hold application provide IT with transparency to the data in the systems that are on hold?
Some legal hold applications simply send e-mail messages to individual IT staff members, alerting them to holds by case number. In this case, only a few people in IT are aware of what data can't be moved, modified, altered or retired. If IT staff must fish through their e-mail box to find which notices apply at any point in time, they will be unable to manage data and risks efficiently and may retire or recycle the wrong data.
Consideration No. 2: Who benefits from the data source mapping features if they exist?
Beware of data source mapping features that provide legal with a list of systems for discovery when there are no corresponding features for IT! The legal hold application should make it easy for IT to update the data source list. It should provide a view of value to IT including knowing in real time which data sources legal has targeted for any given matter, knowing the discovery and retention parameters for a system, and knowing what governance requirements apply to the system. When legal knows what data sources have been identified in a hold but IT doesn't, data preservation in those systems is at risk.
Providing IT with Ability to Look Up Data
Consideration No. 3: Does the legal hold application provide IT with the ability to look up employees to see whether their data needs to be collected or sequestered?
In most companies, employees leave the company or are transferred every day. IT is tasked with acquiring and repurposing their PC and other assets. However, without access to current information about which employees are on hold, IT simply can't make good decisions about what to keep and what to recycle.
In companies with dozens of new matters a month and hundreds or thousands of employee transitions, a stale list of custodians on hold means that employee data is missed or IT can't reliably repurpose equipment. This often leads IT to store every employee drive when less than 10 percent of departing employees are typically involved in legal holds.
In the worst case, it sets IT up to recycle something only to find out later it was needed for a legal matter. Sorting through a series of hold notices or having to compare a list of thousands of custodians to see if a single employee is on hold is very inefficient for IT and can lead to increased compliance risk.
Consideration No. 4: Will the legal hold application enable holds integration with current and future content management, records management, e-mail and messaging systems?
The volume and complexity of legal holds continue to rise. It is now significantly more efficient to hold data in place than to duplicate data on hold and duplicate it again if it must be produced to courts or adversaries. In applications that can apply retention periods for routine disposal, it's even more important to apply holds so that disposition can occur safely and systematically.
Many application vendors are adding hold functionality to their repositories to simplify governance for IT and reduce legal risk. If the legal holds application was not architected to federate legal holds to repositories, your company will not be able to take full advantage of technology changes that enable hold-in-place and the routine disposal of data not on hold.
The IT organization then bears the burden of always placing manual holds and always being on the hook for preservation. In the worst case, the company won't be able to use the data disposition features of expensive applications, and archives will simply accumulate data endlessly.
Supporting Collection Workflow
Consideration No. 5: How does the legal hold application support collection workflow?
Collection workflow is more complex than legal holds due to detailed recordkeeping requirements and the simple fact that many more IT people may be involved in completing the work. More hands and more details create more risk and a greater burden.
Consider this typical collection request sequence: Legal sends a collection instruction "over the fence" to IT in the form of an e-mail message and a spreadsheet with a list of custodians. The collection request includes getting data for one set of custodians but from multiple sources such as file shares, desktop, e-mail, messaging and applications.
In addition to executing the collection correctly, IT must also coordinate, document and audit multiple spreadsheets, one for each custodian against each data source. For IT, the spreadsheet tracking is more tedious than collecting the data. Even sophisticated collection tools don't manage the workflow and recordkeeping requirements of collections.
This very detailed record of what was collected from each custodian, when and by whom, is critical for legal. Unfortunately, with custodian data collection documented in thousands of spreadsheets, it is impossible for IT to gain any efficiencies in the process, to avoid duplicate work efforts, or to inventory and dispose of its copy of the collected data. With several gigabytes per custodian per matter, this quickly escalates out of control.
Most legal hold application tools ignore this workflow (despite the fact that it's more complex and riskier), predominantly because the risk and complexity fall to IT rather than legal!
Netting It Out
While it's true that legal determines what data to hold and when, the execution and communication of the holds has far-reaching impact across the enterprise. Legal is not the only stakeholder. In a growing number of court cases, an IT director is deposed or cross-examined only to reveal the poor communication and process between legal and IT. If the intent in purchasing legal holds application software is to reduce the company's risk, then all legal holds stakeholders need transparent, consistent and complete information.
Deidre Paknad is President and CEO of PSS Systems. Deidre is also the founder of the Compliance, Governance and Oversight Council (CGOC), a professional community on retention and preservation. Deidre is widely credited with having conceived and launched the first commercial applications for legal holds, collections and retention management in 2004. She is a well-respected thought leader in the legal and information governance domain. Deidre has been a member of several Sedona working groups since 2005 and leads the EDRM/IMRM working group.
She shares her insight on information governance and the process maturity model in her blog, IMHO by Deidre Paknad. Deidre is a seasoned entrepreneur and executive with 20 years of experience applying technology to poorly functioning business processes in order to reduce cost and risk. She has been profiled in several books and articles for entrepreneurship, most recently in Business Lessons from the Edge by Jim McCormick and Grade A Entrepreneurs by Marylene Delbourg Delphis. She graduated from the University of California. She can be reached at firstname.lastname@example.org.