by Mike Lynch

Laying down the law

Nov 22, 2010

Whether it be new technologies like cloud computing, new accounting standards like IFRS, or regulation like Sarbanes-Oxley, all these changes arrive at the CIO’s office door to drive major decisions, as their effects on processes and systems have to be taken into account.

In many organisations, new ideas around transparency, such as the effects of the Freedom of Information (FOI) Act (2000), translate into a new approach to information architectures.

But the ability of the IT system to handle FOI requests, given their pan-organisational possibilities, is a tame challenge by comparison with e-discovery.

About five years ago it became clear that the electronic age was challenging basic legal principles. The default interpretation was to look for a few emails and little else, and often it would take years to get the information to court. As one analyst put it, the defence was ‘the computer ate my homework’. In this environment, the scoundrel just had to use IM rather than email and the system was evaded and undermined.

Federal rules

This led the Americans to come up with the Federal Rules of Civil Procedure (FRCP), a piece of legislation that made it clear that electronic information such as emails, IMs and voicemails could reasonably be anticipated to be the subject of discovery.

In the event of notification of an action, companies have to investigate all their electronically stored information (ESI) and instead of a year, they have to put their house in order in 99 days.

ESI can often run into terabytes and comes in over 300 or 400 formats including text, audio and even video. The process of finding this information is called e-discovery and used to be a post-event, often outsourced process. With the change in the rules, the amount of information growing exponentially, and timescales shrinking, e-discovery is now becoming an architectural issue. Crucially, a firm’s e-discovery systems have to be ready to go before the issue arises, not after.

In Europe, the rules are generally less defined, but the principles are shifting in the same direction. Plus, don’t forget that almost all medium-to-large European organisations can be sued in the US courts and are therefore also covered by FRCP.

This is all new territory and the rules are still being defined. There was a case where a court ruled that even the contents of server RAM were discoverable. Imagine you sued a bank and the contents of the server RAM at the time of notification had to be preserved. That would be a quicker way to bring down the banking system than selling mortgages to hillbillies.

In a world where SharePoint springs up uncontrolled across the enterprise and where each instance creates a potential discovery liability, the CIO is central to employing strategies and technologies to implement information governance.

Another interesting example is preservation of evidence. In the electronic age, any item relevant to a case must be preserved in a process called legal hold. Up until recently, this would be done by sending an email to people asking them not to delete things.

Rinsing data

The problem is that as soon as your internal scoundrel gets that email, they send their laptop for a swim in the nearest river. However, the company is liable, and many regulators now see this trust-based model as out of date and so new technologies are being introduced.

These technologies look through all information on all devices, assess what matches the ideas that may be relevant, lock them down and send themselves a copy in case of any impending aquatic adventures. The scoundrel need never know.

It’s about here we have to grasp the thorny issue of privacy. Take an innocent employee: to know they have nothing relevant you need to look at all the data on their machine – even the emails asking their husband to feed the cat. But perhaps it is less of an intrusion for the emails to be read by a machine than by a lawyer.

For civilisation to work, the legal system has to work. For that, e-discovery has to work, and for that the CIO has to make sure the enterprise is discovery-ready. Stable door bolting, Chapter One.